Correct GRANTS management bugs #236 & #243 #255

Closed
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p

- Simplify a platform version check in the repository resource
- Migrate testing to actions
- Grant action should not require and modify the password ([#236](https://github.com/sous-chefs/mariadb/issues/236))
- Grant fails if symbol privilege contains an underscore ([#243](https://github.com/sous-chefs/mariadb/issues/243))

## [3.1.0] (2019-10-24)
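Review bot: The two added entries describe the bugs rather than the changes, unlike the entries above them ("Simplify a platform version check ...", "Migrate testing to actions"). The second one, `Grant fails if symbol privilege contains an underscore`, literally says the grant fails. Wording both as the fix, for example "Fix grant failing when a symbol privilege contains an underscore", keeps the list consistent and tells an upgrader what actually changed.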

28 changes: 16 additions & 12 deletions resources/user.rb
Expand Up @@ -36,7 +36,7 @@
if current_resource.nil?
converge_by "Creating user '#{new_resource.username}'@'#{new_resource.host}'" do
create_sql = "CREATE USER '#{new_resource.username}'@'#{new_resource.host}'"
if new_resource.password
unless new_resource.password.nil?
create_sql << ' IDENTIFIED BY '
create_sql << if new_resource.password.is_a?(HashedPassword)
" PASSWORD '#{new_resource.password}'"
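Review bot: `unless new_resource.password.nil?` on the password branch still lets an empty string through, so a resource declared with `password ''` yields `IDENTIFIED BY ''` and an account with an empty password. Compared with the old `if new_resource.password`, the only value now treated differently is `false`. If an empty password is not meant to be supported, reject it here explicitly. The username, host and password are also interpolated into single-quoted SQL literals without escaping, so a value containing `'` breaks the statement; escaping quotes before building `create_sql` would close that.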
Expand Down Expand Up @@ -194,7 +194,7 @@ def desired_privs
desired_privs
end

def revokify_key(key)
def clean_grant_name(key)
return '' if key.nil?

# Some keys need to be translated as outlined by the table found here:
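Review bot: `return '' if key.nil?` at the top of `clean_grant_name` now feeds the GRANT path as well as the REVOKE path. With `new_resource.privileges.map { |key| clean_grant_name(key) }` followed by `join(',')`, a nil entry in the list becomes an empty item and the statement turns into `GRANT SELECT,,UPDATE ...`, which fails at the server with a syntax error rather than a clear Chef error. Either raise on nil here or drop empty results before joining. A one-line doc comment saying that the method maps a privilege symbol to its SQL name would also help now that the name no longer says where it is used.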
Expand Down Expand Up @@ -245,15 +245,19 @@ def revokify_key(key)

# Repair
if incorrect_privs
privileges_to_set = new_resource.privileges.map { |key| clean_grant_name(key) }

I've not tested my PR against an RDS database, but this one won't work to my mind. In this specific case my PR better handles it by working with desired_privs instead of new_resource.privileges.
See here for more details.

converge_by "Granting privs for '#{new_resource.username}'@'#{new_resource.host}'" do
repair_sql = "GRANT #{new_resource.privileges.join(',')}"
repair_sql = "GRANT #{privileges_to_set.join(',')}"
repair_sql << " ON #{db_name}.#{tbl_name}"
repair_sql << " TO '#{new_resource.username}'@'#{new_resource.host}' IDENTIFIED BY"
repair_sql << if new_resource.password.is_a?(HashedPassword)
" PASSWORD '#{new_resource.password}'"
else
" '#{new_resource.password}'"
end
repair_sql << " TO '#{new_resource.username}'@'#{new_resource.host}'"
unless new_resource.password.nil?
repair_sql << ' IDENTIFIED BY'
repair_sql << if new_resource.password.is_a?(HashedPassword)
" PASSWORD '#{new_resource.password}'"
else
" '#{new_resource.password}'"
end
end
repair_sql << ' REQUIRE SSL' if new_resource.require_ssl
repair_sql << ' REQUIRE X509' if new_resource.require_x509
repair_sql << ' WITH GRANT OPTION' if new_resource.grant_option
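Review bot: With `IDENTIFIED BY` skipped when `new_resource.password` is nil, the repair path sends a bare `GRANT ... TO 'user'@'host'`, and nothing in this hunk checks that the account already exists. On servers that still let GRANT create accounts implicitly (no `NO_AUTO_CREATE_USER` in `sql_mode`), that creates the user with no password, so the nil-password branch should confirm the user exists first or fail with a clear message. When a password is given, the GRANT still carries `IDENTIFIED BY` and rewrites it whenever privileges need repair, so #236 is only addressed for callers who omit the password. The value is also still interpolated unescaped into `" '#{new_resource.password}'"`.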
Expand All @@ -263,9 +267,9 @@ def revokify_key(key)
run_query(repair_sql)
run_query('FLUSH PRIVILEGES')
end
else
elsif !password_up_to_date && !new_resource.password.nil?
# The grants are correct, but perhaps the password needs updating?
update_user_password unless password_up_to_date
update_user_password
end
end
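Review bot: In `elsif !password_up_to_date && !new_resource.password.nil?` the nil test comes second, so `password_up_to_date` is still evaluated for resources that declare no password. If that is a method comparing the stored hash with `new_resource.password`, it does its work against nil for nothing; putting `!new_resource.password.nil?` first short-circuits it. The comment `# The grants are correct, but perhaps the password needs updating?` could also state that a nil password means the existing one is left alone, since that is the behaviour #236 asks for.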

Expand All @@ -286,7 +290,7 @@ def revokify_key(key)
desired_privs.each do |p|
key = p.to_s.capitalize.tr(' ', '_').gsub('Replication_', 'Repl_').gsub('Create_temporary_tables', 'Create_tmp_table').gsub('Show_databases', 'Show_db')
key = "#{key}_priv"
privs_to_revoke << revokify_key(p) if r[key] != 'N'
privs_to_revoke << clean_grant_name(p) if r[key] != 'N'
end
end
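Review bot: `privs_to_revoke << clean_grant_name(p) if r[key] != 'N'` treats a missing column as granted: if the translated `key` is not present in the row, `r[key]` is nil, the comparison is true, and the privilege is queued for revocation. The column name comes from the `gsub` chain two lines up while the SQL name comes from `clean_grant_name`, so the two translation tables can drift apart. Comparing with `== 'Y'` and moving the column-name mapping into its own helper next to `clean_grant_name` would make a mismatch harmless and easier to spot.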

11 changes: 9 additions & 2 deletions test/cookbooks/test/recipes/user_database.rb
Expand Up @@ -119,15 +119,22 @@
end

mariadb_user 'fozzie' do
database_name 'databass'
password 'wokkawokka'
host 'mars'
privileges [:select, :update, :insert]
privileges [:usage]
require_ssl true
ctrl_password 'gsql'
action :grant
end

mariadb_user 'fozzie' do
database_name 'databass'
host 'mars'
privileges [:select, :update, :insert, :show_view]
ctrl_password 'gsql'
action :grant
end

hash2 = hashed_password('*F798E7C0681068BAE3242AA2297D2360DBBDA62B'); # 'zokkazokka'

mariadb_user 'moozie' do
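Review bot: The second `mariadb_user 'fozzie'` block covers the password-less grant and one underscore privilege, `:show_view`, but none of the names that `resources/user.rb` special-cases in its `gsub` chain (`Replication_`, `Create_temporary_tables`, `Show_databases`). Adding one of those to the list, for example `:create_temporary_tables`, would exercise the underscore handling that #243 is about on a name that needs translation, not only on one that passes through unchanged.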
1 change: 1 addition & 0 deletions test/integration/resources/controls/user_spec.rb
Expand Up @@ -11,6 +11,7 @@

describe sql.query("show grants for 'fozzie'@'mars'") do
its(:stdout) { should include '*EF112B3D562CB63EA3275593C10501B59C4A390D' }
its(:stdout) { should include 'SHOW VIEW' }
end

describe sql.query('show grants for \'moozie\'@\'127.0.0.1\'') do
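Review bot: `should include 'SHOW VIEW'` matches anywhere in the `show grants` output, so it passes even if the privilege were granted at a different scope than `databass`. Matching the whole grant line (privilege list plus the `databass` target) would pin that down. An extra assertion that `REQUIRE SSL` is still reported after the second, password-less grant would guard the setting made by the first 'fozzie' block in the recipe.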