mysql_user: Grant all privileges result in missing dynamic privileges in every second run in MySQL 8 #120
Description
SUMMARY
In MySQL 8 are dynamic privileges new. The GRANT ALL includes per default these dynamic privileges. The dynamic privileges are stored in mysql.global_grants. At restart the dynamic privileges are assigned to the user by reading the mysql.global_grants table.
dynamic privileges docs
As in #77 mentioned a priv: "*.*:ALL,GRANT" results in a change for the user. The ALL is executed with the following SQL statements
SHOW GRANTS FOR 'testing_admin'@'localhost'
REVOKE GRANT OPTION ON *.* FROM 'testing_admin'@'localhost'
REVOKE SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,RELOAD,SHUTDOWN,PROCESS,FILE,REFERENCES,INDEX,ALTER,SHOW DATABASES,SUPER,CREATE TEMPORARY TABLES,LOCK TABLES,EXECUTE,REPLICATION SLAVE,REPLICATION CLIENT,CREATE VIEW,SHOW VIEW,CREATE ROUTINE,ALTER ROUTINE,CREATE USER,EVENT,TRIGGER,CREATE TABLESPACE,CREATE ROLE,DROP ROLE,APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* FROM 'testing_admin'@'localhost'
GRANT ALL ON *.* TO 'testing_admin'@'localhost' WITH GRANT OPTION
The main problem is that the dynamic privileges need a FLUSH PRIVILEGES. Now the dynmaic privileges are only on every second run available. This happens because the REVOKE cleans the dynmaic privileges in mysql.global_grants the direct following GRANT ALL does not affect the table because of a missing FLUSH PRIVILEGES. The SHOW GRANTS FOR 'testing_admin'@'localhost' is correct to the next restart. After the restart mysql assign the dynamic privileges from mysql.global_grants and this does not work because the table is empty for the specific user.
After many test I assume the main reason should be the GRANT without it all workes even without the FLUSH PRIVILEGES
This is a issue because the dynamic privileges are needed for a user who should be able to maintain a InnoDB Cluster. By playing around with the cluster I mentioned this behavior because on every second deployment my user was not able to run the mysqlsh cluster commands because of missing privileges.
I hope I described the problem good enough for understanding it. A FLUSH PRIVILEGES at the end in the privilege_revoke method could fix this issue. But I´m not sure if this could have a negative effect on other parts of the module.
ISSUE TYPE
- Bug Report
COMPONENT NAME
mysql_user
ANSIBLE VERSION
ansible 2.9.18
config file = /home/bigo/Dokumente/git/config/Ansible/ansible.cfg
configured module search path = ['/home/bigo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.9/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.9.2 (default, Feb 20 2021, 00:00:00) [GCC 10.2.1 20201125 (Red Hat 10.2.1-9)]
CONFIGURATION
OS / ENVIRONMENT
mysql_user.py from main branch copied into the collaction path.
Original found this on RHEL8 with MySQL 8.0.23 Commercial, Testing was on Fedora 33 with MySQL 8.0.23 community
STEPS TO REPRODUCE
The behavor can be proofed by only execute the following SQL comands:
CREATE USER 'testing_admin'@'localhost' IDENTIFIED BY 'testing123!'
