mysql_user: privileges_unpack() bug when handling some column-level privileges

[parseword]

SUMMARY

In some scenarios, privileges_unpack() calls privs.append() inside a loop without first emptying or reinitializing the privs list from the prior iteration. This can result in an invalid GRANT statement, which incorrectly includes privileges from a previously-built GRANT statement.

In my environment, the bug is triggered when the priv specification from an Ansible task contains both of the following:

• grants including column-level privileges, and
• grants using the ALL privilege

During execution of privileges_unpack(), the privilege lists for multiple grants become commingled. This results in the module building a bogus statement like GRANT ALL,SELECT,INSERT,UPDATE ON [...] which throws a MySQL syntax error.

I've traced the problem to here. At the time privs.append() is called, privs still contains whatever the last iteration of the for item in priv.strip().split('/'): loop put into it.

In my environment, I resolved the problem by moving the initialization of privs into the outer loop so it gets cleared on each pass.

Here's a giant patch: 8ceec70

ISSUE TYPE

• Bug Report

COMPONENT NAME

community.mysql.mysql_user

ANSIBLE VERSION

ansible 2.10.7
  config file = /home/ansible/.ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]

CONFIGURATION

ANSIBLE_PIPELINING(/home/ansible/.ansible.cfg) = True
COLOR_VERBOSE(/home/ansible/.ansible.cfg) = bright blue
DEFAULT_GATHER_TIMEOUT(/home/ansible/.ansible.cfg) = 30
DEFAULT_HOST_LIST(/home/ansible/.ansible.cfg) = ['/home/ansible/ansible.hosts']
DEFAULT_LOG_PATH(/home/ansible/.ansible.cfg) = /home/ansible/ansible.log
DEFAULT_REMOTE_USER(/home/ansible/.ansible.cfg) = ansibler
DEFAULT_SCP_IF_SSH(/home/ansible/.ansible.cfg) = smart
DEFAULT_SSH_TRANSFER_METHOD(/home/ansible/.ansible.cfg) = smart
DEFAULT_TIMEOUT(/home/ansible/.ansible.cfg) = 30
DEPRECATION_WARNINGS(/home/ansible/.ansible.cfg) = True
PERSISTENT_COMMAND_TIMEOUT(/home/ansible/.ansible.cfg) = 30
PERSISTENT_CONNECT_TIMEOUT(/home/ansible/.ansible.cfg) = 30
SYSTEM_WARNINGS(/home/ansible/.ansible.cfg) = True

OS / ENVIRONMENT

• Ansible controller and target are both running CentOS 7
• Target MySQL server is version 8.0.23
• Scenario is copying users with grants from an old MySQL server to a new one

STEPS TO REPRODUCE

Set up a MySQL test environment:

CREATE DATABASE playarea;
CREATE DATABASE sandbox1;
CREATE DATABASE sandbox2;
CREATE DATABASE sandbox3;
CREATE TABLE sandbox2.foo (footest INT);
CREATE TABLE sandbox2.bar (bartest INT);
CREATE TABLE sandbox2.wow (wowtest INT);

Add a user and grant some mixed privileges, including column privileges:

CREATE USER 'testuser'@'127.0.0.1' IDENTIFIED BY 'MVX4_rlm6F2gb';
GRANT ALL PRIVILEGES ON playarea.* TO 'testuser'@'127.0.0.1';
GRANT ALL PRIVILEGES ON sandbox1.* TO 'testuser'@'127.0.0.1';
GRANT INSERT, UPDATE(footest) ON sandbox2.foo TO 'testuser'@'127.0.0.1';
GRANT SELECT, INSERT, UPDATE(wowtest) ON sandbox2.wow TO 'testuser'@'127.0.0.1';
GRANT UPDATE(bartest) ON sandbox2.bar TO 'testuser'@'127.0.0.1';
GRANT ALL PRIVILEGES ON sandbox3.* TO 'testuser'@'127.0.0.1';

