tmp
Andersson007 committed Aug 19, 2024
1 parent a3ef29b commit 119a1ee
Showing 2 changed files with 231 additions and 35 deletions.
85 changes: 62 additions & 23 deletions plugins/modules/clickhouse_user.py
Expand Up @@ -85,7 +85,8 @@
roles:
description:
- Grants specified roles for the user.
- To append specified roles to existing ones, also add I(append=true) to your task.
- To append specified roles to existing ones, also add I(append_roles=true) to your task.
- To revoke all roles, pass an empty list and I(append_roles=false).
type: list
elements: str
version_added: '0.6.0'
Expand All @@ -95,7 +96,8 @@
- The roles must be explicitly granted to the user whether manually
before using this argument or by using the I(roles)
argument in the same task.
- To append specified roles to existing ones, also add I(append_roles=true) to your task.
- To append specified roles to existing ones, also add I(append_default_roles=true) to your task.
- To unset all roles as default, pass an empty list and I(append_default_roles=false).
type: list
elements: str
version_added: '0.6.0'
Expand All @@ -104,7 +106,7 @@
- When set to C(true), appends roles specified in I(roles) to existing
user roles instead of removing the user from not specified roles.
- The default is C(false), which will remove the user from all not specified roles.
- Requires I(roles) to be set in the task.
- Ignored without I(roles) set.
type: bool
default: false
version_added: '0.6.0'
Expand All @@ -113,7 +115,7 @@
- When set to C(true), appends roles specified in I(default_roles) to existing
default roles instead of unsetting not specified ones.
- The default is C(false), which will unset all not specified roles.
- Requires I(default_roles) to be set in the task.
- Ignored without I(default_roles) set.
type: bool
default: false
version_added: '0.6.0'
Expand Down Expand Up @@ -147,6 +149,24 @@
- sales
append_roles: true
- name: Unset all alice's default roles
community.clickhouse.clickhouse_user:
login_host: localhost
login_user: alice
login_db: foo
login_password: my_password
name: test_user
default_roles: []
- name: Revoke all roles from alice
community.clickhouse.clickhouse_user:
login_host: localhost
login_user: alice
login_db: foo
login_password: my_password
name: test_user
roles: []
- name: If user exists, update password
community.clickhouse.clickhouse_user:
login_host: localhost
Expand Down Expand Up @@ -280,7 +300,7 @@ def create(self):
return True

def update(self, update_password):
if self.module.params['roles']:
if self.module.params['roles'] is not None:
desired_roles = self.module.params['roles']

roles_to_grant = []
Expand All @@ -294,31 +314,36 @@ def update(self, update_password):
if not self.module.params['append_roles']:
roles_to_revoke = []
for role in self.current_roles:
if role not in self.desired_roles:
if role not in desired_roles:
roles_to_revoke.append(role)

if roles_to_revoke:
self.__revoke_roles(roles_to_revoke)

if self.module.params['default_roles']:
if self.module.params['default_roles'] is not None:
default_roles = self.module.params['default_roles']

if self.module.params['append_roles']:
roles_to_set = []
for role in default_roles:
if role not in self.current_default_roles:
roles_to_set.append(role)

if roles_to_set:
cur_def_roles_set = set(self.current_default_roles)
req_def_roles_set = set(default_roles)

if self.module.params['append_roles'] is False:
if not req_def_roles_set:
# Update roles info in case all roles were revoked
# in the same task and then unset if the roles list
# is not empty
self.current_roles = self.__fetch_user_groups()
if self.current_roles:
self.__unset_default_roles()

elif cur_def_roles_set != req_def_roles_set:
self.__set_default_roles(default_roles)

else:
if cur_def_roles_set != req_def_roles_set:
# Append roles to default roles.
# Use set union to make a list of unique roles
roles_to_set = list(cur_def_roles_set.union(req_def_roles_set))
self.__set_default_roles(roles_to_set)

elif not self.module.params['append_roles']:
# Use sets to make a list of unique roles
set1 = set(self.current_default_roles)
set2 = set(default_roles)
roles_to_set = list(set1.union(set2))
self.__set_default_roles(roles_to_set)

if update_password == 'on_create':
return False or self.changed

Expand Down Expand Up @@ -357,7 +382,7 @@ def __grant_roles(self, roles_to_set):
self.changed = True

def __revoke_roles(self, roles_to_revoke):
query = "REVOKE %s FROM %s" % (' ,'.join(roles_to_revoke), self.name)
query = "REVOKE %s FROM %s" % (', '.join(roles_to_revoke), self.name)
executed_statements.append(query)

if not self.module.check_mode:
Expand All @@ -366,6 +391,11 @@ def __revoke_roles(self, roles_to_revoke):
self.changed = True

def __set_default_roles(self, roles_to_set):
self.current_roles = self.__fetch_user_groups()
for role in roles_to_set:
if role not in self.current_roles and role not in self.module.params["roles"]:
self.module.fail_json("User %s is not in %s role. Grant it explicitly first." % (self.name, role))

query = "ALTER USER %s DEFAULT ROLE %s" % (self.name, ', '.join(roles_to_set))
executed_statements.append(query)

Expand All @@ -374,6 +404,15 @@ def __set_default_roles(self, roles_to_set):

self.changed = True

def __unset_default_roles(self):
query = "SET DEFAULT ROLE NONE TO %s" % self.name
executed_statements.append(query)

if not self.module.check_mode:
execute_query(self.module, self.client, query)

self.changed = True


def main():
argument_spec = client_common_argument_spec()
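Review bot: The replace-or-append decision for default roles in `update()` still reads `self.module.params['append_roles']` (`if self.module.params['append_roles'] is False:`), while the option text changed in this same commit says `append_default_roles` governs `default_roles`. As written, a task with `append_roles: true` and `append_default_roles: false` takes the union branch, so roles that were default before stay default although the operator asked for them to be replaced. Reading `if not self.module.params['append_default_roles']:` there would match the documentation; the option's declaration in `main()` is outside the visible hunks, so confirm the name. Separately, `__set_default_roles` evaluates `role not in self.module.params["roles"]`, which raises `TypeError` instead of reaching `fail_json` when only `default_roles` is passed and `roles` is `None`; binding `requested_roles = self.module.params["roles"] or []` before the loop avoids that. The new `__unset_default_roles` also formats `self.name` directly into the statement, as the neighbouring helpers do, so identifier quoting is worth adding in one shared place rather than per query.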
181 changes: 169 additions & 12 deletions tests/integration/targets/clickhouse_user/tasks/initial.yml
Expand Up @@ -156,7 +156,8 @@
ansible.builtin.assert:
that:
- result is changed
- result.executed_statements == ["GRANT accountant, manager TO test_user", "ALTER USER test_user DEFAULT ROLE accountant, manager"]
- result.executed_statements[0] == "GRANT accountant, manager TO test_user"
- result.executed_statements[1] == "ALTER USER test_user DEFAULT ROLE accountant, manager" or result.executed_statements[1] == "ALTER USER test_user DEFAULT ROLE manager, accountant"

- name: Check the actual state
register: result
Expand Down Expand Up @@ -186,7 +187,8 @@
ansible.builtin.assert:
that:
- result is changed
- result.executed_statements == ["GRANT accountant, manager TO test_user", "ALTER USER test_user DEFAULT ROLE accountant, manager"]
- result.executed_statements[0] == "GRANT accountant, manager TO test_user"
- result.executed_statements[1] == "ALTER USER test_user DEFAULT ROLE accountant, manager" or result.executed_statements[1] == "ALTER USER test_user DEFAULT ROLE manager, accountant"

- name: Check the actual state
register: result
Expand All @@ -197,10 +199,10 @@
ansible.builtin.assert:
that:
- result is not changed
- result["users"]["test_user"]["roles"] == ["accountant", "manager"]
- result["users"]["test_user"]["roles"] == ["accountant", "manager"] or result["users"]["test_user"]["roles"] == ["manager", "accountant"]
- result["users"]["test_user"]["default_roles_list"] == ["accountant", "manager"]

- name: Set another role as default in check mode
- name: Grant and set another role as default in check mode
register: result
check_mode: true
community.clickhouse.clickhouse_user:
Expand All @@ -216,7 +218,7 @@
that:
- result is changed
- result.executed_statements[0] == "GRANT sales TO test_user"
- result.executed_statements[1] == "REVOKE account, manager FROM test_user"
- result.executed_statements[1] == "REVOKE accountant, manager FROM test_user" or result.executed_statements[1] == "REVOKE manager, accountant FROM test_user"
- result.executed_statements[2] == "ALTER USER test_user DEFAULT ROLE sales"

- name: Check the actual state
Expand All @@ -228,8 +230,8 @@
ansible.builtin.assert:
that:
- result is not changed
- result["users"]["test_user"]["roles"] == ["accountant", "manager"]
- result["users"]["test_user"]["default_roles_list"] == ["accountant", "manager"]
- result["users"]["test_user"]["roles"] == ["accountant", "manager"] or result["users"]["test_user"]["roles"] == ["manager", "accountant"]
- result["users"]["test_user"]["default_roles_list"] == ["accountant", "manager"] or result["users"]["test_user"]["default_roles_list"] == ["manager", "accountant"]

- name: Set another role as default in real mode
register: result
Expand All @@ -244,7 +246,7 @@
that:
- result is changed
- result.executed_statements[0] == "GRANT sales TO test_user"
- result.executed_statements[1] == "REVOKE account, manager FROM test_user"
- result.executed_statements[1] == "REVOKE accountant, manager FROM test_user" or result.executed_statements[1] == "REVOKE manager, accountant FROM test_user"
- result.executed_statements[2] == "ALTER USER test_user DEFAULT ROLE sales"

- name: Check the actual state
Expand Down Expand Up @@ -308,8 +310,110 @@
ansible.builtin.assert:
that:
- result is changed
- result.executed_statements[0] == ["GRANT accountant TO test_user"]
- result.executed_statements[1] == ["ALTER USER test_user DEFAULT ROLE sales, accountant"]
- result.executed_statements[0] == "GRANT accountant TO test_user"
- result.executed_statements[1] == "ALTER USER test_user DEFAULT ROLE sales, accountant" or result.executed_statements[1] == "ALTER USER test_user DEFAULT ROLE accountant, sales"

- name: Check the actual state
register: result
community.clickhouse.clickhouse_info:
login_host: localhost

- name: Check result
ansible.builtin.assert:
that:
- result is not changed
- result["users"]["test_user"]["roles"] == ["sales", "accountant"] or result["users"]["test_user"]["roles"] == ["accountant", "sales"]
- result["users"]["test_user"]["default_roles_list"] == ["sales", "accountant"] or result["users"]["test_user"]["default_roles_list"] == ["accountant", "sales"]

- name: Unset all default roles in check mode
register: result
check_mode: true
community.clickhouse.clickhouse_user:
state: present
name: test_user
default_roles: []

- name: Check ret values
ansible.builtin.assert:
that:
- result is changed
- result.executed_statements[0] == "SET DEFAULT ROLE NONE TO test_user"

- name: Check the actual state
register: result
community.clickhouse.clickhouse_info:
login_host: localhost

- name: Check result
ansible.builtin.assert:
that:
- result is not changed
- result["users"]["test_user"]["roles"] == ["sales", "accountant"] or result["users"]["test_user"]["roles"] == ["accountant", "sales"]
- result["users"]["test_user"]["default_roles_list"] == ["sales", "accountant"] or result["users"]["test_user"]["default_roles_list"] == ["accountant", "sales"]

- name: Unset all default roles in real mode
register: result
community.clickhouse.clickhouse_user:
state: present
name: test_user
default_roles: []

- name: Check ret values
ansible.builtin.assert:
that:
- result is changed
- result.executed_statements[0] == "SET DEFAULT ROLE NONE TO test_user"

- name: Check the actual state
register: result
community.clickhouse.clickhouse_info:
login_host: localhost

- name: Check result
ansible.builtin.assert:
that:
- result is not changed
- result["users"]["test_user"]["roles"] == ["sales", "accountant"] or result["users"]["test_user"]["roles"] == ["accountant", "sales"]
- result["users"]["test_user"]["default_roles_list"] == []

- name: Revoke all roles in check mode
register: result
check_mode: true
community.clickhouse.clickhouse_user:
state: present
name: test_user
roles: []

- name: Check ret values
ansible.builtin.assert:
that:
- result is changed
- result.executed_statements[0] == "REVOKE accountant, sales FROM test_user" or result.executed_statements[0] == "REVOKE sales, accountant FROM test_user"

- name: Check the actual state
register: result
community.clickhouse.clickhouse_info:
login_host: localhost

- name: Check result
ansible.builtin.assert:
that:
- result is not changed
- result["users"]["test_user"]["roles"] == ["sales", "accountant"] or result["users"]["test_user"]["roles"] == ["accountant", "sales"]
- result["users"]["test_user"]["default_roles_list"] == []

- name: Revoke all roles in real mode
register: result
community.clickhouse.clickhouse_user:
state: present
name: test_user
roles: []

- name: Check ret values
ansible.builtin.assert:
that:
- result is changed
- result.executed_statements[0] == "REVOKE accountant, sales FROM test_user" or result.executed_statements[0] == "REVOKE sales, accountant FROM test_user"

- name: Check the actual state
register: result
Expand All @@ -320,5 +424,58 @@
ansible.builtin.assert:
that:
- result is not changed
- result["users"]["test_user"]["roles"] == ["sales", "accountant"]
- result["users"]["test_user"]["default_roles_list"] == ["sales", "accountant"]
- result["users"]["test_user"]["roles"] == []
- result["users"]["test_user"]["default_roles_list"] == []

- name: Revoke all roles and unset all default roles in check mode
register: result
check_mode: true
community.clickhouse.clickhouse_user:
state: present
name: test_user
roles: []
default_roles: []

- name: Check ret values
ansible.builtin.assert:
that:
- result is not changed
- result.executed_statements == []

- name: Check the actual state
register: result
community.clickhouse.clickhouse_info:
login_host: localhost

- name: Check result
ansible.builtin.assert:
that:
- result is not changed
- result["users"]["test_user"]["roles"] == []
- result["users"]["test_user"]["default_roles_list"] == []

- name: Revoke all roles and unset all default roles in real mode
register: result
community.clickhouse.clickhouse_user:
state: present
name: test_user
roles: []
default_roles: []

- name: Check ret values
ansible.builtin.assert:
that:
- result is not changed
- result.executed_statements == []

- name: Check the actual state
register: result
community.clickhouse.clickhouse_info:
login_host: localhost

- name: Check result
ansible.builtin.assert:
that:
- result is not changed
- result["users"]["test_user"]["roles"] == []
- result["users"]["test_user"]["default_roles_list"] == []
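Review bot: None of the tasks added in the visible hunks exercises the new `fail_json` guard in `__set_default_roles`: every added task that omits `roles` passes an empty `default_roles` list, so the guard is never reached with `roles` unset. A task that sets `default_roles` to a role the user has not been granted, run with `ignore_errors: true` and followed by an assert on `result is failed`, would pin the refusal and would also catch a crash on that path. Parts of the file are collapsed on this page, so such a task may already exist outside the shown hunks. As a style point, the repeated `x == "a, b" or x == "b, a"` asserts read more easily as `x in ["a, b", "b, a"]`.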
