Release 3.13.0 commit (#705 )

User locking (#702 )
* function to check if a user is locked already Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add the location and logic of where I think user locking would happen. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Fix missing parameters for execute() Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add the locked attribute Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Initial user locking integration tests Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add attribute documentation Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * More descriptive names in the integration tests Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * - Changes requested/suggested by @Andersson007 - Example usage - Changelog fragment Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Fix user_is_locked and remove host_all option. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Fix host of user (was % should have been localhost after deleting `host:` earlier) Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Switch locked to named instead of positional. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add check_mode support. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add check_mode: true test cases Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Fix names that included `check_mode: true` Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add idempotence checks Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Switch calls to user_mod with sequences of None positional arguments to full named arguments Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * locked check should not run for roles. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * check_mode is set at the task level and not the module level Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add user locking to info module and test. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Handle DictCursor Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add check_mode feedback Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add another builtin account to the exclusion list Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Initial switch to default=None for locked, will need to add a test for it. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add check that missing locked argument does not unlock a user Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> --------- Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>
2025-04-04 17:50:32 -07:00 · 2025-03-21 07:02:43 +01:00 · 2025-03-19 14:40:59 +01:00 · 2025-03-10 18:55:42 +01:00
15 changed files with 404 additions and 64 deletions
--- a/.github/workflows/ansible-test-plugins.yml
+++ b/.github/workflows/ansible-test-plugins.yml
@ -13,7 +13,7 @@ on:  # yamllint disable-line rule:truthy
      - '.github/workflows/ansible-test-plugins.yml'
  schedule:
    - cron: '0 6 * * *'
-
+  workflow_dispatch:

 jobs:
  sanity:
@ -54,8 +54,8 @@ jobs:
        db_engine_version:
          - '8.0.38'
          - '8.4.1'
-          - '10.5.25'
          - '10.11.8'
+          - '11.4.5'
        connector_name:
          - pymysql
          - mysqlclient
@ -87,10 +87,10 @@ jobs:
        exclude:

          - db_engine_name: mysql
-            db_engine_version: '10.5.25'
+            db_engine_version: '10.11.8'

          - db_engine_name: mysql
-            db_engine_version: '10.11.8'
+            db_engine_version: '11.4.5'

          - db_engine_name: mariadb
            db_engine_version: '8.0.38'
@ -119,13 +119,13 @@ jobs:
          - db_engine_version: '8.0.38'
            ansible: stable-2.17

-          - db_engine_version: '10.5.25'
+          - db_engine_version: '10.11.8'
            ansible: stable-2.17

          - db_engine_version: '8.0.38'
            ansible: devel

-          - db_engine_version: '10.5.25'
+          - db_engine_version: '10.11.8'
            ansible: devel

          - db_engine_version: '8.4.1'
@ -162,7 +162,7 @@ jobs:
            db_engine_version: '8.0.38'

          - connector_version: '1.1.1'
-            db_engine_version: '10.5.25'
+            db_engine_version: '10.11.8'

    services:
      db_primary:
@ -175,7 +175,7 @@ jobs:
        # We write our own health-cmd because the mariadb container does not
        # provide a healthcheck
        options: >-
-          --health-cmd "mysqladmin ping -P 3306 -pmsandbox |grep alive || exit 1"
+          --health-cmd "${{ matrix.db_engine_name == 'mysql' && 'mysqladmin' || 'mariadb-admin' }} ping -P 3306 -pmsandbox |grep alive || exit 1"
          --health-start-period 10s
          --health-interval 10s
          --health-timeout 5s
@ -189,7 +189,7 @@ jobs:
        ports:
          - 3308:3306
        options: >-
-          --health-cmd "mysqladmin ping -P 3306 -pmsandbox |grep alive || exit 1"
+          --health-cmd "${{ matrix.db_engine_name == 'mysql' && 'mysqladmin' || 'mariadb-admin' }} ping -P 3306 -pmsandbox |grep alive || exit 1"
          --health-start-period 10s
          --health-interval 10s
          --health-timeout 5s
@ -203,7 +203,7 @@ jobs:
        ports:
          - 3309:3306
        options: >-
-          --health-cmd "mysqladmin ping -P 3306 -pmsandbox |grep alive || exit 1"
+          --health-cmd "${{ matrix.db_engine_name == 'mysql' && 'mysqladmin' || 'mariadb-admin' }} ping -P 3306 -pmsandbox |grep alive || exit 1"
          --health-start-period 10s
          --health-interval 10s
          --health-timeout 5s
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -6,6 +6,27 @@ Community MySQL and MariaDB Collection Release Notes

 This changelog describes changes after version 2.0.0.