GRANT ALL on *.* TO 'testing_admin'@'localhost' WITH GRANT OPTION;
SELECT * FROM mysql.global_grants;
REVOKE GRANT OPTION ON *.* FROM 'testing_admin'@'localhost';
REVOKE SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,RELOAD,SHUTDOWN,PROCESS,FILE,REFERENCES,INDEX,ALTER,SHOW DATABASES,SUPER,CREATE TEMPORARY TABLES,LOCK TABLES,EXECUTE,REPLICATION SLAVE,REPLICATION CLIENT,CREATE VIEW,SHOW VIEW,CREATE ROUTINE,ALTER ROUTINE,CREATE USER,EVENT,TRIGGER,CREATE TABLESPACE,CREATE ROLE,DROP ROLE,APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* FROM 'testing_admin'@'localhost';
GRANT ALL ON *.* TO 'testing_admin'@'localhost' WITH GRANT OPTION;
SELECT * FROM mysql.global_grants;
After the first SELECT * FROM mysql.global_grants; the result should be
+---------------+-----------+----------------------------+-------------------+
| USER | HOST | PRIV | WITH_GRANT_OPTION |
+---------------+-----------+----------------------------+-------------------+
| testing_admin | localhost | APPLICATION_PASSWORD_ADMIN | Y |
| testing_admin | localhost | AUDIT_ADMIN | Y |
| testing_admin | localhost | BACKUP_ADMIN | Y |
| testing_admin | localhost | BINLOG_ADMIN | Y |
| testing_admin | localhost | BINLOG_ENCRYPTION_ADMIN | Y |
| testing_admin | localhost | CLONE_ADMIN | Y |
| testing_admin | localhost | CONNECTION_ADMIN | Y |
| testing_admin | localhost | ENCRYPTION_KEY_ADMIN | Y |
| testing_admin | localhost | FLUSH_OPTIMIZER_COSTS | Y |
| testing_admin | localhost | FLUSH_STATUS | Y |
| testing_admin | localhost | FLUSH_TABLES | Y |
| testing_admin | localhost | FLUSH_USER_RESOURCES | Y |
| testing_admin | localhost | GROUP_REPLICATION_ADMIN | Y |
| testing_admin | localhost | INNODB_REDO_LOG_ARCHIVE | Y |
| testing_admin | localhost | INNODB_REDO_LOG_ENABLE | Y |
| testing_admin | localhost | PERSIST_RO_VARIABLES_ADMIN | Y |
| testing_admin | localhost | REPLICATION_APPLIER | Y |
| testing_admin | localhost | REPLICATION_SLAVE_ADMIN | Y |
| testing_admin | localhost | RESOURCE_GROUP_ADMIN | Y |
| testing_admin | localhost | RESOURCE_GROUP_USER | Y |
| testing_admin | localhost | ROLE_ADMIN | Y |
| testing_admin | localhost | SERVICE_CONNECTION_ADMIN | Y |
| testing_admin | localhost | SESSION_VARIABLES_ADMIN | Y |
| testing_admin | localhost | SET_USER_ID | Y |
| testing_admin | localhost | SHOW_ROUTINE | Y |
| testing_admin | localhost | SYSTEM_USER | Y |
| testing_admin | localhost | SYSTEM_VARIABLES_ADMIN | Y |
| testing_admin | localhost | TABLE_ENCRYPTION_ADMIN | Y |
| testing_admin | localhost | XA_RECOVER_ADMIN | Y |
+---------------+-----------+----------------------------+-------------------+
After both REVOKE and the GRANT ALL the output of SELECT * FROM mysql.global_grants; sould be exactly as above but its empty. After a restart of the MySQL the user is missing all this dynamic privileges to the next GRANT ALL.
---
- name: testing privilege problem
hosts: localhost
tasks:
- name: create user with privs
community.mysql.mysql_user:
login_user: root
name: testing_admin
password: testing123!
host: localhost
priv: "*.*:ALL,GRANT"
state: present
become: yes
- name: show user grants
shell: mysql -e 'SHOW GRANTS FOR testing_admin@LOCALHOST'
become: yes
register: user_grants
- name: show dynamic privileges for user
shell: mysql -e 'SELECT * FROM mysql.global_grants WHERE USER="testing_admin"'
become: yes
register: dynamic_privs
- name: print user_grants
debug:
msg: "{{ user_grants['stdout'] }}"
- name: print dynamic_privs
debug:
msg: "{{ dynamic_privs['stdout'] }}"
- name: mysqld_restarted
service:
name: mysqld
state: restarted
enabled: yes
become: yes
- name: show user grants
shell: mysql -e 'SHOW GRANTS FOR testing_admin@LOCALHOST'
become: yes
register: user_grants
- name: show dynamic privileges for user
shell: mysql -e 'SELECT * FROM mysql.global_grants WHERE USER="testing_admin"'
become: yes
register: dynamic_privs
- name: print user_grants
debug:
msg: "{{ user_grants['stdout'] }}"
- name: print dynamic_privs
debug:
msg: "{{ dynamic_privs['stdout'] }}"
EXPECTED RESULTS
normale i would expect to have every time the ALL,GRANT for the user.
