postgresql_privs fails with type=default_privs, privs=ALL, objs=ALL_DEFAULT #373

Closed
vonschultz opened this issue Nov 21, 2022 · 9 comments · Fixed by #374

Comments

vonschultz commented Nov 21, 2022

SUMMARY

With Ansible 6.6.0 postgresql_privs fails when running with type=default_privs, privs=ALL, objs=ALL_DEFAULT. The issue appears to have been introduced in commit eed4e1f which added SCHEMAS to the VALID_DEFAULT_OBJS variable and thereby to the ALL_DEFAULT objs, despite SCHEMAS not being supported with privs=ALL.

ISSUE TYPE
  • Bug Report

COMPONENT NAME

postgresql_privs

ANSIBLE VERSION
$ ansible  --version
ansible [core 2.13.6]
  config file = /home/von/.ansible.cfg
  configured module search path = ['/home/von/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.8/site-packages/ansible
  ansible collection location = /home/von/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/von/src/embedl/ci/provisioning/.tox/ansible/bin/ansible
  python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
$ pip show ansible
Name: ansible
Version: 6.6.0
Summary: Radically simple IT automation
Home-page: https://ansible.com/
Author: Ansible, Inc.
Author-email: [email protected]
License: GPLv3+
Location: /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.8/site-packages
Requires: ansible-core
Required-by: 

Note that the problem is not exhibited in ansible version 6.5.0.

COLLECTION VERSION
$ ansible-galaxy collection list community.postgresql

# /home/von/src/embedl/ci/provisioning/.tox/ansible/lib/python3.8/site-packages/ansible_collections
Collection           Version
-------------------- -------
community.postgresql 2.3.0

CONFIGURATION

ansible-config dump --only-changed reports no changes

OS / ENVIRONMENT

Ubuntu 20.04, PostgreSQL 13.

STEPS TO REPRODUCE

This is the exact task that's failing for me with ansible version 6.6.0, but which works fine for ansible version 6.5.0:

- name: "ALTER DEFAULT PRIVILEGES FOR ROLE {{ username }}"
  postgresql_privs:
    db: "{{ item }}"
    objs: ALL_DEFAULT
    privs: ALL
    type: default_privs
    role: "{{ item }}"
    target_roles: "{{ username }}"
    ca_cert: "{{ ca_cert }}"
    ssl_mode: verify-full
    login_host: "{{ postgres_public_hostname }}"
    login_password: "{{ postgres_admin_password }}"
  loop: "{{ user_accounts[username]['postgres_roles'] }}"

I think you'll find that this example in the documentation exhibits the same problem:

# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS
# ALL_DEFAULT works only with privs=ALL
# For specific
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO librarian
  community.postgresql.postgresql_privs:
    db: library
    objs: ALL_DEFAULT
    privs: ALL
    type: default_privs
    role: librarian
    grant_option: true

EXPECTED RESULTS

Task runs without error on latest version of ansible (given that it runs without error on ansible 6.5.0).

ACTUAL RESULTS
failed: [localhost] (item=embedl) => {
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "ca_cert": "/etc/ssl/certs/ISRG_Root_X1.pem",
            "connect_params": {},
            "database": "embedl",
            "db": "embedl",
            "fail_on_role": true,
            "grant_option": null,
            "host": "postgres.embedl.dev",
            "login": "postgres",
            "login_host": "postgres.embedl.dev",
            "login_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "login_unix_socket": "",
            "login_user": "postgres",
            "objs": "ALL_DEFAULT",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "port": 5432,
            "privs": "ALL",
            "role": "embedl",
            "roles": "embedl",
            "schema": null,
            "session_role": null,
            "ssl_mode": "verify-full",
            "state": "present",
            "target_roles": "daniel",
            "trust_input": true,
            "type": "default_privs",
            "unix_socket": "",
            "usage_on_types": true
        }
    },
    "item": "embedl",
    "msg": "Invalid priv specified. Valid object for priv: frozenset({'SEQUENCES', 'TYPES', 'TABLES', 'FUNCTIONS'}). Objects: frozenset({'TYPES', 'FUNCTIONS', 'SEQUENCES', 'TABLES', 'SCHEMAS'})"
}
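
The check behind the error message quoted above, as an added example that is not part of the issue and not the module's code: a simplified Python model of how an `ALL_DEFAULT` wildcard fails once an object type that does not list `ALL` joins the table. `MODEL_DEFAULT_OBJS`, `resolve_objs`, `audit_scope` and the `strict=False` narrowing are assumptions for illustration and do not describe the change made in #374.

```python
# Constructed table: PostgreSQL's documented default-privilege names per object
# type, with SCHEMAS lacking "ALL" as the issue's error message implies.
MODEL_DEFAULT_OBJS = {
    "TABLES": {"ALL", "SELECT", "INSERT", "UPDATE", "DELETE",
               "TRUNCATE", "REFERENCES", "TRIGGER"},
    "SEQUENCES": {"ALL", "SELECT", "UPDATE", "USAGE"},
    "FUNCTIONS": {"ALL", "EXECUTE"},
    "TYPES": {"ALL", "USAGE"},
    "SCHEMAS": {"CREATE", "USAGE"},  # no "ALL" entry: the reported mismatch
}


class InvalidPriv(ValueError):
    """Raised when a requested priv is not valid for every requested object."""


def resolve_objs(objs, privs, strict=True):
    """Return the object types whose default privileges would be altered.

    strict=True models the failing behaviour: ALL_DEFAULT expands to every
    key and each priv must be valid for every object type.
    strict=False (hypothetical alternative) narrows ALL_DEFAULT to the object
    types that accept every requested priv; explicit lists are never narrowed.
    """
    explicit = objs != "ALL_DEFAULT"
    if explicit:
        wanted = frozenset(o.strip().upper() for o in objs.split(","))
    else:
        wanted = frozenset(MODEL_DEFAULT_OBJS)
    unknown = wanted - set(MODEL_DEFAULT_OBJS)
    if unknown:
        raise InvalidPriv("Unknown object types: %s" % sorted(unknown))
    priv_list = [p.strip().upper() for p in privs.split(",")]
    valid = frozenset(o for o in wanted
                      if all(p in MODEL_DEFAULT_OBJS[o] for p in priv_list))
    if valid != wanted and (strict or explicit):
        raise InvalidPriv("Invalid priv specified. Valid object for priv: %s. "
                          "Objects: %s" % (sorted(valid), sorted(wanted)))
    return valid


def audit_scope(objs, privs):
    """Report what a wildcard grant covers so a review can spot scope changes."""
    granted = resolve_objs(objs, privs, strict=False)
    return {"granted_on": sorted(granted),
            "skipped": sorted(set(MODEL_DEFAULT_OBJS) - granted)}
```

Because the wildcard's meaning follows the table, listing object types explicitly in `objs` keeps the set of default grants stable and reviewable across collection upgrades.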

vonschultz changed the title from "postgresql_" to "postgresql_privs fails with type=database and privs=ALL" on Nov 21, 2022

@vonschultz
Author

GitHub is not cooperating with me. I was still writing when I accidentally posted the issue. I'll have another look before I maybe open the issue again.

vonschultz changed the title from "postgresql_privs fails with type=database and privs=ALL" to "postgresql_privs fails with type=default_privs, privs=ALL, objs=ALL_DEFAULT" on Nov 21, 2022

@vonschultz
Author

OK, now I think I have a proper issue. Sorry about the editing mess.

vonschultz reopened this Nov 21, 2022

@hunleyd
Collaborator

hunleyd commented Nov 21, 2022

thanks for the report @vonschultz !

did you want to look into this @Andersson007 ?

@Andersson007
Collaborator

@vonschultz @vonschultz hi, yes, thanks, when I feel better, I'll take a look

@vonschultz could you please run your tasks with -vvv and report the traceback (only a part with the sequence of function invocations)?

@vonschultz
Author

This is the output of the task when running with -vvv:

TASK [postgres_users : ALTER DEFAULT PRIVILEGES FOR ROLE daniel] ***************
task path: /tmp/postgres_privs/embedl/ci/provisioning/roles/postgres_users/tasks/setup_user.yaml:4
redirecting (type: modules) ansible.builtin.postgresql_privs to community.postgresql.postgresql_privs
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: von
<127.0.0.1> EXEC /bin/sh -c 'echo ~von && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/von/.ansible/tmp `"&& mkdir "` echo /home/von/.ansible/tmp/ansible-tmp-1669213463.4540513-1094213-180970977225280 `" && echo ansible-tmp-1669213463.4540513-1094213-180970977225280="` echo /home/von/.ansible/tmp/ansible-tmp-1669213463.4540513-1094213-180970977225280 `" ) && sleep 0'
redirecting (type: modules) ansible.builtin.postgresql_privs to community.postgresql.postgresql_privs
Using module file /tmp/postgres_privs/embedl/ci/provisioning/.tox/ansible/lib/python3.8/site-packages/ansible_collections/community/postgresql/plugins/modules/postgresql_privs.py
<127.0.0.1> PUT /home/von/.ansible/tmp/ansible-local-1093342d6legofv/tmpyq40r5lw TO /home/von/.ansible/tmp/ansible-tmp-1669213463.4540513-1094213-180970977225280/AnsiballZ_postgresql_privs.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/von/.ansible/tmp/ansible-tmp-1669213463.4540513-1094213-180970977225280/ /home/von/.ansible/tmp/ansible-tmp-1669213463.4540513-1094213-180970977225280/AnsiballZ_postgresql_privs.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/tmp/postgres_privs/embedl/ci/provisioning/.tox/ansible/bin/python /home/von/.ansible/tmp/ansible-tmp-1669213463.4540513-1094213-180970977225280/AnsiballZ_postgresql_privs.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/von/.ansible/tmp/ansible-tmp-1669213463.4540513-1094213-180970977225280/ > /dev/null 2>&1 && sleep 0'
failed: [localhost] (item=embedl) => {
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "ca_cert": "/etc/ssl/certs/ISRG_Root_X1.pem",
            "connect_params": {},
            "database": "embedl",
            "db": "embedl",
            "fail_on_role": true,
            "grant_option": null,
            "host": "postgres.embedl.dev",
            "login": "postgres",
            "login_host": "postgres.embedl.dev",
            "login_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "login_unix_socket": "",
            "login_user": "postgres",
            "objs": "ALL_DEFAULT",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "port": 5432,
            "privs": "ALL",
            "role": "embedl",
            "roles": "embedl",
            "schema": null,
            "session_role": null,
            "ssl_mode": "verify-full",
            "state": "present",
            "target_roles": "daniel",
            "trust_input": true,
            "type": "default_privs",
            "unix_socket": "",
            "usage_on_types": true
        }
    },
    "item": "embedl",
    "msg": "Invalid priv specified. Valid object for priv: frozenset({'FUNCTIONS', 'SEQUENCES', 'TABLES', 'TYPES'}). Objects: frozenset({'TYPES', 'SCHEMAS', 'FUNCTIONS', 'TABLES', 'SEQUENCES'})"
}

There's no traceback in the Python sense, just a sequence of shell commands and the failure.

@Andersson007
Collaborator

@vonschultz thanks!
I've reproduced the bug in integration tests and created the PR #374

Could you folks please take a look?

@Andersson007
Collaborator

@vonschultz thanks for the issue! The investigation really helped much.
I released a fixed version 2.3.1 and it's available on Galaxy for installation via the ansible-galaxy utility or manually (if you install it from Galaxy you need to update it manually from that point on).
Your feedback would be much appreciated.
Thanks!

@vonschultz
Author

I can confirm that version 2.3.1 installed through ansible-galaxy fixes the issue, and the task runs without error. Thank you very much, @Andersson007, @hunleyd.

@Andersson007
Collaborator

@vonschultz great, thanks for the feedback!
