mysql-formula/mysql/salt-user.sls

include:
- .server
{#- Settings shared by every state in this file: pillar first, grain-based fallbacks second. #}
{%- set os_family = salt['grains.get']('os_family', None) %}
{#- NOTE(review): when pillar sets no password, the Salt account and root both
    fall back to the server_id grain. A grain is host metadata rather than a
    secret, and the two accounts then share one value; set both passwords
    explicitly in pillar. #}
{%- set server_id_fallback = salt['grains.get']('server_id') %}
{%- set mysql_salt_user = salt['pillar.get']('mysql:salt_user:salt_user_name', 'salt') %}
{%- set mysql_salt_pass = salt['pillar.get']('mysql:salt_user:salt_user_password', server_id_fallback) %}
{%- set mysql_salt_grants = salt['pillar.get']('mysql:salt_user:grants', []) %}
{%- set mysql_root_user = salt['pillar.get']('mysql:server:root_user', 'root') %}
{%- set mysql_root_pass = salt['pillar.get']('mysql:server:root_password', server_id_fallback) %}
{%- set mysql_root_hash = salt['pillar.get']('mysql:server:root_password_hash', None) %}
{%- set mysql_host = salt['pillar.get']('mysql:server:host', 'localhost') %}
{#- host is the host part of the managed account: 'localhost' for a local
    server, otherwise this minion's FQDN. #}
{%- set host = 'localhost' if mysql_host == 'localhost' else grains['fqdn'] %}
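# Re-asserts the Salt management account, connecting as that account itself.
# Applies only while the account can still log in with the configured password
# and already holds the grant option.
mysql_salt_user_with_salt_user:
  mysql_user.present:
    - name: {{ mysql_salt_user }}
    - host: '{{ host }}'
    - password: '{{ mysql_salt_pass }}'
    - connection_host: '{{ mysql_host }}'
    - connection_user: '{{ mysql_salt_user }}'
    - connection_pass: '{{ mysql_salt_pass }}'
    - connection_charset: utf8
    # Both probes must exit 0: (1) the account can log in, (2) its row in
    # mysql.user has Grant_priv = 'Y'. Only the exit codes matter, so stderr is
    # discarded in both, matching the other probes in this file.
    # NOTE(review): the password is rendered into the shell command line, where
    # it can be read from the process list while the probe runs and may end up
    # in Salt's logs; a root-only client option file passed with
    # --defaults-extra-file=<path> would keep it off the command line.
    # NOTE(review): the value sits inside shell single quotes after yaml_dquote;
    # confirm the client receives the intended string and that a password
    # containing a single quote cannot end the quoting early.
    # NOTE(review): probe (2) passes no -h option, so it may query a different
    # server than probe (1) when the server host is not localhost - confirm.
    - onlyif:
        - mysql --user {{ mysql_salt_user }} --password='{{ mysql_salt_pass|yaml_dquote }}' -h {{ mysql_host }} --execute="SELECT 1;" 2>/dev/null
        - VALUE=$(mysql --user {{ mysql_salt_user }} --password='{{ mysql_salt_pass|yaml_dquote }}' -ss -e "SELECT Grant_priv FROM mysql.user WHERE user = '{{ mysql_salt_user }}' AND host = '{{ host }}';" 2>/dev/null); if [ "$VALUE" = 'Y' ]; then /bin/true; else /bin/false; fi
{%- if os_family in ['RedHat', 'Suse'] %}
    # On RedHat and Suse the root password state is ordered after this one.
    - require_in:
        - mysql_user: mysql_root_password
{%- endif %}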
{%- if mysql_salt_grants != [] %}
# Applies the pillar-defined grants to the Salt account, connecting as that
# account itself. Rendered only when the grants list in pillar is non-empty.
mysql_salt_user_with_salt_user_grants:
  mysql_grants.present:
    - name: {{ mysql_salt_user }}
    - grant: {{ mysql_salt_grants|join(",") }}
    # NOTE(review): the grants cover every database and table and carry the
    # grant option, so this account can hand the same privileges to other
    # accounts. Keep the pillar grants list as small as the managed states need.
    - database: '*.*'
    - grant_option: true
    - user: {{ mysql_salt_user }}
    - host: '{{ host }}'
    - connection_host: '{{ mysql_host }}'
    - connection_user: '{{ mysql_salt_user }}'
    - connection_pass: '{{ mysql_salt_pass }}'
    - connection_charset: utf8
    # Both probes must exit 0: the account can log in, and its row in
    # mysql.user has Grant_priv = 'Y'.
    # NOTE(review): the password appears on the probe command line (process
    # list, possibly Salt logs); a root-only client option file would avoid that.
    - onlyif:
        - mysql --user {{ mysql_salt_user }} --password='{{ mysql_salt_pass|yaml_dquote }}' -h {{ mysql_host }} --execute="SELECT 1;" 2>/dev/null
        - VALUE=$(mysql --user {{ mysql_salt_user }} --password='{{ mysql_salt_pass|yaml_dquote }}' -ss -e "SELECT Grant_priv FROM mysql.user WHERE user = '{{ mysql_salt_user }}' AND host = '{{ host }}';" 2>/dev/null); if [ "$VALUE" = 'Y' ]; then /bin/true; else /bin/false; fi
    # The account itself must be in place before its grants are managed.
    - require:
        - mysql_user: mysql_salt_user_with_salt_user
{%- if os_family in ['RedHat', 'Suse'] %}
    - require_in:
        - mysql_user: mysql_root_password
{%- endif %}
{%- endif %}
# Creates or repairs the Salt management account by connecting as root with the
# configured root password.
mysql_salt_user_with_root_user:
  mysql_user.present:
    - name: {{ mysql_salt_user }}
    - host: '{{ host }}'
    - password: '{{ mysql_salt_pass }}'
    - connection_host: '{{ mysql_host }}'
    - connection_user: '{{ mysql_root_user }}'
    - connection_pass: '{{ mysql_root_pass }}'
    - connection_charset: utf8
    # Both probes must exit 0: (1) root can log in with the configured
    # password, (2) the Salt account's row in mysql.user either has
    # Grant_priv = 'N' or does not exist (empty query result).
    # NOTE(review): the root password is rendered into the shell command line,
    # where it can be read from the process list while the probe runs and may
    # end up in Salt's logs; a root-only client option file passed with
    # --defaults-extra-file=<path> would keep it off the command line.
    # NOTE(review): probe (2) passes no -h option, so it may query a different
    # server than probe (1) when the server host is not localhost - confirm.
    - onlyif:
        - mysql --user {{ mysql_root_user }} --password='{{ mysql_root_pass|yaml_dquote }}' -h {{ mysql_host }} --execute="SELECT 1;" 2>/dev/null
        - VALUE=$(mysql --user {{ mysql_root_user }} --password='{{ mysql_root_pass|yaml_dquote }}' -ss -e "SELECT Grant_priv FROM mysql.user WHERE user = '{{ mysql_salt_user }}' AND host = '{{ host }}';" 2>/dev/null); if [ "$VALUE" = 'N' -o -z "$VALUE" ]; then /bin/true; else /bin/false; fi
{%- if os_family in ['RedHat', 'Suse'] %}
    # On RedHat and Suse the root password state is ordered after this one.
    - require_in:
        - mysql_user: mysql_root_password
{%- endif %}
{%- if mysql_salt_grants != [] %}
# Applies the pillar-defined grants to the Salt account, connecting as root
# with the configured root password. Rendered only when the grants list in
# pillar is non-empty.
mysql_salt_user_with_root_user_grants:
  mysql_grants.present:
    - name: {{ mysql_salt_user }}
    - grant: {{ mysql_salt_grants|join(",") }}
    # NOTE(review): the grants cover every database and table and carry the
    # grant option, so the Salt account can pass the same privileges on to
    # other accounts. Keep the pillar grants list minimal.
    - database: '*.*'
    - grant_option: true
    - user: {{ mysql_salt_user }}
    - host: '{{ host }}'
    - connection_host: '{{ mysql_host }}'
    - connection_user: '{{ mysql_root_user }}'
    - connection_pass: '{{ mysql_root_pass }}'
    - connection_charset: utf8
    # Both probes must exit 0: root can log in with the configured password,
    # and the Salt account has Grant_priv = 'N' or no row at all.
    # NOTE(review): the root password appears on the probe command line
    # (process list, possibly Salt logs); a root-only client option file would
    # avoid that.
    - onlyif:
        - mysql --user {{ mysql_root_user }} --password='{{ mysql_root_pass|yaml_dquote }}' -h {{ mysql_host }} --execute="SELECT 1;" 2>/dev/null
        - VALUE=$(mysql --user {{ mysql_root_user }} --password='{{ mysql_root_pass|yaml_dquote }}' -ss -e "SELECT Grant_priv FROM mysql.user WHERE user = '{{ mysql_salt_user }}' AND host = '{{ host }}';" 2>/dev/null); if [ "$VALUE" = 'N' -o -z "$VALUE" ]; then /bin/true; else /bin/false; fi
    # The account itself must be in place before its grants are managed.
    - require:
        - mysql_user: mysql_salt_user_with_root_user
{%- if os_family in ['RedHat', 'Suse'] %}
    - require_in:
        - mysql_user: mysql_root_password
{%- endif %}
{%- endif %}
# Creates or repairs the Salt management account by connecting as root without
# any password. No connection_pass is given, so this path only works while the
# server still accepts a passwordless root login.
# NOTE(review): this looks like the first-run bootstrap path; confirm that a
# root password is set afterwards so the passwordless login does not persist.
mysql_salt_user_with_passwordless_root_user:
  mysql_user.present:
    - name: {{ mysql_salt_user }}
    - host: '{{ host }}'
    - password: '{{ mysql_salt_pass }}'
    - connection_host: '{{ mysql_host }}'
    - connection_user: '{{ mysql_root_user }}'
    - connection_charset: utf8
    # Both probes must exit 0: (1) root can log in with no password, (2) the
    # Salt account's row in mysql.user either has Grant_priv = 'N' or does not
    # exist (empty query result).
    # NOTE(review): probe (2) passes no -h option, so it may query a different
    # server than probe (1) when the server host is not localhost - confirm.
    - onlyif:
        - mysql --user {{ mysql_root_user }} -h {{ mysql_host }} --execute="SELECT 1;" 2>/dev/null
        - VALUE=$(mysql --user {{ mysql_root_user }} -ss -e "SELECT Grant_priv FROM mysql.user WHERE user = '{{ mysql_salt_user }}' AND host = '{{ host }}';" 2>/dev/null); if [ "$VALUE" = 'N' -o -z "$VALUE" ]; then /bin/true; else /bin/false; fi
{%- if os_family in ['RedHat', 'Suse'] %}
    # On RedHat and Suse the root password state is ordered after this one.
    - require_in:
        - mysql_user: mysql_root_password
{%- endif %}
{%- if mysql_salt_grants != [] %}
# Applies the pillar-defined grants to the Salt account, connecting as root
# without any password. Rendered only when the grants list in pillar is
# non-empty.
mysql_salt_user_with_passwordless_root_user_grants:
  mysql_grants.present:
    - name: {{ mysql_salt_user }}
    - grant: {{ mysql_salt_grants|join(",") }}
    # NOTE(review): the grants cover every database and table and carry the
    # grant option, so the Salt account can pass the same privileges on to
    # other accounts. Keep the pillar grants list minimal.
    - database: '*.*'
    - grant_option: true
    - user: {{ mysql_salt_user }}
    - host: '{{ host }}'
    - connection_host: '{{ mysql_host }}'
    - connection_user: '{{ mysql_root_user }}'
    - connection_charset: utf8
    # Both probes must exit 0: root can log in with no password, and the Salt
    # account has Grant_priv = 'N' or no row at all.
    - onlyif:
        - mysql --user {{ mysql_root_user }} -h {{ mysql_host }} --execute="SELECT 1;" 2>/dev/null
        - VALUE=$(mysql --user {{ mysql_root_user }} -ss -e "SELECT Grant_priv FROM mysql.user WHERE user = '{{ mysql_salt_user }}' AND host = '{{ host }}';" 2>/dev/null); if [ "$VALUE" = 'N' -o -z "$VALUE" ]; then /bin/true; else /bin/false; fi
    # The account itself must be in place before its grants are managed.
    - require:
        - mysql_user: mysql_salt_user_with_passwordless_root_user
{%- if os_family in ['RedHat', 'Suse'] %}
    - require_in:
        - mysql_user: mysql_root_password
{%- endif %}
{%- endif %}
{%- if os_family in ['RedHat', 'Suse'] %}
# RedHat and Suse only: override the mysql_root_password state (presumably
# declared in the included .server file) so that root's credentials are set
# through a connection authenticated as the Salt management account.
extend:
  mysql_root_password:
    # With unless set to /bin/true the command is always skipped, which turns
    # the extended cmd.run into a no-op.
    cmd.run:
      - name: /bin/true
      - unless: /bin/true
    mysql_user.present:
      - name: {{ mysql_root_user }}
      - host: 'localhost'
      # Precedence: a pre-computed hash from pillar, then the plaintext
      # password, then passwordless.
      # NOTE(review): the plaintext value falls back to the server_id grain
      # when pillar sets nothing, so the passwordless branch is reached only
      # if that lookup also yields None - confirm this is intended, and prefer
      # setting the hash in pillar so no plaintext is rendered here.
{%- if mysql_root_hash != None %}
      - password_hash: '{{ mysql_root_hash }}'
{%- elif mysql_root_pass != None %}
      - password: '{{ mysql_root_pass }}'
{%- else %}
      - allow_passwordless: true
{%- endif %}
      - connection_host: '{{ mysql_host }}'
      - connection_user: '{{ mysql_salt_user }}'
      - connection_pass: '{{ mysql_salt_pass }}'
      - connection_charset: utf8
{%- endif %}