ACTUAL RESULTS
As explaind earlier every second run of the playbook the user testing_admin as no dynamic privileges.
ansible-playbook 2.9.18
config file = /home/bigo/Dokumente/git/config/Ansible/ansible.cfg
configured module search path = ['/home/bigo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.9/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.9.2 (default, Feb 20 2021, 00:00:00) [GCC 10.2.1 20201125 (Red Hat 10.2.1-9)]
Using /home/bigo/Dokumente/git/config/Ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /home/bigo/Dokumente/git/config/Ansible/inventory/inventory as it did not pass its verify_file() method
script declined parsing /home/bigo/Dokumente/git/config/Ansible/inventory/inventory as it did not pass its verify_file() method
auto declined parsing /home/bigo/Dokumente/git/config/Ansible/inventory/inventory as it did not pass its verify_file() method
Parsed /home/bigo/Dokumente/git/config/Ansible/inventory/inventory inventory source with ini plugin
Loading callback plugin debug of type stdout, v2.0 from /usr/lib/python3.9/site-packages/ansible/plugins/callback/debug.py
Skipping callback 'actionable', as we already have a stdout callback.
Skipping callback 'counter_enabled', as we already have a stdout callback.
Skipping callback 'debug', as we already have a stdout callback.
Skipping callback 'dense', as we already have a stdout callback.
Skipping callback 'dense', as we already have a stdout callback.
Skipping callback 'full_skip', as we already have a stdout callback.
Skipping callback 'json', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'null', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
Loading callback plugin profile_tasks of type aggregate, v2.0 from /usr/lib/python3.9/site-packages/ansible/plugins/callback/profile_tasks.py
Skipping callback 'selective', as we already have a stdout callback.
Skipping callback 'skippy', as we already have a stdout callback.
Skipping callback 'stderr', as we already have a stdout callback.
Skipping callback 'unixy', as we already have a stdout callback.
Skipping callback 'yaml', as we already have a stdout callback.
PLAYBOOK: mysql_test.yml **********************************************************************************************************************************************************************************************************************
Positional arguments: playbooks/mysql_test.yml
verbosity: 4
private_key_file: /home/bigo/.ssh/id_ed25519
remote_user: bigo
connection: smart
timeout: 15
become_method: sudo
tags: ('all',)
inventory: ('/home/bigo/Dokumente/git/config/Ansible/inventory/inventory',)
forks: 5
1 plays in playbooks/mysql_test.yml
PLAY [testing privilege problem] **************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:2
Monday 15 March 2021 15:27:08 +0100 (0:00:00.023) 0:00:00.023 **********
Using module file /usr/lib/python3.9/site-packages/ansible/modules/system/setup.py
Pipelining is enabled.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: bigo
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 && sleep 0'
ok: [localhost]
META: ran handlers
TASK [create user with privs] *****************************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:5
Monday 15 March 2021 15:27:09 +0100 (0:00:01.285) 0:00:01.308 **********