Inspect the grants:

mysql> SHOW GRANTS FOR 'testuser'@'127.0.0.1';
+----------------------------------------------------------------------------------------+
| Grants for [email protected]                                                          |
+----------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `testuser`@`127.0.0.1`                                           |
| GRANT ALL PRIVILEGES ON `playarea`.* TO `testuser`@`127.0.0.1`                         |
| GRANT ALL PRIVILEGES ON `sandbox1`.* TO `testuser`@`127.0.0.1`                         |
| GRANT ALL PRIVILEGES ON `sandbox3`.* TO `testuser`@`127.0.0.1`                         |
| GRANT UPDATE (`BARTEST`) ON `sandbox2`.`bar` TO `testuser`@`127.0.0.1`                 |
| GRANT INSERT, UPDATE (`FOOTEST`) ON `sandbox2`.`foo` TO `testuser`@`127.0.0.1`         |
| GRANT SELECT, INSERT, UPDATE (`WOWTEST`) ON `sandbox2`.`wow` TO `testuser`@`127.0.0.1` |
+----------------------------------------------------------------------------------------+
7 rows in set (0.00 sec)

Get the user's hashed password for the Ansible task:

mysql> SELECT user,host,authentication_string FROM mysql.user WHERE user='testuser';
+----------+-----------+-------------------------------------------+
| user     | host      | authentication_string                     |
+----------+-----------+-------------------------------------------+
| testuser | 127.0.0.1 | *0B866B2D7A9AF6E45C18322E0252869F2937F4EE |
+----------+-----------+-------------------------------------------+

Drop the user, to simulate adding it as a new user in the Ansible task:

mysql> DROP USER 'testuser'@'127.0.0.1';

Now attempt to create the user through this Ansible task. (Assume that /root/.my.cnf has already been configured to allow root access to MySQL.)

- name: Add testuser
  community.mysql.mysql_user:
    name: testuser
    host: '127.0.0.1'
    password: '*0B866B2D7A9AF6E45C18322E0252869F2937F4EE'
    encrypted: yes
    priv:
      'playarea.*': 'ALL'
      'sandbox1.*': 'ALL'
      'sandbox3.*': 'ALL'
      'sandbox2.bar': 'UPDATE (`bartest`)'
      'sandbox2.foo': 'INSERT, UPDATE (`footest`)'
      'sandbox2.wow': 'SELECT, INSERT, UPDATE (`wowtest`)'
    state: present

EXPECTED RESULTS

The user is added with all of the privileges specified in the priv dictionary, and the task succeeds.

ACTUAL RESULTS

The task ultimately fails. It does manage to add the user and some of the privileges, by successfully running these queries against MySQL:

2021-04-03T19:10:05.642528Z       453 Connect   root@localhost on  using Socket
2021-04-03T19:10:05.643921Z       453 Query     set autocommit=0
2021-04-03T19:10:05.645246Z       453 Query     SELECT @@GLOBAL.sql_mode
2021-04-03T19:10:05.648936Z       453 Query     SELECT count(*) FROM mysql.user WHERE user = 'testuser' AND host = '127.0.0.1'
2021-04-03T19:10:05.653332Z       453 Query     SELECT VERSION()
2021-04-03T19:10:05.653832Z       453 Query     SELECT VERSION() AS version
2021-04-03T19:10:05.654375Z       453 Query     CREATE USER 'testuser'@'127.0.0.1' IDENTIFIED WITH mysql_native_password AS '*0B866B2D7A9AF6E45C18322E0252869F2937F4EE'
2021-04-03T19:10:05.664437Z       453 Query     GRANT ALL ON `sandbox3`.* TO 'testuser'@'127.0.0.1'
2021-04-03T19:10:05.666930Z       453 Query     GRANT SELECT,INSERT,UPDATE (WOWTEST) ON `sandbox2`.`wow` TO 'testuser'@'127.0.0.1'
2021-04-03T19:10:05.679867Z       453 Query     GRANT INSERT,UPDATE (FOOTEST) ON `sandbox2`.`foo` TO 'testuser'@'127.0.0.1'
2021-04-03T19:10:05.689012Z       453 Quit

But then it attempts to run an invalid query:

GRANT ALL,SELECT,INSERT,UPDATE ON `sandbox1`.* TO 'testuser'@'127.0.0.1'

That query throws a syntax error due to specifying both ALL and granular privileges, instead of just ALL. The MySQL error causes the remainder of the task to bomb out.

