break: new system for user and privileges

Adrien Waksberg 2022-02-21 10:13:57 +01:00
parent 6abc37e270
commit 0f38b36715
5 changed files with 92 additions and 32 deletions


@ -5,6 +5,10 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
## [Unreleased]
### Changed
- break: new variable for privileges
### Added
- add variable postrgresql_primary


@ -21,7 +21,8 @@ Install and configure Postgresql
| postgresql_primary | bool | no | false | set true to create user and database on this server |
| postgresql_config | dict | no | | add option config file |
| postgresql_databases | array | no | | the database to manage |
| postgresql_users | array | no | | the users to manage |
| postgresql_users | dict | no | | the users to manage |
| postgresql_privileges | array | no | | set the privileges for roles |
| postgresql_hba | array | no | | the hba authorizations |
### postgresql_config
@ -62,27 +63,46 @@ Example:
| Name | Type | Required | Default | Comment |
|------------|-------|----------|---------|---------------------------------------------------------------|
| name | str | yes | | the user name |
| key | str | yes | | the user name |
| password | str | yes | | the password to logon |
| database | str | yes | | the database where user's permissions will be granted |
| privileges | array | yes | | list with the user's privileges |
| attributes | array | yes | | list with the user's attributes (REPLICATION, SUPERUSER, ...) |
|statee | str | no | present | if absent the user is deleted |
| attributes | array | no | | list with the user's attributes (REPLICATION, SUPERUSER, ...) |
| state | str | no | present | if absent the user is deleted |
Example:
```
- name: user1
user1:
password: secret
database: test
privileges:
- SELECT
- table1:INSERT
attributes:
- REPLICATION
state: present
```
### postgresql_privileges
| Name | Type | Required | Default | Comment |
|------------|-------|----------|-------------------|---------------------------------------------------------------|
| roles | str | yes | | the roles with this privileges |
| database | str | yes | | the database where to apply the privileges |
| type | str | no | table | the type of privileges (table, function, schema, ...) |
| objets | array | yes | ["ALL_IN_SCHEMA"] | list with the objets (ex: table name) |
| privileges | array | yes | | list with the privileges (SELECT, UPDATE, INSERT, ALL, ...) |
| state | str | no | present | if absent the privileges is deleted |
Example:
```
- role: user1
database: test
type: table
objets:
- mytable
privileges:
- SELECT
- INSERT
state: present
```
### postgresql_hba
| Name | Type | Required | Default | Comment |
@ -117,12 +137,21 @@ Example:
postgresql_databases:
- name: test
postgresql_users
- name: user1
user1:
password: secret
postgresql_privilges:
- role: user1
database: test
type: table
privileges:
- SELECT
- table1:INSERT
- role: user1
database: test
type: table
objets:
- table1
privileges:
- INSERT
```
## Development


@ -9,25 +9,31 @@
postgresql_config:
listen_addresses: '*'
postgresql_hba:
- type: hostssl
- type: local
databases:
- myappli
- myappli2
users: all
subnet: samenet
method: md5
postgresql_databases:
- name: myappli
- name: myappli2
postgresql_users:
- name: myuser
database: myappli
test:
password: secret
myuser:
password: secret
privileges:
- ALL
attributes:
- REPLICATION
- INHERIT
postgresql_privileges:
- role: myuser
type: database
database: myappli
objets:
- myappli
privileges:
- ALL
pre_tasks:
- name: update apt cache


@ -21,7 +21,7 @@ def test_hba_file(host):
assert path.user == 'root'
assert path.group == 'root'
assert path.mode == 0o644
assert path.contains('hostssl "myappli","myappli2" all samenet md5')
assert path.contains('local "myappli","myappli2" all md5')
def test_service(host):
service = host.service('postgresql@13-main')
@ -33,9 +33,16 @@ def test_socket(host):
assert socket.is_listening
def test_database(host):
output = host.check_output('su - postgres -c "psql -c \'\\l\'"')
assert 'myappli' in output
cmd = host.run('su - postgres -c "psql -c \'\\l\'"')
assert cmd.succeeded
assert 'myappli' in cmd.stdout
def test_user(host):
output = host.check_output('su - postgres -c "psql -c \'\\du\'"')
assert 'myuser' in output
cmd = host.run('su - postgres -c "psql -c \'\\du\'"')
assert cmd.succeeded
assert 'myuser' in cmd.stdout
def test_grants(host):
cmd = host.run('PGPASSWORD=secret psql -U myuser -d myappli -c \'create table test ( col text);\'')
assert cmd.succeeded
assert 'CREATE TABLE' in cmd.stdout
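Review bot: `test_grants` leaves the `test` table behind, so any second run of the suite against the same instance (a molecule idempotence pass or a developer re-running the tests) fails with "relation already exists" before the privilege check is even reached; either make the statement idempotent, `create table if not exists test (col text);`, or drop the table at the end of the test, e.g. `host.run('PGPASSWORD=secret psql -U myuser -d myappli -c \'drop table test;\'')`. The test also only proves that the privileged role can create: since the fixture now defines an unprivileged `test` role, a negative check on the same statement with `-U test` and `assert not cmd.succeeded` would catch the regression this refactor is most likely to introduce, privileges being granted more broadly than intended (assuming the default PUBLIC CONNECT grant lets that role reach the database at all; verify on the target). The `PGPASSWORD=secret` prefix is fine for a throwaway test instance but will appear in testinfra's command logging, which is worth a comment so nobody copies the pattern into a real playbook.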


@ -56,15 +56,29 @@
- name: manage users
community.general.postgresql_user:
name: '{{ item.name }}'
password: '{{ item.password }}'
db: '{{ item.database }}'
priv: '{{ item.privileges|join("/") }}'
role_attr_flags: '{{ item.attributes|default([])|join(",") }}'
state: '{{ item.state|default("present") }}'
loop: '{{ postgresql_users }}'
name: '{{ item.key }}'
password: '{{ item.value.password }}'
role_attr_flags: '{{ item.value.attributes|default([])|join(",") }}'
state: '{{ item.value.state|default("present") }}'
loop: '{{ postgresql_users|dict2items }}'
loop_control:
label: '{{ item.name }}/{{ item.database }}'
label: '{{ item.key }}'
become: true
become_user: postgres
when: postgresql_primary
tags: postgresql
- name: manage user's privileges
community.postgresql.postgresql_privs:
db: '{{ item.database }}'
roles: '{{ item.role }}'
type: '{{ item.type|default("table") }}'
objs: '{{ item.objets|default(["ALL_IN_SCHEMA"])|join(",") }}'
privs: '{{ item.privileges|join(",") }}'
state: '{{ item.state|default("present") }}'
loop: '{{ postgresql_privileges }}'
loop_control:
label: '{{ item.role }}/{{ item.database }}'
become: true
become_user: postgres
when: postgresql_primary