--- /dev/null
+Facter.add("mysql_exists") do
+ ENV["PATH"]="/bin:/sbin:/usr/bin:/usr/sbin"
+
+ setcode do
+ mysqlexists = system "which mysql > /dev/null 2>&1"
+ ($?.exitstatus == 0)
+ end
+end
--- /dev/null
+# hash a string as mysql's "PASSWORD()" function would do it
+require 'digest/sha1'
+
+module Puppet::Parser::Functions
+ newfunction(:mysql_password, :type => :rvalue) do |args|
+ '*' + Digest::SHA1.hexdigest(Digest::SHA1.digest(args[0])).upcase
+ end
+end
+
--- /dev/null
+require 'puppet/provider/package'
+
+Puppet::Type.type(:mysql_database).provide(:mysql,
+ :parent => Puppet::Provider::Package) do
+
+ desc "Use mysql as database."
+ commands :mysqladmin => '/usr/bin/mysqladmin'
+ commands :mysql => '/usr/bin/mysql'
+
+ # retrieve the current set of mysql users
+ def self.instances
+ dbs = []
+
+ cmd = "#{command(:mysql)} mysql -NBe 'show databases'"
+ execpipe(cmd) do |process|
+ process.each do |line|
+ dbs << new( { :ensure => :present, :name => line.chomp } )
+ end
+ end
+ return dbs
+ end
+
+ def query
+ result = {
+ :name => @resource[:name],
+ :ensure => :absent
+ }
+
+ cmd = "#{command(:mysql)} mysql -NBe 'show databases'"
+ execpipe(cmd) do |process|
+ process.each do |line|
+ if line.chomp.eql?(@resource[:name])
+ result[:ensure] = :present
+ end
+ end
+ end
+ result
+ end
+
+ def create
+ mysqladmin "create", @resource[:name]
+ end
+ def destroy
+ mysqladmin "-f", "drop", @resource[:name]
+ end
+
+ def exists?
+ if mysql("mysql", "-NBe", "show databases").match(/^#{@resource[:name]}$/)
+ true
+ else
+ false
+ end
+ end
+end
+
--- /dev/null
+# A grant is either global or per-db. This can be distinguished by the syntax
+# of the name:
+# user@host => global
+# user@host/db => per-db
+
+require 'puppet/provider/package'
+
+MYSQL_USER_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv,
+ :create_priv, :drop_priv, :reload_priv, :shutdown_priv, :process_priv,
+ :file_priv, :grant_priv, :references_priv, :index_priv, :alter_priv,
+ :show_db_priv, :super_priv, :create_tmp_table_priv, :lock_tables_priv,
+ :execute_priv, :repl_slave_priv, :repl_client_priv, :create_view_priv,
+ :show_view_priv, :create_routine_priv, :alter_routine_priv,
+ :create_user_priv
+]
+
+MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv,
+ :create_priv, :drop_priv, :grant_priv, :references_priv, :index_priv,
+ :alter_priv, :create_tmp_table_priv, :lock_tables_priv, :create_view_priv,
+ :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv
+]
+
+Puppet::Type.type(:mysql_grant).provide(:mysql) do
+
+ desc "Uses mysql as database."
+
+ commands :mysql => '/usr/bin/mysql'
+ commands :mysqladmin => '/usr/bin/mysqladmin'
+
+ def mysql_flush
+ mysqladmin "flush-privileges"
+ end
+
+ # this parses the
+ def split_name(string)
+ matches = /^([^@]*)@([^\/]*)(\/(.*))?$/.match(string).captures.compact
+ case matches.length
+ when 2
+ {
+ :type => :user,
+ :user => matches[0],
+ :host => matches[1]
+ }
+ when 4
+ {
+ :type => :db,
+ :user => matches[0],
+ :host => matches[1],
+ :db => matches[3]
+ }
+ end
+ end
+
+ def create_row
+ unless @resource.should(:privileges).empty?
