break: change user's privileges

2021-08-18 15:30:41 +02:00 · 2021-08-18 15:30:41 +02:00 · 9b5275aa2b
commit 9b5275aa2b
parent bfb5bd0233
6 changed files with 19 additions and 129 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,10 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)

 ## [Unreleased]

+### Break
+
+- change user's privileges
+
 ### Added

 - add support for debian 11
--- a/README.md
+++ b/README.md
@ -21,15 +21,9 @@ Install and configure InfluxDB
 - name: test
  password: secret
  admin: true
-  state: present
-```
-
-* `influxdb_privileges` - array with the privileges
-
-```
- user: test
-  database: metric
-  privilege: WRITE
+  grants:
+    - database: collectd
+      privilege: WRITE 
  state: present
 ```

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,7 +1,6 @@
 ---
 influxdb_databases: []
 influxdb_users: []
-influxdb_privileges: []
 influxdb_api_user: user
 influxdb_api_password: password
 influxdb_api_port: 8086
--- a/library/influxdb_privilege.py
+++ b/library/influxdb_privilege.py
@ -1,94 +0,0 @@
-#!/usr/bin/python
-
-from ansible.module_utils.basic import *
-import requests
-import json
-
-class InfluxdbPrivilege:
-  def __init__(self, user, database, privilege, api_host, api_port, api_user, api_password):
-    self.user = user
-    self.database = database
-    self.privilege = privilege
-    self.api_host = api_host
-    self.api_port = api_port
-    self.api_user = api_user
-    self.api_password = api_password
-    self.change = False
-    self.get_info()
-
-  def request(self, query):
-    url = 'http://{}:{}/query?q={}'.format(self.api_host, self.api_port, requests.utils.quote(query))
-    
-    if self.api_user is not None:
-      r = requests.get(url, auth=(self.api_user, self.api_password))
-    else:
-      r = requests.get(url)
-      
-    if r.status_code != 200:
-      raise Exception('Influxdb', 'Bad status code {}: {}'.format(r.status_code, r.text))
-    
-    return json.loads(r.text)
-
-  def get_info(self):
-    privileges = self.request(
-      'SHOW GRANTS FOR {}'.format(self.user),
-    )['results'][0]['series'][0]
-
-    if 'values' in privileges:
-      for privilege in privileges['values']:
-        if self.database == privilege[0]:
-          self.exist = True
-          if self.privilege != privilege[1]:
-            self.change = True
-          return
-
-    self.exist = False
-
-  def grant(self):
-    self.request(
-      'GRANT {} ON {} TO {}'.format(self.privilege, self.database, self.user)
-    )
-
-  def revoke(self):
-    self.request(
-      'REVOKE {} ON {} FROM {}'.format(self.privilege, self.database, self.user)
-    )
-  
-
-def main():
-  fields = {
-    'user':         { 'type': 'str', 'required': True },
-    'database':     { 'type': 'str', 'required': True },
-    'privilege':    { 'type': 'str', 'required': True, 'choices': ['ALL', 'WRITE', 'READ'] },
-    'api_user':     { 'type': 'str' },
-    'api_password': { 'type': 'str', 'no_log': True},
-    'api_host':     { 'type': 'str', 'default': '127.0.0.1' },
-    'api_port':     { 'type': 'int', 'default': 8086 },
-    'state':        { 'type': 'str', 'default': 'present', 'choices': ['present', 'absent'] }
-  }
-  module = AnsibleModule(argument_spec=fields)
-  changed = False
-
-  influxdb_privilege = InfluxdbPrivilege(
-    module.params['user'],
-    module.params['database'],
-    module.params['privilege'],
-    module.params['api_host'],
-    module.params['api_port'],
-    module.params['api_user'],
-    module.params['api_password']
-  )
-
-  if module.params['state'] == 'present':
-    if not influxdb_privilege.exist or influxdb_privilege.change:
-      influxdb_privilege.grant()
-      changed = True
-  else:
-    if influxdb_privilege.exist:
-      influxdb_privilege.revoke()
-      changed = True
- 
-  module.exit_json(changed=changed)
-
-if __name__ == '__main__':
-  main()
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -10,14 +10,13 @@
        admin: yes
      - name: test
        password: test2
+        grants:
+          - database: test_db
+            privilege: WRITE
      - name: user_absent
        state: absent
    influxdb_databases:
      - test_db
-    influxdb_privileges:
-      - user: test
-        database: test_db
-        privilege: WRITE
    influxdb_config:
      '[collectd]':
        enabled: true
@ -25,7 +24,6 @@
        database: collectd
        typesdb: /usr/share/collectd/types.db

-
  pre_tasks:
    - name: update apt cache
      ansible.builtin.apt:
--- a/tasks/config.yml
+++ b/tasks/config.yml
@ -22,11 +22,20 @@
    timeout: 10
  tags: influxdb

+- name: create databases
+  community.general.influxdb_database:
+    database_name: '{{ item }}'
+    username: '{{ influxdb_api_user }}'
+    password: '{{ influxdb_api_password }}'
+  loop: '{{ influxdb_databases }}'
+  tags: influxdb
+
 - name: create users
  community.general.influxdb_user:
    user_name: '{{ item.name }}'
    user_password: '{{ item.password }}'
    admin: '{{ item.admin|default(false) }}'
+    grants: '{{ item.grants|default([]) }}'
    username: '{{ influxdb_api_user }}'
    password: '{{ influxdb_api_password }}'
  loop: '{{ influxdb_users }}'
@ -46,23 +55,3 @@
    label: '{{ item.name }}'
  when: item.state is defined and item.state == 'absent'
  tags: influxdb
-
- name: create databases
-  community.general.influxdb_database:
-    database_name: '{{ item }}'
-    username: '{{ influxdb_api_user }}'
-    password: '{{ influxdb_api_password }}'
-  loop: '{{ influxdb_databases }}'
-  tags: influxdb
-
- name: create privileges
-  influxdb_privilege:
-    user: '{{ item.user }}'
-    database: '{{ item.database }}'
-    privilege: '{{ item.privilege }}'
-    api_user: '{{ influxdb_api_user }}'
-    api_password: '{{ influxdb_api_password }}'
-    api_port: '{{ influxdb_api_port }}'
-    state: '{{ item.state|default("present") }}'
-  loop: '{{ influxdb_privileges }}'
-  tags: influxdb