Using module file /home/bigo/.ansible/collections/ansible_collections/community/mysql/plugins/modules/mysql_user.py
Pipelining is enabled.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: bigo
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-yqbkaxehgpwvrtaktoitttwgrnyfijkr ; /usr/bin/python3'"'"' && sleep 0'
changed: [localhost] => {
"changed": true,
"invocation": {
"module_args": {
"append_privs": false,
"ca_cert": null,
"check_hostname": null,
"check_implicit_admin": false,
"client_cert": null,
"client_key": null,
"config_file": "/root/.my.cnf",
"connect_timeout": 30,
"encrypted": false,
"host": "localhost",
"host_all": false,
"login_host": "localhost",
"login_password": null,
"login_port": 3306,
"login_unix_socket": null,
"login_user": "root",
"name": "testing_admin",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"plugin": null,
"plugin_auth_string": null,
"plugin_hash_string": null,
"priv": "*.*:ALL,GRANT",
"resource_limits": null,
"sql_log_bin": true,
"state": "present",
"tls_requires": null,
"update_password": "always",
"user": "testing_admin"
}
},
"user": "testing_admin"
}
MSG:
Privileges updated
TASK [show user grants] ***********************************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:15
Monday 15 March 2021 15:27:09 +0100 (0:00:00.440) 0:00:01.749 **********
Using module file /usr/lib/python3.9/site-packages/ansible/modules/commands/command.py
Pipelining is enabled.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: bigo
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-enuzukrrjrhnwcpvwzjkggxcjssetpwf ; /usr/bin/python3'"'"' && sleep 0'
changed: [localhost] => {
"changed": true,
"cmd": "mysql -e 'SHOW GRANTS FOR testing_admin@LOCALHOST'",
"delta": "0:00:00.009372",
"end": "2021-03-15 15:27:10.309675",
"invocation": {
"module_args": {
"_raw_params": "mysql -e 'SHOW GRANTS FOR testing_admin@LOCALHOST'",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"rc": 0,
"start": "2021-03-15 15:27:10.300303"
}
STDOUT:
Grants for testing_admin@localhost
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `testing_admin`@`localhost` WITH GRANT OPTION
GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `testing_admin`@`localhost` WITH GRANT OPTION
TASK [show dynamic privileges for user] *******************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:20
Monday 15 March 2021 15:27:10 +0100 (0:00:00.365) 0:00:02.114 **********
Using module file /usr/lib/python3.9/site-packages/ansible/modules/commands/command.py
Pipelining is enabled.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: bigo
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-pmfyhcrzkxdtczkscufinbmleunrqwzl ; /usr/bin/python3'"'"' && sleep 0'
changed: [localhost] => {
"changed": true,
"cmd": "mysql -e 'SELECT * FROM mysql.global_grants WHERE USER=\"testing_admin\"'",
"delta": "0:00:00.009211",
"end": "2021-03-15 15:27:10.548459",
"invocation": {
"module_args": {
"_raw_params": "mysql -e 'SELECT * FROM mysql.global_grants WHERE USER=\"testing_admin\"'",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"rc": 0,
"start": "2021-03-15 15:27:10.539248"
}
TASK [print user_grants] **********************************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:25
Monday 15 March 2021 15:27:10 +0100 (0:00:00.243) 0:00:02.357 **********
ok: [localhost] => {}
MSG:
Grants for testing_admin@localhost