+v3.13.0
+=======
+
+Release Summary
+---------------
+
+This is a minor release of the ``community.mysql`` collection.
+This changelog contains all changes to the modules and plugins in this
+collection that have been made after the previous release.
+
+Minor Changes
+-------------
+
+- Integration tests for MariaDB 11.4 have replaced those for 10.5. The previous version is now 10.11.
+- mysql_user - add ``locked`` option to lock/unlock users, this is mainly used to have users that will act as definers on stored procedures.
+
+Bugfixes
+--------
+
+- mysql_db - fix dump and import to find MariaDB binaries (mariadb and mariadb-dump) when MariaDB 11+ is used and symbolic links to MySQL binaries are absent.
+
 v3.12.0
 =======

--- a/23
+++ b/23
@ -11,6 +11,17 @@ ifdef continue_on_errors
 	_continue_on_errors = --continue-on-error
 endif

+# Set command variables based on database engine
+# Required for MariaDB 11+ which no longer includes mysql named compatible
+# executable symlinks
+ifeq ($(db_engine_name),mysql)
+	_command = mysqld
+	_health_cmd = mysqladmin
+else
+	_command = mariadbd
+	_health_cmd = mariadb-admin
+endif
+
 .PHONY: test-integration
 test-integration:
 	@echo -n $(db_engine_name) > tests/integration/db_engine_name
@ -29,9 +40,9 @@ test-integration:
 		--env MYSQL_ROOT_PASSWORD=msandbox \
 		--network podman \
 		--publish 3307:3306 \
-		--health-cmd 'mysqladmin ping -P 3306 -pmsandbox | grep alive || exit 1' \
+		--health-cmd '$(_health_cmd) ping -P 3306 -pmsandbox | grep alive || exit 1' \
 		docker.io/library/$(db_engine_name):$(db_engine_version) \
-		mysqld
+		$(_command)
 	podman run \
 		--detach \
 		--replace \
@ -40,9 +51,9 @@ test-integration:
 		--env MYSQL_ROOT_PASSWORD=msandbox \
 		--network podman \
 		--publish 3308:3306 \
-		--health-cmd 'mysqladmin ping -P 3306 -pmsandbox | grep alive || exit 1' \
+		--health-cmd '$(_health_cmd) ping -P 3306 -pmsandbox | grep alive || exit 1' \
 		docker.io/library/$(db_engine_name):$(db_engine_version) \
-		mysqld
+		$(_command)
 	podman run \
 		--detach \
 		--replace \
@ -51,9 +62,9 @@ test-integration:
 		--env MYSQL_ROOT_PASSWORD=msandbox \
 		--network podman \
 		--publish 3309:3306 \
-		--health-cmd 'mysqladmin ping -P 3306 -pmsandbox | grep alive || exit 1' \
+		--health-cmd '$(_health_cmd) ping -P 3306 -pmsandbox | grep alive || exit 1' \
 		docker.io/library/$(db_engine_name):$(db_engine_version) \
-		mysqld
+		$(_command)
 	# Setup replication and restart containers using the same subshell to keep variables alive
 	db_ver=$(db_engine_version); \
 	maj="$${db_ver%.*.*}"; \
--- a/README.md
+++ b/README.md
@ -112,10 +112,10 @@ For MariaDB, only Long Term releases are tested. When multiple LTS are available
 - mariadb:10.3.34 (collection version < 3.5.1)
 - mariadb:10.4.24 (collection version >= 3.5.2, < 3.10.0)
 - mariadb:10.5.18 (collection version >= 3.5.2, < 3.10.0)
- mariadb:10.5.25 (collection version >= 3.10.0)
+- mariadb:10.5.25 (collection version >= 3.10.0, <3.13.0)
 - mariadb:10.6.11 (collection version >= 3.5.2, < 3.10.0)
 - mariadb:10.11.8 (collection version >= 3.10.0)
-
+- mariadb:11.4.5 (collection version >= 3.13.0)

