Vh$ddlmZmZmZeZdZdZdZddl m Z ddl m Z m Z mZmZddlmZmZmZmZmZmZddlmZdd lmZdd ZGd d ZGd dZGddZGddZGddZ GddZ!dZ"e#dk(re"yy))absolute_importdivisionprint_functionu --- module: mysql_role short_description: Adds, removes, or updates a MySQL or MariaDB role description: - Adds, removes, or updates a MySQL or MariaDB role. - Roles are supported since MySQL 8.0.0 and MariaDB 10.0.5. version_added: '2.2.0' options: name: description: - Name of the role to add or remove. type: str required: true admin: description: - Supported by B(MariaDB). - Name of the admin user of the role (the I(login_user), by default). type: str priv: description: - "MySQL privileges string in the format: C(db.table:priv1,priv2)." - "You can specify multiple privileges by separating each one using a forward slash: C(db.table:priv/db.table:priv)." - The format is based on MySQL C(GRANT) statement. - Database and table names can be quoted, MySQL-style. - If column privileges are used, the C(priv1,priv2) part must be exactly as returned by a C(SHOW GRANT) statement. If not followed, the module will always report changes. It includes grouping columns by permission (C(SELECT(col1,col2)) instead of C(SELECT(col1),SELECT(col2))). - Can be passed as a dictionary (see the examples). - Supports GRANTs for procedures and functions (see the examples for the M(community.mysql.mysql_user) module). type: raw append_privs: description: - Append the privileges defined by the I(priv) option to the existing ones for this role instead of overwriting them. Mutually exclusive with I(subtract_privs). type: bool default: false subtract_privs: description: - Revoke the privileges defined by the I(priv) option and keep other existing privileges. If set, invalid privileges in I(priv) are ignored. Mutually exclusive with I(append_privs). version_added: '3.2.0' type: bool default: false members: description: - List of members of the role. - For users, use the format C(username@hostname). Always specify the hostname part explicitly. - For roles, use the format C(rolename). - Mutually exclusive with I(admin). type: list elements: str append_members: description: - Add members defined by the I(members) option to the existing ones for this role instead of overwriting them. - Mutually exclusive with the I(detach_members) and I(admin) option. type: bool default: false detach_members: description: - Detaches members defined by the I(members) option from the role instead of overwriting all the current members. - Mutually exclusive with the I(append_members) and I(admin) option. type: bool default: false set_default_role_all: description: - Is not supported by MariaDB and is silently ignored when working with MariaDB. - If C(yes), runs B(SET DEFAULT ROLE ALL TO) each of the I(members) when changed. - If you want to avoid this behavior, set this option to C(no) explicitly. type: bool default: true state: description: - If C(present) and the role does not exist, creates the role. - If C(present) and the role exists, does nothing or updates its attributes. - If C(absent), removes the role. type: str choices: [ absent, present ] default: present check_implicit_admin: description: - Check if mysql allows login as root/nopassword before trying supplied credentials. - If success, passed I(login_user)/I(login_password) will be ignored. type: bool default: false members_must_exist: description: - When C(yes), the