If a user/role is not in the nix expressions, it should be deleted from the mysql database (done for roles only, for users this behaviour should be optional). A role/user gets only privileges specified in nix expressions, other privileges, if any, are revoked (done for roles granted of other roles).
Only legit MySQL statements must be used (GRANT / REVOKE), editing the mysql database is prohibited, while SELECT is ok.
User passwords, if any, must not be altered.
REVOKE ALL, GRANT OPTION ... is not allowed, because of the time gap when the user has no privileges, or, if it's a role, many users can't work. Same for deleting and recreating a role.
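
One way to satisfy these constraints, as an added example that is not the project's own code: diff the declared privileges against the current ones and emit only the individual GRANT and REVOKE statements that differ. The data model, the function names, the fixed `'%'` host and the sample data are assumptions; it covers object privileges only (not role-to-role grants) and assumes declared accounts already exist.

```python
import re

NAME = re.compile(r"^[A-Za-z0-9_]+$")
PRIV = re.compile(r"^[A-Z]+( [A-Z]+)*$")
OBJ = re.compile(r"^(\*|[A-Za-z0-9_]+)\.(\*|[A-Za-z0-9_]+)$")


def _acct(name):
    if not NAME.match(name):
        raise ValueError(f"unsafe account name: {name!r}")
    return f"'{name}'@'%'"  # assumption: every account uses host '%'


def _on(priv, obj):
    m = OBJ.match(obj)
    if not PRIV.match(priv) or not m:
        raise ValueError(f"unsafe privilege: {priv!r} ON {obj!r}")
    quoted = ".".join(p if p == "*" else f"`{p}`" for p in m.groups())
    return f"{priv} ON {quoted}"


def reconcile(desired, current, roles, prune_users=False):
    """Return the statements that turn `current` into `desired`.

    Both map account name -> set of (privilege, "db.table"). Privileges in
    both sets are never touched, so access is not interrupted, and no
    statement carries a password clause.
    """
    sql = []
    for name in sorted(desired):
        have = current.get(name, set())
        # Grant what is missing first, then revoke only the surplus.
        for p in sorted(desired[name] - have):
            sql.append(f"GRANT {_on(*p)} TO {_acct(name)}")
        for p in sorted(have - desired[name]):
            sql.append(f"REVOKE {_on(*p)} FROM {_acct(name)}")
    for name in sorted(set(current) - set(desired)):
        if name in roles:
            sql.append(f"DROP ROLE {_acct(name)}")
        elif prune_users:  # removing undeclared users is opt-in
            sql.append(f"DROP USER {_acct(name)}")
    return sql


# Constructed sample state (not taken from the issue).
DESIRED = {"reporting": {("SELECT", "shop.*")},
           "app": {("SELECT", "shop.orders"), ("INSERT", "shop.orders")}}
CURRENT = {"reporting": {("SELECT", "shop.*"), ("DELETE", "shop.*")},
           "app": {("SELECT", "shop.orders")},
           "old_role": {("SELECT", "shop.*")}, "alice": {("SELECT", "*.*")}}
ROLES = {"reporting", "old_role"}
```

In a real run `current` would be read with SELECT or SHOW GRANTS, which the issue permits, and the returned statements executed in order.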