From 8859a7cf8e6b953cb0696508a3f505e7e464bff0 Mon Sep 17 00:00:00 2001 From: Robin Miller Date: Tue, 5 May 2015 17:54:02 -0500 Subject: [PATCH] Only revoke actually granted permissions, not 'ALL'. This prevents errors when the login_user does not have 'ALL' permissions, and the 'priv' value contains fewer permissions than are held by an existing user. This is particularly an issue when using an Amazon Web Services RDS instance, as there is no (accessible) user with 'ALL' permissions on *.*. --- lib/ansible/modules/database/mysql/mysql_user.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/ansible/modules/database/mysql/mysql_user.py b/lib/ansible/modules/database/mysql/mysql_user.py index 1b8be880cd..c35070963a 100644 --- a/lib/ansible/modules/database/mysql/mysql_user.py +++ b/lib/ansible/modules/database/mysql/mysql_user.py @@ -242,7 +242,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs): grant_option = True if db_table not in new_priv: if user != "root" and "PROXY" not in priv and not append_privs: - privileges_revoke(cursor, user,host,db_table,grant_option) + privileges_revoke(cursor, user,host,db_table,priv,grant_option) changed = True # If the user doesn't currently have any privileges on a db.table, then @@ -259,7 +259,7 @@ def user_mod(cursor, user, host, password, new_priv, append_privs): priv_diff = set(new_priv[db_table]) ^ set(curr_priv[db_table]) if (len(priv_diff) > 0): if not append_privs: - privileges_revoke(cursor, user,host,db_table,grant_option) + privileges_revoke(cursor, user,host,db_table,curr_priv[db_table],grant_option) privileges_grant(cursor, user,host,db_table,new_priv[db_table]) changed = True @@ -339,7 +339,7 @@ def privileges_unpack(priv): return output -def privileges_revoke(cursor, user,host,db_table,grant_option): +def privileges_revoke(cursor, user,host,db_table,priv,grant_option): # Escape '%' since mysql db.execute() uses a format string db_table = db_table.replace('%', '%%') if grant_option: @@ -347,7 +347,8 @@ def privileges_revoke(cursor, user,host,db_table,grant_option): query.append("FROM %s@%s") query = ' '.join(query) cursor.execute(query, (user, host)) - query = ["REVOKE ALL PRIVILEGES ON %s" % mysql_quote_identifier(db_table, 'table')] + priv_string = ",".join(filter(lambda x: x not in [ 'GRANT', 'REQUIRESSL' ], priv)) + query = ["REVOKE %s ON %s" % (priv_string, mysql_quote_identifier(db_table, 'table'))] query.append("FROM %s@%s") query = ' '.join(query) cursor.execute(query, (user, host))