 ### Database connectors

--- a/TESTING.md
+++ b/TESTING.md
@ -65,8 +65,8 @@ The Makefile accept the following options
  - Choices:
    - "8.0.38" <- mysql
    - "8.4.1" <- mysql (NOT WORKING YET, ansible-test uses Ubuntu 20.04 which is too old to install mysql-community-client 8.4)
-    - "10.5.25" <- mariadb
    - "10.11.8" <- mariadb
+    - "11.4.5" <- mariadb
  - Description: The tag of the container to use for the service containers that will host a primary database and two replicas. Do not use short version, like `mysql:8` (don't do that) because our tests expect a full version to filter tests precisely. For instance: `when: db_version is version ('8.0.22', '>')`. You can use any tag available on [hub.docker.com/_/mysql](https://hub.docker.com/_/mysql) and [hub.docker.com/_/mariadb](https://hub.docker.com/_/mariadb) but GitHub Action will only use the versions listed above.

 - `connector_name`
@ -121,7 +121,7 @@ make ansible="stable-2.16" db_engine_name="mysql" db_engine_version="8.0.31" con
 make ansible="stable-2.17" db_engine_name="mysql" db_engine_version="8.0.31" connector_name="mysqlclient" connector_version="2.0.3" target="test_mysql_query" keep_containers_alive=1 continue_on_errors=1

