Add session_role to postgresql modules (#43650)

* Allow session_role to be set for PostgreSQL

By implementing session_role it becomes possible to run the specific
PostgreSQL commands as a different role.
The use case this immediately serves is that one Ansible playbook can be
shared by multiple users who each have their own PostgreSQL login_user.
They do not need to share login credentials, because they can share a
role within the PostgreSQL database instead.

The following example may give some insight:

$ psql -U jdoe -X -d postgres

postgres=> CREATE DATABASE abc;
ERROR:  permission denied to create database
postgres=> set role postgres;
SET
postgres=# CREATE DATABASE abc;
CREATE DATABASE

fixes #43592

* Tests for session_role in PostgreSQL

* Bump version_added for session_role feature

* Remove explicit encrypted parameter from tests
Feike Steenbergen 2019-02-02 19:12:14 +00:00 committed by Dag Wieers
parent e633b93f85
commit 38e70ea317
9 changed files with 339 additions and 1 deletions


@ -41,6 +41,11 @@ options:
description:
- Character classification (LC_CTYPE) to use in the database (e.g. lower, upper, ...) Must match LC_CTYPE of template database unless C(template0)
is used as template.
session_role:
version_added: "2.8"
description: |
Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
state:
description: |
The database state. present implies that the database should be created if necessary.
@ -370,6 +375,7 @@ def main():
target=dict(default="", type="path"),
target_opts=dict(default=""),
maintenance_db=dict(default="postgres"),
session_role=dict(),
))
module = AnsibleModule(
@ -391,6 +397,7 @@ def main():
state = module.params["state"]
changed = False
maintenance_db = module.params['maintenance_db']
session_role = module.params["session_role"]
# To use defaults values, keyword arguments must be absent, so
# check which values are empty and don't include in the **kw
@ -439,6 +446,12 @@ def main():
except Exception as e:
module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())
if session_role:
try:
cursor.execute('SET ROLE %s' % pg_quote_identifier(session_role, 'role'))
except Exception as e:
module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc())
try:
if module.check_mode:
if state == "absent":
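Review bot: The SET ROLE issued on the new lines only changes the psycopg2 session, so it cannot reach any code path that shells out with the login credentials; the `target`/`target_opts` options in this argument_spec suggest the dump/restore states run pg_dump/pg_restore as login_user, in which case `session_role` is silently ignored there. If that is so, the option description should say it, e.g. `Has no effect on the dump and restore states, which run pg_dump/pg_restore directly as login_user.`, or the module should fail_json when session_role is combined with those states rather than run them under a different identity than the user asked for. main() continues outside the hunk, so I cannot confirm from here which branch handles target.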


@ -66,6 +66,11 @@ options:
description:
- Database port to connect to.
default: 5432
session_role:
version_added: "2.8"
description: |
Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
state:
description:
- The database extension state
@ -116,6 +121,7 @@ else:
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.six import iteritems
from ansible.module_utils._text import to_native
from ansible.module_utils.database import pg_quote_identifier
class NotSupportedError(Exception):
@ -176,6 +182,7 @@ def main():
ssl_mode=dict(default='prefer', choices=[
'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(default=None),
session_role=dict(),
),
supports_check_mode=True
)
@ -189,6 +196,7 @@ def main():
state = module.params["state"]
cascade = module.params["cascade"]
sslrootcert = module.params["ssl_rootcert"]
session_role = module.params["session_role"]
changed = False
# To use defaults values, keyword arguments must be absent, so
@ -235,6 +243,12 @@ def main():
except Exception as e:
module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())
if session_role:
try:
cursor.execute('SET ROLE %s' % pg_quote_identifier(session_role, 'role'))
except Exception as e:
module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc())
try:
if module.check_mode:
if state == "present":
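Review bot: pg_quote_identifier double-quotes the value on the `SET ROLE` line, so the role name is matched case-sensitively and exactly as stored, unlike an unquoted `set role Admin` in psql which folds to lower case; a playbook value of `Admin` against a role created as `admin` fails with a "role does not exist" error that will surprise users. Worth one sentence in the option description: `The role name is quoted as an identifier and is therefore case-sensitive; give it exactly as it appears in pg_roles.` The same quoting should make pg_quote_identifier reject a dotted or over-long value before it reaches the server, which is the right behaviour and is covered by the surrounding except. main() continues outside the hunk.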


@ -77,6 +77,11 @@ options:
description:
- Host running PostgreSQL where you want to execute the actions.
default: localhost
session_role:
version_added: "2.8"
description: |
Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
state:
description:
- The state of the language for the selected database
@ -163,6 +168,7 @@ else:
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.six import iteritems
from ansible.module_utils._text import to_native
from ansible.module_utils.database import pg_quote_identifier
def lang_exists(cursor, lang):
@ -230,6 +236,7 @@ def main():
ssl_mode=dict(default='prefer', choices=[
'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(default=None),
session_role=dict(),
),
supports_check_mode=True
)
@ -242,6 +249,7 @@ def main():
cascade = module.params["cascade"]
fail_on_drop = module.params["fail_on_drop"]
sslrootcert = module.params["ssl_rootcert"]
session_role = module.params["session_role"]
if not postgresqldb_found:
module.fail_json(msg="the python psycopg2 module is required")
@ -281,6 +289,12 @@ def main():
except Exception as e:
module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())
if session_role:
try:
cursor.execute('SET ROLE %s' % pg_quote_identifier(session_role, 'role'))
except Exception as e:
module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc())
changed = False
kw = {'db': db, 'lang': lang, 'trust': trust}
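Review bot: The failure message on the new `except` branch drops the role name, so a play that loops over several roles or runs many tasks gives no hint which SET ROLE failed; postgresql_privs in this same commit already reports it. Use the same form here: `module.fail_json(msg="Could not switch to role %s: %s" % (session_role, to_native(e)), exception=traceback.format_exc())`. The psycopg2 error text usually includes the quoted role name already, so this is a consistency point across the six modules rather than a functional one. main() continues outside the hunk.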


@ -70,6 +70,11 @@ options:
for the implicitly defined PUBLIC group.
- 'Alias: I(role)'
required: yes
session_role:
version_added: "2.8"
description: |
Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
grant_option:
description:
- Whether C(role) may grant/revoke the specified privileges/group
@ -668,6 +673,7 @@ def main():
objs=dict(required=False, aliases=['obj']),
schema=dict(required=False),
roles=dict(required=True, aliases=['role']),
session_role=dict(required=False),
grant_option=dict(required=False, type='bool',
aliases=['admin_option']),
host=dict(default='', aliases=['login_host']),
@ -722,6 +728,12 @@ def main():
# We raise this when the psycopg library is too old
module.fail_json(msg=to_native(e))
if p.session_role:
try:
conn.cursor.execute('SET ROLE %s' % pg_quote_identifier(p.session_role, 'role'))
except Exception as e:
module.fail_json(msg="Could not switch to role %s: %s" % (p.session_role, to_native(e)), exception=traceback.format_exc())
try:
# privs
if p.privs:


@ -49,6 +49,11 @@ options:
description:
- Database port to connect to.
default: 5432
session_role:
version_added: "2.8"
description: |
Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
state:
description:
- The schema state.
@ -218,6 +223,7 @@ def main():
ssl_mode=dict(default='prefer', choices=[
'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(default=None),
session_role=dict(),
),
supports_check_mode=True
)
@ -230,6 +236,7 @@ def main():
state = module.params["state"]
sslrootcert = module.params["ssl_rootcert"]
cascade_drop = module.params["cascade_drop"]
session_role = module.params["session_role"]
changed = False
# To use defaults values, keyword arguments must be absent, so
@ -277,6 +284,12 @@ def main():
except Exception as e:
module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())
if session_role:
try:
cursor.execute('SET ROLE %s' % pg_quote_identifier(session_role, 'role'))
except Exception as e:
module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc())
try:
if module.check_mode:
if state == "absent":
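Review bot: The new option description uses a `|` block scalar while every neighbouring option in this file (for example `port` just above it) documents with a `- ` list, which is also what the Ansible doc fragments render best; the block scalar additionally yields a trailing newline in the rendered text. Switching to list form keeps the docs consistent: `description:` followed by `- Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.` and `- Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.` The same applies to the copies of this description in the other modules of the commit. main() continues outside the hunk.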


@ -86,6 +86,11 @@ options:
- "PostgreSQL role attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER."
- Note that '[NO]CREATEUSER' is deprecated.
choices: ["[NO]SUPERUSER", "[NO]CREATEROLE", "[NO]CREATEDB", "[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION", "[NO]BYPASSRLS"]
session_role:
version_added: "2.8"
description: |
Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
state:
description:
- The user (role) state.
@ -743,7 +748,8 @@ def main():
ssl_mode=dict(default='prefer', choices=[
'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(default=None),
conn_limit=dict(type='int', default=None)
conn_limit=dict(type='int', default=None),
session_role=dict(),
))
module = AnsibleModule(
argument_spec=argument_spec,
@ -755,6 +761,7 @@ def main():
state = module.params["state"]
fail_on_user = module.params["fail_on_user"]
db = module.params["db"]
session_role = module.params["session_role"]
if db == '' and module.params["priv"] is not None:
module.fail_json(msg="privileges require a database to be specified")
privs = parse_privs(module.params["priv"], db)
@ -808,6 +815,12 @@ def main():
except Exception as e:
module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())
if session_role:
try:
cursor.execute('SET ROLE %s' % pg_quote_identifier(session_role, 'role'))
except Exception as e:
module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc())
try:
role_attr_flags = parse_role_attrs(cursor, module.params["role_attr_flags"])
except InvalidFlagsError as e:
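Review bot: The option description says the session_role "must be a role that the current login_user is a member of", but PostgreSQL lets a superuser `SET ROLE` to any role regardless of membership, so the same task succeeds under a superuser login_user and fails under a non-superuser one; the text should say so, e.g. `The login_user must be a member of this role (superusers can switch to any role).` This matters most in this module, because the switched-to role's CREATEROLE/SUPERUSER attributes are what decide whether the subsequent user creation and attribute changes are allowed. main() continues outside the hunk; the identical description is repeated in the other modules of this commit and should be corrected in all of them.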