ansible-collections / community.cassandra

Cassandra Ansible Collection
http://galaxy.ansible.com/community/cassandra
GNU General Public License v3.0

cassandra_role is non-idempotent with "ALL PERMISSIONS" #204

Closed acidroper closed 2 years ago

acidroper commented 2 years ago
SUMMARY

When the keyspace_permissions parameter is set to "ALL PERMISSIONS" for a certain keyspace (not for the 'all_keyspaces' key), the result of cassandra_role execution is always "changed". First, it grants the permissions, then it revokes them, then it grants them again, and so on.

ISSUE TYPE
COMPONENT NAME

cassandra_role

ANSIBLE VERSION
ansible [core 2.11.6] 
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/acidroper/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/acidroper/.local/share/virtualenvs/ansible-role-cassandra-McW3PTBC/lib/python3.10/site-packages/ansible
  ansible collection location = /home/acidroper/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/acidroper/.local/share/virtualenvs/ansible-role-cassandra-McW3PTBC/bin/ansible
  python version = 3.10.1 (main, Dec 18 2021, 23:53:45) [GCC 11.1.0]
  jinja version = 3.0.3
  libyaml = True

COLLECTION VERSION

# /home/acidroper/.ansible/collections/ansible_collections
Collection          Version
------------------- -------
community.cassandra 1.1.0

CONFIGURATION

OS / ENVIRONMENT

Host: Manjaro Linux Target: Debian 11

STEPS TO REPRODUCE

Run the task multiple times.

- name: Create a test role
  community.cassandra.cassandra_role:
    name: test_role
    password: p4ssw0rd
    login: true
    keyspace_permissions:
      test_keyspace:
        - "ALL PERMISSIONS"
    state: present
    login_user: cassandra
    login_password: cassandra
    login_host: "{{ ansible_default_ipv4.address }}"
  run_once: true

EXPECTED RESULTS

"changed": false

ACTUAL RESULTS

The first run:

changed: [node0] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "data_centers": null,
            "debug": false,
            "keyspace_permissions": {
                "test_keyspace": [
                    "ALL PERMISSIONS"
                ]
            },
            "login": true,
            "login_host": [
                "172.17.0.2"
            ],
            "login_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "login_port": 9042,
            "login_user": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "name": "test_role",
            "options": null,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "roles": null,
            "state": "present",
            "super_user": false
        }
    },
    "permissions": {
        "grant": [
            "GRANT ALL PERMISSIONS ON KEYSPACE test_keyspace TO test_role"
        ],
        "revoke": [],
        "temp": [
            "ALL PERMISSIONS test_keyspace False"
        ]
    },
    "role": "test_role"
}

The second run:

changed: [node0] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "data_centers": null,
            "debug": false,
            "keyspace_permissions": {
                "test_keyspace": [
                    "ALL PERMISSIONS"
                ]
            },
            "login": true,
            "login_host": [
                "172.17.0.2"
            ],
            "login_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "login_port": 9042,
            "login_user": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "name": "test_role",
            "options": null,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "roles": null,
            "state": "present",
            "super_user": false
        }
    },
    "permissions": {
        "grant": [],
        "revoke": [
            "REVOKE CREATE ON KEYSPACE test_keyspace FROM test_role",
            "REVOKE MODIFY ON KEYSPACE test_keyspace FROM test_role",
            "REVOKE AUTHORIZE ON KEYSPACE test_keyspace FROM test_role",
            "REVOKE SELECT ON KEYSPACE test_keyspace FROM test_role",
            "REVOKE ALTER ON KEYSPACE test_keyspace FROM test_role",
            "REVOKE DROP ON KEYSPACE test_keyspace FROM test_role"
        ],
        "temp": [
            "ALL PERMISSIONS test_keyspace True"
        ]
    },
    "role": "test_role"
}

One more run:

changed: [node0] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "data_centers": null,
            "debug": false,
            "keyspace_permissions": {
                "test_keyspace": [
                    "ALL PERMISSIONS"
                ]
            },
            "login": true,
            "login_host": [
                "172.17.0.2"
            ],
            "login_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "login_port": 9042,
            "login_user": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "name": "test_role",
            "options": null,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "roles": null,
            "state": "present",
            "super_user": false
        }
    },
    "permissions": {
        "grant": [
            "GRANT ALL PERMISSIONS ON KEYSPACE test_keyspace TO test_role"
        ],
        "revoke": [],
        "temp": [
            "ALL PERMISSIONS test_keyspace False"
        ]
    },
    "role": "test_role"
}
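
An added example, not the module's code and not the change in pull request #206: a minimal Python model of why comparing the literal "ALL PERMISSIONS" string with the expanded grants never converges, next to a diff that expands the shorthand first. The six permission names come from the REVOKE statements in the second run above; the function names and the in-memory grant table are assumptions.

```python
# Added illustration: not the cassandra_role source and not the fix from PR #206.
# The six names are the permissions revoked in the second run of the report.
KEYSPACE_PERMISSIONS = frozenset(
    {"CREATE", "MODIFY", "AUTHORIZE", "SELECT", "ALTER", "DROP"})
ALL = "ALL PERMISSIONS"


def expand(requested):
    """Replace the ALL PERMISSIONS shorthand with the concrete permission names."""
    wanted = set()
    for perm in requested:
        perm = perm.strip().upper()
        if perm == ALL:
            wanted |= KEYSPACE_PERMISSIONS
        elif perm in KEYSPACE_PERMISSIONS:
            wanted.add(perm)
        else:
            raise ValueError(f"unknown keyspace permission: {perm!r}")
    return wanted


def diff(requested, current, normalize=True):
    """Return (to_grant, to_revoke); two empty sets mean 'changed: false'."""
    # normalize=False compares the literal strings (assumed model of the bug class).
    wanted = expand(requested) if normalize else set(requested)
    return wanted - set(current), set(current) - wanted


def to_cql(to_grant, to_revoke, keyspace, role):
    """Render the diff as the GRANT/REVOKE statements the task would report."""
    grants = [f"GRANT {p} ON KEYSPACE {keyspace} TO {role}" for p in sorted(to_grant)]
    revokes = [f"REVOKE {p} ON KEYSPACE {keyspace} FROM {role}" for p in sorted(to_revoke)]
    return grants, revokes


def converge(requested, normalize, runs=4):
    """Replay the task against an in-memory grant table (stand-in for Cassandra)."""
    state, history = set(), []
    for _ in range(runs):
        to_grant, to_revoke = diff(requested, state, normalize)
        # The server stores ALL PERMISSIONS as its individual permissions.
        state = (state | expand(to_grant)) - to_revoke
        history.append(bool(to_grant or to_revoke))
    return state, history


if __name__ == "__main__":
    print(converge([ALL], normalize=False))  # changed on every run
    print(converge([ALL], normalize=True))   # changed once, then stable
```

In the literal-comparison mode the modelled role alternates between holding every keyspace permission and holding none, so the effective access depends on how many times the play has run.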

rhysmeister commented 2 years ago

Hello, @acidroper

Thanks for the very detailed report. I've confirmed this as a problem and I'll look into it.

Thanks,

Rhys

rhysmeister commented 2 years ago

Hello @acidroper,

Fix included in https://github.com/ansible-collections/community.cassandra/pull/206

You can see the test cases I've used here https://github.com/ansible-collections/community.cassandra/pull/206/files#diff-f2f13f26302f5d98877b657a6e3c4eda0c3d2e71b229f99f548427fdf55a984a

Rhys

rhysmeister commented 2 years ago

Fix merged.

acidroper commented 2 years ago

Hello @rhysmeister,

Thanks for the fix. Could you please tell me when the new version with the fix will be available on Ansible Galaxy?

rhysmeister commented 2 years ago

Hello @acidroper,

Not sure when I'll get the time exactly but probably not too long. You can get the latest build from here https://github.com/ansible-collections/community.cassandra/releases/tag/latest

Cheers,

Rhys

rhysmeister commented 2 years ago

Release to Galaxy done: https://galaxy.ansible.com/community/cassandra