Add session_role to postgresql modules (#43650)

* Allow session_role to be set for PostgreSQL By implementing session_role it becomes possible to run the specific PostgreSQL commands as a different role. The usecase that is immediately served by this, is the one that one ansible playbook can be shared by multiple users, which all have their own PostgreSQL login_user. They do not need to share login credentials, as they can share the role within the PostgreSQL database. The following example may give some insight: $ psql -U jdoe -X -d postgres postgres=> CREATE DATABASE abc; ERROR: permission denied to create database postgres=> set role postgres; SET postgres=# CREATE DATABASE abc; CREATE DATABASE fixes #43592 * Tests for session_role in PostgreSQL * Bump version_added for session_role feature * Remove explicit encrypted parameter from tests
2025-04-24 19:31:26 -07:00 · 2019-02-02 19:12:14 +00:00 · 2019-02-02 19:12:14 +00:00 · 38e70ea317
commit 38e70ea317
parent e633b93f85
9 changed files with 339 additions and 1 deletions
--- a/lib/ansible/modules/database/postgresql/postgresql_ext.py
+++ b/lib/ansible/modules/database/postgresql/postgresql_ext.py
@ -66,6 +66,11 @@ options:
    description:
      - Database port to connect to.
    default: 5432
+  session_role:
+    version_added: "2.8"
+    description: |
+      Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
+      Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
  state:
    description:
      - The database extension state
@ -116,6 +121,7 @@ else:
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.six import iteritems
 from ansible.module_utils._text import to_native
+from ansible.module_utils.database import pg_quote_identifier


 class NotSupportedError(Exception):
@ -176,6 +182,7 @@ def main():
            ssl_mode=dict(default='prefer', choices=[
                          'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
            ssl_rootcert=dict(default=None),
+            session_role=dict(),
        ),
        supports_check_mode=True
    )
@ -189,6 +196,7 @@ def main():
    state = module.params["state"]
    cascade = module.params["cascade"]
    sslrootcert = module.params["ssl_rootcert"]
+    session_role = module.params["session_role"]
    changed = False

    # To use defaults values, keyword arguments must be absent, so
@ -235,6 +243,12 @@ def main():
    except Exception as e:
        module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())

+    if session_role:
+        try:
+            cursor.execute('SET ROLE %s' % pg_quote_identifier(session_role, 'role'))
+        except Exception as e:
+            module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc())
+
    try:
        if module.check_mode:
            if state == "present":