Added new return status fields and support for multiple keyspaces for cassandra_grant #4

Open
wants to merge 3 commits into
base: master
6 changes: 4 additions & 2 deletions example-tasks/main.yml
Expand Up @@ -22,7 +22,9 @@
mode: grant # ["grant", "revoke"]
role: x_role
permission: all # ["all", "alter", "drop", "select", "modify", "authorise", "describe", "execute"]
keyspace: "mykeyspace"
keyspace:
- mykeyspace1
- mykeyspace2
all_keyspaces: "False"

- name: grant roles to users (aka roles to roles)
Expand All @@ -33,4 +35,4 @@

login_hosts: localhost
login_user: cassandra
login_password: cassandra
login_password: cassandra
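Review bot: The example task still passes the list under `keyspace:`, but the argument spec in library/cassandra_grant.py in this same change declares the option as `keyspaces`, with no alias visible, so this example would presumably be rejected as an unsupported parameter. Rename the key to `keyspaces:` here, or add `'aliases': ['keyspace']` to the spec entry so existing playbooks keep working. The task this key belongs to starts above the hunk.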
40 changes: 24 additions & 16 deletions library/cassandra_grant.py
Expand Up @@ -19,12 +19,12 @@
- what permission to grant
required: true
choices: ["all", "create", "alter", "drop", "select", "modify", "authorize"]
keyspace:
keyspaces:
description:
- required if `all_keyspaces` == false
- ignored if `inherit_role` is set
required: false
default: false
default: []
all_keyspaces:
description:
- if true, `on` is ignored and the `what` is granted to all keyspaces
Expand Down Expand Up @@ -74,7 +74,7 @@
- cassandra_grant: permission='select' all_keyspaces=True role=read_only login_hosts=localhost login_pass=cassandra login_user=cassandra

# Revoke modify permission to foo keyspace
- cassandra_grant: mode=revoke permission=modify keyspace=foo role=no_modify_foo login_hosts=localhost login_pass=cassandra login_user=cassandra
- cassandra_grant: mode=revoke permission=modify keyspaces=[foo,bar] role=no_modify_foo login_hosts=localhost login_pass=cassandra login_user=cassandra

# Inherit roles
- cassandra_grant: mode=grant inherit_role=read_only role=my_user_role login_hosts=localhost login_pass=cassandra login_user=cassandra
Expand Down Expand Up @@ -141,7 +141,7 @@ def assign_role(session, check_mode, is_revoke, inherit_role, role):
return True


def grant_role_permission(session, in_check_mode, is_revoke, permission, all_keyspaces, keyspace, role):
def grant_role_permission(session, in_check_mode, is_revoke, permission, all_keyspaces, keyspaces, role):
permission = permission.upper()
if is_revoke and all_keyspaces:
# revoking for all keyspaces
Expand All @@ -151,10 +151,18 @@ def grant_role_permission(session, in_check_mode, is_revoke, permission, all_key
query = GRANT_PERMISSION_TO_ROLE_FOR_ALL_KESYPACES_FORMAT.format(permission=permission)
elif is_revoke:
# revoking for a specific keyspace
query = REVOKE_PERMISSION_FROM_ROLE_FOR_KESYPACE_FORMAT.format(permission=permission, keyspace=keyspace)
for keyspace in keyspaces:
query = REVOKE_PERMISSION_FROM_ROLE_FOR_KESYPACE_FORMAT.format(permission=permission, keyspace=keyspace)
if not in_check_mode:
session.execute(query, {'role': role})
return True
else:
# granting for a specific keyspace
query = GRANT_PERMISSION_TO_ROLE_FOR_KESYPACE_FORMAT.format(permission=permission, keyspace=keyspace)
for keyspace in keyspaces:
query = GRANT_PERMISSION_TO_ROLE_FOR_KESYPACE_FORMAT.format(permission=permission, keyspace=keyspace)
if not in_check_mode:
session.execute(query, {'role': role})
return True

if not in_check_mode:
session.execute(query, {'role': role})
Expand All @@ -163,10 +171,10 @@ def grant_role_permission(session, in_check_mode, is_revoke, permission, all_key
return True


def grant_access(session, in_check_mode, permission, role, inherit_role, keyspace, all_keyspaces, mode):
if keyspace and all_keyspaces:
def grant_access(session, in_check_mode, permission, role, inherit_role, keyspaces, all_keyspaces, mode):
if keyspaces and all_keyspaces:
raise Exception("Specify a keyspace or all keyspaces, not both")
if keyspace and inherit_role:
if keyspaces and inherit_role:
raise Exception("If you are inheriting a role you can't specify a keyspace")
if all_keyspaces and inherit_role:
raise Exception("If you are inheriting a role you can't specify all keyspaces")
Expand All @@ -177,7 +185,7 @@ def grant_access(session, in_check_mode, permission, role, inherit_role, keyspac
if inherit_role:
return assign_role(session, in_check_mode, is_revoke, inherit_role, role)
else:
return grant_role_permission(session, in_check_mode, is_revoke, permission, all_keyspaces, keyspace, role)
return grant_role_permission(session, in_check_mode, is_revoke, permission, all_keyspaces, keyspaces, role)


def main():
Expand Down Expand Up @@ -212,10 +220,10 @@ def main():
'required': False,
'default': None
},
'keyspace': {
'keyspaces': {
'required': False,
'default': None,
'type': 'str'
'default': [],
'type': 'list'
},
'all_keyspaces': {
'default': False,
Expand All @@ -235,7 +243,7 @@ def main():
permission = module.params["permission"]
role = module.params["role"]
inherit_role = module.params["inherit_role"]
keyspace = module.params["keyspace"]
keyspaces = module.params["keyspaces"]
all_keyspaces = module.params["all_keyspaces"]
mode = module.params["mode"]

Expand All @@ -249,7 +257,7 @@ def main():
cluster = Cluster(login_hosts, port=login_port)
else:
auth_provider = PlainTextAuthProvider(username=login_user, password=login_password)
cluster = Cluster(login_hosts, auth_provider=auth_provider, protocol_version=2, port=login_port)
cluster = Cluster(login_hosts, auth_provider=auth_provider, protocol_version=3, port=login_port)
session = cluster.connect()
session.row_factory = dict_factory
except Exception, e:
Expand All @@ -258,7 +266,7 @@ def main():
% e)

try:
changed = grant_access(session, module.check_mode, permission, role, inherit_role, keyspace, all_keyspaces,
changed = grant_access(session, module.check_mode, permission, role, inherit_role, keyspaces, all_keyspaces,
mode)
except Exception, e:
module.fail_json(msg=str(e))
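Review bot: In `grant_role_permission`, each entry of `keyspaces` is substituted into the CQL text with `.format(permission=permission, keyspace=keyspace)` while only `role` is passed as a bound value, so a list element that is not a plain identifier changes the statement that runs under the login account. Check every name before the first `session.execute`, for example `if not re.match(r'^[A-Za-z][A-Za-z0-9_]*$', keyspace): raise Exception("invalid keyspace name: %s" % keyspace)`; this needs `re` in scope, and the format constants are outside the hunk, so whether they already quote the identifier should be confirmed. Validating the whole list up front also avoids stopping halfway with some grants applied and others not. An empty `keyspaces` with `all_keyspaces` false appears to skip both loops and still return `True`; a check for that may exist in the collapsed part of `grant_access`, but it is not visible here.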
17 changes: 13 additions & 4 deletions library/cassandra_role.py
Expand Up @@ -21,7 +21,7 @@
alias: role
password:
description:
- Set the role's password. Setting password will always elicit a 'change' (even if is the same).
- Set the role's password.
required: true
superuser:
description:
Expand Down Expand Up @@ -106,7 +106,11 @@ def role_save(session, check_mode, name, password, can_login, is_superuser):
do_save(session, existing_role, is_superuser, name, password, can_login)

new_user = get_role(session, name)
return bool(new_user != existing_role)

if bool(password):
return not bool(existing_role)
else:
return bool(new_user != existing_role)


def do_save(session, existing_role, is_superuser, name, password, can_login):
Expand Down Expand Up @@ -199,15 +203,19 @@ def main():

else:
auth_provider = PlainTextAuthProvider(username=login_user, password=login_password)
cluster = Cluster(login_hosts, auth_provider=auth_provider, protocol_version=2, port=login_port)
cluster = Cluster(login_hosts, auth_provider=auth_provider, protocol_version=3, port=login_port)
session = cluster.connect()
session.row_factory = dict_factory
except Exception, e:
module.fail_json(
msg="unable to connect to cassandra, check login_user and login_password are correct. Exception message: %s"
% e)

new_role = not bool(get_role(session, name))

if state == "present":
if new_role:
changed = True
try:
changed = role_save(session, module.check_mode, name, password, enable_login, superuser)
except Exception, e:
Expand All @@ -217,7 +225,8 @@ def main():
changed = role_delete(session, module.check_mode, name)
except Exception, e:
module.fail_json(msg=str(e))
module.exit_json(changed=changed, name=name)

module.exit_json(changed=changed, role=name, new_role=new_role )


from ansible.module_utils.basic import *
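Review bot: In `role_save`, the new `if bool(password): return not bool(existing_role)` branch reports `changed` only when the role did not exist before, so for an existing role a change to superuser or login status, or a real password rotation, is reported as unchanged whenever a password is supplied (and the module docs mark `password` as required). Anything that audits privilege changes from the task result would miss them. Consider comparing the non-password attributes of `existing_role` and `new_user` in that branch instead of returning early; the shape of what `get_role` returns is outside the hunk. In `main`, `if new_role: changed = True` appears to be overwritten by the `role_save` result in the statement that follows, and `new_role = not bool(get_role(session, name))` runs outside any `try`, so a query failure there would not be reported through `module.fail_json`.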