Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use postgresql_privs module #266

Merged
merged 4 commits into from
Jan 7, 2025
Merged

use postgresql_privs module #266

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
93fd472
issue #254 - use postgresql_privs module
zerwes Jan 6, 2025
39c20fc
issue #254 - defaults and doc for postgresql_privs module
zerwes Jan 6, 2025
f788159
issue #254 - test postgresql_privs module
zerwes Jan 6, 2025
4152a84
issue #254 - improve test for postgresql_privs module
zerwes Jan 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 20 additions & 1 deletion defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,6 @@
# - name: jdoe #required; the rest are optional
# password: # defaults to not set
# encrypted: # defaults to not set
# priv: # defaults to not set
# role_attr_flags: # defaults to not set
# db: # defaults to not set
# login_host: # defaults to 'localhost'
Expand All @@ -68,5 +67,25 @@
# port: # defaults to not set
# state: # defaults to 'present'

# Privileges to configure
# see https://docs.ansible.com/ansible/latest/collections/community/postgresql/postgresql_privs_module.html#ansible-collections-community-postgresql-postgresql-privs-module

Check warning on line 71 in defaults/main.yml

View workflow job for this annotation

GitHub Actions / Lint 

71:121 [line-length] line too long (172 > 120 characters)
postgresql_privs: []
# - db: exampledb # database (required)
# roles: jdoe # role(s) the privs apply to (required)
# privs: # comma separated list of privileges - defaults to not set
# type: # type of database object to set privileges on - defaults to not set
# objs: # list of database objects to set privileges on - defaults to not set
# schema: # defaults to not set
# session_role: # defaults to not set
# fail_on_role: # defaults to true
# grant_option: # defaults to not set
# target_roles: # defaults to not set
# login_host: # defaults to 'localhost'
# login_password: # defaults to not set
# login_user: # defaults to '{{ postgresql_user }}'
# login_unix_socket: # defaults to 1st of postgresql_unix_socket_directories
# port: # defaults to not set
# state: # defaults to 'present'

# Whether to output user data when managing users.
postgres_users_no_log: true
10 changes: 10 additions & 0 deletions molecule/default/converge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,16 @@
- name: example
postgresql_users:
- name: jdoe
- name: longjohnsilver
postgresql_privs:
- db: example
roles: jdoe
type: database
privs: ALL
- db: example
roles: longjohnsilver
objs: ALL_IN_SCHEMA
privs: ALL

pre_tasks:
# The Fedora 30+ container images have only C.UTF-8 installed
Expand Down
35 changes: 34 additions & 1 deletion tasks/users_props.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@
name: "{{ item.name }}"
password: "{{ item.password | default(omit) }}"
encrypted: "{{ item.encrypted | default(omit) }}"
priv: "{{ item.priv | default(omit) }}"
role_attr_flags: "{{ item.role_attr_flags | default(omit) }}"
db: "{{ item.db | default(omit) }}"
login_host: "{{ item.login_host | default('localhost') }}"
Expand All @@ -22,3 +21,37 @@
ansible_ssh_pipelining: true
environment:
PGOPTIONS: "{{ (postgresql_auth_method == 'scram-sha-256') | ternary('-c password_encryption=scram-sha-256', '') }}"

- name: Ensure PostgreSQL users do not use deprecated privileges settings
debug:
msg "Postgresql user {{ item.name }} uses deprecated privileges settings. See https://github.com/geerlingguy/ansible-role-postgresql/issues/254"

Check warning on line 27 in tasks/users_props.yml

View workflow job for this annotation

GitHub Actions / Lint 

27:121 [line-length] line too long (148 > 120 characters)
with_items: "{{ postgresql_users }}"
when: item.priv is defined

- name: Ensure PostgreSQL users privileges are configured correctly.
postgresql_privs:
roles: "{{ item.roles }}"
db: "{{ item.db }}"
privs: "{{ item.privs | default(omit) }}"
type: "{{ item.type | default(omit) }}"
objs: "{{ item.objs | default(omit) }}"
schema: "{{ item.schema | default(omit) }}"
session_role: "{{ item.session_role | default(omit) }}"
login_host: "{{ item.login_host | default('localhost') }}"
login_password: "{{ item.login_password | default(omit) }}"
login_user: "{{ item.login_user | default(postgresql_user) }}"
login_unix_socket: "{{ item.login_unix_socket | default(postgresql_unix_socket_directories[0]) }}"
port: "{{ item.port | default(omit) }}"
state: "{{ item.state | default('present') }}"
fail_on_role: "{{ item.fail_on_role | default(true) }}"
grant_option: "{{ item.grant_option | default(omit) }}"
target_roles: "{{ item.target_roles | default(omit) }}"
with_items: "{{ postgresql_privs }}"
no_log: "{{ postgres_users_no_log }}"
become: true
become_user: "{{ postgresql_user }}"
# See: https://github.com/ansible/ansible/issues/16048#issuecomment-229012509
vars:
ansible_ssh_pipelining: true
environment:
PGOPTIONS: "{{ (postgresql_auth_method == 'scram-sha-256') | ternary('-c password_encryption=scram-sha-256', '') }}"
Loading