module fails if any user in I(members) does not exist. - When C(no), users in I(members) which don't exist are simply skipped. type: bool default: true column_case_sensitive: description: - The default is C(false). - When C(true), the module will not uppercase the field in the privileges. - When C(false), the field names will be upper-cased. This was the default before this feature was introduced but since MySQL/MariaDB is case sensitive you should set this to C(true) in most cases. type: bool version_added: '3.8.0' notes: - Roles are supported since MySQL 8.0.0 and MariaDB 10.0.5. - Pay attention that the module runs C(SET DEFAULT ROLE ALL TO) all the I(members) passed by default when the state has changed. If you want to avoid this behavior, set I(set_default_role_all) to C(no). attributes: check_mode: support: full seealso: - module: community.mysql.mysql_user - name: MySQL role reference description: Complete reference of the MySQL role documentation. link: https://dev.mysql.com/doc/refman/8.0/en/create-role.html author: - Andrew Klychkov (@Andersson007) - Felix Hamme (@betanummeric) - kmarse (@kmarse) - Laurent Indermühle (@laurent-indermuehle) extends_documentation_fragment: - community.mysql.mysql al # If you encounter the "Please explicitly state intended protocol" error, # use the login_unix_socket argument, for example, login_unix_socket: /run/mysqld/mysqld.sock # Example of a .my.cnf file content for setting a root password # [client] # user=root # password=n<_665{vS43y # # Example of a privileges dictionary passed through the priv option # priv: # 'mydb.*': 'INSERT,UPDATE' # 'anotherdb.*': 'SELECT' # 'yetanotherdb.*': 'ALL' # # You can also use the string format like in the community.mysql.mysql_user module, for example # mydb.*:INSERT,UPDATE/anotherdb.*:SELECT/yetanotherdb.*:ALL # # For more examples on how to specify privileges, refer to the community.mysql.mysql_user module # Create a role developers with all database privileges # and add alice and bob as members. # The statement 'SET DEFAULT ROLE ALL' to them will be run. - name: Create role developers, add members community.mysql.mysql_role: name: developers state: present priv: '*.*:ALL' members: - 'alice@%' - 'bob@%' - name: Same as above but do not run SET DEFAULT ROLE ALL TO each member community.mysql.mysql_role: name: developers state: present priv: '*.*:ALL' members: - 'alice@%' - 'bob@%' set_default_role_all: false # Assuming that the role developers exists, # add john to the current members - name: Add members to an existing role community.mysql.mysql_role: name: developers state: present append_members: true members: - 'joe@localhost' # Create role readers with the SELECT privilege # on all tables in the fiction database - name: Create role developers, add members community.mysql.mysql_role: name: readers state: present priv: 'fiction.*:SELECT' # Assuming that the role readers exists, # add the UPDATE privilege to the role on all tables in the fiction database - name: Create role developers, add members community.mysql.mysql_role: name: readers state: present priv: 'fiction.*:UPDATE' append_privs: true - name: Create role with the 'SELECT' and 'UPDATE' privileges in db1 and db2 community.mysql.mysql_role: state: present name: foo priv: 'db1.*': 'SELECT,UPDATE' 'db2.