From 9b5275aa2b1edc7027183eb3e5e3e99497436734 Mon Sep 17 00:00:00 2001 From: Adrien Waksberg Date: Wed, 18 Aug 2021 15:30:41 +0200 Subject: [PATCH] break: change user's privileges --- CHANGELOG.md | 4 ++ README.md | 12 ++--- defaults/main.yml | 1 - library/influxdb_privilege.py | 94 ----------------------------------- molecule/default/converge.yml | 8 ++- tasks/config.yml | 29 ++++------- 6 files changed, 19 insertions(+), 129 deletions(-) delete mode 100644 library/influxdb_privilege.py diff --git a/CHANGELOG.md b/CHANGELOG.md index 607047f..6242b1f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/) ## [Unreleased] +### Break + +- change user's privileges + ### Added - add support for debian 11 diff --git a/README.md b/README.md index 622458d..7d8b95b 100644 --- a/README.md +++ b/README.md @@ -21,15 +21,9 @@ Install and configure InfluxDB - name: test password: secret admin: true - state: present -``` - -* `influxdb_privileges` - array with the privileges - -``` -- user: test - database: metric - privilege: WRITE + grants: + - database: collectd + privilege: WRITE state: present ``` diff --git a/defaults/main.yml b/defaults/main.yml index e019396..022c1c6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,6 @@ --- influxdb_databases: [] influxdb_users: [] -influxdb_privileges: [] influxdb_api_user: user influxdb_api_password: password influxdb_api_port: 8086 diff --git a/library/influxdb_privilege.py b/library/influxdb_privilege.py deleted file mode 100644 index 7b6473e..0000000 --- a/library/influxdb_privilege.py +++ /dev/null 
@@ -1,94 +0,0 @@
-#!/usr/bin/python
-
-from ansible.module_utils.basic import *
-import requests
-import json
-
-class InfluxdbPrivilege:
- def __init__(self, user, database, privilege, api_host, api_port, api_user, api_password):
- self.user = user
- self.database = database
- self.privilege = privilege
- self.api_host = api_host
- self.api_port = api_port
- self.api_user = api_user
- self.api_password = api_password
- self.change = False
- self.get_info()
-
- def request(self, query):
- url = 'http://{}:{}/query?q={}'.format(self.api_host, self.api_port, requests.utils.quote(query))
-
- if self.api_user is not None:
- r = requests.get(url, auth=(self.api_user, self.api_password))
- else:
- r = requests.get(url)
-
- if r.status_code != 200:
- raise Exception('Influxdb', 'Bad status code {}: {}'.format(r.status_code, r.text))
-
- return json.loads(r.text)
-
- def get_info(self):
- privileges = self.request(
- 'SHOW GRANTS FOR {}'.format(self.user),
- )['results'][0]['series'][0]
-
- if 'values' in privileges:
- for privilege in privileges['values']:
- if self.database == privilege[0]:
- self.exist = True
- if self.privilege != privilege[1]:
- self.change = True
- return
-
- self.exist = False
-
- def grant(self):
- self.request(
- 'GRANT {} ON {} TO {}'.format(self.privilege, self.database, self.user)
- )
-
- def revoke(self):
- self.request(
- 'REVOKE {} ON {} FROM {}'.format(self.privilege, self.database, self.user)
- )
-
-
-def main():
- fields = {
- 'user': { 'type': 'str', 'required': True },
- 'database': { 'type': 'str', 'required': True },
- 'privilege': { 'type': 'str', 'required': True, 'choices': ['ALL', 'WRITE', 'READ'] },
- 'api_user': { 'type': 'str' },
- 'api_password': { 'type': 'str', 'no_log': True},
- 'api_host': { 'type': 'str', 'default': '127.0.0.1' },
- 'api_port': { 'type': 'int', 'default': 8086 },
- 'state': { 'type': 'str', 'default': 'present', 'choices': ['present', 'absent'] }
- }
- module = AnsibleModule(argument_spec=fields)
-
changed = False - - influxdb_privilege = InfluxdbPrivilege( - module.params['user'], - module.params['database'], - module.params['privilege'], - module.params['api_host'], - module.params['api_port'], - module.params['api_user'], - module.params['api_password'] - ) - - if module.params['state'] == 'present': - if not influxdb_privilege.exist or influxdb_privilege.change: - influxdb_privilege.grant() - changed = True - else: - if influxdb_privilege.exist: - influxdb_privilege.revoke() - changed = True - - module.exit_json(changed=changed) - -if __name__ == '__main__': - main() diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index b7fc5b6..2c3dd75 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -10,14 +10,13 @@ admin: yes - name: test password: test2 + grants: + - database: test_db + privilege: WRITE - name: user_absent state: absent influxdb_databases: - test_db - influxdb_privileges: - - user: test - database: test_db - privilege: WRITE influxdb_config: '[collectd]': enabled: true @@ -25,7 +24,6 @@ database: collectd typesdb: /usr/share/collectd/types.db - pre_tasks: - name: update apt cache ansible.builtin.apt: diff --git a/tasks/config.yml b/tasks/config.yml index ce21d49..4fa4258 100644 --- a/tasks/config.yml +++ b/tasks/config.yml @@ -22,11 +22,20 @@ timeout: 10 tags: influxdb +- name: create databases + community.general.influxdb_database: + database_name: '{{ item }}' + username: '{{ influxdb_api_user }}' + password: '{{ influxdb_api_password }}' + loop: '{{ influxdb_databases }}' + tags: influxdb + - name: create users community.general.influxdb_user: user_name: '{{ item.name }}' user_password: '{{ item.password }}' admin: '{{ item.admin|default(false) }}' + grants: '{{ item.grants|default([]) }}' username: '{{ influxdb_api_user }}' password: '{{ influxdb_api_password }}' loop: '{{ influxdb_users }}' 
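Review bot: In the `create users` task of tasks/config.yml, `grants: '{{ item.grants|default([]) }}'` passes an empty list for every user that has no `grants` key, and `community.general.influxdb_user` documents an empty list as "remove all grants", whereas an omitted argument leaves existing grants alone. Each run will therefore silently revoke privileges granted outside this role, including those applied earlier through the `influxdb_privileges` variable that this commit stops reading. If the role is meant to be authoritative over grants, say so explicitly in the README and CHANGELOG entry; otherwise use `grants: '{{ item.grants|default(omit) }}'` so only users that declare grants are modified. The task continues below the hunk, so any `when` or `loop_control` on it is not visible here.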
@@ -46,23 +55,3 @@ label: '{{ item.name }}' when: item.state is defined and item.state == 'absent' tags: influxdb - -- name: create databases - community.general.influxdb_database: - database_name: '{{ item }}' - username: '{{ influxdb_api_user }}' - password: '{{ influxdb_api_password }}' - loop: '{{ influxdb_databases }}' - tags: influxdb - -- name: create privileges - influxdb_privilege: - user: '{{ item.user }}' - database: '{{ item.database }}' - privilege: '{{ item.privilege }}' - api_user: '{{ influxdb_api_user }}' - api_password: '{{ influxdb_api_password }}' - api_port: '{{ influxdb_api_port }}' - state: '{{ item.state|default("present") }}' - loop: '{{ influxdb_privileges }}' - tags: influxdb