How to grant MySQL server admin privileges (SUPER, RELOAD, ...) with Ansible?


Is there a way to grant MySQL administrative privileges using the Ansible mysql_user module (or any other module)? I want to set the SUPER, RELOAD and SHOW DATABASES privileges for a user, together with some other database-specific privileges.

The following basic setup works for me:

- name: Set user privileges
  mysql_user:
    user={{ mysql_user }}
    password={{ mysql_password }}
    state=present
    priv={{ item }}
  with_items:
    - 'somedatabase.*:ALL'
    - 'someotherdatabase.*:ALL'

...and the result is:

TASK: [db | Set user privileges]
**********************************************
ok: [dbuser] => (item=somedatabase.*:ALL)
ok: [dbuser] => (item=someotherdatabase.*:ALL)

mysql> show grants for 'dbuser'@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for dbuser@localhost                                                                                   |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*2046D2DDAE359F311435E8B4D3776EFE13FB584C' |
| GRANT ALL PRIVILEGES ON `somedatabase`.* TO 'dbuser'@'localhost'                                              |
| GRANT ALL PRIVILEGES ON `someotherdatabase`.* TO 'dbuser'@'localhost'                                         |
+---------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)

The following setup keeps reporting "changed", and the privileges are not what I expected:

- name: Set user privileges
  mysql_user:
    user={{ mysql_user }}
    password={{ mysql_password }}
    state=present
    priv={{ item }}
  with_items:
    - '*.*:SUPER,RELOAD,SHOW\ DATABASES'
    - 'somedatabase.*:ALL'
    - 'someotherdatabase.*:ALL'

(Repeated) runs give the following result:


TASK: [db | Set user privileges]
**********************************************
ok: [dbuser] => (item=somedatabase.*:ALL)
ok: [dbuser] => (item=someotherdatabase.*:ALL)

mysql> show grants for 'dbuser'@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for dbuser@localhost                                                                                   |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*2046D2DDAE359F311435E8B4D3776EFE13FB584C' |
| GRANT ALL PRIVILEGES ON `somedatabase`.* TO 'dbuser'@'localhost'                                              |
| GRANT ALL PRIVILEGES ON `someotherdatabase`.* TO 'dbuser'@'localhost'                                         |
+---------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)

Does anyone know how to:

  • set the SUPER, RELOAD and SHOW DATABASES admin privileges
  • make the setup idempotent

  • Found out that when I switch the order of the privileges, I can grant the admin privileges mentioned above:

    - name: Set user privileges
      mysql_user:
        user={{ mysql_user }}
        password={{ mysql_password }}
        state=present
        append_privs=yes
        priv={{ item }}
      with_items:
        - 'somedatabase.*:ALL'
        - 'someotherdatabase.*:ALL'
        - '*.*:SUPER,RELOAD,SHOW\ DATABASES'
    
    The privileges are set as expected:

    mysql> show grants for 'dbuser'@'localhost';
    +---------------------------------------------------------------------------------------------------------------------------------------+
    | Grants for dbuser@localhost                                                                                                           |
    +---------------------------------------------------------------------------------------------------------------------------------------+
    | GRANT RELOAD, SHOW DATABASES, SUPER ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*2046D2DDAE359F311435E8B4D3776EFE13FB584C' |
    | GRANT ALL PRIVILEGES ON `somedatabase`.* TO 'dbuser'@'localhost'                                                                      |
    | GRANT ALL PRIVILEGES ON `someotherdatabase`.* TO 'dbuser'@'localhost'                                                                 |
    +---------------------------------------------------------------------------------------------------------------------------------------+
    
    Though the task is still not idempotent. Every run gives me:

    TASK: [db | Set user privileges]
    **********************************************
    changed: [dbuser] => (item=somedatabase.*:ALL)
    ok: [dbuser] => (item=someotherdatabase.*:ALL)
    changed: [dbuser] => (item=*.*:SUPER,RELOAD,SHOW\ DATABASES)
    

    Finally found an elegant solution! First, the privileges should be defined as a list:

    $ cat group_vars/dbservers
    mysql_privileges:
      - 'somedatabase.*:ALL'
      - 'someotherdatabase.*:ALL'
      - '*.*:SUPER,RELOAD,SHOW\ DATABASES'
    
    Then the mysql_user module does not need append_privs; just pass it a privilege string in the following format:

    mydb.*:INSERT,UPDATE/anotherdb.*:SELECT/yetanotherdb.*:ALL

    The only trick is how to turn the list into a string:

    - name: Set user privileges
      mysql_user:
        user={{ mysql_user }}
        password={{ mysql_password }}
        state=present
        priv={{ mysql_privileges|join('/') }}
    
    Repeated runs of the task no longer report "changed":
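
The comparison behind the "changed"/"ok" decision, as an added example (not code from the question, from any of the answers, or from the Ansible mysql_user module itself): it joins the list from group_vars exactly as {{ mysql_privileges|join('/') }} does, parses the resulting db.*:PRIV1,PRIV2/otherdb.*:ALL string back into per-target sets, and diffs that against the SHOW GRANTS rows shown above. The sample rows are constructed from the outputs on this page; the names join_privileges, parse_priv_string, parse_show_grants and privilege_diff are this example's own. Python is used because it is the language Ansible and its modules are written in.

```python
"""Check a mysql_user-style privilege string against SHOW GRANTS output.

Added example, not code from the page or from Ansible's mysql_user module.
"""
import re

# Constructed sample: the list from group_vars/dbservers in the accepted answer.
MYSQL_PRIVILEGES = [
    "somedatabase.*:ALL",
    "someotherdatabase.*:ALL",
    "*.*:SUPER,RELOAD,SHOW\\ DATABASES",  # key=value task syntax needs the escaped space
]

# Constructed sample: SHOW GRANTS rows before the global privileges existed
# (the first output in the question).
SHOW_GRANTS_BEFORE = [
    "GRANT USAGE ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*2046D2DDAE359F311435E8B4D3776EFE13FB584C'",
    "GRANT ALL PRIVILEGES ON `somedatabase`.* TO 'dbuser'@'localhost'",
    "GRANT ALL PRIVILEGES ON `someotherdatabase`.* TO 'dbuser'@'localhost'",
]

# Constructed sample: SHOW GRANTS rows once the grant succeeded (first answer).
SHOW_GRANTS_AFTER = [
    "GRANT RELOAD, SHOW DATABASES, SUPER ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*2046D2DDAE359F311435E8B4D3776EFE13FB584C'",
    "GRANT ALL PRIVILEGES ON `somedatabase`.* TO 'dbuser'@'localhost'",
    "GRANT ALL PRIVILEGES ON `someotherdatabase`.* TO 'dbuser'@'localhost'",
]


def join_privileges(priv_list):
    """Same result as the Jinja expression {{ mysql_privileges|join('/') }}."""
    return "/".join(priv_list)


def normalize(privs):
    """Canonicalise privilege names so both sides compare equal.

    Drops the backslash escape from key=value syntax, collapses case and
    whitespace, maps 'ALL PRIVILEGES' to 'ALL' and removes USAGE, which
    MySQL prints when a user holds no privilege at all on a target.
    """
    out = set()
    for p in privs:
        p = " ".join(p.replace("\\", "").upper().split())
        if p == "ALL PRIVILEGES":
            p = "ALL"
        if p and p != "USAGE":
            out.add(p)
    return out


def parse_priv_string(priv_string):
    """Parse 'db.*:P1,P2/db2.*:ALL' into {'db.*': {'P1', 'P2'}, 'db2.*': {'ALL'}}.

    Splits each item on its last ':' so the target is never cut in half.
    Column-level grants such as 'SELECT (col)' are not handled here.
    """
    desired = {}
    for item in priv_string.split("/"):
        target, sep, privs = item.rpartition(":")
        if not sep or not target:
            raise ValueError("malformed privilege spec: %r" % item)
        desired[target] = normalize(privs.split(","))
    return desired


# 'GRANT <privs> ON <target> TO ...'; any trailing IDENTIFIED BY clause is ignored.
_GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<target>\S+) TO ")


def parse_show_grants(rows):
    """Turn SHOW GRANTS rows into the same {target: set(privs)} shape."""
    granted = {}
    for row in rows:
        m = _GRANT_RE.match(row)
        if not m:
            continue
        target = m.group("target").replace("`", "")
        privs = normalize(m.group("privs").split(","))
        if privs:
            granted[target] = granted.get(target, set()) | privs
    return granted


def privilege_diff(desired, granted):
    """Return (missing, extra) per target; both empty means there is nothing to change."""
    missing, extra = {}, {}
    for target in set(desired) | set(granted):
        want = desired.get(target, set())
        have = granted.get(target, set())
        if want - have:
            missing[target] = want - have
        if have - want:
            extra[target] = have - want
    return missing, extra


if __name__ == "__main__":
    desired = parse_priv_string(join_privileges(MYSQL_PRIVILEGES))
    for label, rows in (("before", SHOW_GRANTS_BEFORE), ("after", SHOW_GRANTS_AFTER)):
        missing, extra = privilege_diff(desired, parse_show_grants(rows))
        print(label, "missing:", missing, "extra:", extra)
```

Comparing sets rather than strings is what makes the check insensitive to ordering: SHOW GRANTS prints RELOAD, SHOW DATABASES, SUPER while the task says SUPER,RELOAD,SHOW DATABASES, and a literal string comparison would report "changed" on every run. Run against a real SHOW GRANTS dump, the same diff doubles as a post-deployment audit: anything in extra is a privilege the account holds that the play never asked for, and a global grant such as SUPER on *.* is the kind of entry worth reviewing.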


    Without the list trick, you can set multiple privileges separated by slashes:

    - name: Set user privileges
      mysql_user:
        user: "{{ mysql_user }}"          # Jinja expressions must be quoted in YAML dict form
        password: "{{ mysql_password }}"
        state: present
        priv: 'somedatabase.*:ALL/someotherdatabase.*:ALL/*.*:SUPER,RELOAD,SHOW DATABASES'
    
    Or shorter:

    - name: Set user privileges
      mysql_user: user={{ mysql_user }}
        password={{ mysql_password }}
        state=present
        priv='somedatabase.*:ALL/someotherdatabase.*:ALL/*.*:SUPER,RELOAD,SHOW DATABASES'
    

    Thanks for mentioning append_privs; it is certainly a use case, but I need to grant a list of privileges for some databases and a set of super privileges for some other databases. Your approach would lead to duplicating these "shared" privileges. Though your solution is good enough for simpler cases ;) Thanks for your answer!