Merge pull request #266 from zerwes/master

use postgresql_privs module
geerlingguy · Jan 7, 2025 · aafbf26 · aafbf26
2 parents d18027f + 4152a84
commit aafbf26
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 2 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -58,7 +58,6 @@ postgresql_users: []
 # - name: jdoe #required; the rest are optional
 #   password: # defaults to not set
 #   encrypted: # defaults to not set
-#   priv: # defaults to not set
 #   role_attr_flags: # defaults to not set
 #   db: # defaults to not set
 #   login_host: # defaults to 'localhost'
@@ -68,5 +67,25 @@ postgresql_users: []
 #   port: # defaults to not set
 #   state: # defaults to 'present'
 
+# Privileges to configure
+# see https://docs.ansible.com/ansible/latest/collections/community/postgresql/postgresql_privs_module.html#ansible-collections-community-postgresql-postgresql-privs-module
+postgresql_privs: []
+# - db: exampledb # database (required)
+#   roles: jdoe  # role(s) the privs apply to (required)
+#   privs: # comma separated list of privileges - defaults to not set
+#   type: # type of database object to set privileges on - defaults to not set
+#   objs: # list of database objects to set privileges on - defaults to not set
+#   schema: # defaults to not set
+#   session_role: # defaults to not set
+#   fail_on_role: # defaults to true
+#   grant_option: # defaults to not set
+#   target_roles: # defaults to not set
+#   login_host: # defaults to 'localhost'
+#   login_password: # defaults to not set
+#   login_user: # defaults to '{{ postgresql_user }}'
+#   login_unix_socket: # defaults to 1st of postgresql_unix_socket_directories
+#   port: # defaults to not set
+#   state: # defaults to 'present'
+
 # Whether to output user data when managing users.
 postgres_users_no_log: true
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -8,6 +8,16 @@
       - name: example
     postgresql_users:
       - name: jdoe
+      - name: longjohnsilver
+    postgresql_privs:
+      - db: example
+        roles: jdoe
+        type: database
+        privs: ALL
+      - db: example
+        roles: longjohnsilver
+        objs: ALL_IN_SCHEMA
+        privs: ALL
 
   pre_tasks:
     # The Fedora 30+ container images have only C.UTF-8 installed

diff --git a/tasks/users_props.yml b/tasks/users_props.yml
@@ -4,7 +4,6 @@
     name: "{{ item.name }}"
     password: "{{ item.password | default(omit) }}"
     encrypted: "{{ item.encrypted | default(omit) }}"
-    priv: "{{ item.priv | default(omit) }}"
     role_attr_flags: "{{ item.role_attr_flags | default(omit) }}"
     db: "{{ item.db | default(omit) }}"
     login_host: "{{ item.login_host | default('localhost') }}"
@@ -22,3 +21,37 @@
     ansible_ssh_pipelining: true
   environment:
     PGOPTIONS: "{{ (postgresql_auth_method == 'scram-sha-256') | ternary('-c password_encryption=scram-sha-256', '') }}"
+
+- name: Ensure PostgreSQL users do not use deprecated privileges settings
+  debug:
+    msg "Postgresql user {{ item.name }} uses deprecated privileges settings. See https://github.com/geerlingguy/ansible-role-postgresql/issues/254"
+  with_items: "{{ postgresql_users }}"
+  when: item.priv is defined
+
+- name: Ensure PostgreSQL users privileges are configured correctly.
+  postgresql_privs:
+    roles: "{{ item.roles }}"
+    db: "{{ item.db }}"
+    privs: "{{ item.privs | default(omit) }}"
+    type: "{{ item.type | default(omit) }}"
+    objs: "{{ item.objs | default(omit) }}"
+    schema: "{{ item.schema | default(omit) }}"
+    session_role: "{{ item.session_role | default(omit) }}"
+    login_host: "{{ item.login_host | default('localhost') }}"
+    login_password: "{{ item.login_password | default(omit) }}"
+    login_user: "{{ item.login_user | default(postgresql_user) }}"
+    login_unix_socket: "{{ item.login_unix_socket | default(postgresql_unix_socket_directories[0]) }}"
+    port: "{{ item.port | default(omit) }}"
+    state: "{{ item.state | default('present') }}"
+    fail_on_role: "{{ item.fail_on_role | default(true) }}"
+    grant_option: "{{ item.grant_option | default(omit) }}"
+    target_roles: "{{ item.target_roles | default(omit) }}"
+  with_items: "{{ postgresql_privs }}"
+  no_log: "{{ postgres_users_no_log }}"
+  become: true
+  become_user: "{{ postgresql_user }}"
+  # See: https://github.com/ansible/ansible/issues/16048#issuecomment-229012509
+  vars:
+    ansible_ssh_pipelining: true
+  environment:
+    PGOPTIONS: "{{ (postgresql_auth_method == 'scram-sha-256') | ternary('-c password_encryption=scram-sha-256', '') }}"