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `testing_admin`@`localhost` WITH GRANT OPTION
GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `testing_admin`@`localhost` WITH GRANT OPTION
TASK [print dynamic_privs] ********************************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:29
Monday 15 March 2021 15:27:10 +0100 (0:00:00.061) 0:00:02.419 **********
ok: [localhost] => {}
TASK [mysqld_restarted] ***********************************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:33
Monday 15 March 2021 15:27:10 +0100 (0:00:00.050) 0:00:02.470 **********
Running systemd
Using module file /usr/lib/python3.9/site-packages/ansible/modules/system/systemd.py
Pipelining is enabled.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: bigo
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-thtyyshkfrkefsiivwnhpodeeykhokkt ; /usr/bin/python3'"'"' && sleep 0'
changed: [localhost] => {
"changed": true,
"enabled": true,
"invocation": {
"module_args": {
"daemon_reexec": false,
"daemon_reload": false,
"enabled": true,
"force": null,
"masked": null,
"name": "mysqld",
"no_block": false,
"scope": null,
"state": "restarted",
"user": null
}
},
"name": "mysqld",
"state": "started",
"status": {
"ActiveEnterTimestamp": "Mon 2021-03-15 15:27:05 CET",
"ActiveEnterTimestampMonotonic": "62423320324",
"ActiveExitTimestamp": "Mon 2021-03-15 15:27:03 CET",
"ActiveExitTimestampMonotonic": "62421567141",
"ActiveState": "active",
"After": "systemd-journald.socket syslog.target basic.target system.slice -.mount network.target tmp.mount sysinit.target systemd-tmpfiles-setup.service",
"AllowIsolate": "no",
"AllowedCPUs": "",
"AllowedMemoryNodes": "",
"AmbientCapabilities": "",
"AssertResult": "yes",
"AssertTimestamp": "Mon 2021-03-15 15:27:04 CET",
"AssertTimestampMonotonic": "62422657449",
"Before": "shutdown.target multi-user.target",
"BlockIOAccounting": "no",
"BlockIOWeight": "[not set]",
"CPUAccounting": "no",
"CPUAffinity": "",
"CPUAffinityFromNUMA": "no",
"CPUQuotaPerSecUSec": "infinity",
"CPUQuotaPeriodUSec": "infinity",
"CPUSchedulingPolicy": "0",
"CPUSchedulingPriority": "0",
"CPUSchedulingResetOnFork": "no",
"CPUShares": "[not set]",
"CPUUsageNSec": "[not set]",
"CPUWeight": "[not set]",
"CacheDirectoryMode": "0755",
"CanFreeze": "yes",
"CanIsolate": "no",
"CanReload": "no",
"CanStart": "yes",
"CanStop": "yes",
"CapabilityBoundingSet": "cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore",
"CleanResult": "success",
"CollectMode": "inactive",
"ConditionResult": "yes",
"ConditionTimestamp": "Mon 2021-03-15 15:27:04 CET",
"ConditionTimestampMonotonic": "62422657447",
"ConfigurationDirectoryMode": "0755",
"Conflicts": "shutdown.target",
"ControlGroup": "/system.slice/mysqld.service",
"ControlPID": "0",
"CoredumpFilter": "0x33",
"DefaultDependencies": "yes",
"DefaultMemoryLow": "0",
"DefaultMemoryMin": "0",
"Delegate": "no",
"Description": "MySQL 8.0 database server",
"DevicePolicy": "auto",
"DynamicUser": "no",
"EffectiveCPUs": "",
"EffectiveMemoryNodes": "",
"Environment": "MYSQLD_PARENT_PID=1",
"ExecMainCode": "0",
"ExecMainExitTimestampMonotonic": "0",
"ExecMainPID": "126796",
"ExecMainStartTimestamp": "Mon 2021-03-15 15:27:04 CET",
"ExecMainStartTimestampMonotonic": "62422723857",
"ExecMainStatus": "0",
