From 1e588d8edbefec04b63a9a32661a2df1e28a71f7 Mon Sep 17 00:00:00 2001
From: Jesus Manuel Gallego Romero
Date: Thu, 15 Jun 2023 11:21:02 +0200
Subject: [PATCH 1/3] skip ldap users when removing roles
---
 tasks/config/perms_and_privs.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/tasks/config/perms_and_privs.yml b/tasks/config/perms_and_privs.yml
index e98c3e5..e8feb37 100644
--- a/tasks/config/perms_and_privs.yml
+++ b/tasks/config/perms_and_privs.yml
@@ -1,8 +1,21 @@
 ---
 
+- name: CLICKHOUSE | Get all LDAP users for grants cleaning (Optional step)
+ command: "clickhouse-client -u {{ clickhouse_admin_user }} --password {{ clickhouse_admin_password }} -q \"
+ SELECT name FROM system.users WHERE storage == 'ldap';
+ \""
+ register: ldap_user_list
+ changed_when: False
+ when: clickhouse_custom_grants_previous_cleanup
+ no_log: True
+ tags:
+ - clickhouse_grants
+ - select
+ - SQL_driven
+
 - name: CLICKHOUSE | Previous grants cleaning (Optional step)
 command: "clickhouse-client -u {{ clickhouse_admin_user }} --password {{ clickhouse_admin_password }} -q \"
- REVOKE ALL ON *.* FROM ALL EXCEPT {{ (clickhouse_default_users | default([]) + clickhouse_admin_users | default([]) + clickhouse_custom_users_xml | default([])) | map(attribute='name') | join(', ') }};
+ REVOKE ALL ON *.* FROM ALL EXCEPT {{ ((clickhouse_default_users | default([]) + clickhouse_admin_users | default([]) + clickhouse_custom_users_xml | default([])) | map(attribute='name') | list + (ldap_user_list.stdout_lines | default([]))) | join(', ') }};
 \""
 changed_when: False
 when: clickhouse_custom_grants_previous_cleanup
From f8eab5edde22c5711aaf441641c6a7fd2efe419b Mon Sep 17 00:00:00 2001
From: Jesus Manuel Gallego Romero
Date: Thu, 15 Jun 2023 11:21:44 +0200
Subject: [PATCH 2/3] allow roles with strange characters '-'
---
 tasks/config/roles.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
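Review bot: In tasks/config/perms_and_privs.yml the names returned by the new `SELECT name FROM system.users WHERE storage == 'ldap'` are joined into `REVOKE ALL ON *.* FROM ALL EXCEPT …` unquoted, so an LDAP name containing `-`, `.`, `@` or a space is unlikely to parse as a single user name and the cleanup statement would fail or be read differently than intended. PATCH 2/3 quotes `'{{ item }}'` for the same reason; each element of the EXCEPT list should likewise be wrapped in quotes, with any embedded quote escaped, before the `join(', ')`. Separately, the added task passes `--password {{ clickhouse_admin_password }}` as a command-line argument, which `no_log: True` keeps out of Ansible output but not out of the process list on the target host; a client configuration file readable only by the connecting user would avoid that, and the same applies to the cleanup task and to the `DROP ROLE` task in tasks/config/roles.yml. The cleanup task continues outside the hunk, so its own `no_log` and `tags` keys are not visible here.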
diff --git a/tasks/config/roles.yml b/tasks/config/roles.yml
index 902d71e..00f3ad5 100644
--- a/tasks/config/roles.yml
+++ b/tasks/config/roles.yml
@@ -11,7 +11,7 @@
 - SQL_driven
 
 - name: CLICKHOUSE | Drop roles (SQL-driven)
- command: "clickhouse-client -u {{ clickhouse_admin_user }} --password {{ clickhouse_admin_password }} -q \"DROP ROLE IF EXISTS {{ item }} ;\""
+ command: "clickhouse-client -u {{ clickhouse_admin_user }} --password {{ clickhouse_admin_password }} -q \"DROP ROLE IF EXISTS '{{ item }}' ;\""
 with_items: "{{ clickhouse_existing_sql_roles.stdout_lines }}"
 when:
 - clickhouse_existing_sql_roles is defined
From 0330e74efd304c047bc3a19a53ddd9f412fd653f Mon Sep 17 00:00:00 2001
From: Jesus Manuel Gallego Romero
Date: Thu, 15 Jun 2023 13:45:13 +0200
Subject: [PATCH 3/3] update changelog
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc3a8bf..d32516f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a ch
 
 ## [Unreleased](https://github.com/idealista/clickhouse_role/tree/develop)
 
+## [3.3.6(https://github.com/idealista/clickhouse_role/tree/3.3.6 (2023-06-09)
+
+### :hammer_and_wrench: Fixed
+
+- [#59](https://github.com/idealista/clickhouse_role/issues/59) Fix role wiping when there are users from readonly storage
+
 ## [3.3.5(https://github.com/idealista/clickhouse_role/tree/3.3.5 (2023-06-09)
 
 ### :heavy_plus_sign: Added
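Review bot: In tasks/config/roles.yml, `DROP ROLE IF EXISTS '{{ item }}'` handles names with `-` but still interpolates the raw line from `clickhouse_existing_sql_roles.stdout_lines`, so a role name that itself contains `'` or `\` closes the literal early and the remainder is parsed as SQL run with the admin account. Escape those characters before interpolation (a `replace` filter applied to `item` inside the quotes) or skip names that do not match an expected pattern such as `^[A-Za-z0-9_.-]+$`. Also confirm the task sets `no_log: true`: with `with_items`, each loop result reports the full command, admin password included, and the task's remaining keys lie outside the hunk.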