Ansible output:

TASK [Add testuser] ************************************************************
...snip SSH debug output...
The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_community.mysql.mysql_user_payload_t_WjZY/ansible_community.mysql.mysql_user_payload.zip/ansible_collections/community/mysql/plugins/modules/mysql_user.py", line 1241, in main
  File "/tmp/ansible_community.mysql.mysql_user_payload_t_WjZY/ansible_community.mysql.mysql_user_payload.zip/ansible_collections/community/mysql/plugins/modules/mysql_user.py", line 671, in user_mod
  File "/tmp/ansible_community.mysql.mysql_user_payload_t_WjZY/ansible_community.mysql.mysql_user_payload.zip/ansible_collections/community/mysql/plugins/modules/mysql_user.py", line 994, in privileges_grant
  File "/usr/lib64/python2.7/site-packages/MySQLdb/cursors.py", line 205, in execute
    self.errorhandler(self, exc, value)
  File "/usr/lib64/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
fatal: [target]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "append_privs": false,
            "ca_cert": null,
            "check_hostname": null,
            "check_implicit_admin": false,
            "client_cert": null,
            "client_key": null,
            "config_file": "/root/.my.cnf",
            "connect_timeout": 30,
            "encrypted": true,
            "host": "127.0.0.1",
            "host_all": false,
            "login_host": "localhost",
            "login_password": null,
            "login_port": 3306,
            "login_unix_socket": null,
            "login_user": null,
            "name": "testuser",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "plugin": null,
            "plugin_auth_string": null,
            "plugin_hash_string": null,
            "priv": {
                "playarea.*": "ALL",
                "sandbox1.*": "ALL",
                "sandbox2.bar": "UPDATE (`bartest`)",
                "sandbox2.foo": "INSERT, UPDATE (`footest`)",
                "sandbox2.wow": "SELECT, INSERT, UPDATE (`wowtest`)",
                "sandbox3.*": "ALL"
            },
            "resource_limits": null,
            "sql_log_bin": true,
            "state": "present",
            "tls_requires": null,
            "update_password": "always",
            "user": "testuser"
        }
    },
    "msg": "(1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ',SELECT,INSERT,UPDATE ON `sandbox1`.* TO 'testuser'@'127.0.0.1'' at line 1\")"
}

Note that the Ansible output doesn't show the origin of the problem, or the full failed query text. I tracked it down to privileges_unpack() using some messy debugging (I don't know python so I stuck a bunch of print statements throughout mysql_user.py).

TESTING THE PATCH

After applying the patch at 8ceec70, and dropping the MySQL user again to simulate a clean environment, the task succeeds and MySQL shows it ran the correct set of GRANT queries:

Ansible output:

changed: [target] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "append_privs": false,
            "ca_cert": null,
            "check_hostname": null,
            "check_implicit_admin": false,
            "client_cert": null,
            "client_key": null,
            "config_file": "/root/.my.cnf",
            "connect_timeout": 30,
            "encrypted": true,
            "host": "127.0.0.1",
            "host_all": false,
            "login_host": "localhost",
            "login_password": null,
            "login_port": 3306,
            "login_unix_socket": null,
            "login_user": null,
            "name": "testuser",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "plugin": null,
            "plugin_auth_string": null,
            "plugin_hash_string": null,
            "priv": {
                "playarea.*": "ALL",
                "sandbox1.*": "ALL",
                "sandbox2.bar": "UPDATE (`bartest`)",
                "sandbox2.foo": "INSERT, UPDATE (`footest`)",
                "sandbox2.wow": "SELECT, INSERT, UPDATE (`wowtest`)",
                "sandbox3.*": "ALL"
            },
            "resource_limits": null,
            "sql_log_bin": true,
            "state": "present",
            "tls_requires": null,
            "update_password": "always",
            "user": "testuser"
        }
    },
    "msg": "User added",
    "user": "testuser"
}

MySQL query log:

