-
Notifications
You must be signed in to change notification settings - Fork 794
/
Copy pathmysql.rb
255 lines (226 loc) · 12.1 KB
/
mysql.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
require File.expand_path(File.join(File.dirname(__FILE__), '..', 'mysql'))
Puppet::Type.type(:mysql_user).provide(:mysql, parent: Puppet::Provider::Mysql) do
desc 'manage users for a mysql database.'
commands mysql_raw: 'mysql'
# Build a property_hash containing all the discovered information about MySQL
# users.
def self.instances
users = mysql_caller("SELECT CONCAT(User, '@',Host) AS User FROM mysql.user", 'regular').split("\n")
# To reduce the number of calls to MySQL we collect all the properties in
# one big swoop.
users.map do |name|
if mysqld_version.nil?
## Default ...
# rubocop:disable Metrics/LineLength
query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'"
elsif newer_than('mysql' => '5.7.6', 'percona' => '5.7.6')
query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT, AUTHENTICATION_STRING, PLUGIN FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'"
elsif newer_than('mariadb' => '10.1.21')
query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT, PASSWORD, PLUGIN, AUTHENTICATION_STRING FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'"
else
query = "SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT, PASSWORD /*!50508 , PLUGIN */ FROM mysql.user WHERE CONCAT(user, '@', host) = '#{name}'"
end
@max_user_connections, @max_connections_per_hour, @max_queries_per_hour,
@max_updates_per_hour, ssl_type, ssl_cipher, x509_issuer, x509_subject,
@password, @plugin, @authentication_string = mysql_caller(query, 'regular').chomp.split(%r{\t})
@tls_options = parse_tls_options(ssl_type, ssl_cipher, x509_issuer, x509_subject)
if newer_than('mariadb' => '10.1.21') && @plugin == 'ed25519'
# Some auth plugins (e.g. ed25519) use authentication_string
# to store password hash or auth information
@password = @authentication_string
elsif (newer_than('mariadb' => '10.2.16') && older_than('mariadb' => '10.2.19')) ||
(newer_than('mariadb' => '10.3.8') && older_than('mariadb' => '10.3.11'))
# Old mariadb 10.2 or 10.3 store password hash in authentication_string
# https://jira.mariadb.org/browse/MDEV-16238 https://jira.mariadb.org/browse/MDEV-16774
@password = @authentication_string
end
# rubocop:enable Metrics/LineLength
new(name: name,
ensure: :present,
password_hash: @password,
plugin: @plugin,
max_user_connections: @max_user_connections,
max_connections_per_hour: @max_connections_per_hour,
max_queries_per_hour: @max_queries_per_hour,
max_updates_per_hour: @max_updates_per_hour,
tls_options: @tls_options)
end
end
# We iterate over each mysql_user entry in the catalog and compare it against
# the contents of the property_hash generated by self.instances
def self.prefetch(resources)
users = instances
# rubocop:disable Lint/AssignmentInCondition
resources.keys.each do |name|
if provider = users.find { |user| user.name == name }
resources[name].provider = provider
end
end
# rubocop:enable Lint/AssignmentInCondition
end
def create
# (MODULES-3539) Allow @ in username
merged_name = @resource[:name].reverse.sub('@', "'@'").reverse
password_hash = @resource.value(:password_hash)
plugin = @resource.value(:plugin)
max_user_connections = @resource.value(:max_user_connections) || 0
max_connections_per_hour = @resource.value(:max_connections_per_hour) || 0
max_queries_per_hour = @resource.value(:max_queries_per_hour) || 0
max_updates_per_hour = @resource.value(:max_updates_per_hour) || 0
tls_options = @resource.value(:tls_options) || ['NONE']
# Use CREATE USER to be compatible with NO_AUTO_CREATE_USER sql_mode
# This is also required if you want to specify a authentication plugin
if !plugin.nil?
if !password_hash.nil?
