Fix: grant revoked priv

plugins/module_utils/user.py

@@ -359,9 +359,18 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
                     revoke_privs = list(set(new_priv[db_table]) & set(curr_priv[db_table]))
                 else:
                     # When replacing (neither append_privs nor subtract_privs), grant all missing privileges
-                    # and revoke existing privileges that were not requested.
+                    # and revoke existing privileges that were not requested...
                     grant_privs = list(set(new_priv[db_table]) - set(curr_priv[db_table]))
                     revoke_privs = list(set(curr_priv[db_table]) - set(new_priv[db_table]))
+
+                    # ... but do not revoke GRANT option when it's already allowed
+                    # and already in privs.
+                    #
+                    # For more details
+                    # https://github.com/ansible-collections/community.mysql/issues/77#issuecomment-1209693807
+                    if 'GRANT' in new_priv[db_table] and 'GRANT' in curr_priv[db_table]:
+                        grant_privs.append('GRANT')
+
                 if grant_privs == ['GRANT']:
                     # USAGE grants no privileges, it is only needed because 'WITH GRANT OPTION' cannot stand alone
                     grant_privs.append('USAGE')

tests/integration/targets/test_mysql_user/tasks/test_privs.yml

@@ -173,12 +173,62 @@
         state: present
       register: result
 
-    # FIXME: on mariadb >=10.5.2 there's always a change because the REPLICATION CLIENT privilege was renamed to BINLOG MONITOR
+    # FIXME: on mysql >=8 and mariadb >=10.5.2 there's always a change because the REPLICATION CLIENT privilege was renamed to BINLOG MONITOR
     - name: Assert that priv did not change
       assert:
         that:
           - result is not changed
-      when: install_type == 'mysql' or (install_type == 'mariadb' and mariadb_version is version('10.2', '=='))
+      when: (install_type == 'mysql' and mysql_version is version('8', '<')) or (install_type == 'mariadb' and mariadb_version is version('10.2', '=='))
+
+    # ============================================================
+    - name: grant all privileges with grant option
+      mysql_user:
+        <<: *mysql_params
+        name: '{{ user_name_2 }}'
+        password: '{{ user_password_2 }}'
+        priv: '*.*:ALL,GRANT'
+        state: present
+      register: result
+
+    - name: Assert that priv changed
+      assert:
+        that:
+          - "\"granted ['ALL', 'GRANT']\" in result.msg"
+
+    - name: Assert that 'GRANT' permission is present
+      assert:
+        that:
+          - "\"granted ['ALL', 'GRANT']\" in result.msg"
+
+    - name: Test idempotency (expect ok)
+      mysql_user:
+        <<: *mysql_params
+        name: '{{ user_name_2 }}'
+        password: '{{ user_password_2 }}'
+        priv: '*.*:ALL,GRANT'
+        state: present
+      register: result
+
+    # FIXME: on mysql >=8 and mariadb >=10.5.2 there's always a change because the REPLICATION CLIENT privilege was renamed to BINLOG MONITOR
+    - name: Assert that priv did not change
+      assert:
+        that:
+          - result is not changed
+      when: (install_type == 'mysql' and mysql_version is version('8', '<')) or (install_type == 'mariadb' and mariadb_version is version('10.2', '=='))
+
+    - name: Assert that 'GRANT' permission is present
+      assert:
+        that:
+          - "\"granted ['ALL', 'GRANT']\" in result.msg"
+
+    - name: drop database using user
+      mysql_db:
+        login_user: '{{ user_name_2 }}'
+        login_password: '{{ user_password_2 }}'
+        login_host: '{{ mysql_host }}'
+        login_port: '{{ mysql_primary_port }}'
+        name: '{{ db_name }}'
+        state: absent
 
     # ============================================================
     - name: update user with invalid privileges