Add session_role to postgresql modules (#43650)

* Allow session_role to be set for PostgreSQL By implementing session_role it becomes possible to run the specific PostgreSQL commands as a different role. The usecase that is immediately served by this, is the one that one ansible playbook can be shared by multiple users, which all have their own PostgreSQL login_user. They do not need to share login credentials, as they can share the role within the PostgreSQL database. The following example may give some insight: $ psql -U jdoe -X -d postgres postgres=> CREATE DATABASE abc; ERROR: permission denied to create database postgres=> set role postgres; SET postgres=# CREATE DATABASE abc; CREATE DATABASE fixes #43592 * Tests for session_role in PostgreSQL * Bump version_added for session_role feature * Remove explicit encrypted parameter from tests
2025-04-25 03:41:25 -07:00 · 2019-02-02 19:12:14 +00:00 · 2019-02-02 19:12:14 +00:00 · 38e70ea317
commit 38e70ea317
parent e633b93f85
9 changed files with 339 additions and 1 deletions
--- a/lib/ansible/modules/database/postgresql/postgresql_db.py
+++ b/lib/ansible/modules/database/postgresql/postgresql_db.py
@ -41,6 +41,11 @@ options:
    description:
      - Character classification (LC_CTYPE) to use in the database (e.g. lower, upper, ...) Must match LC_CTYPE of template database unless C(template0)
        is used as template.
+  session_role:
+    version_added: "2.8"
+    description: |
+      Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
+      Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
  state:
    description: |
        The database state. present implies that the database should be created if necessary.
@ -370,6 +375,7 @@ def main():
        target=dict(default="", type="path"),
        target_opts=dict(default=""),
        maintenance_db=dict(default="postgres"),
+        session_role=dict(),
    ))

    module = AnsibleModule(
@ -391,6 +397,7 @@ def main():
    state = module.params["state"]
    changed = False
    maintenance_db = module.params['maintenance_db']
+    session_role = module.params["session_role"]

    # To use defaults values, keyword arguments must be absent, so
    # check which values are empty and don't include in the **kw
@ -439,6 +446,12 @@ def main():
    except Exception as e:
        module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())

+    if session_role:
+        try:
+            cursor.execute('SET ROLE %s' % pg_quote_identifier(session_role, 'role'))
+        except Exception as e:
+            module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc())
+
    try:
        if module.check_mode:
            if state == "absent":