mysql_role, mysql_user: when subtract_privileges, don't grant unwanted privileges and don't revoke USAGE implicitly

2025-08-29 01:11:46 -07:00 · 2022-04-13 18:14:15 +02:00 · 2022-04-13 18:14:15 +02:00 · 52eb368e30
commit 52eb368e30
parent 47b2ba5b88
3 changed files with 8 additions and 4 deletions
--- a/plugins/modules/mysql_role.py
+++ b/plugins/modules/mysql_role.py
@ -1034,7 +1034,7 @@ def main():
            module.fail_json(msg=to_native(e))

        try:
-            priv = privileges_unpack(priv, mode)
+            priv = privileges_unpack(priv, mode, ensure_usage=not subtract_privs)
        except Exception as e:
            module.fail_json(msg='Invalid privileges string: %s' % to_native(e))

@ -1063,6 +1063,8 @@ def main():
    try:
        if state == 'present':
            if not role.exists:
+                if subtract_privs:
+                    priv = None  # avoid granting unwanted privileges
                changed = role.add(members, priv, module.check_mode, admin,
                                   set_default_role_all)