"ExecStart": "{ path=/usr/libexec/mysqld ; argv[]=/usr/libexec/mysqld --basedir=/usr ; ignore_errors=no ; start_time=[Mon 2021-03-15 15:27:04 CET] ; stop_time=[n/a] ; pid=126796 ; code=(null) ; status=0/0 }",
"ExecStartEx": "{ path=/usr/libexec/mysqld ; argv[]=/usr/libexec/mysqld --basedir=/usr ; flags= ; start_time=[Mon 2021-03-15 15:27:04 CET] ; stop_time=[n/a] ; pid=126796 ; code=(null) ; status=0/0 }",
"ExecStartPre": "{ path=/usr/libexec/mysql-prepare-db-dir ; argv[]=/usr/libexec/mysql-prepare-db-dir mysqld.service ; ignore_errors=no ; start_time=[Mon 2021-03-15 15:27:04 CET] ; stop_time=[Mon 2021-03-15 15:27:04 CET] ; pid=126761 ; code=exited ; status=0 }",
"ExecStartPreEx": "{ path=/usr/libexec/mysql-prepare-db-dir ; argv[]=/usr/libexec/mysql-prepare-db-dir mysqld.service ; flags= ; start_time=[Mon 2021-03-15 15:27:04 CET] ; stop_time=[Mon 2021-03-15 15:27:04 CET] ; pid=126761 ; code=exited ; status=0 }",
"ExecStopPost": "{ path=/usr/libexec/mysql-wait-stop ; argv[]=/usr/libexec/mysql-wait-stop ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }",
"ExecStopPostEx": "{ path=/usr/libexec/mysql-wait-stop ; argv[]=/usr/libexec/mysql-wait-stop ; flags= ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }",
"FailureAction": "none",
"FileDescriptorStoreMax": "0",
"FinalKillSignal": "9",
"FragmentPath": "/usr/lib/systemd/system/mysqld.service",
"FreezerState": "running",
"GID": "27",
"Group": "mysql",
"GuessMainPID": "yes",
"IOAccounting": "no",
"IOReadBytes": "18446744073709551615",
"IOReadOperations": "18446744073709551615",
"IOSchedulingClass": "0",
"IOSchedulingPriority": "0",
"IOWeight": "[not set]",
"IOWriteBytes": "18446744073709551615",
"IOWriteOperations": "18446744073709551615",
"IPAccounting": "no",
"IPEgressBytes": "[no data]",
"IPEgressPackets": "[no data]",
"IPIngressBytes": "[no data]",
"IPIngressPackets": "[no data]",
"Id": "mysqld.service",
"IgnoreOnIsolate": "no",
"IgnoreSIGPIPE": "yes",
"InactiveEnterTimestamp": "Mon 2021-03-15 15:27:04 CET",
"InactiveEnterTimestampMonotonic": "62422656283",
"InactiveExitTimestamp": "Mon 2021-03-15 15:27:04 CET",
"InactiveExitTimestampMonotonic": "62422659235",
"InvocationID": "632a24964dd34ebd8d55abf047ae893a",
"JobRunningTimeoutUSec": "infinity",
"JobTimeoutAction": "none",
"JobTimeoutUSec": "infinity",
"KeyringMode": "private",
"KillMode": "control-group",
"KillSignal": "15",
"LimitAS": "infinity",
"LimitASSoft": "infinity",
"LimitCORE": "infinity",
"LimitCORESoft": "infinity",
"LimitCPU": "infinity",
"LimitCPUSoft": "infinity",
"LimitDATA": "infinity",
"LimitDATASoft": "infinity",
"LimitFSIZE": "infinity",
"LimitFSIZESoft": "infinity",
"LimitLOCKS": "infinity",
"LimitLOCKSSoft": "infinity",
"LimitMEMLOCK": "65536",
"LimitMEMLOCKSoft": "65536",
"LimitMSGQUEUE": "819200",
"LimitMSGQUEUESoft": "819200",
"LimitNICE": "0",
"LimitNICESoft": "0",
"LimitNOFILE": "10000",
"LimitNOFILESoft": "10000",
"LimitNPROC": "63418",
"LimitNPROCSoft": "63418",
"LimitRSS": "infinity",
"LimitRSSSoft": "infinity",
"LimitRTPRIO": "0",
"LimitRTPRIOSoft": "0",
"LimitRTTIME": "infinity",
"LimitRTTIMESoft": "infinity",
"LimitSIGPENDING": "63418",
"LimitSIGPENDINGSoft": "63418",
"LimitSTACK": "infinity",
"LimitSTACKSoft": "8388608",
"LoadState": "loaded",
"LockPersonality": "no",
"LogLevelMax": "-1",
"LogRateLimitBurst": "0",
"LogRateLimitIntervalUSec": "0",
"LogsDirectoryMode": "0755",
"MainPID": "126796",
