User locking

changelogs/fragments/702-user_locking.yaml

@@ -0,0 +1,2 @@
+minor_changes:
+- mysql_user - add ``locked`` option to lock/unlock users, this is mainly used to have users that will act as definers on stored procedures.

plugins/module_utils/user.py

@@ -52,6 +52,25 @@ def user_exists(cursor, user, host, host_all):
     return count[0] > 0
 
 
+def user_is_locked(cursor, user, host):
+    cursor.execute("SHOW CREATE USER %s@%s", (user, host))
+
+    # Per discussions on irc:libera.chat:#maria the query may return up to 2 rows but "ACCOUNT LOCK" should always be in the first row.
+    result = cursor.fetchone()
+
+    # ACCOUNT LOCK does not have to be the last option in the CREATE USER query.
+    # Need to handle both DictCursor and non-DictCursor
+    if isinstance(result, list):
+        if result[0] and result[0].find('ACCOUNT LOCK') > 0:
+            return True
+    elif isinstance(result, dict):
+        for res in result.values():
+            if res.find('ACCOUNT LOCK') > 0:
+                return True
+
+    return False
+
+
 def sanitize_requires(tls_requires):
     sanitized_requires = {}
     if tls_requires:
@@ -160,7 +179,7 @@ def get_existing_authentication(cursor, user, host=None):
 def user_add(cursor, user, host, host_all, password, encrypted,
              plugin, plugin_hash_string, plugin_auth_string, salt, new_priv,
              attributes, tls_requires, reuse_existing_password, module,
-             password_expire, password_expire_interval):
+             password_expire, password_expire_interval, locked=False):
     # If attributes are set, perform a sanity check to ensure server supports user attributes before creating user
     if attributes and not get_attribute_support(cursor):
         module.fail_json(msg="user attributes were specified but the server does not support user attributes")
@@ -250,6 +269,9 @@ def user_add(cursor, user, host, host_all, password, encrypted,
         cursor.execute("ALTER USER %s@%s ATTRIBUTE %s", (user, host, json.dumps(attributes)))
         final_attributes = attributes_get(cursor, user, host)
 
+    if locked:
+        cursor.execute("ALTER USER %s@%s ACCOUNT LOCK", (user, host))
+
     return {'changed': True, 'password_changed': not used_existing_password, 'attributes': final_attributes}
 
 
@@ -264,7 +286,7 @@ def is_hash(password):
 def user_mod(cursor, user, host, host_all, password, encrypted,
              plugin, plugin_hash_string, plugin_auth_string, salt, new_priv,
              append_privs, subtract_privs, attributes, tls_requires, module,
-             password_expire, password_expire_interval, role=False, maria_role=False):
+             password_expire, password_expire_interval, locked=False, role=False, maria_role=False):
     changed = False
     msg = "User unchanged"
     grant_option = False
@@ -536,6 +558,22 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
             if attribute_support:
                 final_attributes = attributes_get(cursor, user, host)
 
+        if not role and user_is_locked(cursor, user, host) != locked:
+            if not module.check_mode:
+                if locked:
+                    cursor.execute("ALTER USER %s@%s ACCOUNT LOCK", (user, host))
+                    msg = 'User locked'
+                else:
+                    cursor.execute("ALTER USER %s@%s ACCOUNT UNLOCK", (user, host))
+                    msg = 'User unlocked'
+            else:
+                if locked:
+                    msg = 'User will be locked'
+                else:
+                    msg = 'User will be unlocked'
+
+            changed = True
+
         if role:
             continue
 

plugins/modules/mysql_info.py

@@ -318,6 +318,7 @@
     get_resource_limits,
     get_existing_authentication,
     get_user_implementation,
+    user_is_locked,
 )
 from ansible.module_utils.six import iteritems
 from ansible.module_utils._text import to_native
@@ -652,8 +653,10 @@ def __get_users_info(self):
             if authentications:
                 output_dict.update(authentications[0])
 
+            if line.get('is_role') and line['is_role'] == 'N':
+                output_dict['locked'] = user_is_locked(self.cursor, user, host)
+
             # TODO password_option
-            # TODO lock_option
             # but both are not supported by mysql_user atm. So no point yet.
 