self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}' AS '#{password_hash}'", 'system')
else
self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}'", 'system')
end
@property_hash[:ensure] = :present
@property_hash[:plugin] = plugin
elsif newer_than('mysql' => '5.7.6', 'percona' => '5.7.6', 'mariadb' => '10.1.3')
self.class.mysql_caller("CREATE USER IF NOT EXISTS '#{merged_name}' IDENTIFIED WITH 'mysql_native_password' AS '#{password_hash}'", 'system')
@property_hash[:ensure] = :present
@property_hash[:password_hash] = password_hash
else
self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED BY PASSWORD '#{password_hash}'", 'system')
@property_hash[:ensure] = :present
@property_hash[:password_hash] = password_hash
end
# rubocop:disable Metrics/LineLength
if newer_than('mysql' => '5.7.6', 'percona' => '5.7.6')
self.class.mysql_caller("ALTER USER IF EXISTS '#{merged_name}' WITH MAX_USER_CONNECTIONS #{max_user_connections} MAX_CONNECTIONS_PER_HOUR #{max_connections_per_hour} MAX_QUERIES_PER_HOUR #{max_queries_per_hour} MAX_UPDATES_PER_HOUR #{max_updates_per_hour}", 'system')
else
self.class.mysql_caller("GRANT USAGE ON *.* TO '#{merged_name}' WITH MAX_USER_CONNECTIONS #{max_user_connections} MAX_CONNECTIONS_PER_HOUR #{max_connections_per_hour} MAX_QUERIES_PER_HOUR #{max_queries_per_hour} MAX_UPDATES_PER_HOUR #{max_updates_per_hour}", 'system')
end
# rubocop:enable Metrics/LineLength
@property_hash[:max_user_connections] = max_user_connections
@property_hash[:max_connections_per_hour] = max_connections_per_hour
@property_hash[:max_queries_per_hour] = max_queries_per_hour
@property_hash[:max_updates_per_hour] = max_updates_per_hour
merged_tls_options = tls_options.join(' AND ')
if newer_than('mysql' => '5.7.6', 'percona' => '5.7.6', 'mariadb' => '10.2.0')
self.class.mysql_caller("ALTER USER '#{merged_name}' REQUIRE #{merged_tls_options}", 'system')
else
self.class.mysql_caller("GRANT USAGE ON *.* TO '#{merged_name}' REQUIRE #{merged_tls_options}", 'system')
end
@property_hash[:tls_options] = tls_options
exists? ? (return true) : (return false)
end
def destroy
# (MODULES-3539) Allow @ in username
merged_name = @resource[:name].reverse.sub('@', "'@'").reverse
if_exists = if newer_than('mysql' => '5.7', 'percona' => '5.7', 'mariadb' => '10.1.3')
'IF EXISTS '
else
''
end
self.class.mysql_caller("DROP USER #{if_exists}'#{merged_name}'", 'system')
@property_hash.clear
exists? ? (return false) : (return true)
end
def exists?
@property_hash[:ensure] == :present || false
end
##
## MySQL user properties
##
# Generates method for all properties of the property_hash
mk_resource_methods
def password_hash=(string)
merged_name = self.class.cmd_user(@resource[:name])
plugin = @resource.value(:plugin)
# We have a fact for the mysql version ...
if mysqld_version.nil?