*': 'SELECT,UPDATE' - name: Remove joe from readers community.mysql.mysql_role: state: present name: readers members: - 'joe@localhost' detach_members: true - name: Remove the role readers if exists community.mysql.mysql_role: state: absent name: readers - name: Example of using login_unix_socket to connect to the server community.mysql.mysql_role: name: readers state: present login_unix_socket: /var/run/mysqld/mysqld.sock # Pay attention that the admin cannot be changed later # and will be ignored if a role currently exists. # To change members, you need to run a separate task using the admin # of the role as the login_user. - name: On MariaDB, create the role readers with alice as its admin community.mysql.mysql_role: state: present name: readers admin: 'alice@%' - name: Create the role business, add the role marketing to members community.mysql.mysql_role: state: present name: business members: - marketing - name: Ensure the role foo does not have the DELETE privilege community.mysql.mysql_role: state: present name: foo subtract_privs: true priv: 'db1.*': DELETE - name: Add some members to a role and skip not-existent users community.mysql.mysql_role: state: present name: foo append_members: true members_must_exist: false members: - 'existing_user@localhost' - 'not_existing_user@localhost' - name: Detach some members from a role and ignore not-existent users community.mysql.mysql_role: state: present name: foo detach_members: true members_must_exist: false members: - 'existing_user@localhost' - 'not_existing_user@localhost' #) AnsibleModule) mysql_connect mysql_drivermysql_driver_fail_msgmysql_common_argument_spec)convert_priv_dict_to_strget_user_implementationget_modeuser_modprivileges_grantprivileges_unpack) to_native) iteritemscg}|D]} |jd}|ddk(r|jdt|dk(r0|s|j|ddfn>|j|ddfn't|dk(r|j|d|df|S#t$r.}d |d t |d }|j|Yd }~d }~wwxYw) aNormalize passed user names. Example of transformation: ['user0'] => [('user0', '')] / ['user0'] => [('user0', '%')] ['user0@host0'] => [('user0', 'host0')] Args: module (AnsibleModule): Object of the AnsibleModule class. users (list): List of user names. is_mariadb (bool): Flag indicating we are working with MariaDB Returns: list: List of tuples like [('user0', ''), ('user0', 'host0')]. @rzMember's name cannot be empty.msg%z&Error occured while parsing the name "z": z=. It must be in the format "username" or "username@hostname" N)split fail_jsonlenappend Exceptionr)moduleusers is_mariadbnormalized_usersusertmpers n/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/mysql/plugins/modules/mysql_role.pynormalize_usersr)Cs& &**S/C1v|  %E F3x1}!$++SVSM:$++SVRL9SQ ''QQ(89&,   &.29Q<AC     % %  &sBB C&$CCcFeZdZdZdZdZdZdZdZdZ dZ d Z d Z y ) DbServeraClass to fetch information from a database. Args: module (AnsibleModule): Object of the AnsibleModule class. cursor (cursor): Cursor object of a database Python connector. Attributes: module (AnsibleModule): Object of the AnsibleModule class. cursor (cursor): Cursor object of a database Python connector. role_impl (library): Corresponding library depending on a server type (MariaDB or MySQL) mariadb (bool): True if MariaDB, False otherwise. roles_supported (bool): True if roles are supported, False otherwise. users (set): Set of users existing in a DB in the form (username, hostname). c||_||_|j|_|jj |_|jj |j|_t|j|_ yN) r!cursorget_implementation role_implr#mariadbsupports_rolesroles_supportedset_DbServer__get_usersr")selfr!r.s r(__init__zDbServer.