diff --git a/changelogs/fragments/609-mysql_user_fix_overriding_password_to_the_same.yml b/changelogs/fragments/609-mysql_user_fix_overriding_password_to_the_same.yml
new file mode 100644
index 0000000000..9ad0c083e5
--- /dev/null
+++ b/changelogs/fragments/609-mysql_user_fix_overriding_password_to_the_same.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- mysql_user - fix overriding password to the same (https://github.com/ansible-collections/community.general/issues/543).
diff --git a/plugins/modules/database/mysql/mysql_user.py b/plugins/modules/database/mysql/mysql_user.py
index d8ef5aa1f3..27565a1336 100644
--- a/plugins/modules/database/mysql/mysql_user.py
+++ b/plugins/modules/database/mysql/mysql_user.py
@@ -367,10 +367,19 @@ def user_add(cursor, user, host, host_all, password, encrypted,
 if check_mode:
 return True
+ # Determine what user management method server uses
+ old_user_mgmt = use_old_user_mgmt(cursor)
+
 if password and encrypted:
 cursor.execute("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user, host, password))
 elif password and not encrypted:
- cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user, host, password))
+ if old_user_mgmt:
+ cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user, host, password))
+ else:
+ cursor.execute("SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))", (password,))
+ encrypted_password = cursor.fetchone()[0]
+ cursor.execute("CREATE USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, encrypted_password))
+
 elif plugin and plugin_hash_string:
 cursor.execute("CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string))
 elif plugin and plugin_auth_string:
diff --git a/tests/integration/targets/mysql_user/tasks/user_password_update_test.yml b/tests/integration/targets/mysql_user/tasks/user_password_update_test.yml
index 1f126c48b5..a85e4edf04 100644
--- a/tests/integration/targets/mysql_user/tasks/user_password_update_test.yml
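Review bot: In the new `else:` branch of `user_add` in mysql_user.py, the cleartext password travels to the server inside an ordinary `SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))`; MySQL rewrites passwords in account statements such as `CREATE USER` before writing them to the general and slow query logs, but a plain `SELECT` is not covered, so the password can end up readable in server logs. Computing the hash on the client avoids that round trip, for example `encrypted_password = '*' + hashlib.sha1(hashlib.sha1(password.encode('utf-8')).digest()).hexdigest().upper()` (this needs `import hashlib`, and the byte encoding has to match what the connection would have sent). The same branch also pins every newly created account to `mysql_native_password` regardless of the server's default authentication plugin; that plugin is SHA-1 based and may be disabled on newer servers, so the choice deserves a comment such as `# forces mysql_native_password so the stored hash can be compared on later runs; overrides the server default plugin` and a mention in the module documentation. `user_add` starts before and continues past this hunk, so how the other branches and callers interact with `old_user_mgmt` is not visible here.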
+++ b/tests/integration/targets/mysql_user/tasks/user_password_update_test.yml
@@ -46,18 +46,17 @@
 register: user_password_old
 when: user_password_old_create is failed
-# FIXME: not sure why this is failing, but it looks like it should expect changed=true
-#- name: update user2 state=present with same password (expect changed=false)
-# mysql_user:
-# name: '{{ user_name_2 }}'
-# password: '{{ user_password_2 }}'
-# priv: '*.*:ALL'
-# state: present
-# login_unix_socket: '{{ mysql_socket }}'
-# register: result
-#
-#- name: assert output user2 was not updated
-# assert: { that: "result.changed == false" }
+- name: update user2 state=present with same password (expect changed=false)
+ mysql_user:
+ name: '{{ user_name_2 }}'
+ password: '{{ user_password_2 }}'
+ priv: '*.*:ALL'
+ state: present
+ login_unix_socket: '{{ mysql_socket }}'
+ register: result
+
+- name: assert output user2 was not updated
+ assert: { that: "result.changed == false" }
 - include: assert_user.yml user_name={{user_name_2}} priv='ALL PRIVILEGES'