+ name = split_name(@resource[:name])
+ case name[:type]
+ when :user
+ mysql "mysql", "-e", "INSERT INTO user (host, user) VALUES ('%s', '%s')" % [
+ name[:host], name[:user],
+ ]
+ when :db
+ mysql "mysql", "-e", "INSERT INTO db (host, user, db) VALUES ('%s', '%s', '%s')" % [
+ name[:host], name[:user], name[:db],
+ ]
+ end
+ mysql_flush
+ end
+ end
+
+ def destroy
+ mysql "mysql", "-e", "REVOKE ALL ON '%s'.* FROM '%s@%s'" % [ @resource[:privileges], @resource[:database], @resource[:name], @resource[:host] ]
+ end
+
+ def row_exists?
+ name = split_name(@resource[:name])
+ fields = [:user, :host]
+ if name[:type] == :db
+ fields << :db
+ end
+ not mysql( "mysql", "-NBe", 'SELECT "1" FROM %s WHERE %s' % [ name[:type], fields.map do |f| "%s = '%s'" % [f, name[f]] end.join(' AND ')]).empty?
+ end
+
+ def all_privs_set?
+ all_privs = case split_name(@resource[:name])[:type]
+ when :user
+ MYSQL_USER_PRIVS
+ when :db
+ MYSQL_DB_PRIVS
+ end
+ all_privs = all_privs.collect do |p| p.to_s end.sort.join("|")
+ privs = privileges.collect do |p| p.to_s end.sort.join("|")
+
+ all_privs == privs
+ end
+
+ def privileges
+ name = split_name(@resource[:name])
+ privs = ""
+
+ case name[:type]
+ when :user
+ privs = mysql "mysql", "-Be", 'select * from user where user="%s" and host="%s"' % [ name[:user], name[:host] ]
+ when :db
+ privs = mysql "mysql", "-Be", 'select * from db where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ]
+ end
+
+ if privs.match(/^$/)
+ privs = [] # no result, no privs
+ else
+ # returns a line with field names and a line with values, each tab-separated
+ privs = privs.split(/\n/).map! do |l| l.chomp.split(/\t/) end
+ # transpose the lines, so we have key/value pairs
+ privs = privs[0].zip(privs[1])
+ privs = privs.select do |p| p[0].match(/_priv$/) and p[1] == 'Y' end
+ end
+
+ privs.collect do |p| symbolize(p[0].downcase) end
+ end
+
+ def privileges=(privs)
+ unless row_exists?
+ create_row
+ end
+
+ # puts "Setting privs: ", privs.join(", ")
+ name = split_name(@resource[:name])
+ stmt = ''
+ where = ''
+ all_privs = []
+ case name[:type]
+ when :user
+ stmt = 'update user set '
+ where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ]
+ all_privs = MYSQL_USER_PRIVS
+ when :db
+ stmt = 'update db set '
+ where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ]
+ all_privs = MYSQL_DB_PRIVS
+ end
+
+ if privs[0] == :all
+ privs = all_privs
+ end
+
+ # puts "stmt:", stmt
+ set = all_privs.collect do |p| "%s = '%s'" % [p, privs.include?(p) ? 'Y' : 'N'] end.join(', ')
+ # puts "set:", set
+ stmt = stmt << set << where
+
+ mysql "mysql", "-Be", stmt
+ mysql_flush
+ end
+end
+
--- /dev/null
+require 'puppet/provider/package'
+
+Puppet::Type.type(:mysql_user).provide(:mysql,
+ # T'is funny business, this code is quite generic
+ :parent => Puppet::Provider::Package) do
+
+ desc "Use mysql as database."
+ commands :mysql => '/usr/bin/mysql'
+ commands :mysqladmin => '/usr/bin/mysqladmin'
+
+ # retrieve the current set of mysql users
+ def self.instances
+ users = []
+
+ cmd = "#{command(:mysql)} mysql -NBe 'select concat(user, \"@\", host), password from user'"
+ execpipe(cmd) do |process|
+ process.each do |line|
+ users << new( query_line_to_hash(line) )
+ end
+ end
+ return users
+ end
+
+ def self.query_line_to_hash(line)
+ fields = line.chomp.split(/\t/)
+ {
+ :name => fields[0],
+ :password_hash => fields[1],
+ :ensure => :present
+ }
+ end
+
+ def mysql_flush
+ mysqladmin "flush-privileges"
+ end
+
+ def query
+ result = {}
+
+ cmd = "#{command(:mysql)} -NBe 'select concat(user, \"@\", host), password from user where concat(user, \"@\", host) = \"%s\"'" % @resource[:name]
+ execpipe(cmd) do |process|
+ process.each do |line|
+ unless result.empty?