             output.append(output_dict)

plugins/modules/mysql_role.py

@@ -930,11 +930,12 @@ def update(self, users, privs, check_mode=False,
                                                       set_default_role_all=set_default_role_all)
 
         if privs:
-            result = user_mod(self.cursor, self.name, self.host,
-                              None, None, None, None, None, None, None,
-                              privs, append_privs, subtract_privs, None, None,
-                              self.module, None, None, role=True,
-                              maria_role=self.is_mariadb)
+            result = user_mod(cursor=self.cursor, user=self.name, host=self.host,
+                              host_all=None, password=None, encrypted=None, plugin=None,
+                              plugin_auth_string=None, plugin_hash_string=None, salt=None,
+                              new_priv=privs, append_privs=append_privs, subtract_privs=subtract_privs,
+                              attributes=None, tls_requires=None, module=self.module, password_expire=None,
+                              password_expire_interval=None, role=True, maria_role=self.is_mariadb)
             changed = result['changed']
 
         if admin:

plugins/modules/mysql_user.py

@@ -189,6 +189,15 @@
         fields names in privileges.
     type: bool
     version_added: '3.8.0'
+
+  locked:
+    description:
+      - Lock account to prevent connections using it.
+      - This is primarily used for creating a user that will act as a DEFINER on stored procedures.
+    default: false
+    type: bool
+    version_added: '3.13.0'
+
   attributes:
     description:
       - "Create, update, or delete user attributes (arbitrary 'key: value' comments) for the user."
@@ -400,6 +409,13 @@
     priv:
       'db1.*': DELETE
 
+- name: Create locked user to act as a definer on procedures
+  community.mysql.mysql_user:
+    name: readonly_procedures_locked
+    locked: true
+    priv:
+      db1.*: SELECT
+
 # Example .my.cnf file for setting the root password
 # [client]
 # user=root
@@ -470,6 +486,7 @@ def main():
         column_case_sensitive=dict(type='bool', default=None),  # TODO 4.0.0 add default=True
         password_expire=dict(type='str', choices=['now', 'never', 'default', 'interval'], no_log=True),
         password_expire_interval=dict(type='int', required_if=[('password_expire', 'interval', True)], no_log=True),
+        locked=dict(type='bool', default='false'),
     )
     module = AnsibleModule(
         argument_spec=argument_spec,
@@ -510,6 +527,7 @@ def main():
     column_case_sensitive = module.params["column_case_sensitive"]
     password_expire = module.params["password_expire"]
     password_expire_interval = module.params["password_expire_interval"]
+    locked = module.boolean(module.params['locked'])
 
     if priv and not isinstance(priv, (str, dict)):
         module.fail_json(msg="priv parameter must be str or dict but %s was passed" % type(priv))
@@ -577,13 +595,15 @@ def main():
                     result = user_mod(cursor, user, host, host_all, password, encrypted,
                                       plugin, plugin_hash_string, plugin_auth_string, salt,
                                       priv, append_privs, subtract_privs, attributes, tls_requires, module,
-                                      password_expire, password_expire_interval)
+                                      password_expire, password_expire_interval, locked=locked)
 
                 else:
-                    result = user_mod(cursor, user, host, host_all, None, encrypted,
-                                      None, None, None, None,
-                                      priv, append_privs, subtract_privs, attributes, tls_requires, module,
-                                      password_expire, password_expire_interval)
+                    result = user_mod(cursor=cursor, user=user, host=host, host_all=host_all, password=None,
+                                      encrypted=encrypted, plugin=None, plugin_hash_string=None, plugin_auth_string=None,
+                                      salt=None, new_priv=priv, append_privs=append_privs, subtract_privs=subtract_privs,
+                                      attributes=attributes, tls_requires=tls_requires, module=module,
+                                      password_expire=password_expire, password_expire_interval=password_expire_interval,
+                                      locked=locked)
                 changed = result['changed']
                 msg = result['msg']
                 password_changed = result['password_changed']
@@ -601,7 +621,7 @@ def main():
                 result = user_add(cursor, user, host, host_all, password, encrypted,
                                   plugin, plugin_hash_string, plugin_auth_string, salt,
                                   priv, attributes, tls_requires, reuse_existing_password, module,
-                                  password_expire, password_expire_interval)
+                                  password_expire, password_expire_interval, locked=locked)
                 changed = result['changed']
                 password_changed = result['password_changed']
                 final_attributes = result['attributes']

tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml

@@ -261,6 +261,7 @@
         resource_limits: "{{ item.resource_limits | default(omit) }}"
         column_case_sensitive: true
         state: present
+        locked: "{{ item.locked | default(omit) }}"
       loop: "{{ result.users_info }}"
       loop_control:
         label: "{{ item.name }}@{{ item.host }}"

tests/integration/targets/test_mysql_user/tasks/main.yml

@@ -305,3 +305,7 @@
     - name: Mysql_user - test update_password
       ansible.builtin.import_tasks:
         file: test_update_password.yml
+
+    - name: Mysql_user - test user_locking
+      ansible.builtin.import_tasks:
+        file: test_user_locking.yml