mysql.user tries to set password on second run with update_password = "on_create" #334
Comments
Hello I looked a bit deeper into the code, plugins/modules/mysql_user.py
in if != always case: password is replaced by "None" in the user_mod() call but "plugin, plugin_hash_string, plugin_auth_string"
I don't get errors anymore.
@hubiongithub hello and welcome to the project!
Good question, I don't know :) @hubiongithub anyway you could continue the investigation.
@rsicart @betanummeric @Jorge-Rodriguez @bmalynovytch do you have any ideas on #334 (comment)?
I've done the git clone and created a branch so far. I probably won't be able to install all the testing stuff on my work PC here. From my point of view "on_create" should never try to set a password again for an existing user. I will try to investigate if changing the plugin in Ansible results in password rewrites, but as the plugin determines how a password is stored (or otherwise checked, e.g. PAM), changing the plugin alone results in an empty authentication_string in mysql.user: coming from plugin mysql_native_password. So I would say "on_create" is a one_way, if you need to change the plugin you either drop/create the user or use always,
Hello
I did not find an issue describing my problem, tested with community_mysql 3.1.2
SUMMARY
create user in mysql (8) with password validation configured:
password_history = 5
second run tries to update password (with the same value) which results in
"msg": "(3638, "Cannot use these credentials for 'bobby@localhost' because they contradict the password history policy")"}
see below for ansible code used
ISSUE TYPE
COMPONENT NAME
mysql.user
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
Ubuntu 20.04 LTS on both sides
STEPS TO REPRODUCE
and a small .ini file describing which hosts to use
EXPECTED RESULTS
If update_password is set to "on_create" I would assume no alter user ... is issued at all, as long as the user exists.
I'm not sure if it is possible to analyse authentication_string from mysql.user with the current password in the yaml
code in plugins/module_utils/user.py says (line 267)
    if plugin_auth_string and current_plugin[1] != plugin_auth_string:
        # this case can cause more updates than expected,
        # as plugin can hash auth_string in any way it wants
        # and there's no way to figure it out for
        # a check, so I prefer to update more often than never
        update = True
that it isn't, which will cause the same problem if update_password is set to always.
But at least if update_password is set to on_create this code should not run at all.
ACTUAL RESULTS
Probably this also will fail on every other plugin also, but I only tested caching_sha2_password.
Beside the actual error if I don't use plugin_auth_string but password, I get the user created but with an empty authentication_string,
the documentation could be a bit more clear when to use which variable. (Or the code could handle "password" differently depending on the plugin given, so one who makes the plugin variable doesn't need to code around this depending on which plugin is used)
Regards
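The failure reported in this issue, reproduced as an added example that is not part of the thread or the collection's code: a constructed in-memory model of two module runs against a server that enforces password history. `FakeServer`, `ensure_user`, `gate_on_create` and `second_run` are hypothetical names, and SHA-256 stands in for whatever the authentication plugin actually stores.

```python
import hashlib

class HistoryPolicyError(Exception):
    """Stand-in for MySQL error 3638 (password history violation)."""

class FakeServer:
    """Constructed in-memory stand-in for a server enforcing password history."""
    def __init__(self):
        self.users = {}    # name -> (plugin, stored authentication_string)
        self.history = {}  # name -> previously stored hashes

    @staticmethod
    def _store(secret):
        # Stand-in hash; the real caching_sha2_password format differs.
        return hashlib.sha256(secret.encode()).hexdigest()

    def create_user(self, name, plugin, secret):
        self.users[name] = (plugin, self._store(secret))
        self.history[name] = [self._store(secret)]

    def alter_user(self, name, plugin, secret):
        stored = self._store(secret)
        if stored in self.history[name]:
            raise HistoryPolicyError(name)
        self.users[name] = (plugin, stored)
        self.history[name].append(stored)

def ensure_user(server, name, plugin, plugin_auth_string, update_password, gate_on_create):
    """Return 'created', 'altered' or 'unchanged' for one simulated module run."""
    if name not in server.users:
        server.create_user(name, plugin, plugin_auth_string)
        return "created"
    if gate_on_create and update_password == "on_create":
        return "unchanged"  # existing user: leave credentials alone
    current_plugin = server.users[name]
    # Comparison quoted in the issue: the stored value is a hash and the task
    # value is not, so the two differ on every run.
    if plugin_auth_string and current_plugin[1] != plugin_auth_string:
        server.alter_user(name, plugin, plugin_auth_string)
        return "altered"
    return "unchanged"

def second_run(gate_on_create):
    """Run the same task twice and report the outcome of the second run."""
    server = FakeServer()
    args = ("bobby", "caching_sha2_password", "constructed-secret", "on_create")
    ensure_user(server, *args, gate_on_create)
    try:
        return ensure_user(server, *args, gate_on_create)
    except HistoryPolicyError:
        return "policy_error"
```

Without the gate the second run re-submits the same secret and hits the history policy; with the gate an existing user is left untouched.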