mysql_role, mysql_user: when subtract_privileges, don't grant unwanted privileges and don't revoke USAGE implicitly

2025-08-28 08:51:46 -07:00 · 2022-04-13 18:14:15 +02:00 · 2022-04-13 18:14:15 +02:00 · 52eb368e30
commit 52eb368e30
parent 47b2ba5b88
3 changed files with 8 additions and 4 deletions
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@ -560,7 +560,7 @@ def sort_column_order(statement):
    return '%s(%s)' % (priv_name, ', '.join(columns))


-def privileges_unpack(priv, mode):
+def privileges_unpack(priv, mode, ensure_usage=True):
    """ Take a privileges string, typically passed as a parameter, and unserialize
    it into a dictionary, the same format as privileges_get() above. We have this
    custom format to avoid using YAML/JSON strings inside YAML playbooks. Example
@ -606,7 +606,7 @@ def privileges_unpack(priv, mode):
        # Handle cases when there's privs like GRANT SELECT (colA, ...) in privs.
        output[pieces[0]] = normalize_col_grants(output[pieces[0]])

-    if '*.*' not in output:
+    if ensure_usage and '*.*' not in output:
        output['*.*'] = ['USAGE']

    return output
--- a/plugins/modules/mysql_role.py
+++ b/plugins/modules/mysql_role.py
@ -1034,7 +1034,7 @@ def main():
            module.fail_json(msg=to_native(e))

        try:
-            priv = privileges_unpack(priv, mode)
+            priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)
        except Exception as e:
            module.fail_json(msg='Invalid privileges string: %s' % to_native(e))

@ -1063,6 +1063,8 @@ def main():
    try:
        if state == 'present':
            if not role.exists:
+                if subtract_privs:
+                    priv = None  # avoid granting unwanted privileges
                changed = role.add(members, priv, module.check_mode, admin,
                                   set_default_role_all)

--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@ -443,7 +443,7 @@ def main():
            mode = get_mode(cursor)
        except Exception as e:
            module.fail_json(msg=to_native(e))
-        priv = privileges_unpack(priv, mode)
+        priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)

    if state == "present":
        if user_exists(cursor, user, host, host_all):
@ -463,6 +463,8 @@ def main():
            if host_all:
                module.fail_json(msg="host_all parameter cannot be used when adding a user")
            try:
+                if subtract_privs:
+                    priv = None  # avoid granting unwanted privileges
                changed = user_add(cursor, user, host, host_all, password, encrypted,
                                   plugin, plugin_hash_string, plugin_auth_string,
                                   priv, tls_requires, module.check_mode)