diff options
author | Robin Miller <robin.miller@jamfsoftware.com> | 2015-05-05 17:54:02 -0500 |
---|---|---|
committer | Robin Miller <robin.miller@jamfsoftware.com> | 2015-05-26 12:56:08 -0500 |
commit | 74b7ce9dcf93b1f37597ded6e6990d1e993a3b68 (patch) | |
tree | dde2c18a1772f741512749e780dcf7261ce59a40 | |
parent | 48c83a0d9d45bac26a33cbea40a06232149ed3e9 (diff) | |
download | ansible-modules-core-74b7ce9dcf93b1f37597ded6e6990d1e993a3b68.tar.gz |
Only revoke actually granted permissions, not 'ALL'.
This prevents errors when the login_user does not have 'ALL'
permissions, and the 'priv' value contains fewer permissions than are
held by an existing user. This is particularly an issue when using an
Amazon Web Services RDS instance, as there is no (accessible) user with
'ALL' permissions on *.*.
-rw-r--r-- | database/mysql/mysql_user.py | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/database/mysql/mysql_user.py b/database/mysql/mysql_user.py index ba5b6370..824f2b47 100644 --- a/database/mysql/mysql_user.py +++ b/database/mysql/mysql_user.py @@ -245,7 +245,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs): grant_option = True if db_table not in new_priv: if user != "root" and "PROXY" not in priv and not append_privs: - privileges_revoke(cursor, user,host,db_table,grant_option) + privileges_revoke(cursor, user,host,db_table,priv,grant_option) changed = True # If the user doesn't currently have any privileges on a db.table, then @@ -262,7 +262,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs): priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table]) if (len(priv_diff) > 0): if not append_privs: - privileges_revoke(cursor, user,host,db_table,grant_option) + privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option) privileges_grant(cursor, user,host,db_table,new_priv[db_table]) changed = True @@ -342,7 +342,7 @@ def privileges_unpack(priv): return output -def privileges_revoke(cursor, user,host,db_table,grant_option): +def privileges_revoke(cursor, user,host,db_table,priv,grant_option): # Escape '%' since mysql db.execute() uses a format string db_table = db_table.replace('%', '%%') if grant_option: @@ -350,7 +350,8 @@ def privileges_revoke(cursor, user,host,db_table,grant_option): query.append("FROM %s@%s") query = ' '.join(query) cursor.execute(query, (user, host)) - query = ["REVOKE ALL PRIVILEGES ON %s" % mysql_quote_identifier(db_table, 'table')] + priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv)) + query = ["REVOKE %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))] query.append("FROM %s@%s") query = ' '.join(query) cursor.execute(query, (user, host)) |