Try SpotterAdds or removes a user from a MySQL database.
| "added in version" 0.6 of ansible.builtin"
Authors: Jonathan Mainguy (@Jmainguy)
preview | supported by community
pipInstall with pip install ansible==2.3.3.0.post1
Adds or removes a user from a MySQL database.
# Removes anonymous user account for localhost
- mysql_user:
name: ''
host: localhost
state: absent
# Removes all anonymous user accounts
- mysql_user:
name: ''
host_all: yes
state: absent
# Create database user with name 'bob' and password '12345' with all database privileges
- mysql_user:
name: bob
password: 12345
priv: '*.*:ALL'
state: present
# Create database user with name 'bob' and previously hashed mysql native password '*EE0D72C1085C46C5278932678FBE2C6A782821B4' with all database privileges
- mysql_user:
name: bob
password: '*EE0D72C1085C46C5278932678FBE2C6A782821B4'
encrypted: yes
priv: '*.*:ALL'
state: present
# Creates database user 'bob' and password '12345' with all database privileges and 'WITH GRANT OPTION'
- mysql_user:
name: bob
password: 12345
priv: '*.*:ALL,GRANT'
state: present
# Modify user Bob to require SSL connections. Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
- mysql_user:
name: bob
append_privs: true
priv: '*.*:REQUIRESSL'
state: present
# Ensure no user named 'sally'@'localhost' exists, also passing in the auth credentials.
- mysql_user:
login_user: root
login_password: 123456
name: sally
state: absent
# Ensure no user named 'sally' exists at all
- mysql_user:
name: sally
host_all: yes
state: absent
# Specify grants composed of more than one word
- mysql_user:
name: replication
password: 12345
priv: "*.*:REPLICATION CLIENT"
state: present
# Revoke all privileges for user 'bob' and password '12345'
- mysql_user:
name: bob
password: 12345
priv: "*.*:USAGE"
state: present
# Example privileges string format
# mydb.*:INSERT,UPDATE/anotherdb.*:SELECT/yetanotherdb.*:ALL
# Example using login_unix_socket to connect to server
- mysql_user:
name: root
password: abc123
login_unix_socket: /var/run/mysqld/mysqld.sock
# Example of skipping binary logging while adding user 'bob'
- mysql_user:
name: bob
password: 12345
priv: "*.*:USAGE"
state: present
sql_log_bin: no
host:
default: localhost
description:
- the 'host' part of the MySQL username
required: false
name:
description:
- name of the user (role) to add or remove
required: true
priv:
default: null
description:
- 'MySQL privileges string in the format: C(db.table:priv1,priv2).'
- 'Multiple privileges can be specified by separating each one using a forward slash:
C(db.table:priv/db.table:priv).'
- The format is based on MySQL C(GRANT) statement.
- Database and table names can be quoted, MySQL-style.
- If column privileges are used, the C(priv1,priv2) part must be exactly as returned
by a C(SHOW GRANT) statement. If not followed, the module will always report changes.
It includes grouping columns by permission (C(SELECT(col1,col2)) instead of C(SELECT(col1),SELECT(col2))).
required: false
state:
choices:
- present
- absent
default: present
description:
- Whether the user should exist. When C(absent), removes the user.
required: false
ca_cert:
aliases:
- ssl_ca
description:
- The path to a Certificate Authority (CA) certificate. This option, if used, must
specify the same certificate as used by the server.
type: path
host_all:
choices:
- 'yes'
- 'no'
default: 'no'
description:
- override the host option, making ansible apply changes to all hostnames for a given
user. This option cannot be used when creating users
required: false
version_added: '2.1'
version_added_collection: ansible.builtin
password:
default: null
description:
- set the user's password.
required: false
encrypted:
choices:
- 'yes'
- 'no'
default: 'no'
description:
- Indicate that the 'password' field is a `mysql_native_password` hash
required: false
version_added: '2.0'
version_added_collection: ansible.builtin
client_key:
aliases:
- ssl_key
description:
- The path to the client private key.
type: path
login_host:
default: localhost
description:
- Host running the database.
- In some cases for local connections the I(login_unix_socket=/path/to/mysqld/socket),
that is usually C(/var/run/mysqld/mysqld.sock), needs to be used instead of I(login_host=localhost).
type: str
login_port:
default: 3306
description:
- Port of the MySQL server. Requires I(login_host) be defined as other than localhost
if login_port is used.
type: int
login_user:
description:
- The username used to authenticate with.
type: str
client_cert:
aliases:
- ssl_cert
description:
- The path to a client public key certificate.
type: path
config_file:
default: ~/.my.cnf
description:
- Specify a config file from which user and password are to be read.
type: path
sql_log_bin:
choices:
- 'yes'
- 'no'
default: 'yes'
description:
- Whether binary logging should be enabled or disabled for the connection.
required: false
version_added: '2.1'
version_added_collection: ansible.builtin
append_privs:
choices:
- 'yes'
- 'no'
default: 'no'
description:
- Append the privileges defined by priv to the existing ones for this user instead
of overwriting existing ones.
required: false
version_added: '1.4'
version_added_collection: ansible.builtin
check_hostname:
description:
- Whether to validate the server host name when an SSL connection is required.
- Setting this to C(false) disables hostname verification. Use with caution.
- Requires pymysql >= 0.7.11.
- This optoin has no effect on MySQLdb.
type: bool
version_added: 1.1.0
version_added_collection: community.mysql
login_password:
description:
- The password used to authenticate with.
type: str
connect_timeout:
default: 30
description:
- The connection timeout when connecting to the MySQL server.
type: int
update_password:
choices:
- always
- on_create
default: always
description:
- C(always) will update passwords if they differ. C(on_create) will only set the
password for newly created users.
required: false
version_added: '2.0'
version_added_collection: ansible.builtin
login_unix_socket:
description:
- The path to a Unix domain socket for local connections.
type: str
check_implicit_admin:
choices:
- 'yes'
- 'no'
default: 'no'
description:
- Check if mysql allows login as root/nopassword before trying supplied credentials.
required: false
version_added: '1.3'
version_added_collection: ansible.builtin