add service name to plugin pam/auth_pam usage

2025-08-03 20:54:25 -07:00 · 2022-09-13 15:20:38 +02:00 · 2022-09-13 15:20:38 +02:00 · a9299d57e0
commit a9299d57e0
parent 7defd8e728
2 changed files with 13 additions and 3 deletions
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@ -170,6 +170,10 @@ def user_add(cursor, user, host, host_all, password, encrypted,
    elif plugin and plugin_hash_string:
        query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string)
    elif plugin and plugin_auth_string:
+        # Mysql and MariaDB differ in naming pam plugin
+        if plugin = 'pam' or plugin = 'auth_pam':  
+            query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s USING %s", (user, host, plugin, plugin_auth_string)
+        else:
            query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
    elif plugin:
        query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s", (user, host, plugin)
@ -305,6 +309,10 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
                if plugin_hash_string:
                    query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string)
                elif plugin_auth_string:
+                    # Mysql and MariaDB differ in naming pam plugin
+                    if plugin = 'pam' or plugin = 'auth_pam':  
+                        query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s USING %s", (user, host, plugin, plugin_auth_string)
+                    else:
                        query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
                else:
                    query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s", (user, host, plugin)
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@ -117,7 +117,7 @@ options:
  update_password:
    description:
      - C(always) will update passwords if they differ. This affects I(password) and the combination of I(plugin), I(plugin_hash_string), I(plugin_auth_string).
-      - C(on_create) will only set the password or the combination of plugin, plugin_hash_string, plugin_auth_string for newly created users.
+      - C(on_create) will only set the password or the combination of I(plugin), I(plugin_hash_string), I(plugin_auth_string) for newly created users.
      - "C(on_new_username) works like C(on_create), but it tries to reuse an existing password: If one different user
        with the same username exists, or multiple different users with the same username and equal C(plugin) and
        C(authentication_string) attribute, the existing C(plugin) and C(authentication_string) are used for the
@ -138,6 +138,8 @@ options:
  plugin_auth_string:
    description:
      - User's plugin auth_string (``CREATE USER user IDENTIFIED WITH plugin BY plugin_auth_string``).
+      - If I(plugin) is ``pam`` or ``auth_pam`` I(plugin_auth_string) can be used to determine the pam service  (``CREATE USER user IDENTIFIED WITH plugin USING plugin_auth_string``).
+        This was chosen because MySQL and MariaDB store the ``USING plugin_auth_string`` part in the ``authentication_string`` column in ``mysql.user``.
    type: str
    version_added: '0.1.0'
  resource_limits: