Merge "Support custom privileges for managed MySQL users"
commit
00944b8c36
|
@ -17,7 +17,8 @@ Users will be created if Heat Metadata is passed in under the
|
|||
Ref: SomeWaitConditionHandle
|
||||
|
||||
This will cause mysql to create the user 'dbuser1' if it does not exist,
|
||||
and grant it all privileges on somedb. It will have a random password
|
||||
and grant it all privileges on somedb. If no 'database' parameter is supplied,
|
||||
the user will be given access to all databases. It will have a random password
|
||||
generated and passed to the WaitConditionHandle with the key of the
|
||||
username, and password as the data. A password can also be given for
|
||||
the user like this:
|
||||
|
@ -30,3 +31,12 @@ the user like this:
|
|||
|
||||
If a userhandle is also given with the password, it will be passed to
|
||||
the wait condition handle in the same manner.
|
||||
|
||||
Privileges may be restricted for the user like so:
|
||||
|
||||
mysql:
|
||||
create-users:
|
||||
- username: dbuser2
|
||||
database: somedb
|
||||
password: abcdefg12345
|
||||
privilege: "USAGE, SELECT"
|
||||
|
|
|
@ -78,13 +78,23 @@ to_create = should_exist - existing
|
|||
|
||||
for createuser in to_create:
|
||||
dbvalue = by_user[createuser]
|
||||
|
||||
username = dbvalue['username']
|
||||
database = dbvalue.get('database', None)
|
||||
privilege = dbvalue.get('privilege', 'ALL')
|
||||
|
||||
if 'password' in dbvalue:
|
||||
password = dbvalue['password']
|
||||
else:
|
||||
password = base64.b64encode(os.urandom(30))
|
||||
|
||||
cmd = "GRANT ALL PRIVILEGES ON `%s`.* TO `%s`@'%%' IDENTIFIED BY '%s'" % (
|
||||
dbvalue['database'], dbvalue['username'], password)
|
||||
if database is not None:
|
||||
cmd = "GRANT %s ON `%s`.*" % (privilege, database)
|
||||
else:
|
||||
cmd = "GRANT %s ON *.*" % (privilege)
|
||||
|
||||
cmd += " TO `%s`@'%%' IDENTIFIED BY '%s'" % (username, password)
|
||||
|
||||
if opts.noop:
|
||||
print("%s" % (cmd))
|
||||
else:
|
||||
|
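Review bot: The `privilege` value read with `dbvalue.get('privilege', 'ALL')` is spliced verbatim into the GRANT text (`"GRANT %s ON ..." % (privilege, ...)`), as are `database` and `username` on the same lines, so whatever string sits in the Heat metadata becomes part of the SQL statement with no check that it is actually a privilege list or an identifier. Where that metadata comes from and how `cmd` is finally run are both outside this hunk, so I would gate the three values here rather than rely on the caller: accept only comma-separated privilege keywords and refuse identifiers that are empty or contain a backtick, which is the one character the surrounding backtick quoting cannot absorb. Separately, the new fallback `cmd = "GRANT %s ON *.*" % (privilege)` combined with the default `'ALL'` means omitting `database` hands out ALL on every database, which in MySQL is effectively a global superuser; the prose hunk documents this, but a warning there, or requiring an explicit `privilege` whenever `database` is absent, would make that a deliberate choice rather than an easy omission. The `for createuser in to_create:` body continues past the end of this hunk.

```python
    username = dbvalue['username']
    database = dbvalue.get('database', None)
    privilege = dbvalue.get('privilege', 'ALL')

    # All three are pasted straight into the GRANT below, so only allow a
    # plain comma-separated keyword list and backtick-free identifiers.
    if not privilege or set(privilege.upper()) - set('ABCDEFGHIJKLMNOPQRSTUVWXYZ_, '):
        raise ValueError("unsafe privilege %r for user %s" % (privilege, username))
    for ident in (username, database):
        if ident is not None and (not ident or '`' in ident):
            raise ValueError("unsafe identifier %r for user %s" % (ident, username))
    # … unchanged: password selection, GRANT assembly, noop/execute …
```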
@ -94,7 +104,7 @@ for createuser in to_create:
|
|||
|
||||
if 'userhandle' in dbvalue:
|
||||
# Inform Heat of new password for this user
|
||||
cmd = ['/opt/aws/bin/cfn-signal', '-i', dbvalue['username'],
|
||||
cmd = ['/opt/aws/bin/cfn-signal', '-i', username,
|
||||
'-s', 'true', '--data', password, dbvalue['userhandle']]
|
||||
if opts.noop:
|
||||
print(cmd)
|
||||
|
|