 # If your system has an usupported version of Python:
-make local_python_version="3.10" ansible="stable-2.17" db_engine_name="mariadb" db_engine_version="10.6.11" connector_name="pymysql" connector_version="1.0.2"
+make local_python_version="3.10" ansible="stable-2.17" db_engine_name="mariadb" db_engine_version="11.4.5" connector_name="pymysql" connector_version="1.0.2"
 ```


--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@ -247,6 +247,26 @@ releases:
    - 3.12.0.yml
    - 696-mysql-db-add-zstd-support.yml
    release_date: '2025-01-17'
+  3.13.0:
+    changes:
+      bugfixes:
+      - mysql_db - fix dump and import to find MariaDB binaries (mariadb and mariadb-dump)
+        when MariaDB 11+ is used and symbolic links to MySQL binaries are absent.
+      minor_changes:
+      - Integration tests for MariaDB 11.4 have replaced those for 10.5. The previous
+        version is now 10.11.
+      - mysql_user - add ``locked`` option to lock/unlock users, this is mainly used
+        to have users that will act as definers on stored procedures.
+      release_summary: 'This is a minor release of the ``community.mysql`` collection.
+
+        This changelog contains all changes to the modules and plugins in this
+
+        collection that have been made after the previous release.'
+    fragments:
+    - 3.13.0.yml
+    - 702-user_locking.yaml
+    - tests_mariadb_11_4.yml
+    release_date: '2025-03-21'
  3.2.0:
    changes:
      bugfixes:
--- a/galaxy.yml
+++ b/galaxy.yml
@ -1,7 +1,7 @@
 ---
 namespace: community
 name: mysql
-version: 3.12.0
+version: 3.13.0
 readme: README.md
 authors:
  - Ansible community
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@ -52,6 +52,25 @@ def user_exists(cursor, user, host, host_all):
    return count[0] > 0


+def user_is_locked(cursor, user, host):
+    cursor.execute("SHOW CREATE USER %s@%s", (user, host))
+
+    # Per discussions on irc:libera.chat:#maria the query may return up to 2 rows but "ACCOUNT LOCK" should always be in the first row.
+    result = cursor.fetchone()
+
+    # ACCOUNT LOCK does not have to be the last option in the CREATE USER query.
+    # Need to handle both DictCursor and non-DictCursor
+    if isinstance(result, tuple):
+        if result[0].find('ACCOUNT LOCK') > 0:
+            return True
+    elif isinstance(result, dict):
+        for res in result.values():
+            if res.find('ACCOUNT LOCK') > 0:
+                return True
+
+    return False
+
+
 def sanitize_requires(tls_requires):
    sanitized_requires = {}
    if tls_requires:
@ -160,7 +179,7 @@ def get_existing_authentication(cursor, user, host=None):
 def user_add(cursor, user, host, host_all, password, encrypted,
             plugin, plugin_hash_string, plugin_auth_string, salt, new_priv,
             attributes, tls_requires, reuse_existing_password, module,
-             password_expire, password_expire_interval):
+             password_expire, password_expire_interval, locked=False):
    # If attributes are set, perform a sanity check to ensure server supports user attributes before creating user
    if attributes and not get_attribute_support(cursor):
        module.fail_json(msg="user attributes were specified but the server does not support user attributes")
@ -250,6 +269,9 @@ def user_add(cursor, user, host, host_all, password, encrypted,
        cursor.execute("ALTER USER %s@%s ATTRIBUTE %s", (user, host, json.dumps(attributes)))
        final_attributes = attributes_get(cursor, user, host)

+    if locked:
+        cursor.execute("ALTER USER %s@%s ACCOUNT LOCK", (user, host))
+
    return {'changed': True, 'password_changed': not used_existing_password, 'attributes': final_attributes}


@ -264,7 +286,7 @@ def is_hash(password):
 def user_mod(cursor, user, host, host_all, password, encrypted,
             plugin, plugin_hash_string, plugin_auth_string, salt, new_priv,
             append_privs, subtract_privs, attributes, tls_requires, module,
-             password_expire, password_expire_interval, role=False, maria_role=False):
+             password_expire, password_expire_interval, locked=None, role=False, maria_role=False):
    changed = False
    msg = "User unchanged"
    grant_option = False
@ -536,6 +558,22 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
            if attribute_support:
                final_attributes = attributes_get(cursor, user, host)

+        if not role and locked is not None and user_is_locked(cursor, user, host) != locked:
+            if not module.check_mode:
+                if locked:
+                    cursor.execute("ALTER USER %s@%s ACCOUNT LOCK", (user, host))
+                    msg = 'User locked'
+                else:
+                    cursor.execute("ALTER USER %s@%s ACCOUNT UNLOCK", (user, host))
+                    msg = 'User unlocked'
+            else:
+                if locked:
+                    msg = 'User will be locked'
+                else:
+                    msg = 'User will be unlocked'
+
+            changed = True
+
        if role:
            continue

--- a/plugins/modules/mysql_db.py
+++ b/plugins/modules/mysql_db.py
@ -386,67 +386,75 @@ def db_dump(module, host, user, password, db_name, target, all_databases, port,
            encoding=None, force=False, master_data=0, skip_lock_tables=False,
            dump_extra_args=None, unsafe_password=False, restrict_config_file=False,
            check_implicit_admin=False, pipefail=False):
-    cmd = module.get_bin_path('mysqldump', True)
+
+    cmd_str = 'mysqldump'
+    if server_implementation == 'mariadb' and LooseVersion(server_version) >= LooseVersion("10.4.6"):
+        cmd_str = 'mariadb-dump'
+    try:
+        cmd = [module.get_bin_path(cmd_str, True)]
+    except Exception as e:
+        return 1, "", "Error determining dump command: %s" % str(e)
+
    # If defined, mysqldump demands --defaults-extra-file be the first option