2021-04-04T03:19:26.451730Z       469 Connect   root@localhost on  using Socket
2021-04-04T03:19:26.452851Z       469 Query     set autocommit=0
2021-04-04T03:19:26.453477Z       469 Query     SELECT @@GLOBAL.sql_mode
2021-04-04T03:19:26.455197Z       469 Query     SELECT count(*) FROM mysql.user WHERE user = 'testuser' AND host = '127.0.0.1'
2021-04-04T03:19:26.456229Z       469 Query     SELECT VERSION()
2021-04-04T03:19:26.456645Z       469 Query     SELECT VERSION() AS version
2021-04-04T03:19:26.457102Z       469 Query     CREATE USER 'testuser'@'127.0.0.1' IDENTIFIED WITH mysql_native_password AS '*0B866B2D7A9AF6E45C18322E0252869F2937F4EE'
2021-04-04T03:19:26.471273Z       469 Query     GRANT ALL ON `sandbox3`.* TO 'testuser'@'127.0.0.1'
2021-04-04T03:19:26.474750Z       469 Query     GRANT SELECT,INSERT,UPDATE (WOWTEST) ON `sandbox2`.`wow` TO 'testuser'@'127.0.0.1'
2021-04-04T03:19:26.476923Z       469 Query     GRANT INSERT,UPDATE (FOOTEST) ON `sandbox2`.`foo` TO 'testuser'@'127.0.0.1'
2021-04-04T03:19:26.479187Z       469 Query     GRANT ALL ON `sandbox1`.* TO 'testuser'@'127.0.0.1'
2021-04-04T03:19:26.480721Z       469 Query     GRANT ALL ON `playarea`.* TO 'testuser'@'127.0.0.1'
2021-04-04T03:19:26.483241Z       469 Query     GRANT USAGE ON *.* TO 'testuser'@'127.0.0.1'
2021-04-04T03:19:26.484760Z       469 Query     GRANT UPDATE (BARTEST) ON `sandbox2`.`bar` TO 'testuser'@'127.0.0.1'
2021-04-04T03:19:26.491867Z       469 Quit

MySQL grant info:

mysql> SHOW GRANTS FOR 'testuser'@'127.0.0.1';
+----------------------------------------------------------------------------------------+
| Grants for [email protected]                                                          |
+----------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `testuser`@`127.0.0.1`                                           |
| GRANT ALL PRIVILEGES ON `playarea`.* TO `testuser`@`127.0.0.1`                         |
| GRANT ALL PRIVILEGES ON `sandbox1`.* TO `testuser`@`127.0.0.1`                         |
| GRANT ALL PRIVILEGES ON `sandbox3`.* TO `testuser`@`127.0.0.1`                         |
| GRANT UPDATE (`BARTEST`) ON `sandbox2`.`bar` TO `testuser`@`127.0.0.1`                 |
| GRANT INSERT, UPDATE (`FOOTEST`) ON `sandbox2`.`foo` TO `testuser`@`127.0.0.1`         |
| GRANT SELECT, INSERT, UPDATE (`WOWTEST`) ON `sandbox2`.`wow` TO `testuser`@`127.0.0.1` |
+----------------------------------------------------------------------------------------+
7 rows in set (0.00 sec)

On subsequent runs, the patched module exhibits idempotent behavior:

Ansible output:

ok: [target] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "append_privs": false,
            "ca_cert": null,
            "check_hostname": null,
            "check_implicit_admin": false,
            "client_cert": null,
            "client_key": null,
            "config_file": "/root/.my.cnf",
            "connect_timeout": 30,
            "encrypted": true,
            "host": "127.0.0.1",
            "host_all": false,
            "login_host": "localhost",
            "login_password": null,
            "login_port": 3306,
            "login_unix_socket": null,
            "login_user": null,
            "name": "testuser",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "plugin": null,
            "plugin_auth_string": null,
            "plugin_hash_string": null,
            "priv": {
                "playarea.*": "ALL",
                "sandbox1.*": "ALL",
                "sandbox2.bar": "UPDATE (`bartest`)",
                "sandbox2.foo": "INSERT, UPDATE (`footest`)",
                "sandbox2.wow": "SELECT, INSERT, UPDATE (`wowtest`)",
                "sandbox3.*": "ALL"
            },
            "resource_limits": null,
            "sql_log_bin": true,
            "state": "present",
            "tls_requires": null,
            "update_password": "always",
            "user": "testuser"
        }
    },
    "msg": "User unchanged",
    "user": "testuser"
}

