ansible-collections/community.mysql

Privilege target does not accept template strings

mcclory opened this issue · 1 comments

SUMMARY

When creating a user with a database, I am unable to use a jinja/ansible string template to fill in the left-hand portion (target) for the privileges to be assigned.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

community.mysql.mysql_user

ANSIBLE VERSION
ansible [core 2.14.4]
  config file = /home/pmdev/Dev/openstack-basic/ansible.cfg
  configured module search path = ['/home/pmdev/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/pmdev/.cache/pypoetry/virtualenvs/openstack-basic-ycHJs1Yi-py3.10/lib/python3.10/site-packages/ansible
  ansible collection location = /home/pmdev/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/pmdev/.cache/pypoetry/virtualenvs/openstack-basic-ycHJs1Yi-py3.10/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/home/pmdev/.cache/pypoetry/virtualenvs/openstack-basic-ycHJs1Yi-py3.10/bin/python)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION
# /home/pmdev/.cache/pypoetry/virtualenvs/openstack-basic-ycHJs1Yi-py3.10/lib/python3.10/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 6.5.0

CONFIGURATION
ANSIBLE_PIPELINING(/home/pmdev/Dev/openstack-basic/ansible.cfg) = True
CACHE_PLUGIN(/home/pmdev/Dev/openstack-basic/ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/home/pmdev/Dev/openstack-basic/ansible.cfg) = ./_facts
CACHE_PLUGIN_TIMEOUT(/home/pmdev/Dev/openstack-basic/ansible.cfg) = 86400
CONFIG_FILE() = /home/pmdev/Dev/openstack-basic/ansible.cfg
DEFAULT_FORKS(/home/pmdev/Dev/openstack-basic/ansible.cfg) = 500
DEFAULT_GATHERING(/home/pmdev/Dev/openstack-basic/ansible.cfg) = smart
DEFAULT_HASH_BEHAVIOUR(/home/pmdev/Dev/openstack-basic/ansible.cfg) = merge
HOST_KEY_CHECKING(/home/pmdev/Dev/openstack-basic/ansible.cfg) = False
RETRY_FILES_ENABLED(/home/pmdev/Dev/openstack-basic/ansible.cfg) = True
RETRY_FILES_SAVE_PATH(/home/pmdev/Dev/openstack-basic/ansible.cfg) = /home/pmdev/Dev/openstack-basic

OS / ENVIRONMENT

Distributor ID: Ubuntu
Description: Ubuntu 22.04.2 LTS
Release: 22.04
Codename: jammy
Dual Broadcom 10g nics in lacp bond for 20gbps
Additional hardware details here: https://gist.github.com/mcclory/fdbfb031a7bda537612496f60d7d1844

STEPS TO REPRODUCE

For this task, assuming that the keystone var has a db_user and db_name value (verified on my end):

- hosts: controller
  become: true
  vars: 
    mariadb: 
      version: 10.11
    keystone:
      db_name: keystone
      db_user: keystone
      db_password: not an actual password
  tasks:
    - name: add mariadb apt key
      ansible.builtin.apt_key:
        url: https://mariadb.org/mariadb_release_signing_key.asc
    - name: add mariadb repo
      ansible.builtin.apt_repository:
        repo: "deb [arch=amd64] http://mariadb.mirror.globo.tech/repo/{{ mariadb.version }}/ubuntu {{ ansible_distribution_release }} main"
        update_cache: true
    - name: install mariadb
      ansible.builtin.apt:
        update_cache: true
        name:
          - mariadb-server
          - python3-pymysql
        state: latest
    - name: create keystone database
      community.mysql.mysql_db:
        login_unix_socket: /run/mysqld/mysqld.sock
        name: "{{ keystone.db_name|default('keystone') }}"
        state: present
    - name: create keystone user
      community.mysql.mysql_user:
        login_unix_socket: /run/mysqld/mysqld.sock
        name: "{{ keystone.db_user|default('keystone') }}"
        host: '%'
        password: "{{ keystone.db_password }}"
        priv:
          "{{ keystone.db_name|default('keystone') }}.*": "ALL"

EXPECTED RESULTS

I'd expected all string inputs to comply with ansible's standard string formatting structure/capabilities.

ACTUAL RESULTS

I get the following privileges configured in my instance of mariadb:

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.000 sec)

MariaDB [(none)]> show grants for 'keystone'@'%';
+---------------------------------------------------------------------------------------------------------+
| Grants for keystone@%                                                                                   |
+---------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `keystone`@`%` IDENTIFIED BY PASSWORD '*B9C8E35D1A6C3A16CEBC4D95C7BC1C8B3BF66A11' |
| GRANT ALL PRIVILEGES ON `{{ keystone.db_name|default('keystone') }}`.* TO `keystone`@`%`                |
+---------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)

@mcclory hello, thanks for reporting the issue! Once someone has time to investigate the case, they'll take a look. I'll put the help_wanted label.
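
Ansible renders Jinja expressions in the values of a module argument but not in dictionary keys, which is why the grant in the report lands on a database literally named after the expression. The play below is an added example, not code from the issue or from the collection's maintainers: it passes `priv` in the module's string form so the target is rendered, then reads the grants back and checks them. Variable names follow the report; the `grants` register name is an assumption.

```yaml
# Added example. Variable names follow the report; `grants` is an assumed name.
- hosts: controller
  become: true
  vars:
    keystone:
      db_name: keystone
      db_user: keystone
      db_password: not an actual password   # placeholder, as in the report
  tasks:
    - name: create keystone user with a templated privilege target
      community.mysql.mysql_user:
        login_unix_socket: /run/mysqld/mysqld.sock
        name: "{{ keystone.db_user | default('keystone') }}"
        host: '%'
        password: "{{ keystone.db_password }}"
        # String form "db.table:PRIV": the whole argument is a value, so the
        # Jinja expression is rendered before the module builds the GRANT.
        # append_privs is left at its default (false), so the module
        # overwrites existing privileges rather than adding to them.
        priv: "{{ keystone.db_name | default('keystone') }}.*:ALL"

    - name: read back the grants for the account
      community.mysql.mysql_query:
        login_unix_socket: /run/mysqld/mysqld.sock
        query: SHOW GRANTS FOR %s@%s
        positional_args:
          - "{{ keystone.db_user | default('keystone') }}"
          - '%'
      register: grants

    - name: fail if any grant target still contains an unrendered template
      ansible.builtin.assert:
        that:
          # The character classes match two literal opening braces without
          # writing a Jinja delimiter inside the condition itself.
          - grants.query_result | string is not search('[{][{]')
        fail_msg: "A privilege target was stored as a literal Jinja expression"
```

The final assertion turns the silent mis-grant shown under ACTUAL RESULTS into a failed run, so an account that lacks access to its intended database, and holds privileges on an unintended name, is caught at deploy time.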