    if config_file:
        if restrict_config_file:
-            cmd += " --defaults-file=%s" % shlex_quote(config_file)
+            cmd.append("--defaults-file=%s" % shlex_quote(config_file))
        else:
-            cmd += " --defaults-extra-file=%s" % shlex_quote(config_file)
+            cmd.append("--defaults-extra-file=%s" % shlex_quote(config_file))

    if check_implicit_admin:
-        cmd += " --user=root --password=''"
+        cmd.append("--user=root --password=''")
    else:
        if user is not None:
-            cmd += " --user=%s" % shlex_quote(user)
+            cmd.append("--user=%s" % shlex_quote(user))

        if password is not None:
            if not unsafe_password:
-                cmd += " --password=%s" % shlex_quote(password)
+                cmd.append("--password=%s" % shlex_quote(password))
            else:
-                cmd += " --password=%s" % password
+                cmd.append("--password=%s" % password)

    if ssl_cert is not None:
-        cmd += " --ssl-cert=%s" % shlex_quote(ssl_cert)
+        cmd.append("--ssl-cert=%s" % shlex_quote(ssl_cert))
    if ssl_key is not None:
-        cmd += " --ssl-key=%s" % shlex_quote(ssl_key)
+        cmd.append("--ssl-key=%s" % shlex_quote(ssl_key))
    if ssl_ca is not None:
-        cmd += " --ssl-ca=%s" % shlex_quote(ssl_ca)
+        cmd.append("--ssl-ca=%s" % shlex_quote(ssl_ca))
    if force:
-        cmd += " --force"
+        cmd.append("--force")
    if socket is not None:
-        cmd += " --socket=%s" % shlex_quote(socket)
+        cmd.append("--socket=%s" % shlex_quote(socket))
    else:
-        cmd += " --host=%s --port=%i" % (shlex_quote(host), port)
+        cmd.append("--host=%s --port=%i" % (shlex_quote(host), port))

    if all_databases:
-        cmd += " --all-databases"
+        cmd.append("--all-databases")
    elif len(db_name) > 1:
-        cmd += " --databases {0}".format(' '.join(db_name))
+        cmd.append("--databases {0}".format(' '.join(db_name)))
    else:
-        cmd += " %s" % shlex_quote(' '.join(db_name))
+        cmd.append("%s" % shlex_quote(' '.join(db_name)))

    if skip_lock_tables:
-        cmd += " --skip-lock-tables"
+        cmd.append("--skip-lock-tables")
    if (encoding is not None) and (encoding != ""):
-        cmd += " --default-character-set=%s" % shlex_quote(encoding)
+        cmd.append("--default-character-set=%s" % shlex_quote(encoding))
    if single_transaction:
-        cmd += " --single-transaction=true"
+        cmd.append("--single-transaction=true")
    if quick:
-        cmd += " --quick"
+        cmd.append("--quick")
    if ignore_tables:
        for an_ignored_table in ignore_tables:
-            cmd += " --ignore-table={0}".format(an_ignored_table)
+            cmd.append("--ignore-table={0}".format(an_ignored_table))
    if hex_blob:
-        cmd += " --hex-blob"
+        cmd.append("--hex-blob")
    if master_data:
        if (server_implementation == 'mysql' and
                LooseVersion(server_version) >= LooseVersion("8.2.0")):
-            cmd += " --source-data=%s" % master_data
+            cmd.append("--source-data=%s" % master_data)
        else:
-            cmd += " --master-data=%s" % master_data
+            cmd.append("--master-data=%s" % master_data)
    if dump_extra_args is not None:
-        cmd += " " + dump_extra_args
+        cmd.append(dump_extra_args)

    path = None
    if os.path.splitext(target)[-1] == '.gz':
@ -458,6 +466,8 @@ def db_dump(module, host, user, password, db_name, target, all_databases, port,
    elif os.path.splitext(target)[-1] == '.zst':
        path = module.get_bin_path('zstd', True)

+    cmd = ' '.join(cmd)
+
    if path:
        cmd = '%s | %s > %s' % (cmd, path, shlex_quote(target))
        if pipefail:
@ -476,13 +486,21 @@ def db_dump(module, host, user, password, db_name, target, all_databases, port,


 def db_import(module, host, user, password, db_name, target, all_databases, port, config_file,
-              socket=None, ssl_cert=None, ssl_key=None, ssl_ca=None, encoding=None, force=False,
+              server_implementation, server_version, socket=None, ssl_cert=None, ssl_key=None, ssl_ca=None,
+              encoding=None, force=False,
              use_shell=False, unsafe_password=False, restrict_config_file=False,
              check_implicit_admin=False):
    if not os.path.exists(target):
        return module.fail_json(msg="target %s does not exist on the host" % target)

-    cmd = [module.get_bin_path('mysql', True)]
+    cmd_str = 'mysql'
+    if server_implementation == 'mariadb' and LooseVersion(server_version) >= LooseVersion("10.4.6"):
+        cmd_str = 'mariadb'
+    try:
+        cmd = [module.get_bin_path(cmd_str, True)]
+    except Exception as e:
+        return 1, "", "Error determining mysql/mariadb command: %s" % str(e)
+
    # --defaults-file must go first, or errors out
    if config_file:
        if restrict_config_file:
@ -772,8 +790,8 @@ def main():
        rc, stdout, stderr = db_import(module, login_host, login_user,
                                       login_password, db, target,
                                       all_databases,
-                                       login_port, config_file,
-                                       socket, ssl_cert, ssl_key, ssl_ca,
+                                       login_port, config_file, server_implementation,
+                                       server_version, socket, ssl_cert, ssl_key, ssl_ca,
                                       encoding, force, use_shell, unsafe_login_password,
                                       restrict_config_file, check_implicit_admin)
        if rc != 0:
--- a/plugins/modules/mysql_info.py
+++ b/plugins/modules/mysql_info.py
@ -4,6 +4,7 @@
 # Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <andrew.a.klychkov@gmail.com>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

