msg": "Error granting privileges, invalid priv string: ALL" #462
Comments
|
Same issue with MariaDB 10.5.15 Anyone ? |
|
I can confirm this is a bug when you trying to install mysql user on a Debian 11 machine. It's working as it should in Rocky Linux v9 without any problems. |
|
If the Basically you name the privileges in a ---
- name: prepare nextcloud container
hosts: localhost
connection: local
tasks:
- name: test
vars:
mysql_parameters: &mysql_params
login_user: root
login_password: mariadb
login_host: 127.0.0.1
login_port: 33066
ALL: "ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,DROP,EVENT,EXECUTE,INDEX,INSERT,LOCK TABLES,REFERENCES,SELECT,SHOW VIEW,TRIGGER,UPDATE"
block:
- name: start nextcloud container
register: out
community.docker.docker_container:
name: mariadb_test_container
image: mariadb:10.5.15
state: started
auto_remove: true
recreate: true
container_default_behavior: no_defaults
published_ports:
- "127.0.0.1:{{ mysql_parameters.login_port }}:3306"
env:
MARIADB_ROOT_PASSWORD: "{{ mysql_parameters.login_password }}"
- name: mariadb container needs some sec for initialization
pause:
seconds: 10
- name: create user with two grants
mysql_user:
<<: *mysql_params
name: testuser
password: testpassword
update_password: on_create
priv: "{{ '*.*:ALL' | replace('ALL', ALL) }}"
state: present
always:
- name: stop mariadb test container
community.docker.docker_container:
name: mariadb_test_container
state: absentSo imho, this is not a community.mysql issue at first place. |
|
@razerrazer have you tried with |
|
For what is worth I had this error but the issue was related to the account ansible was using to login to MySQL (v8) to try to grant that |
@redeyesdemonkyo thanks for sharing the solution! So
|
|
In my case, this particular instance of mysql was part of a replication cluster In that case, no Ansible commands can be run on it
|
|
I see this error now with Tried both
|
|
Hi @pschiffe and thanks for reporting the issue on 11.3. I believe we test only long term support versions, which are atm 10.4, 10.5, 10.6 and 10.11. The v11 is still kind of a beta. I'm not saying we won't fix an issue on v11, because at some point they will release a LTS on that branch too. Just saying we haven't tested it yet. @pschiffe, could you paste the whole community.mysql.mysql_user task so we can see what you tried to achieve please. It could be that the user you're using doesn't have enough rights to create a new user? |
|
Yeah, I understand, thanks for getting back to me. Here's the task. The user is - name: Create db users
community.mysql.mysql_user:
name: '{{ item.key }}'
password: '{{ item.value }}'
host: '%'
priv: '{{ item.key }}.*:ALL'
login_user: root
login_password: '{{ mariadb_root_pw }}'
login_host: '{{ db_result.container.NetworkSettings.Networks[mariadb_network_name].IPAddress }}'
state: present
loop: '{{ mariadb_users | dict2items }}' |
|
What grants do root@'%' have? |
|
Mariadb 11.2: Mariadb 11.3: Amazing, this is the same DB on a volume, I've changed only the image. |
|
Interesting! @pschiffe have you created the root@'%' user using the Ansible module community.mysql.mysql_user in both cases? Or did you created it by other means? |
|
The |
|
@pschiffe I'm not able to reproduce what you experienced above. Maybe you altered one of the root accounts at some point? podman run -d -ti --env MARIADB_ROOT_PASSWORD=manager --name mariadb112 mariadb:11.2
podman exec -it mariadb112 bash
root@9d0b8edb089e:/# mariadb -pmanager
MariaDB [(none)]> select user, host from mysql.user;
+-------------+-----------+
| User | Host |
+-------------+-----------+
| root | % |
| healthcheck | 127.0.0.1 |
| healthcheck | ::1 |
| healthcheck | localhost |
| mariadb.sys | localhost |
| root | localhost |
+-------------+-----------+
6 rows in set (0.001 sec)
MariaDB [(none)]> show grants for root@'%';
+--------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@% |
+--------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO `root`@`%` IDENTIFIED BY PASSWORD '*7D2ABFF56C15D67445082FBB4ACD2DCD26C0ED57' WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'%' WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]> show grants for root@localhost;
+----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost |
+----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` IDENTIFIED BY PASSWORD '*7D2ABFF56C15D67445082FBB4ACD2DCD26C0ED57' WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.001 sec)podman run -d -ti --env MARIADB_ROOT_PASSWORD=manager --name mariadb113 mariadb:11.3
podman exec -it mariadb113 bash
root@746a6dc0605e:/# mariadb -pmanager
MariaDB [(none)]> select user, host from mysql.user;
+-------------+-----------+
| User | Host |
+-------------+-----------+
| root | % |
| healthcheck | 127.0.0.1 |
| healthcheck | ::1 |
| healthcheck | localhost |
| mariadb.sys | localhost |
| root | localhost |
+-------------+-----------+
6 rows in set (0.002 sec)
MariaDB [(none)]> show grants for root@'%';
+--------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@% |
+--------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO `root`@`%` IDENTIFIED BY PASSWORD '*7D2ABFF56C15D67445082FBB4ACD2DCD26C0ED57' WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'%' WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]> show grants for root@localhost;
+----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost |
+----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` IDENTIFIED BY PASSWORD '*7D2ABFF56C15D67445082FBB4ACD2DCD26C0ED57' WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec) |
|
Thank you @laurent-indermuehle for taking the time to look into this. I can confirm I can see the same as you in this case. To reproduce my issue, do the following: So far, so good. Now exit the container and continue: Even after running |
|
@pschiffe thank you for testing again. One thing I left out is that I downloaded the containers from docker.io. I don't know if it's the same image than Quay.io or other registries. I now see that you're creating the mysql schema with 11.2 then upgrade it to 11.3. But the question is, do the Ansible module fails to creates the new user if you start from a fresh 11.3? On a side note, it bother me to not be able to find a documentation about why the grants are differents in this case. I see nothing in the script that built the container 11.3: https://github.com/MariaDB/mariadb-docker/blob/master/11.3/Dockerfile neither in the changelog: https://mariadb.com/kb/en/changes-improvements-in-mariadb-11-3/#privileges |
|
I'm also using images from Docker Hub.
Ansible module works fine when starting from fresh 11.3. I also didn't find any changes related to this behavior. I'm starting to believe that this is a bug in MariaDB directly :( |
|
I've reported it to the MariaDB bug tracker: https://jira.mariadb.org/browse/MDEV-33554 |
According to the report, this was fixed in MariaDB 11.4.2. Can this be closed? |
|
@lahwaacz hello, thanks for letting us know! What the other folks thinks? Can we close the issue? |
|
@pschiffe can you confirm this bug is gone on 11.4.2+ ? |
|
Yep, this is fixed for me now. |
|
Thanks everyone! |
SUMMARY
When I run my playbook I try to set up a simple user with a database from your FAQ.
Creating a database : works
But when it tries to set a user with privileges it doesn't work.
I've tried like 100 different types of 'bob.*:ALL' etc.. but nothing works
with and without "" and ''
ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
ACTUAL RESULTS
The text was updated successfully, but these errors were encountered: