From 52eb368e30d3a58e6dd8c7a701404a89f9f8973f Mon Sep 17 00:00:00 2001
From: Felix Hamme
Date: Wed, 13 Apr 2022 18:14:15 +0200
Subject: [PATCH] mysql_role, mysql_user: when subtract_privileges, don't grant unwanted privileges and don't revoke USAGE implicitly

---
 plugins/module_utils/user.py | 4 ++--
 plugins/modules/mysql_role.py | 4 +++-
 plugins/modules/mysql_user.py | 4 +++-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py
index 658b365..7497cf5 100644
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@@ -560,7 +560,7 @@ def sort_column_order(statement):
     return '%s(%s)' % (priv_name, ', '.join(columns))
 
 
-def privileges_unpack(priv, mode):
+def privileges_unpack(priv, mode, ensure_usage=True):
     """ Take a privileges string, typically passed as a parameter, and unserialize
     it into a dictionary, the same format as privileges_get() above. We have this
     custom format to avoid using YAML/JSON strings inside YAML playbooks. Example
@@ -606,7 +606,7 @@ def privileges_unpack(priv, mode):
             # Handle cases when there's privs like GRANT SELECT (colA, ...) in privs.
             output[pieces[0]] = normalize_col_grants(output[pieces[0]])
 
-    if '*.*' not in output:
+    if ensure_usage and '*.*' not in output:
         output['*.*'] = ['USAGE']
 
     return output
diff --git a/plugins/modules/mysql_role.py b/plugins/modules/mysql_role.py
index ef022e1..48c4fdd 100644
--- a/plugins/modules/mysql_role.py
+++ b/plugins/modules/mysql_role.py
@@ -1034,7 +1034,7 @@ def main():
             module.fail_json(msg=to_native(e))
 
         try:
-            priv = privileges_unpack(priv, mode)
+            priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)
         except Exception as e:
             module.fail_json(msg='Invalid privileges string: %s' % to_native(e))
 
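Review bot: The new `ensure_usage` keyword on `privileges_unpack` in the first user.py hunk is not described in the docstring that follows the signature, so a reader cannot tell from the function itself what passing `False` changes; the effect lives in the second user.py hunk, where `ensure_usage and '*.*' not in output` skips adding the implicit `*.*: USAGE` entry. Add a line to the docstring such as `ensure_usage: when True (default), add '*.*': ['USAGE'] if the string names no global grant; pass False to keep the result limited to what the string lists, e.g. when it will be subtracted rather than granted.` The docstring and the rest of the function continue outside the hunk.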
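Review bot: The diffstat lists no test change, so the new `ensure_usage=False` path in the second user.py hunk (`if ensure_usage and '*.*' not in output:`) is unpinned; a unit test that calls `privileges_unpack` on a string without a `*.*` entry with `ensure_usage=False` and asserts `'*.*' not in` the result would keep a later refactor from quietly reintroducing the implicit USAGE entry, and with it the implicit revocation on the subtract path that this commit removes. The same test can assert that the default still yields `['USAGE']` under `'*.*'`, which is the compatibility guarantee the other callers rely on.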
@@ -1063,6 +1063,8 @@ def main():
     try:
         if state == 'present':
             if not role.exists:
+                if subtract_privs:
+                    priv = None # avoid granting unwanted privileges
                 changed = role.add(members, priv, module.check_mode, admin, set_default_role_all)
diff --git a/plugins/modules/mysql_user.py b/plugins/modules/mysql_user.py
index b5d08a2..0dedc26 100644
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@@ -443,7 +443,7 @@ def main():
             mode = get_mode(cursor)
         except Exception as e:
             module.fail_json(msg=to_native(e))
-        priv = privileges_unpack(priv, mode)
+        priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)
 
     if state == "present":
         if user_exists(cursor, user, host, host_all):
@@ -463,6 +463,8 @@ def main():
             if host_all:
                 module.fail_json(msg="host_all parameter cannot be used when adding a user")
             try:
+                if subtract_privs:
+                    priv = None # avoid granting unwanted privileges
                 changed = user_add(cursor, user, host, host_all, password, encrypted, plugin, plugin_hash_string, plugin_auth_string, priv, tls_requires, module.check_mode)
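Review bot: In the mysql_role `if not role.exists:` branch, `priv = None` silently discards the privileges the task listed whenever `subtract_privs` is set, so a play that subtracts from a role that does not yet exist creates the role with no grants and reports nothing about it; the mysql_user hunk before `user_add` has the same shape. Emitting a warning makes that no-op visible to the operator, e.g. `module.warn('subtract_privs has no effect when creating a new role; no privileges were granted')` directly before `priv = None` (wording adapted for mysql_user), and the comment would say why rather than what: `# nothing to subtract from a new role, so do not grant the listed privileges`. Whether `role.add` and `user_add` accept `priv=None` without issuing a GRANT is decided outside these hunks; presumably they already do, since `priv` could be None before this change when no privileges were given, but that is worth confirming. `main()` begins and ends outside both hunks.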