+ raise Puppet::Error,
+ "Got multiple results for user '%s'" % @resource[:name]
+ end
+ result = query_line_to_hash(line)
+ end
+ end
+ result
+ end
+
+ def create
+ mysql "mysql", "-e", "create user '%s' identified by PASSWORD '%s'" % [ @resource[:name].sub("@", "'@'"), @resource.should(:password_hash) ]
+ mysql_flush
+ end
+
+ def destroy
+ mysql "mysql", "-e", "drop user '%s'" % @resource[:name].sub("@", "'@'")
+ mysql_flush
+ end
+
+ def exists?
+ not mysql("mysql", "-NBe", "select '1' from user where CONCAT(user, '@', host) = '%s'" % @resource[:name]).empty?
+ end
+
+ def password_hash
+ @property_hash[:password_hash]
+ end
+
+ def password_hash=(string)
+ mysql "mysql", "-e", "SET PASSWORD FOR '%s' = '%s'" % [ @resource[:name].sub("@", "'@'"), string ]
+ mysql_flush
+ end
+end
+
--- /dev/null
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:mysql_database) do
+ @doc = "Manage a database."
+ ensurable
+ newparam(:name) do
+ desc "The name of the database."
+
+ # TODO: only [[:alnum:]_] allowed
+ end
+end
+
--- /dev/null
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:mysql_grant) do
+ @doc = "Manage a database user's rights."
+ #ensurable
+
+ autorequire :mysql_db do
+ # puts "Starting db autoreq for %s" % self[:name]
+ reqs = []
+ matches = self[:name].match(/^([^@]+)@([^\/]+)\/(.+)$/)
+ unless matches.nil?
+ reqs << matches[3]
+ end
+ # puts "Autoreq: '%s'" % reqs.join(" ")
+ reqs
+ end
+
+ autorequire :mysql_user do
+ # puts "Starting user autoreq for %s" % self[:name]
+ reqs = []
+ matches = self[:name].match(/^([^@]+)@([^\/]+).*$/)
+ unless matches.nil?
+ reqs << "%s@%s" % [ matches[1], matches[2] ]
+ end
+ # puts "Autoreq: '%s'" % reqs.join(" ")
+ reqs
+ end
+
+ newparam(:name) do
+ desc "The primary key: either user@host for global privilges or user@host/database for database specific privileges"
+ end
+ newproperty(:privileges, :array_matching => :all) do
+ desc "The privileges the user should have. The possible values are implementation dependent."
+ munge do |v|
+ symbolize(v)
+ end
+
+ def should_to_s(newvalue = @should)
+ if newvalue
+ unless newvalue.is_a?(Array)
+ newvalue = [ newvalue ]
+ end
+ newvalue.collect do |v| v.to_s end.sort.join ", "
+ else
+ nil
+ end
+ end
+
+ def is_to_s(currentvalue = @is)
+ if currentvalue
+ unless currentvalue.is_a?(Array)
+ currentvalue = [ currentvalue ]
+ end
+ currentvalue.collect do |v| v.to_s end.sort.join ", "
+ else
+ nil
+ end
+ end
+
+ # use the sorted outputs for comparison
+ def insync?(is)
+ if defined? @should and @should
+ case self.should_to_s
+ when "all"
+ self.provider.all_privs_set?
+ when self.is_to_s(is)
+ true
+ else
+ false
+ end
+ else
+ true
+ end
+ end
+
+ end
+end
+
--- /dev/null
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:mysql_user) do
+ @doc = "Manage a database user."
+ ensurable
+ newparam(:name) do
+ desc "The name of the user. This uses the 'username@hostname' form."
+
+ validate do |value|
+ if value.split('@').first.size > 16
+ raise ArgumentError,
+ "MySQL usernames are limited to a maximum of 16 characters"
+ else
+ super
+ end
+ end
+ end
+
+ newproperty(:password_hash) do
+ desc "The password hash of the user. Use mysql_password() for creating such a hash."