MySQL query log:

2021-04-04T03:20:02.106957Z       470 Connect   root@localhost on  using Socket
2021-04-04T03:20:02.107547Z       470 Query     set autocommit=0
2021-04-04T03:20:02.107952Z       470 Query     SELECT @@GLOBAL.sql_mode
2021-04-04T03:20:02.109165Z       470 Query     SELECT count(*) FROM mysql.user WHERE user = 'testuser' AND host = '127.0.0.1'
2021-04-04T03:20:02.109853Z       470 Query     SELECT VERSION()
2021-04-04T03:20:02.110188Z       470 Query     SELECT COLUMN_NAME FROM information_schema.COLUMNS
                WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME IN ('Password', 'authentication_string')
                ORDER BY COLUMN_NAME DESC LIMIT 1
2021-04-04T03:20:02.115772Z       470 Query     SELECT COLUMN_NAME FROM information_schema.COLUMNS
                WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME IN ('Password', 'authentication_string')
                ORDER BY COLUMN_NAME ASC  LIMIT 1
2021-04-04T03:20:02.118998Z       470 Query     SELECT COALESCE(
                        CASE WHEN authentication_string = '' THEN NULL ELSE authentication_string END,
                        CASE WHEN authentication_string = '' THEN NULL ELSE authentication_string END
                    )
                FROM mysql.user WHERE user = 'testuser' AND host = '127.0.0.1'
2021-04-04T03:20:02.123597Z       470 Query     SHOW GRANTS FOR 'testuser'@'127.0.0.1'
2021-04-04T03:20:02.125883Z       470 Query     SELECT VERSION()
2021-04-04T03:20:02.126207Z       470 Query     SHOW CREATE USER 'testuser'@'127.0.0.1'
2021-04-04T03:20:02.132879Z       470 Quit

[Andersson007]

@parseword hi, thanks for reporting this!

Would you like to create a pull request yourself? (If you don't know how to do it, we have a short quick-start guide.

If you don't want, we could.

[Jorge-Rodriguez]

@Andersson007 I've been looking at the code this issue refers to and while the concern is valid, we seem to be doing something fairly stupid, namely:

1. We are supporting the privileges to be specified both as a string and a dictionary
2. If the privileges are specified as a dictionary, we serialize that dictionary into a string by massaging it into the format we expect the privileges string to have
3. We unconditionally deserialize the privileges string back into a dictionary

I argue that rather than patching the loop as @parseword has suggested, we should rework the privileges handling logic and call a fixed version of privileges_unpack only if the privileges are being specified as a string.

[Andersson007]

Good spot! I added the dict form of passing privs to the module long time after someone added the initial string implementation, so didn't want to touch code parts that were not necessary to touch for the sake of safety:)
I like the idea of code refactoring, though we should be sure all related things are covered by integration tests (i would also suggest adding unit tests if possible).

[Jorge-Rodriguez]

@Andersson007 @parseword In light of the reason for closing PR #137 I've migrated this issue into a discussion to flesh out an action plan regarding my comment above and so that we can create a dedicated issue if we feel that's necessary.

[Jorge-Rodriguez]

BTW, On further inspection, it would seem that the offending lines were:

output[pieces[0]] = pieces[1].upper().split(',')
privs = output[pieces[0]]

Where we are asigning a list to another, which is a recipe for disaster because we are assigning two variables to the same memory address opening the door for all sorts of nasty side effects:

>>> a = []
>>> b = []
>>> a = b
>>> a
[]
>>> b
[]
>>> a.append(1)
>>> a
[1]
>>> b
[1]
>>> b.append(2)
>>> a
[1, 2]
>>> b
[1, 2]

[Andersson007]

Good catch!