+
 from __future__ import absolute_import, division, print_function

 __metaclass__ = type
@ -318,6 +319,7 @@ from ansible_collections.community.mysql.plugins.module_utils.user import (
    get_resource_limits,
    get_existing_authentication,
    get_user_implementation,
+    user_is_locked,
 )
 from ansible.module_utils.six import iteritems
 from ansible.module_utils._text import to_native
@ -652,8 +654,10 @@ class MySQL_Info(object):
            if authentications:
                output_dict.update(authentications[0])

+            if line.get('is_role') and line['is_role'] == 'N':
+                output_dict['locked'] = user_is_locked(self.cursor, user, host)
+
            # TODO password_option
-            # TODO lock_option
            # but both are not supported by mysql_user atm. So no point yet.

            output.append(output_dict)
--- a/plugins/modules/mysql_role.py
+++ b/plugins/modules/mysql_role.py
@ -930,11 +930,12 @@ class Role():
                                                      set_default_role_all=set_default_role_all)

        if privs:
-            result = user_mod(self.cursor, self.name, self.host,
-                              None, None, None, None, None, None, None,
-                              privs, append_privs, subtract_privs, None, None,
-                              self.module, None, None, role=True,
-                              maria_role=self.is_mariadb)
+            result = user_mod(cursor=self.cursor, user=self.name, host=self.host,
+                              host_all=None, password=None, encrypted=None, plugin=None,
+                              plugin_auth_string=None, plugin_hash_string=None, salt=None,
+                              new_priv=privs, append_privs=append_privs, subtract_privs=subtract_privs,
+                              attributes=None, tls_requires=None, module=self.module, password_expire=None,
+                              password_expire_interval=None, role=True, maria_role=self.is_mariadb)
            changed = result['changed']

        if admin:
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@ -189,6 +189,15 @@ options:
        fields names in privileges.
    type: bool
    version_added: '3.8.0'
+
+  locked:
+    description:
+      - Lock account to prevent connections using it.
+      - This is primarily used for creating a user that will act as a DEFINER on stored procedures.
+      - If not specified leaves the lock state as is (for a new user creates unlocked).
+    type: bool
+    version_added: '3.13.0'
+
  attributes:
    description:
      - "Create, update, or delete user attributes (arbitrary 'key: value' comments) for the user."
@ -225,6 +234,7 @@ author:
 - Lukasz Tomaszkiewicz (@tomaszkiewicz)
 - kmarse (@kmarse)
 - Laurent Indermühle (@laurent-indermuehle)
+- E.S. Rosenberg (@Keeper-of-the-Keys)

 extends_documentation_fragment:
 - community.mysql.mysql
@ -400,6 +410,13 @@ EXAMPLES = r'''
    priv:
      'db1.*': DELETE

+- name: Create locked user to act as a definer on procedures
+  community.mysql.mysql_user:
+    name: readonly_procedures_locked
+    locked: true
+    priv:
+      db1.*: SELECT
+
 # Example .my.cnf file for setting the root password
 # [client]
 # user=root
@ -470,6 +487,7 @@ def main():
        column_case_sensitive=dict(type='bool', default=None),  # TODO 4.0.0 add default=True
        password_expire=dict(type='str', choices=['now', 'never', 'default', 'interval'], no_log=True),
        password_expire_interval=dict(type='int', required_if=[('password_expire', 'interval', True)], no_log=True),
+        locked=dict(type='bool'),
    )
    module = AnsibleModule(
        argument_spec=argument_spec,
@ -510,6 +528,7 @@ def main():
    column_case_sensitive = module.params["column_case_sensitive"]
    password_expire = module.params["password_expire"]
    password_expire_interval = module.params["password_expire_interval"]
+    locked = module.boolean(module.params['locked'])

    if priv and not isinstance(priv, (str, dict)):
        module.fail_json(msg="priv parameter must be str or dict but %s was passed" % type(priv))
@ -577,13 +596,15 @@ def main():
                    result = user_mod(cursor, user, host, host_all, password, encrypted,
                                      plugin, plugin_hash_string, plugin_auth_string, salt,
                                      priv, append_privs, subtract_privs, attributes, tls_requires, module,
-                                      password_expire, password_expire_interval)
+                                      password_expire, password_expire_interval, locked=locked)

                else:
-                    result = user_mod(cursor, user, host, host_all, None, encrypted,
-                                      None, None, None, None,
-                                      priv, append_privs, subtract_privs, attributes, tls_requires, module,
-                                      password_expire, password_expire_interval)
+                    result = user_mod(cursor=cursor, user=user, host=host, host_all=host_all, password=None,
+                                      encrypted=encrypted, plugin=None, plugin_hash_string=None, plugin_auth_string=None,
+                                      salt=None, new_priv=priv, append_privs=append_privs, subtract_privs=subtract_privs,
+                                      attributes=attributes, tls_requires=tls_requires, module=module,
+                                      password_expire=password_expire, password_expire_interval=password_expire_interval,
+                                      locked=locked)
                changed = result['changed']
                msg = result['msg']
                password_changed = result['password_changed']
@ -601,7 +622,7 @@ def main():
                result = user_add(cursor, user, host, host_all, password, encrypted,
