mysql.grant_exists is not working properly

jakubek commented 10 years ago

Versions and configuration:

[root@i-bb-cubi-mw-11 ~]# salt-minion --version
salt-minion 2014.1.4

root@saltmaster:/srv/salt# salt --version
salt 2014.1.4
root@saltmaster:/srv/salt# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.5 (wheezy)
Release:        7.5
Codename:       wheezy

[root@i-bb-cubi-mw-11 ~]# grep mysql /etc/salt/minion
mysql.default_file: '/root/.my.cnf'
[root@i-bb-cubi-mw-11 ~]# cat /etc/centos-release 
CentOS release 6.5 (Final)

[root@i-bb-cubi-mw-11 ~]# rpm -qa | grep -i mysql
mysql-community-devel-5.5.37-4.el6.x86_64
MySQL-python-1.2.3-0.3.c1.1.el6.x86_64
mysql-community-release-el6-5.noarch
compat-mysql51-5.1.54-1.el6.remi.x86_64
mysql-connector-python-1.1.6-1.el6.remi.noarch
mysql-utilities-1.3.6-1.el6.remi.noarch
mysql-community-libs-5.5.37-4.el6.x86_64
mysql-community-client-5.5.37-4.el6.x86_64
mysql-community-server-5.5.37-4.el6.x86_64
perl-DBD-MySQL-4.013-3.el6.x86_64
mysql-community-common-5.5.37-4.el6.x86_64

root@saltmaster:/srv/salt# salt 'i-bb-*' mysql.grant_exists 'SELECT' 'middleware_server.assass' 'munin' '127.0.0.1'
i-bb-cubi-mw-11:
    True
root@saltmaster:/srv/salt# salt 'i-bb-*' mysql.grant_exists 'SELECT' 'middleware_server.xxxxxxxxxxxxxxxxxxxxxx' 'munin' '127.0.0.1'
i-bb-cubi-mw-11:
    True

Output of those two commands should return False.

root@saltmaster:/srv/salt# salt 'i-bb-*' mysql.user_grants 'munin' '127.0.0.1'
i-bb-cubi-mw-11:
    - GRANT PROCESS, SUPER ON *.* TO 'munin'@'127.0.0.1'
    - GRANT SELECT ON `mysql`.* TO 'munin'@'127.0.0.1'
    - GRANT SELECT ON `middleware_server`.`devices` TO 'munin'@'127.0.0.1'
    - GRANT SELECT ON `middleware_server`.`offers` TO 'munin'@'127.0.0.1'
    - GRANT SELECT ON `middleware_server`.`epgs` TO 'munin'@'127.0.0.1'
    - GRANT SELECT ON `middleware_server`.`npvr_folders` TO 'munin'@'127.0.0.1'
    - GRANT SELECT ON `middleware_server`.`customers` TO 'munin'@'127.0.0.1'
    - GRANT SELECT ON `middleware_server`.`entitlements` TO 'munin'@'127.0.0.1'
    - GRANT SELECT ON `middleware_server`.`npvr_schedules` TO 'munin'@'127.0.0.1'
    - GRANT SELECT ON `middleware_server`.`products` TO 'munin'@'127.0.0.1'

mysql> SHOW GRANTS FOR munin@127.0.0.1;                                                                                                                                                                                                      
+-----------------------------------------------------------------------------------------------------------------------+                                                                                                                    
| Grants for munin@127.0.0.1                                                                                            |                                                                                                                    
+-----------------------------------------------------------------------------------------------------------------------+                                                                                                                    
| GRANT PROCESS, SUPER ON *.* TO 'munin'@'127.0.0.1' IDENTIFIED BY PASSWORD 'XXX' |                                                                                                                    
| GRANT SELECT ON `mysql`.* TO 'munin'@'127.0.0.1'                                                                      |                                                                                                                    
| GRANT SELECT ON `middleware_server`.`devices` TO 'munin'@'127.0.0.1'                                                  |                                                                                                                    
| GRANT SELECT ON `middleware_server`.`offers` TO 'munin'@'127.0.0.1'                                                   |                                                                                                                    
| GRANT SELECT ON `middleware_server`.`epgs` TO 'munin'@'127.0.0.1'                                                     |                                                                                                                    
| GRANT SELECT ON `middleware_server`.`npvr_folders` TO 'munin'@'127.0.0.1'                                             |                                                                                                                    
| GRANT SELECT ON `middleware_server`.`customers` TO 'munin'@'127.0.0.1'                                                |                                                                                                                    
| GRANT SELECT ON `middleware_server`.`entitlements` TO 'munin'@'127.0.0.1'                                             |                                                                                                                    
| GRANT SELECT ON `middleware_server`.`npvr_schedules` TO 'munin'@'127.0.0.1'                                           |                                                                                                                    
| GRANT SELECT ON `middleware_server`.`products` TO 'munin'@'127.0.0.1'                                                 |                                                                                                                    
+-----------------------------------------------------------------------------------------------------------------------+                                                                                                                    
10 rows in set (0.00 sec)