+ end
+end
+
--- /dev/null
+
+err("Will create 'test_db'")
+mysql_database { "test_db": ensure => present }
+
--- /dev/null
+
+err("Will create user 'test_user@%' with password 'blah'")
+
+mysql_user{ "test_user@%":
+ password_hash => mysql_password("blah"),
+ ensure => present
+}
--- /dev/null
+
+err("Changing password for user 'test_user@%'")
+mysql_user{ "test_user@%":
+ password_hash => mysql_password("foo"),
+ ensure => present
+}
--- /dev/null
+err("Grant SELECT, INSERT and UPDATE to test_user@%")
+
+mysql_grant {
+ "test_user@%":
+ privileges => [ "select_priv", 'insert_priv', 'update_priv' ],
+ tag => test;
+}
+
+
--- /dev/null
+err("Revoke UPDATE from test_user@%")
+
+mysql_grant {
+ "test_user@%":
+ privileges => [ "select_priv", 'insert_priv' ],
+}
+
+
--- /dev/null
+err("Grant DELETE to test_user@%")
+
+mysql_grant {
+ "test_user@%":
+ privileges => [ "select_priv", 'insert_priv', 'delete_priv' ],
+}
+
+
--- /dev/null
+err("Replace DELETE with UPDATE grant for test_user@%")
+
+mysql_grant {
+ "test_user@%":
+ privileges => [ "select_priv", 'insert_priv', 'update_priv' ],
+}
+
+
--- /dev/null
+err("Change the order of the defined privileges")
+
+mysql_grant {
+ "test_user@%":
+ privileges => [ "update_priv", 'insert_priv', 'select_priv' ],
+}
+
+
--- /dev/null
+err("Create a db grant")
+
+mysql_grant {
+ "test_user@%test_db":
+ privileges => [ "select_priv", 'insert_priv', 'update_priv' ],
+ tag => test;
+}
+
+
--- /dev/null
+err("Revoke UPDATE from test_user@%test_db")
+
+mysql_grant {
+ "test_user@%test_db":
+ privileges => [ "select_priv", 'insert_priv'],
+}
+
+
--- /dev/null
+err("Grant DELETE to test_user@%test_db")
+
+mysql_grant {
+ "test_user@%test_db":
+ privileges => [ "select_priv", 'insert_priv', 'delete_priv'],
+}
+
+
--- /dev/null
+err("Change DELETE to UPDATE privilege for test_user@%test_db")
+
+mysql_grant {
+ "test_user@%test_db":
+ privileges => [ "select_priv", 'insert_priv', 'update_priv'],
+}
+
+
--- /dev/null
+err("Change privilege order")
+
+mysql_grant {
+ "test_user@%test_db":
+ privileges => [ "update_priv", 'insert_priv', 'select_priv'],
+}
+
+
--- /dev/null
+err("Grant ALL to test_user@%")
+
+mysql_grant {
+ "test_user@%":
+ privileges => all
+}
+
+
--- /dev/null
+err("Grant ALL to test_user@%/test_db")
+
+mysql_grant {
+ "test_user@%/test_db":
+ privileges => all
+}
+
+
--- /dev/null
+err("Remove the db grant")
+
+mysql_grant { "test_user@%test_db": privileges => [ ] }
+
+
--- /dev/null
+err("Removing the user grant")
+
+mysql_grant { "test_user@%": privileges => [] }
+
+
--- /dev/null
+
+err("Removing user 'test_user@%'")
+mysql_user{ "test_user@%": ensure => absent }
--- /dev/null
+err("Will remove 'test_db'")
+mysql_database { "test_db": ensure => absent }
+
--- /dev/null
+Execute these testfile in asciibetical order to check the functioning of the
+types and providers.
+
+They try to create databases, users, grants, check for their existance, change
+attributes, and remove them again.
+
--- /dev/null
+#!/bin/bash
+
+export RUBYLIB=${RUBYLIB:-../plugins}
+OPTIONS="$*"
+OPTIONS="${OPTIONS:---trace}"
+
+find -iname \*.pp | sort | while read current; do
+ echo "Running $current"
+ puppet $OPTIONS $current
+ echo "Running $current again"
+ puppet $OPTIONS $current
+ echo
+done
projects / puppet-mysql.git / commitdiff