                                  plugin, plugin_hash_string, plugin_auth_string, salt,
                                  priv, attributes, tls_requires, reuse_existing_password, module,
-                                  password_expire, password_expire_interval)
+                                  password_expire, password_expire_interval, locked=locked)
                changed = result['changed']
                password_changed = result['password_changed']
                final_attributes = result['attributes']
--- a/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml
+++ b/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml
@ -261,6 +261,7 @@
        resource_limits: "{{ item.resource_limits | default(omit) }}"
        column_case_sensitive: true
        state: present
+        locked: "{{ item.locked | default(omit) }}"
      loop: "{{ result.users_info }}"
      loop_control:
        label: "{{ item.name }}@{{ item.host }}"
@ -275,6 +276,7 @@
        - item.name != 'mariadb.sys'
        - item.name != 'mysql.sys'
        - item.name != 'mysql.infoschema'
+        - item.name != 'mysql.session'


    # ================================== Cleanup ============================
--- a/tests/integration/targets/test_mysql_user/tasks/main.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/main.yml
@ -305,3 +305,7 @@
    - name: Mysql_user - test update_password
      ansible.builtin.import_tasks:
        file: test_update_password.yml
+
+    - name: Mysql_user - test user_locking
+      ansible.builtin.import_tasks:
+        file: test_user_locking.yml
--- a/tests/integration/targets/test_mysql_user/tasks/test_user_locking.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/test_user_locking.yml
@ -0,0 +1,200 @@
+---
+
+- vars:
+    mysql_parameters: &mysql_params
+      login_user: '{{ mysql_user }}'
+      login_password: '{{ mysql_password }}'
+      login_host: '{{ mysql_host }}'
+      login_port: '{{ mysql_primary_port }}'
+
+  block:
+
+    # ========================= Prepare =======================================
+    - name: Mysql_user Lock user | Create a test database
+      community.mysql.mysql_db:
+        <<: *mysql_params
+        name: mysql_lock_user_test
+        state: present
+
+    # ========================== Tests ========================================
+
+    - name: Mysql_user Lock user | create locked | Create test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        password: 'msandbox'
+        locked: true
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create locked | Assert that test user is locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is not search('ACCOUNT LOCK')
+
+    - name: 'Mysql_user Lock user | create locked | Idempotence check'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: true
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+      register: idempotence_check
+      failed_when: idempotence_check is changed
+
+    - name: 'Mysql_user Lock user | create locked | Check that absense of locked does not unlock the user'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+      register: idempotence_check
+      failed_when: idempotence_check is changed
+
+    - name: 'Mysql_user Lock user | create locked | Unlock test user check_mode: true'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: false
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create locked | Assert that test user is locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is not search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create locked | Unlock test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: false
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create locked | Assert that test user is not locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create locked | Remove test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        state: absent
+        
+    - name: Mysql_user Lock user | create unlocked | Create test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        password: 'msandbox'
+        locked: false
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create unlocked | Assert that test user is not locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is search('ACCOUNT LOCK')
+
+    - name: 'Mysql_user Lock user | create unlocked | Idempotence check'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: false
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+      register: idempotence_check
+      failed_when: idempotence_check is changed
+
+    - name: 'Mysql_user Lock user | create unlocked | Lock test user check_mode: true'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: true
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create unlocked | Assert that test user is not locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create unlocked | Lock test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: true
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create unlocked | Assert that test user is locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is not search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create unlocked | Remove test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        state: absent
+
+    - name: Mysql_user Lock user | create default | Create test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        password: 'msandbox'
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create default | Assert that test user is not locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create default | Remove test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        state: absent
+
+    # ========================= Teardown ======================================
+
+    - name: Mysql_user Lock user | Delete test database
+      community.mysql.mysql_db:
+        <<: *mysql_params
+        name: mysql_lock_user_test
+        state: absent