"MemoryAccounting": "yes",
"MemoryCurrent": "353370112",
"MemoryDenyWriteExecute": "no",
"MemoryHigh": "infinity",
"MemoryLimit": "infinity",
"MemoryLow": "0",
"MemoryMax": "infinity",
"MemoryMin": "0",
"MemorySwapMax": "infinity",
"MountAPIVFS": "no",
"MountFlags": "",
"NFileDescriptorStore": "0",
"NRestarts": "0",
"NUMAMask": "",
"NUMAPolicy": "n/a",
"Names": "mysqld.service",
"NeedDaemonReload": "no",
"Nice": "0",
"NoNewPrivileges": "no",
"NonBlocking": "no",
"NotifyAccess": "main",
"OOMPolicy": "stop",
"OOMScoreAdjust": "0",
"OnFailureJobMode": "replace",
"Perpetual": "no",
"PrivateDevices": "no",
"PrivateMounts": "no",
"PrivateNetwork": "no",
"PrivateTmp": "yes",
"PrivateUsers": "no",
"ProtectClock": "no",
"ProtectControlGroups": "no",
"ProtectHome": "no",
"ProtectHostname": "no",
"ProtectKernelLogs": "no",
"ProtectKernelModules": "no",
"ProtectKernelTunables": "no",
"ProtectSystem": "no",
"RefuseManualStart": "no",
"RefuseManualStop": "no",
"ReloadResult": "success",
"RemainAfterExit": "no",
"RemoveIPC": "no",
"Requires": "-.mount system.slice sysinit.target tmp.mount",
"RequiresMountsFor": "/tmp /var/tmp",
"Restart": "on-failure",
"RestartKillSignal": "15",
"RestartPreventExitStatus": "1",
"RestartUSec": "100ms",
"RestrictNamespaces": "no",
"RestrictRealtime": "no",
"RestrictSUIDSGID": "no",
"Result": "success",
"RootDirectoryStartOnly": "no",
"RootHashSignature": "",
"RuntimeDirectoryMode": "0755",
"RuntimeDirectoryPreserve": "no",
"RuntimeMaxUSec": "infinity",
"SameProcessGroup": "no",
"SecureBits": "0",
"SendSIGHUP": "no",
"SendSIGKILL": "yes",
"Slice": "system.slice",
"StandardError": "inherit",
"StandardInput": "null",
"StandardInputData": "",
"StandardOutput": "journal",
"StartLimitAction": "none",
"StartLimitBurst": "5",
"StartLimitIntervalUSec": "10s",
"StartupBlockIOWeight": "[not set]",
"StartupCPUShares": "[not set]",
"StartupCPUWeight": "[not set]",
"StartupIOWeight": "[not set]",
"StateChangeTimestamp": "Mon 2021-03-15 15:27:05 CET",
"StateChangeTimestampMonotonic": "62423320324",
"StateDirectoryMode": "0755",
"StatusErrno": "0",
"StatusText": "Server is operational",
"StopWhenUnneeded": "no",
"SubState": "running",
"SuccessAction": "none",
"SyslogFacility": "3",
"SyslogLevel": "6",
"SyslogLevelPrefix": "yes",
"SyslogPriority": "30",
"SystemCallErrorNumber": "0",
"TTYReset": "no",
"TTYVHangup": "no",
"TTYVTDisallocate": "no",
"TasksAccounting": "yes",
"TasksCurrent": "39",
"TasksMax": "19025",
"TimeoutAbortUSec": "5min",
"TimeoutCleanUSec": "infinity",
"TimeoutStartFailureMode": "terminate",
"TimeoutStartUSec": "5min",
"TimeoutStopFailureMode": "terminate",
"TimeoutStopUSec": "5min",
"TimerSlackNSec": "50000",
"Transient": "no",
"Type": "notify",
"UID": "27",
"UMask": "0022",
"UnitFilePreset": "disabled",
"UnitFileState": "enabled",
"User": "mysql",
"UtmpMode": "init",
"WantedBy": "multi-user.target",
"WatchdogSignal": "6",
"WatchdogTimestampMonotonic": "0",
"WatchdogUSec": "0"
}
}
TASK [show user grants] ***********************************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:40
Monday 15 March 2021 15:27:13 +0100 (0:00:02.884) 0:00:05.354 **********
Using module file /usr/lib/python3.9/site-packages/ansible/modules/commands/command.py
Pipelining is enabled.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: bigo