__init__}sd  002~~002 #~~<y)zCheck if users exist in a database. Args: users (list): List of tuples (username, hostname) to check. z User / role `rz ` with host `rz` does not existrN)r"r!r)r6r"r%rs r(check_users_in_dbzDbServer.check_users_in_dbsI  /D4::%JNq'SWXYSZ[ %%#%. /r8c#@K|D]}||jvs|ywr-r")r6r"r%s r(filter_existing_userszDbServer.filter_existing_userss& Dtzz!  scl|jjd|jjS)z\Get users. Returns: list: List of tuples (username, hostname). z!SELECT User, Host FROM mysql.userr.r=fetchallr:s r( __get_userszDbServer.__get_userss* ?@{{##%%r8c|jS)z|Get set of tuples (username, hostname) existing in a DB. Returns: self.users: Attribute value. rKr:s r( get_userszDbServer.get_userss zzr8c|r|jjd||fn|jjd|f|jjS)zGet grants. Args: user (str): User name host (str): Host name Returns: list: List of tuples like [(grant1,), (grant2,), ... ]. zSHOW GRANTS FOR %s@%szSHOW GRANTS FOR %srN)r6r%hosts r( get_grantszDbServer.get_grantssJ  KK   7$ F KK   4tg >{{##%%r8N) __name__ __module__ __qualname____doc__r7r#r2r/rIrLr5rRrUr8r(r+r+ms4-$  / &&r8r+c0eZdZdZdZdZdZdZddZy) MySQLQueryBuilderzClass to build and return queries specific to MySQL. Args: name (str): Role name. host (str): Role host. Attributes: name (str): Role name. host (str): Role host. c ||_||_yr-namerT)r6r_rTs r(r7zMySQLQueryBuilder.__init__s  r8c6d|j|jffS)zReturn a query to check if a role with self.name and self.host exists in a database. Returns: tuple: (query_string, tuple_containing_parameters). z=SELECT count(*) FROM mysql.user WHERE user = %s AND host = %sr^r:s r( role_existszMySQLQueryBuilder.role_existss# OQUQZQZ\`\e\ePfffr8c|dr"d|j|j|d|dffSd|j|j|dffS)zReturn a query to grant a role to a user or a role. Args: user (tuple): User / role to grant the role to in the form (username, hostname). Returns: tuple: (query_string, tuple_containing_parameters). rzGRANT %s@%s TO %s@%srzGRANT %s@%s TO %sr^r6r%s r( role_grantzMySQLQueryBuilder.role_grantsN 7)DIItyy$q'4PQ7+SS S&DIItAw(GG Gr8c|dr"d|j|j|d|dffSd|j|j|dffS)Return a query to revoke a role from a user or role. Args: user (tuple): User / role to revoke the role from in the form (username, hostname). Returns: tuple: (query_string, tuple_containing_parameters). rzREVOKE %s@%s FROM %s@%srzREVOKE %s@%s FROM %sr^rcs r( role_revokezMySQLQueryBuilder.role_revokesN 7,tyy$))T!WdSTg.VV V)DIItyy$q'+JJ Jr8Nc d|jffS)aReturn a query to create a role. Args: admin (tuple): Admin user in the form (username, hostname). Because it is not supported by MySQL, we ignore it. Returns: tuple: (query_string, tuple_containing_parameters). CREATE ROLE %sr_r6admins r( role_createzMySQLQueryBuilder.role_create s $))--r8r- rVrWrXrYr7rardrgrmrZr8r(r\r\s# g H K .r8r\c0eZdZdZdZdZdZdZddZy) MariaDBQueryBuilderzClass to build and return queries specific to MariaDB. Args: name (str): Role name. Attributes: name (str): Role name. c||_yr-rj)r6r_s r(r7zMariaDBQueryBuilder.__init__ s  r8c d|jffS)zReturn a query to check if a role with self.name exists in a database. Returns: tuple: (query_string, tuple_containing_parameters). zBSELECT count(*) FROM mysql.user WHERE user = %s AND is_role = 'Y'rjr:s r(razMariaDBQueryBuilder.role_exists#s TVZV_V_Uaaar8c`|drd|j|d|dffSd|j|dffS)zReturn a query to grant a role to a user or role. Args: user (tuple): User / role to grant the role to in the form (username, hostname). Returns: tuple: (query_string, tuple_containing_parameters). rzGRANT %s TO %s@%srzGRANT %s TO %srjrcs r(rdzMariaDBQueryBuilder.role_grant+sA 7&DGT!W(EE E#diia%99 9r8c`|drd|j|d|dffSd|j|dffS)rfrzREVOKE %s FROM %s@%srzREVOKE %s FROM %srjrcs r(rgzMariaDBQueryBuilder.role_revoke9sA 7)DIItAwQ+HH H&DG(<< )r6querys r(r|zMariaDBRoleImpl.get_admins8 : EDII<0{{##%%r8c|d}|d}|j}||f|k7r+d|dd|dd}|jj|yy)zSet an admin of a role. TODO: Implement changing when ALTER ROLE statement to change role's admin gets supported. Args: admin (tuple): Admin user of the role in the form (username, hostname). rrz6The "admin" option value and the current roles admin (rzZ) don not match. Ignored. To change the admin, you need to drop and create the role again.N)r|r!warn)r6rl admin_user admin_host current_adminrs r(r~zMariaDBRoleImpl.set_adminsa1X 1X (  #} 4%2!$4mA6FHC KK  S ! 5r8NrrZr8r(rrs    &"r8rcbeZdZdZdZdZ d dZd dZ d dZd dZ d dZ dd Z d Z y )RoleaClass to work with MySQL role objects. Args: module (AnsibleModule): Object of the AnsibleModule class. cursor (cursor): Cursor object of a database Python connector. name (str): Role name. server (DbServer): Object of the DbServer class. Attributes: module (AnsibleModule): Object of the AnsibleModule class. cursor (cursor): Cursor object of a database Python connector. name (str): Role name. server (DbServer): Object of the DbServer class. host (str): Role's host. full_name (str): Role's full name. exists (bool): Indicates if a role exists or not. members (set): Set of current role's members. c||_||_||_||_|jj |_|jrft |j|_t|j|j|j|_d|jz|_ d|_ nd|_ t|j|j|_t|j|j|j|j|_d|jd|jd|_ |j|_t|_|jr|j#|_yy)Nz`%s`rr`z`@`)r!r.r_serverr#rp q_builderrr0 full_namerTr\rw_Role__role_existsexistsr4members_Role__get_members)r6r!r.r_rs r(r7z Role.__init__s    ++002 ??0;DN,T[[$++tyyQDN#dii/DNDIDI.tyy$))DDN*4;; TYYPTPYPYZDN,0IItyyADN((* u ;;--/DL r8c|jj|jj|jj ddkDS)zsCheck if a role exists. Returns: bool: True if the role exists, False if it does not. r)r.r=rrar>r:s r( __role_existszRole.__role_existssB  T^^779:{{##%a(1,,r8c P|r|jsyy|jj|jj ||r|j |||rMt |D]?\}}t|j|j|j||d|jAy)aAdd a role. Args: users (list): Role members. privs (str): String containing privileges. check_mode (bool): If True, just checks and does nothing. admin (tuple): Role's admin. Contains (username, hostname). set_default_role_all (bool): If True, runs SET DEFAULT ROLE ALL TO each member. Returns: bool: True if the state has changed, False if has not. TF)rzN) tls_requires maria_role) rr.r=rrmupdate_membersrrr_rTr#)r6r"privs check_moderlrzdb_tableprivs r(addzRole.adds ;; T^^77>?    

%>t%DE'NN77=  NLL AD5 T-B%B..tZ@ Ar8c`|syd}|D]#}||jvs|j||}%|S)zRemove members from a role. Args: users (list): Role members. check_mode (bool): If True, just checks and does nothing. Returns: bool: True if the state has changed, False if has not. F)rr)r6r"rrr%s r(remove_memberszRole.remove_membersWsE ADt||#..tZ@ Ar8cn|ry|jj|jj|y)aRemove a member from a role. Args: user (str): Role member to remove. check_mode (bool): If True, just returns True and does nothing. Returns: bool: True if the state has changed, False if has not. T)r.r=rrg)r6r%rs r(__remove_memberzRole.