[DEBUG   ] Grant Query generated: GRANT SELECT ON `middleware_server`.`assass` TO %(user)s@%(host)s args {'host': '127.0.0.1', 'user': 'munin'}
[DEBUG   ] Doing query: SELECT User,Host FROM mysql.user WHERE User = %(user)s AND Host = %(host)s args: {'host': '127.0.0.1', 'user': 'munin'} 
[DEBUG   ] Doing query: SHOW GRANTS FOR %(user)s@%(host)s args: {'host': '127.0.0.1', 'user': 'munin'} 
[DEBUG   ] ["GRANT PROCESS, SUPER ON *.* TO 'munin'@'127.0.0.1'", "GRANT SELECT ON `mysql`.* TO 'munin'@'127.0.0.1'", "GRANT SELECT ON `middleware_server`.`devices` TO 'munin'@'127.0.0.1'", "GRANT SELECT ON `middleware_server`.`offers` TO 'munin'@'127.0.0.1'", "GRANT SELECT ON `middleware_server`.`epgs` TO 'munin'@'127.0.0.1'", "GRANT SELECT ON `middleware_server`.`npvr_folders` TO 'munin'@'127.0.0.1'", "GRANT SELECT ON `middleware_server`.`customers` TO 'munin'@'127.0.0.1'", "GRANT SELECT ON `middleware_server`.`entitlements` TO 'munin'@'127.0.0.1'", "GRANT SELECT ON `middleware_server`.`npvr_schedules` TO 'munin'@'127.0.0.1'", "GRANT SELECT ON `middleware_server`.`products` TO 'munin'@'127.0.0.1'"]
[DEBUG   ] _grant_to_tokens entry {'qry': 'GRANT SELECT ON `middleware_server`.`assass` TO %(user)s@%(host)s', 'args': {'host': '127.0.0.1', 'user': 'munin'}}
[DEBUG   ] grant to token 'munin'::'127.0.0.1'::['SELECT']::'`middleware_server`'
[DEBUG   ] _grant_to_tokens entry "GRANT PROCESS, SUPER ON *.* TO 'munin'@'127.0.0.1'"
[DEBUG   ] grant to token 'munin'::'127.0.0.1'::['PROCESS', 'SUPER']::'*'
[DEBUG   ] grants mismatch {'host': '127.0.0.1', 'database': '*', 'user': 'munin', 'grant': ['PROCESS', 'SUPER']}<>{'host': '127.0.0.1', 'database': '`middleware_server`', 'user': 'munin', 'grant': ['SELECT']}
[DEBUG   ] _grant_to_tokens entry "GRANT SELECT ON `mysql`.* TO 'munin'@'127.0.0.1'"
[DEBUG   ] grant to token 'munin'::'127.0.0.1'::['SELECT']::'`mysql`'
[DEBUG   ] grants mismatch {'host': '127.0.0.1', 'database': '`mysql`', 'user': 'munin', 'grant': ['SELECT']}<>{'host': '127.0.0.1', 'database': '`middleware_server`', 'user': 'munin', 'grant': ['SELECT']}
[DEBUG   ] _grant_to_tokens entry "GRANT SELECT ON `middleware_server`.`devices` TO 'munin'@'127.0.0.1'"
[DEBUG   ] grant to token 'munin'::'127.0.0.1'::['SELECT']::'`middleware_server`'

basepi commented 10 years ago

Thanks for the report, well investigate this.

jfindlay commented 9 years ago

@jakubek, do you still have this problem with the latest release of salt (2015.5.3)?

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

saltstack / salt

mysql.grant_exists is not working properly #12967