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-pyjsmqirhvlnditpjwaaukrmprynxymr ; /usr/bin/python3'"'"' && sleep 0'
changed: [localhost] => {
"changed": true,
"cmd": "mysql -e 'SHOW GRANTS FOR testing_admin@LOCALHOST'",
"delta": "0:00:00.010054",
"end": "2021-03-15 15:27:13.807948",
"invocation": {
"module_args": {
"_raw_params": "mysql -e 'SHOW GRANTS FOR testing_admin@LOCALHOST'",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"rc": 0,
"start": "2021-03-15 15:27:13.797894"
}
STDOUT:
Grants for testing_admin@localhost
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `testing_admin`@`localhost` WITH GRANT OPTION
TASK [show dynamic privileges for user] *******************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:45
Monday 15 March 2021 15:27:13 +0100 (0:00:00.254) 0:00:05.608 **********
Using module file /usr/lib/python3.9/site-packages/ansible/modules/commands/command.py
Pipelining is enabled.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: bigo
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-ulopwohqvxqsoeyplufypycctrqebsxr ; /usr/bin/python3'"'"' && sleep 0'
changed: [localhost] => {
"changed": true,
"cmd": "mysql -e 'SELECT * FROM mysql.global_grants WHERE USER=\"testing_admin\"'",
"delta": "0:00:00.010359",
"end": "2021-03-15 15:27:14.056443",
"invocation": {
"module_args": {
"_raw_params": "mysql -e 'SELECT * FROM mysql.global_grants WHERE USER=\"testing_admin\"'",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"rc": 0,
"start": "2021-03-15 15:27:14.046084"
}
TASK [print user_grants] **********************************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:50
Monday 15 March 2021 15:27:14 +0100 (0:00:00.261) 0:00:05.870 **********
ok: [localhost] => {}
MSG:
Grants for testing_admin@localhost
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `testing_admin`@`localhost` WITH GRANT OPTION
TASK [print dynamic_privs] ********************************************************************************************************************************************************************************************************************
task path: /home/bigo/Dokumente/git/config/Ansible/playbooks/mysql_test.yml:54
Monday 15 March 2021 15:27:14 +0100 (0:00:00.065) 0:00:05.936 **********
ok: [localhost] => {}
META: ran handlers
META: ran handlers
PLAY RECAP ************************************************************************************************************************************************************************************************************************************
localhost : ok=11 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Monday 15 March 2021 15:27:14 +0100 (0:00:00.054) 0:00:05.990 **********
I hope this was all correct and is understandable and reproducable. My local fix would be a cursor.execute("FLUSH PRIVILEGES") at the end of the privileges_revoke method. But i need more testing time at some different OS and MySQL versions. Need to verify RHEL 7 and MySQL 5.7.21 and also RHEL 8 with MySQL 8.0.23 that nothing unexpected is happening in production. I Also tired a different workaround by not using ALL and list every needed privileg. But this is not working because the VALID_PRIVS do not have all privileges assigned by the GRANT ALL. The idea was that the SHOW GRANTS has the same result like the priv: "*.*:..." so the REVOKE is not needed.