__remove_memberks0  T^^77=>r8c d} d} |r+|r|j||} n|j|||| } |r|tdid|jd|jd|j ddd dd dd dd dd dddd|d|d|ddddd|j ddddddd|j} | d} |r|jj|| xs| } | S)aJUpdate a role. Update a role if needed. Todo: Implement changing of role's admin when ALTER ROLE statement to do that gets supported. Args: users (list): Role members. privs (str): String containing privileges. check_mode (bool): If True, just checks and does nothing. append_privs (bool): If True, adds new privileges passed through privs not touching current privileges. subtract_privs (bool): If True, revoke the privileges passed through privs not touching other existing privileges. append_members (bool): If True, adds new members passed through users not touching current members. detach_members (bool): If True, removes members passed through users from a role. admin (tuple): Role's admin. Contains (username, hostname). set_default_role_all (bool): If True, runs SET DEFAULT ROLE ALL TO each member. Returns: bool: True if the state has changed, False if has not. F)r)rrrzr.r%rThost_allNpassword encryptedpluginplugin_auth_stringplugin_hash_stringsaltnew_priv append_privssubtract_privs attributesrr!password_expirepassword_expire_intervalrFTrrrZ) rrrr.r_rTr!r#r0r~) r6r"rrrrrdetach_membersrlrzrmembers_changedresults r(updatez Role.update|sr8 "&"5"5e "5"S#'"5"5e ESK_#6#a dT[[dtyydtyyd'+d6:dFJdSWd15dJNdUYd(-d!%@$FK,0%N("/42749156p +r8rc~ t}|jtddtddddgtdtdtd d td d td d td d td d td d td d td d td d  t|dd}|jd}|jd}|jd}|jd}|jd}|jd}|jd}|jd} |jd} |jd} |j |jd} |jd} |jd}|jd}|jd}|jd }|jd!}|jd"}d#}|jd$}|jd%}|jd&}|r6t |ttfs d't|z}|j|(|rt |tr t|}t|jt(|d }|jd)d} |r t|d*d#| ||||| |d+ \}}|st|||| ||||| |d+ \}}d }t#|}| t%|} t'||| .}t)||}|j+sd0}|j|(|rD|j-s|jd1(t/||gd2}|j1|g| rIt/|| |j-} |r|j1| nt3|j5| } t7||||} |dk(rX| j8s(| rd}|rd} | j;| ||j<||}nD| j| ||j<| | |||| }n |dk(r| j?|j<}|jA|3y#t$rYwxYw#t$r,}|jd,| d-t!|(Yd}~d}~wwxYw#t$r&}|jt!|(Yd}~d}~wwxYw#t$r)}|jd/t!|z(Yd}~d}~wwxYw#t$r%}|jt!|(Yd}~d}~wwxYw)4NstrT)typerequiredpresentabsent)rdefaultchoices)rrawboolF)rrlist)relements) r_staterlrrrrrrcheck_implicit_adminrzmembers_must_existcolumn_case_sensitive))rr)rlr)rlr)rlr)rr) argument_specsupports_check_modemutually_exclusive login_userlogin_passwordr_rrlrrconnect_timeout config_filerrrrr client_cert client_keyca_certcheck_hostnamerrzrrz:The "priv" parameter must be str or dict but %s was passedrzOption column_case_sensitive is not provided. The default is now false, so the column's name will be uppercased. The default will be changed to true in community.mysql 4.0.0.r)rr autocommitzRunable to connect to database, check login_user and login_password are correct or z) has the credentials. Exception message: ) ensure_usagezInvalid privileges string: %szZRoles are not supported by the server. Minimal versions are MySQL 8.0.0 or MariaDB 10.0.5.z1The "admin" option can be used only with MariaDB.r)r)!r rdictrparamsboolean isinstancerrrr r r rrr rr rrr+r2r#r)rIrrLrrrrr exit_json)!rr!rrr_rrlrrrrrrrrrssl_certssl_keyssl_cardbrzrrrr.db_connr'rimplmoderrFs! r(mainrsl.0M ut ,y8Y:OP u vu57&5177!vu=!vt<VT:"=#   F|,J]]#34N == D MM' "E MM' "E == D!==)?@mm$56O-- .K==0L^^FMM2B$CDNmmI&G]]#34N]]#34N}}]+HmmL)G ]]9 %F]]#34N B!==)?@';<"MM*AB Jtc4[1#%)$Z0S! 4&'-23$ % T UFT  "/K08'62@O?M;? #A+FJ,77,2B;I7; =OFGG "6 *D  /F#D Q$T41FYgUghDff %F  "ES!   "   !T  U03  %)!&'63D3D3FG   $ $W -677@AG f -D+ I ;;!D!"G((7D&2C2CU#79++gtV5F5F Vd&4ne&:<h ii 1 12G  W%]   T9DYq\S T TT /   1  . . /  Q   !@9Qansible_collections.community.mysql.plugins.module_utils.mysqlrr r r =ansible_collections.community.mysql.plugins.module_utils.userr r rrrransible.module_utils._textransible.module_utils.sixrr)r+r\rprwrrrrVrZr8r(rsA@ T lL \ 4 1.'Tg&g&T=.=.@?I?ID1 1 h:":"zt+t+n]&@ zFr8