break: change user's privileges

Adrien Waksberg 2021-08-18 15:30:41 +02:00
parent bfb5bd0233
commit 9b5275aa2b
6 changed files with 19 additions and 129 deletions


@ -5,6 +5,10 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
## [Unreleased]
### Break
- change user's privileges
### Added
- add support for debian 11


@ -21,15 +21,9 @@ Install and configure InfluxDB
- name: test
password: secret
admin: true
state: present
```
* `influxdb_privileges` - array with the privileges
```
- user: test
database: metric
privilege: WRITE
grants:
- database: collectd
privilege: WRITE
state: present
```


@ -1,7 +1,6 @@
---
influxdb_databases: []
influxdb_users: []
influxdb_privileges: []
influxdb_api_user: user
influxdb_api_password: password
influxdb_api_port: 8086


@ -1,94 +0,0 @@
#!/usr/bin/python
from ansible.module_utils.basic import *
import requests
import json
class InfluxdbPrivilege:
def __init__(self, user, database, privilege, api_host, api_port, api_user, api_password):
self.user = user
self.database = database
self.privilege = privilege
self.api_host = api_host
self.api_port = api_port
self.api_user = api_user
self.api_password = api_password
self.change = False
self.get_info()
def request(self, query):
url = 'http://{}:{}/query?q={}'.format(self.api_host, self.api_port, requests.utils.quote(query))
if self.api_user is not None:
r = requests.get(url, auth=(self.api_user, self.api_password))
else:
r = requests.get(url)
if r.status_code != 200:
raise Exception('Influxdb', 'Bad status code {}: {}'.format(r.status_code, r.text))
return json.loads(r.text)
def get_info(self):
privileges = self.request(
'SHOW GRANTS FOR {}'.format(self.user),
)['results'][0]['series'][0]
if 'values' in privileges:
for privilege in privileges['values']:
if self.database == privilege[0]:
self.exist = True
if self.privilege != privilege[1]:
self.change = True
return
self.exist = False
def grant(self):
self.request(
'GRANT {} ON {} TO {}'.format(self.privilege, self.database, self.user)
)
def revoke(self):
self.request(
'REVOKE {} ON {} FROM {}'.format(self.privilege, self.database, self.user)
)
def main():
fields = {
'user': { 'type': 'str', 'required': True },
'database': { 'type': 'str', 'required': True },
'privilege': { 'type': 'str', 'required': True, 'choices': ['ALL', 'WRITE', 'READ'] },
'api_user': { 'type': 'str' },
'api_password': { 'type': 'str', 'no_log': True},
'api_host': { 'type': 'str', 'default': '127.0.0.1' },
'api_port': { 'type': 'int', 'default': 8086 },
'state': { 'type': 'str', 'default': 'present', 'choices': ['present', 'absent'] }
}
module = AnsibleModule(argument_spec=fields)
changed = False
influxdb_privilege = InfluxdbPrivilege(
module.params['user'],
module.params['database'],
module.params['privilege'],
module.params['api_host'],
module.params['api_port'],
module.params['api_user'],
module.params['api_password']
)
if module.params['state'] == 'present':
if not influxdb_privilege.exist or influxdb_privilege.change:
influxdb_privilege.grant()
changed = True
else:
if influxdb_privilege.exist:
influxdb_privilege.revoke()
changed = True
module.exit_json(changed=changed)
if __name__ == '__main__':
main()


@ -10,14 +10,13 @@
admin: yes
- name: test
password: test2
grants:
- database: test_db
privilege: WRITE
- name: user_absent
state: absent
influxdb_databases:
- test_db
influxdb_privileges:
- user: test
database: test_db
privilege: WRITE
influxdb_config:
'[collectd]':
enabled: true
@ -25,7 +24,6 @@
database: collectd
typesdb: /usr/share/collectd/types.db
pre_tasks:
- name: update apt cache
ansible.builtin.apt:


@ -22,11 +22,20 @@
timeout: 10
tags: influxdb
- name: create databases
community.general.influxdb_database:
database_name: '{{ item }}'
username: '{{ influxdb_api_user }}'
password: '{{ influxdb_api_password }}'
loop: '{{ influxdb_databases }}'
tags: influxdb
- name: create users
community.general.influxdb_user:
user_name: '{{ item.name }}'
user_password: '{{ item.password }}'
admin: '{{ item.admin|default(false) }}'
grants: '{{ item.grants|default([]) }}'
username: '{{ influxdb_api_user }}'
password: '{{ influxdb_api_password }}'
loop: '{{ influxdb_users }}'
@ -46,23 +55,3 @@
label: '{{ item.name }}'
when: item.state is defined and item.state == 'absent'
tags: influxdb
- name: create databases
community.general.influxdb_database:
database_name: '{{ item }}'
username: '{{ influxdb_api_user }}'
password: '{{ influxdb_api_password }}'
loop: '{{ influxdb_databases }}'
tags: influxdb
- name: create privileges
influxdb_privilege:
user: '{{ item.user }}'
database: '{{ item.database }}'
privilege: '{{ item.privilege }}'
api_user: '{{ influxdb_api_user }}'
api_password: '{{ influxdb_api_password }}'
api_port: '{{ influxdb_api_port }}'
state: '{{ item.state|default("present") }}'
loop: '{{ influxdb_privileges }}'
tags: influxdb
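Review bot: In the `create users` task of the first hunk, `grants: '{{ item.grants|default([]) }}'` passes an empty list for every user that has no `grants` key, and `community.general.influxdb_user` treats an empty list as "remove all grants", whereas an omitted argument leaves existing grants alone. Users whose privileges were previously set through `influxdb_privileges`, or outside the role, would therefore lose their database access on the next run unless the inventory is migrated first. If revoke-by-default is not intended, use `grants: '{{ item.grants|default(omit) }}'`; if it is intended, say so explicitly in the README and the changelog entry. The same task loops over items that carry `item.password` and its end lies outside the hunk, so confirm that it sets `loop_control.label` or `no_log: true` so that passwords are not echoed in the run output.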