# default ... if mysqld_version does not work
self.class.mysql_caller("SET PASSWORD FOR #{merged_name} = '#{string}'", 'system')
elsif newer_than('mariadb' => '10.1.21') && plugin == 'ed25519'
raise ArgumentError, _('ed25519 hash should be 43 bytes long.') unless string.length == 43
# ALTER USER statement is only available upstream starting 10.2
# https://mariadb.com/kb/en/mariadb-1020-release-notes/
if newer_than('mariadb' => '10.2.0')
sql = "ALTER USER #{merged_name} IDENTIFIED WITH ed25519 AS '#{string}'"
else
concat_name = @resource[:name]
sql = "UPDATE mysql.user SET password = '', plugin = 'ed25519'"
sql << ", authentication_string = '#{string}'"
sql << " where CONCAT(user, '@', host) = '#{concat_name}'; FLUSH PRIVILEGES"
end
self.class.mysql_caller(sql, 'system')
elsif newer_than('mysql' => '5.7.6', 'percona' => '5.7.6', 'mariadb' => '10.2.0')
raise ArgumentError, _('Only mysql_native_password (*ABCD...XXX) hashes are supported.') unless string =~ %r{^\*|^$}
self.class.mysql_caller("ALTER USER #{merged_name} IDENTIFIED WITH mysql_native_password AS '#{string}'", 'system')
else
self.class.mysql_caller("SET PASSWORD FOR #{merged_name} = '#{string}'", 'system')
end
(password_hash == string) ? (return true) : (return false)
end
def max_user_connections=(int)
merged_name = self.class.cmd_user(@resource[:name])
self.class.mysql_caller("GRANT USAGE ON *.* TO #{merged_name} WITH MAX_USER_CONNECTIONS #{int}", 'system').chomp
(max_user_connections == int) ? (return true) : (return false)
end
def max_connections_per_hour=(int)
merged_name = self.class.cmd_user(@resource[:name])
self.class.mysql_caller("GRANT USAGE ON *.* TO #{merged_name} WITH MAX_CONNECTIONS_PER_HOUR #{int}", 'system').chomp
(max_connections_per_hour == int) ? (return true) : (return false)
end
def max_queries_per_hour=(int)
merged_name = self.class.cmd_user(@resource[:name])
self.class.mysql_caller("GRANT USAGE ON *.* TO #{merged_name} WITH MAX_QUERIES_PER_HOUR #{int}", 'system').chomp
(max_queries_per_hour == int) ? (return true) : (return false)
end
def max_updates_per_hour=(int)
merged_name = self.class.cmd_user(@resource[:name])
self.class.mysql_caller("GRANT USAGE ON *.* TO #{merged_name} WITH MAX_UPDATES_PER_HOUR #{int}", 'system').chomp
(max_updates_per_hour == int) ? (return true) : (return false)
end
def plugin=(string)
merged_name = self.class.cmd_user(@resource[:name])
if newer_than('mariadb' => '10.1.21') && string == 'ed25519'
if newer_than('mariadb' => '10.2.0')
sql = "ALTER USER #{merged_name} IDENTIFIED WITH '#{string}' AS '#{@resource[:password_hash]}'"
else
concat_name = @resource[:name]
sql = "UPDATE mysql.user SET password = '', plugin = '#{string}'"
sql << ", authentication_string = '#{@resource[:password_hash]}'"
sql << " where CONCAT(user, '@', host) = '#{concat_name}'; FLUSH PRIVILEGES"
end
elsif newer_than('mysql' => '5.7.6', 'percona' => '5.7.6')
sql = "ALTER USER #{merged_name} IDENTIFIED WITH '#{string}'"
sql << " AS '#{@resource[:password_hash]}'" if string == 'mysql_native_password'
else
# See https://bugs.mysql.com/bug.php?id=67449
sql = "UPDATE mysql.user SET plugin = '#{string}'"
sql << ((string == 'mysql_native_password') ? ", password = '#{@resource[:password_hash]}'" : ", password = ''")
sql << " WHERE CONCAT(user, '@', host) = '#{@resource[:name]}'"
end
self.class.mysql_caller(sql, 'system')
(plugin == string) ? (return true) : (return false)
end
def tls_options=(array)
merged_name = self.class.cmd_user(@resource[:name])
merged_tls_options = array.join(' AND ')
if newer_than('mysql' => '5.7.6', 'percona' => '5.7.6', 'mariadb' => '10.2.0')
self.class.mysql_caller("ALTER USER #{merged_name} REQUIRE #{merged_tls_options}", 'system')
else
self.class.mysql_caller("GRANT USAGE ON *.* TO #{merged_name} REQUIRE #{merged_tls_options}", 'system')
end
(tls_options == array) ? (return true) : (return false)
end
def self.parse_tls_options(ssl_type, ssl_cipher, x509_issuer, x509_subject)
if ssl_type == 'ANY'
['SSL']
elsif ssl_type == 'X509'
['X509']
elsif ssl_type == 'SPECIFIED'
options = []
options << "CIPHER '#{ssl_cipher}'" if !ssl_cipher.nil? && !ssl_cipher.empty?
options << "ISSUER '#{x509_issuer}'" if !x509_issuer.nil? && !x509_issuer.empty?
options << "SUBJECT '#{x509_subject}'" if !x509_subject.nil? && !x509_subject.empty?
options
else
['NONE']
end
end
end