-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix hashed passwords being returned by get_existing_authentication() via the plugin_auth_string variable instead of plugin_hash_string #629
Conversation
I used plugin_auth_string instead of plugin_hash_string. But using the module is dangerous because we ma never catch an error. So using a command was the way to go anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@laurent-indermuehle thanks for the PR! Makes sense to change, though looks like a breaking change as we're changing the interface here.
Maybe it's time to plan the major release and incorporate it in https://github.com/ansible-collections/community.mysql/milestone/1 ?
For now, can we have both the keys having the same content (i.e. change your PR to have both)
if it's possible, we could add a deprecation message to the changelog under major_changes/breaking changes now saying that the wrong one will go away in 4.0.0.
In several month we could release 4.0.0 - it'll be at least a bit expected for users.
I'm not insisting though. Please decide how you think it'll be OK and I'll share the responsibility in case of any complaints (which might not even happen, not sure if anyone checks that key in playbook conditions).
@Andersson007 I'm lost. The original method We should be more careful when we add a functionality that is not supported by MySQL and MariaDB. It adds complexity for no obvious reasons. For instance, I've read #344 and feel like it could have been solved in the playbook with 1-2 tasks and loop. I thank @betanummeric for this feature that adds to the value of c.mysql. But it is now hard to maintain. All the tests are passing before and after I change the variables. I've lost my confidence about this change. But yes, you're right. I can add |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@laurent-indermuehle let's emphasize the (potentially) breaking change in the changelog.
@betanummeric any concerns on this PR? |
Oh, it looks like the "update_password: on_new_username" feature of The The feature is currently broken because
I am using this feature in production so I am happy I did not upgrade to the broken version yet and I would be glad if we can fix this. Sure, it would be possible to work around this outside of the module, but I thought others could use this feature too. I think the logic is simple enough to maintain, but apparently the documentation could have been better. |
@betanummeric thanks for your reply. But, if the tests still passes, it means they are incomplete! We should fix that. |
@betanummeric could you confirm something please? - "C(on_new_username) works like C(on_create), but it tries to reuse an existing password: If one different user
with the same username exists, or multiple different users with the same username and equal C(plugin) and
C(authentication_string) attribute, the existing C(plugin) and C(authentication_string) are used for the
new user instead of the I(password), I(plugin), I(plugin_hash_string) or I(plugin_auth_string) argument." It's not clear to me what will happen if I have 2 accounts with same username but different passwords and I'm creating a 3rd account with The integration tests here suggests that the plugin will use the password set in the arguments. But I thought this feature would be used without setting any password at all. Since you explicitly want to reuse an existing one? I was expecting a failure if the account already exists with different passwords. When I will understand this, I will be able to decide what to do with the current PR. Let me know if you feel that this PR could be merged and we fix |
In that case the module arguments I intentionally built |
@betanummeric thank you for confirming the first part and the explanation about I get that the root cause is that So, I think we need to:
Will that works? |
|
any updates on this? there's another PR depending on this one |
I'm busy on something else. I won't have time before few weeks. @betanummeric have you some time to add the missings tests? |
Ok @betanummeric I know what's wrong... the tasks file So, I'm going to merge this PR that fix another real issue. And open a new one that address the regression! |
50e7413
into
ansible-collections:main
SUMMARY
Fix hashed passwords being returned by
get_existing_authentication()
via theplugin_auth_string
variable instead ofplugin_hash_string
. This method is used inuser_add()
, which doesn't seem appropriate. I would have expected to find it inuser_mod()
instead. I hope it is never used and doesn't require to treat this PR as a major_change.The only other place where
get_existing_authentication()
is used is inmysql_info
while utilizing theusers_info
filter introduced in 3.8.0 (#580). Since this feature is relatively new, I don't expect it to have widespread usage yet.This doesn't f-i-x #621 but the issue was reported there. It makes more sense to use the right variable anyway.
ISSUE TYPE
COMPONENT NAME
mysql_user, mysql_info
ADDITIONAL INFORMATION
Using
mysql_info
with community.mysql 3.9.0:Using
mysql_info
with this PR: