From 8a579b42e3491d826b0035514ef4ff392bc1e2d5 Mon Sep 17 00:00:00 2001 From: hubiongithub <79990207+hubiongithub@users.noreply.github.com> Date: Tue, 3 Jan 2023 09:47:11 +0100 Subject: [PATCH] add service name to plugin pam/auth_pam usage (#445) * add service name to plugin pam/auth_pam usage * typo fixed * MySLQ is using identified with auth_pam by ... instead of identified with pam using ... like mariadb does * a : in description lines breaks yaml syntax * clearify documentation and add changelog fragment * Update changelogs/fragments/445_add_service_name_to_plugin_pam_auth_pam_usage.yml Co-authored-by: Andrew Klychkov * Update plugins/module_utils/user.py Co-authored-by: Andrew Klychkov Co-authored-by: Andrew Klychkov
---
 ...add_service_name_to_plugin_pam_auth_pam_usage.yml | 3 +++ plugins/module_utils/user.py | 12 ++++++++++-- plugins/modules/mysql_user.py | 3 ++- 3 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 changelogs/fragments/445_add_service_name_to_plugin_pam_auth_pam_usage.yml
diff --git a/changelogs/fragments/445_add_service_name_to_plugin_pam_auth_pam_usage.yml b/changelogs/fragments/445_add_service_name_to_plugin_pam_auth_pam_usage.yml
new file mode 100644
index 00000000..2b9a5235
--- /dev/null
+++ b/changelogs/fragments/445_add_service_name_to_plugin_pam_auth_pam_usage.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+ - mysql_user - add plugin_auth_string as optional parameter to use a specific pam service if pam/auth_pam plugin is used (https://github.com/ansible-collections/community.mysql/pull/445).
diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py
index e80bccf8..e36aa571 100644
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@@ -170,7 +170,11 @@ def user_add(cursor, user, host, host_all, password, encrypted,
 elif plugin and plugin_hash_string:
 query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string)
 elif plugin and plugin_auth_string:
- query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
+ # Mysql and MariaDB differ in naming pam plugin and Syntax to set it
+ if plugin == 'pam': # Used by MariaDB which requires the USING keyword, not BY
+ query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s USING %s", (user, host, plugin, plugin_auth_string)
+ else:
+ query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
 elif plugin:
 query_with_args = "CREATE USER %s@%s IDENTIFIED WITH %s", (user, host, plugin)
 else:
@@ -305,7 +309,11 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
 if plugin_hash_string:
 query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string)
 elif plugin_auth_string:
- query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
+ # Mysql and MariaDB differ in naming pam plugin and syntax to set it
+ if plugin == 'pam':
+ query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s USING %s", (user, host, plugin, plugin_auth_string)
+ else:
+ query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
 else:
 query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s", (user, host, plugin)
diff --git a/plugins/modules/mysql_user.py b/plugins/modules/mysql_user.py
index 849aa8de..ed7dde04 100644
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
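Review bot: The new branch in user_add picks `USING` through the exact comparison `plugin == 'pam'`, so any other spelling of the plugin name falls through to the `BY` form that the comment in this hunk says MariaDB does not accept; the identical test is repeated in the user_mod hunk at new line 309. Because the auth string in this branch names the PAM service that will authenticate the account, the keyword choice is better made in one place, for example a module-level helper whose body is `return 'USING' if plugin == 'pam' else 'BY'`, with the explanatory comment kept there so that user_mod is documented as well. The keyword would still come from a fixed two-value set and the user, host, plugin and auth string would stay bound parameters, as they are now. Whether the server compares plugin names case-insensitively cannot be seen from this diff and should be confirmed before the comparison is relaxed. Both function bodies start and end outside their hunks.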
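Review bot: The `USING` branch added to user_mod ships without a test; the diffstat lists only the changelog fragment, user.py and mysql_user.py. An integration case that changes the PAM service of an existing `pam` user and then re-runs the same task would show both that the ALTER statement is accepted and that the second run reports no change. The comparison that decides when this ALTER is issued lies outside the hunk, so idempotence cannot be checked from here. The comment above the `if` could also say what the value means in this branch, e.g. `# MariaDB 'pam' plugin: the auth string is the PAM service name and must follow USING, not BY`.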
@@ -117,7 +117,7 @@ update_password: description: - C(always) will update passwords if they differ. This affects I(password) and the combination of I(plugin), I(plugin_hash_string), I(plugin_auth_string). - - C(on_create) will only set the password or the combination of plugin, plugin_hash_string, plugin_auth_string for newly created users. + - C(on_create) will only set the password or the combination of I(plugin), I(plugin_hash_string), I(plugin_auth_string) for newly created users. - "C(on_new_username) works like C(on_create), but it tries to reuse an existing password: If one different user with the same username exists, or multiple different users with the same username and equal C(plugin) and C(authentication_string) attribute, the existing C(plugin) and C(authentication_string) are used for the @@ -138,6 +138,7 @@ plugin_auth_string: description: - User's plugin auth_string (``CREATE USER user IDENTIFIED WITH plugin BY plugin_auth_string``). + - If I(plugin) is ``pam`` (MariaDB) or ``auth_pam`` (MySQL) an optional I(plugin_auth_string) can be used to choose a specific PAM service. type: str version_added: '0.1.0' resource_limits:
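Review bot: The description of I(plugin_auth_string) in the second hunk still gives only the `BY` statement as its example, while user.py in this commit sends `USING` when I(plugin) is `pam`, so the documented statement no longer matches what the module runs on MariaDB. The added line could state the keyword per plugin and what the value is, e.g. `- If I(plugin) is C(pam) (MariaDB) the value is sent with C(USING), otherwise with C(BY); for C(pam) and C(auth_pam) it names the PAM service to use.` It would also help operators if the text said that the named service has to exist in the PAM configuration of the database host, since the documentation does not say what the server does when the service is omitted or missing.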