Merge remote-tracking branch 'riseup/master'

Conflicts: manifests/client.pp manifests/server.pp manifests/server/base.pp manifests/server/cron/backup.pp manifests/server/munin/default.pp manifests/server/nagios.pp
2013-01-02 17:25:51 +01:00 · 2013-01-02 17:25:51 +01:00 · 8a96ea5cf0
commit 8a96ea5cf0
parent 33241a38d2 9465f48a65
5 changed files with 113 additions and 19 deletions
--- a/9
+++ b/9
@ -16,6 +16,15 @@ installed, specifically it must have nagios::plugin::deploy functionality.

 You will need to have activated storedconfigs on the puppetmaster.

+Special Notes
+=============
+
+By using this module, the following users will be automatically removed, if they
+exist: "root@${fqdn}", "root@127.0.0.1", "@${fqdn}", "@localhost", "@%"
+
+If you require any of these, you can subclass class
+mysql::server::account_security to override this.
+
 Mysql Server
 ============

--- a/lib/puppet/provider/mysql_grant/mysql.rb
+++ b/lib/puppet/provider/mysql_grant/mysql.rb
@ -11,7 +11,7 @@ MYSQL_USER_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv,
  :show_db_priv, :super_priv, :create_tmp_table_priv, :lock_tables_priv,
  :execute_priv, :repl_slave_priv, :repl_client_priv, :create_view_priv,
  :show_view_priv, :create_routine_priv, :alter_routine_priv,
-  :create_user_priv
+  :create_user_priv, :trigger_priv
 ]
 mysql_version = Facter.value(:mysql_version)
 if mysql_version =~ /^5.1/ && mysql_version.split('.').last.to_i >= 6
@ -29,6 +29,12 @@ else
  ]
 end

+MYSQL_TABLE_PRIVS = [ :select, :insert, :update, :delete, :create, :drop, 
+		      :references, :index, :alter
+]
+
+MYSQL_COLUMN_PRIVS = [ :select_priv, :insert_priv, :update_priv, :references_priv ]
+
 Puppet::Type.type(:mysql_grant).provide(:mysql) do

  desc "Uses mysql as database."
@ -42,7 +48,8 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do

  # this parses the
  def split_name(string)
-    matches = /^([^@]*)@([^\/]*)(\/(.*))?$/.match(string).captures.compact
+    matches = /^([^@]*)@([^\/]*)(\/([^\/]*))?(\/([^\/]*))?$/.match(string).captures.compact
+
    case matches.length 
      when 2
        {
@ -57,6 +64,23 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do
          :host => matches[1],
          :db => matches[3]
        }
+      when 6
+        {
+          :type => :tables_priv,
+          :user => matches[0],
+          :host => matches[1],
+          :db => matches[3],
+          :table_name => matches[5]
+        }
+      when 8
+        {
+          :type => :table,
+          :user => matches[0],
+          :host => matches[1],
+          :db => matches[3],
+          :table => matches[5],
+          :column => matches[7]
+        }
    end
  end

@ -72,6 +96,10 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do
        mysql "mysql", "-e", "INSERT INTO db (host, user, db) VALUES ('%s', '%s', '%s')" % [
          name[:host], name[:user], name[:db],
        ]
+      when :column
+        mysql "mysql", "-e", "INSERT INTO columns_priv (host, user, db, table, column_name) VALUES ('%s', '%s', '%s', '%s', '%s')" % [
+          name[:host], name[:user], name[:db], name[:table], name[:column],
+        ]
      end
      mysql_flush
    end
@ -87,6 +115,9 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do
    if name[:type] == :db
      fields << :db
    end
+    if name[:type] == :column
+      fields << :column
+    end
    not mysql( "mysql", "-NBe", 'SELECT "1" FROM %s WHERE %s' % [ name[:type], fields.map do |f| "%s = '%s'" % [f, name[f]] end.join(' AND ')]).empty?
  end

@ -96,6 +127,10 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do
        MYSQL_USER_PRIVS
      when :db
        MYSQL_DB_PRIVS
+      when :tables_priv
+        MYSQL_TABLE_PRIVS
+      when :column
+        MYSQL_COLUMN_PRIVS
    end
    all_privs = all_privs.collect do |p| p.to_s end.sort.join("|")
    privs = privileges.collect do |p| p.to_s end.sort.join("|")
@ -112,25 +147,37 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do
      privs = mysql "mysql", "-Be", 'select * from user where user="%s" and host="%s"' % [ name[:user], name[:host] ]
    when :db
      privs = mysql "mysql", "-Be", 'select * from db where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ]
+    when :tables_priv
+      privs = mysql "mysql", "-NBe", 'select Table_priv from tables_priv where User="%s" and Host="%s" and Db="%s" and Table_name="%s"' % [ name[:user], name[:host], name[:db], name[:table_name] ]
+      privs = privs.chomp.downcase
+      return privs
+    when :columns
+      privs = mysql "mysql", "-Be", 'select * from columns_priv where User="%s" and Host="%s" and Db="%s" and Table_name="%s" and Column_name="%s"' % [ name[:user], name[:host], name[:db], name[:table], name[:column] ]
    end

