Fix: grant revoked priv (#434)

* Fix: exclude mysql 8 from test_mysql_user's 'Assert that priv did not change' test * Add tests to verify that GRANT permission is present after user modification * Fix: do not revoke GRANT permission when it's already allowed and present in priv parameter * Deduplicate tests name Easier to debug this way * Fix assertions named 'GRANT permission is present' * Only revoke grant option if it exists and absence is requested * Fix assertion comments * Fix: Only revoke grant option if it exists and absence is requested * Avoid pointless revocations when ALL are granted * Assert that priv did not change on mariadb also * Fix: sanity and unity tests * Format long lines * Add changelog fragment Co-authored-by: Laurent Indermühle <laurent.indermuehle@pm.me>
2025-04-20 01:11:27 -07:00 · 2022-09-02 13:40:06 +02:00 · 2022-09-02 13:40:06 +02:00 · cc5cf98368
commit cc5cf98368
parent aef6a2040c
3 changed files with 83 additions and 4 deletions
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@ -359,9 +359,20 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
                    revoke_privs = list(set(new_priv[db_table]) & set(curr_priv[db_table]))
                else:
                    # When replacing (neither append_privs nor subtract_privs), grant all missing privileges
-                    # and revoke existing privileges that were not requested.
+                    # and revoke existing privileges that were not requested...
                    grant_privs = list(set(new_priv[db_table]) - set(curr_priv[db_table]))
                    revoke_privs = list(set(curr_priv[db_table]) - set(new_priv[db_table]))
+
+                    # ... avoiding pointless revocations when ALL are granted
+                    if 'ALL' in grant_privs or 'ALL PRIVILEGES' in grant_privs:
+                        revoke_privs = list(set(['GRANT', 'PROXY']).intersection(set(revoke_privs)))
+
+                    # Only revoke grant option if it exists and absence is requested
+                    #
+                    # For more details
+                    # https://github.com/ansible-collections/community.mysql/issues/77#issuecomment-1209693807
+                    grant_option = 'GRANT' in revoke_privs and 'GRANT' not in grant_privs
+
                if grant_privs == ['GRANT']:
                    # USAGE grants no privileges, it is only needed because 'WITH GRANT OPTION' cannot stand alone
                    grant_privs.append('USAGE')