1. 首頁
  2. 問答
  3. 如何授予MySQL服務器管理權限(SUPER,RELOAD ...)與否?

如何授予MySQL服務器管理權限(SUPER,RELOAD ...)與否?

2014-04-09 105 views
8

有沒有辦法如何使用Ansible mysql_user模塊(或使用任何其他模塊)授予MySQL管理權限?我想爲用戶設置SUPERRELOADSHOW DATABASES特權以及其他一些特定於數據庫的特權。如何授予MySQL服務器管理權限(SUPER,RELOAD ...)與否?

基本設置很適合我:

- name: Set user privileges 
    mysql_user: 
    user={{ mysql_user }} 
    password={{ mysql_password }} 
    state=present 
    priv={{ item }} 
    with_items: 
    - 'somedatabase.*:ALL' 
    - 'someotherdatabase.*:ALL'

...結果:

TASK: [db | Set user privileges] 
********************************************** 
ok: [dbuser] => (item=somedatabase.*:ALL) 
ok: [dbuser] => (item=someotherdatabase.*:ALL)

以下設置口口聲聲說 「改變」 和特權都沒有什麼人們會預期:

- name: Set user privileges 
    mysql_user: 
    user={{ mysql_user }} 
    password={{ mysql_password }} 
    state=present 
    priv={{ item }} 
    with_items: 
    - '*.*:SUPER,RELOAD,SHOW\ DATABASES' 
    - 'somedatabase.*:ALL' 
    - 'someotherdatabase.*:ALL'

(重複)運行:

TASK: [db | Set user privileges] 
********************************************** 
changed: [dbuser] => (item=*.*:SUPER,RELOAD,SHOW\ DATABASES) 
changed: [dbuser] => (item=somedatabase.*:ALL) 
ok: [dbuser] => (item=someotherdatabase.*:ALL)

結果:

mysql> show grants for 'dbuser'@'localhost'; 
+---------------------------------------------------------------------------------------------------------------+ 
| Grants for [email protected]                     | 
+---------------------------------------------------------------------------------------------------------------+ 
| GRANT USAGE ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*2046D2DDAE359F311435E8B4D3776EFE13FB584C' | 
| GRANT ALL PRIVILEGES ON `somedatabase`.* TO 'dbuser'@'localhost'            | 
| GRANT ALL PRIVILEGES ON `someotherdatabase`.* TO 'dbuser'@'localhost'           | 
+---------------------------------------------------------------------------------------------------------------+ 
3 rows in set (0.00 sec)

有誰知道如何:

  1. 設置SUPERRELOADSHOW DATABASE管理。特權?
  2. 使配置冪等?

來源

2014-04-09 Ikar Pohorský

回答

12

終於找到了優雅的解決方案!首先所有的特權應該某處定義爲一個列表:

$ cat group_vars/dbservers 
mysql_privileges: 
    - 'somedatabase.*:ALL' 
    - 'someotherdatabase.*:ALL' 
    - '*.*:SUPER,RELOAD,SHOW\ DATABASES'

那麼mysql_user插件並不需要追加的特權,只要使用以下格式在documentation提到的權限字符串:mydb.*:INSERT,UPDATE/anotherdb.*:SELECT/yetanotherdb.*:ALL

唯一的訣竅就是列表轉換爲字符串:

- name: Set user privileges 
    mysql_user: 
    user={{ mysql_user }} 
    password={{ mysql_password }} 
    state=present 
    priv={{ mysql_privileges|join('/') }}

任務的重複運行不說改變了:

TASK: [db | Set user privileges] 
********************************************** 
ok: [dbuser]

來源

2014-04-14 08:05:45

7

發現當切換特權順序時,我可以授予提及的管理員權限。特權:

- name: Set user privileges 
    mysql_user: 
    user={{ mysql_user }} 
    password={{ mysql_password }} 
    state=present 
    append_privs=yes 
    priv={{ item }} 
    with_items: 
    - 'somedatabase.*:ALL' 
    - 'someotherdatabase.*:ALL' 
    - '*.*:SUPER,RELOAD,SHOW\ DATABASES'

權限按預期設定:

mysql> show grants for 'dbuser'@'localhost'; 
+---------------------------------------------------------------------------------------------------------------------------------------+ 
| Grants for [email protected]                           | 
+---------------------------------------------------------------------------------------------------------------------------------------+ 
| GRANT RELOAD, SHOW DATABASES, SUPER ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*2046D2DDAE359F311435E8B4D3776EFE13FB584C' | 
| GRANT ALL PRIVILEGES ON `somedatabase`.* TO 'dbuser'@'localhost'                  | 
| GRANT ALL PRIVILEGES ON `someotherdatabase`.* TO 'dbuser'@'localhost'                 | 
+---------------------------------------------------------------------------------------------------------------------------------------+

雖然任務依然沒有冪等。每一輪都給我:

TASK: [db | Set user privileges] 
********************************************** 
changed: [dbuser] => (item=somedatabase.*:ALL) 
ok: [dbuser] => (item=someotherdatabase.*:ALL) 
changed: [dbuser] => (item=*.*:SUPER,RELOAD,SHOW\ DATABASES)

來源

2014-04-09 10:27:16

+1

感謝提'append_privs' – oblalex

1

沒有必要與竅門列表中,您可以設置多個以斜槓分隔的特權:

- name: Set user privileges 
    mysql_user: 
    user: {{ mysql_user }} 
    password: {{ mysql_password }} 
    state: present 
    priv: 'somedatabase.*:ALL/someotherdatabase.*:ALL/*.*:SUPER,RELOAD,SHOW DATABASES'

或短:

- name: Set user privileges 
    mysql_user: user={{ mysql_user }} password={{ mysql_password }} state=present priv='somedatabase.*:ALL/someotherdatabase.*:ALL/*.*:SUPER,RELOAD,SHOW DATABASES'

來源

2016-11-15 14:49:57

+0

這絕對是可以的用例之一,但我需要授予的某些數據庫權限列表和一個超集一些其他特權數據庫。你的方法會導致重複這些「共享」特權。雖然你的解決方案對於更簡單的情況已經足夠了;)謝謝你的答案! –

相關問題

 相關問題