    if privs.match(/^$/) 
      privs = [] # no result, no privs
    else
+      case name[:type]
+      when :user, :db
      # returns a line with field names and a line with values, each tab-separated
        privs = privs.split(/\n/).map! do |l| l.chomp.split(/\t/) end
        # transpose the lines, so we have key/value pairs
        privs = privs[0].zip(privs[1])
-      privs = privs.select do |p| p[0].match(/_priv$/) and p[1] == 'Y' end
-    end
-
+        privs = privs.select do |p| (/_priv$/) and p[1] == 'Y' end
        privs.collect do |p| symbolize(p[0].downcase) end
      end
+    end
+  end

  def privileges=(privs) 
+    name = split_name(@resource[:name])
+    # don't need to create a row for tables_priv and columns_priv
+    if name[:type] == :user || name[:type] == :db
      unless row_exists?
        create_row
      end
+    end

    # puts "Setting privs: ", privs.join(", ")
    name = split_name(@resource[:name])
@ -146,19 +193,49 @@ Puppet::Type.type(:mysql_grant).provide(:mysql) do
      stmt = 'update db set '
      where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ]
      all_privs = MYSQL_DB_PRIVS
+    when :tables_priv
+      currently_set = privileges
+      currently_set = currently_set.scan(/\w+/)
+      privs.map! {|i| i.to_s.downcase}
+      revoke = currently_set - privs
+
+      if !revoke.empty?
+         #puts "Revoking table privs: ", revoke
+         mysql "mysql", "-e", "REVOKE %s ON %s.%s FROM '%s'@'%s'" % [ revoke.join(", "), name[:db], name[:table_name], name[:user], name[:host] ]
+      end
+
+      set = privs - currently_set
+      stmt = 'GRANT '
+      where = ' ON %s.%s TO "%s"@"%s"' % [ name[:db], name[:table_name], name[:user], name[:host] ]
+      all_privs = MYSQL_TABLE_PRIVS    
+    when :column
+      stmt = 'update columns_priv set '
+      where = ' where user="%s" and host="%s" and Db="%s" and Table_name="%s"' % [ name[:user], name[:host], name[:db], name[:table_name] ]
+      all_privs = MYSQL_COLUMN_PRIVS    
    end

    if privs[0] == :all 
      privs = all_privs
    end
  
-    # puts "stmt:", stmt
+    #puts "stmt:", stmt
+    case name[:type]
+    when :user
      set = all_privs.collect do |p| "%s = '%s'" % [p, privs.include?(p) ? 'Y' : 'N'] end.join(', ')
-    # puts "set:", set
-    stmt = stmt << set << where
+    when :db
+      set = all_privs.collect do |p| "%s = '%s'" % [p, privs.include?(p) ? 'Y' : 'N'] end.join(', ')
+    when :tables_priv
+      set = set.join(', ')
+    end

+    #puts "set:", set
+    stmt = stmt << set << where
+    #puts "stmt:", stmt
+
+    if !set.empty?
      mysql "mysql", "-Be", stmt
      mysql_flush
    end
+  end
 end

--- a/lib/puppet/type/mysql_grant.rb
+++ b/lib/puppet/type/mysql_grant.rb
@ -5,6 +5,16 @@ Puppet::Type.newtype(:mysql_grant) do
  #ensurable
  autorequire(:service) { 'mysqld' }

+  autorequire :mysql_table do
+    reqs = []
+    matches = self[:name].match(/^([^@]*)@([^\/]*)\/(.+)\/(.+)$/)
+    unless matches.nil?
+      reqs << matches[4]
+    end
+    # puts "Autoreq: '%s'" % reqs.join(" ")
+    reqs
+  end
+
  autorequire :mysql_db do
    # puts "Starting db autoreq for %s" % self[:name]
    reqs = []
--- a/manifests/client.pp
+++ b/manifests/client.pp
@ -2,7 +2,6 @@
 class mysql::client (
  $manage_shorewall = false
 ) {
-
  case $::operatingsystem {
    debian: { include mysql::client::debian }
    default: { include mysql::client::base }
@ -11,5 +10,4 @@ class mysql::client (
  if $manage_shorewall {
    include shorewall::rules::out::mysql
  }
-
 }
--- a/templates/root/my.cnf.erb
+++ b/templates/root/my.cnf.erb
@ -1,4 +1,4 @@
 [client]
 user=root
 host=localhost
-password=<%= scope.function_trocla("mysql_root_#{scope.lookupvar('::fqdn')}",'plain', 'length' => 32) %>
+password=<%= Puppet::Parser::Functions.function('trocla');'' %><%= scope.function_trocla("mysql_root_#{scope.lookupvar('::fqdn')}",'plain', 'length' => 32) %>