Fix revoke only grant (#503)

* fix * test * changelog (cherry picked from commit b34c23d07d)
2025-04-05 10:10:32 -07:00 · 2023-02-08 09:24:35 +01:00 · 2023-02-08 09:24:35 +01:00 · f2efed4b84
commit f2efed4b84
parent ff94dcdf0f
4 changed files with 73 additions and 9 deletions
--- a/changelogs/fragments/503-fix-revoke-grant-only.yml
+++ b/changelogs/fragments/503-fix-revoke-grant-only.yml
@ -0,0 +1,2 @@
 bugfixes:
  - mysql_user - when revoke privs consists only of ``GRANT``, a 2nd revoke query is executed with empty privs to revoke that ended in an SQL exception (https://github.com/ansible-collections/community.mysql/pull/503).
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@ -680,17 +680,19 @@ def privileges_revoke(cursor, user, host, db_table, priv, grant_option, maria_ro
        query = ' '.join(query)
        cursor.execute(query, (user, host))
    priv_string = ",".join([p for p in priv if p not in ('GRANT', )])
    query = ["REVOKE %s ON %s" % (priv_string, db_table)]
-    if not maria_role:
+    if priv_string != "":
-        query.append("FROM %s@%s")
+        query = ["REVOKE %s ON %s" % (priv_string, db_table)]
        params = (user, host)
    else:
        query.append("FROM %s")
        params = (user,)
-    query = ' '.join(query)
+        if not maria_role:
-    cursor.execute(query, params)
+            query.append("FROM %s@%s")
            params = (user, host)
        else:
            query.append("FROM %s")
            params = (user,)
        query = ' '.join(query)
        cursor.execute(query, params)
    cursor.execute("FLUSH PRIVILEGES")
--- a/tests/integration/targets/test_mysql_user/tasks/main.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/main.yml
@ -289,3 +289,5 @@
    # https://github.com/ansible-collections/community.mysql/issues/231
    - include: test_user_grants_with_roles_applied.yml
    - include: revoke_only_grant.yml
--- a/tests/integration/targets/test_mysql_user/tasks/revoke_only_grant.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/revoke_only_grant.yml
@ -0,0 +1,58 @@
 ---
 - vars:
    mysql_parameters: &mysql_params
      login_user: '{{ mysql_user }}'
      login_password: '{{ mysql_password }}'
      login_host: 127.0.0.1
      login_port: '{{ mysql_primary_port }}'
  block:
    - name: Drop mysql user if exists
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_1 }}'
        state: absent
      ignore_errors: true
    - name: create user with two grants
      mysql_user:
        <<: *mysql_params
        name: "{{ user_name_1 }}"
        password: "{{ user_password_1 }}"
        update_password: on_create
        priv: '*.*:SELECT,GRANT'
    - name: user must have only on priv, grant priv must be dropped
      register: result
      mysql_user:
        <<: *mysql_params
        name: "{{ user_name_1 }}"
        password: "{{ user_password_1 }}"
        update_password: on_create
        priv: '*.*:SELECT'
    - assert:
        that:
          - result is not failed
          - result is changed
    - name: immutable - user must have only on priv, grant priv must be dropped
      register: result
      mysql_user:
        <<: *mysql_params
        name: "{{ user_name_1 }}"
        password: "{{ user_password_1 }}"
        update_password: on_create
        priv: '*.*:SELECT'
    - assert:
        that:
          - result is not failed
          - result is not changed
  always:
    - name: drop user
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_1 }}'
        state: absent
      ignore_errors: true
		`@ -0,0 +1,2 @@`
							`bugfixes:`
							- mysql_user - when revoke privs consists only of ``GRANT``, a 2nd revoke query is executed with empty privs to revoke that ended in an SQL exception (https://github.com/ansible-collections/community.mysql/pull/503).