break: new system for user and privileges

CHANGELOG.md

@@ -5,6 +5,10 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
 
 ## [Unreleased]
 
+### Changed
+
+- break: new variable for privileges
+
 ### Added
 
 - add variable postrgresql_primary

README.md

@@ -21,7 +21,8 @@ Install and configure Postgresql
 | postgresql_primary                 | bool  | no       | false  | set true to create user and database on this server |
 | postgresql_config                  | dict  | no       |        | add option config file                              |
 | postgresql_databases               | array | no       |        | the database to manage                              |
-| postgresql_users                   | array | no       |        | the users to manage                                 |
+| postgresql_users                   | dict  | no       |        | the users to manage                                 |
+| postgresql_privileges              | array | no       |        | set the privileges for roles                        |
 | postgresql_hba                     | array | no       |        | the hba authorizations                              |
 
 ### postgresql_config
@@ -62,27 +63,46 @@ Example:
 
 | Name       | Type  | Required | Default | Comment                                                       |
 |------------|-------|----------|---------|---------------------------------------------------------------|
-| name       | str   | yes      |         | the user name                                                 |
+| key        | str   | yes      |         | the user name                                                 |
 | password   | str   | yes      |         | the password to logon                                         |
-| database   | str   | yes      |         | the database where user's permissions will be granted         |
+| attributes | array | no       |         | list with the user's attributes (REPLICATION, SUPERUSER, ...) |
-| privileges | array | yes      |         | list with the user's privileges                               |
+| state      | str   | no       | present | if absent the user is deleted                                 |
-| attributes | array | yes      |         | list with the user's attributes (REPLICATION, SUPERUSER, ...) |
-|statee      | str   | no       | present | if absent the user is deleted                                 |
 
 Example:
 
 ```
-  - name: user1
+  user1:
     password: secret
-    database: test
-    privileges:
-      - SELECT
-      - table1:INSERT
     attributes:
       - REPLICATION
     state: present
 ```
 
+### postgresql_privileges
+
+| Name       | Type  | Required | Default           | Comment                                                       |
+|------------|-------|----------|-------------------|---------------------------------------------------------------|
+| roles      | str   | yes      |                   | the roles with this privileges                                |
+| database   | str   | yes      |                   | the database where to apply the privileges                    |
+| type       | str   | no       | table             | the type of privileges (table, function, schema, ...)         |
+| objets     | array | yes      | ["ALL_IN_SCHEMA"] | list with the objets (ex: table name)                         |
+| privileges | array | yes      |                   | list with the privileges (SELECT, UPDATE, INSERT, ALL, ...)   |
+| state      | str   | no       | present           | if absent the privileges is deleted                           |
+
+Example:
+
+```
+  - role: user1
+    database: test
+    type: table
+    objets:
+      - mytable
+    privileges:
+      - SELECT
+      - INSERT
+    state: present
+```
+
 ### postgresql_hba
 
 | Name      | Type  | Required | Default | Comment                                               |
@@ -117,12 +137,21 @@ Example:
     postgresql_databases:
       - name: test
     postgresql_users
-      - name: user1
+      user1:
         password: secret
+    postgresql_privilges:
+      - role: user1
         database: test
+        type: table
         privileges:
           - SELECT
-          - table1:INSERT
+      - role: user1
+        database: test
+        type: table
+        objets:
+          - table1
+        privileges:
+          - INSERT
 ```
 
 ## Development

molecule/default/converge.yml

@@ -9,25 +9,31 @@
     postgresql_config:
       listen_addresses: '*'
     postgresql_hba:
-      - type: hostssl
+      - type: local
         databases:
           - myappli
           - myappli2
         users: all
-        subnet: samenet
         method: md5
     postgresql_databases:
       - name: myappli
       - name: myappli2
     postgresql_users:
-      - name: myuser
+      test:
-        database: myappli
+        password: secret
+      myuser:
         password: secret
-        privileges:
-          - ALL
         attributes:
           - REPLICATION
           - INHERIT
+    postgresql_privileges:
+      - role: myuser
+        type: database
+        database: myappli
+        objets:
+          - myappli
+        privileges:
+          - ALL
 
   pre_tasks:
     - name: update apt cache

molecule/default/tests/test_default.py

@@ -21,7 +21,7 @@ def test_hba_file(host):
   assert path.user == 'root'
   assert path.group == 'root'
   assert path.mode == 0o644
-  assert path.contains('hostssl "myappli","myappli2" all samenet md5')
+  assert path.contains('local "myappli","myappli2" all md5')
 
 def test_service(host):
   service = host.service('postgresql@13-main')
@@ -33,9 +33,16 @@ def test_socket(host):
   assert socket.is_listening
 
 def test_database(host):
-  output = host.check_output('su - postgres -c "psql -c \'\\l\'"')
+  cmd = host.run('su - postgres -c "psql -c \'\\l\'"')
-  assert 'myappli' in output
+  assert cmd.succeeded
+  assert 'myappli' in cmd.stdout
 
 def test_user(host):
-  output = host.check_output('su - postgres -c "psql -c \'\\du\'"')
+  cmd = host.run('su - postgres -c "psql -c \'\\du\'"')
-  assert 'myuser' in output
+  assert cmd.succeeded
+  assert 'myuser' in cmd.stdout
+
+def test_grants(host):
+  cmd = host.run('PGPASSWORD=secret psql -U myuser -d myappli -c \'create table test ( col text);\'')
+  assert cmd.succeeded
+  assert 'CREATE TABLE' in cmd.stdout

tasks/main.yml

@@ -56,15 +56,29 @@
 
 - name: manage users
   community.general.postgresql_user:
-    name: '{{ item.name }}'
+    name: '{{ item.key }}'
-    password: '{{ item.password }}'
+    password: '{{ item.value.password }}'
-    db: '{{ item.database }}'
+    role_attr_flags: '{{ item.value.attributes|default([])|join(",") }}'
-    priv: '{{ item.privileges|join("/") }}'
+    state: '{{ item.value.state|default("present") }}'
-    role_attr_flags: '{{ item.attributes|default([])|join(",") }}'
+  loop: '{{ postgresql_users|dict2items }}'
-    state: '{{ item.state|default("present") }}'
-  loop: '{{ postgresql_users }}'
   loop_control:
-    label: '{{ item.name }}/{{ item.database }}'
+    label: '{{ item.key }}'
+  become: true
+  become_user: postgres
+  when: postgresql_primary
+  tags: postgresql
+
+- name: manage user's privileges
+  community.postgresql.postgresql_privs:
+    db: '{{ item.database }}'
+    roles: '{{ item.role }}'
+    type: '{{ item.type|default("table") }}'
+    objs: '{{ item.objets|default(["ALL_IN_SCHEMA"])|join(",") }}'
+    privs: '{{ item.privileges|join(",") }}'
+    state: '{{ item.state|default("present") }}'
+  loop: '{{ postgresql_privileges }}'
+  loop_control:
+    label: '{{ item.role }}/{{ item.database }}'
   become: true
   become_user: postgres
   when: postgresql_primary