Add session_role to postgresql modules (#43650)

* Allow session_role to be set for PostgreSQL By implementing session_role it becomes possible to run the specific PostgreSQL commands as a different role. The usecase that is immediately served by this, is the one that one ansible playbook can be shared by multiple users, which all have their own PostgreSQL login_user. They do not need to share login credentials, as they can share the role within the PostgreSQL database. The following example may give some insight: $ psql -U jdoe -X -d postgres postgres=> CREATE DATABASE abc; ERROR: permission denied to create database postgres=> set role postgres; SET postgres=# CREATE DATABASE abc; CREATE DATABASE fixes #43592 * Tests for session_role in PostgreSQL * Bump version_added for session_role feature * Remove explicit encrypted parameter from tests
2025-06-11 02:39:09 -07:00 · 2019-02-02 19:12:14 +00:00 · 2019-02-02 19:12:14 +00:00 · 38e70ea317
commit 38e70ea317
parent e633b93f85
9 changed files with 339 additions and 1 deletions
--- a/lib/ansible/modules/database/postgresql/postgresql_user.py
+++ b/lib/ansible/modules/database/postgresql/postgresql_user.py
@ -86,6 +86,11 @@ options:
      - "PostgreSQL role attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER."
      - Note that '[NO]CREATEUSER' is deprecated.
    choices: ["[NO]SUPERUSER", "[NO]CREATEROLE", "[NO]CREATEDB", "[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION", "[NO]BYPASSRLS"]
+  session_role:
+    version_added: "2.8"
+    description: |
+      Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
+      Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
  state:
    description:
      - The user (role) state.
@ -743,7 +748,8 @@ def main():
        ssl_mode=dict(default='prefer', choices=[
            'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
        ssl_rootcert=dict(default=None),
-        conn_limit=dict(type='int', default=None)
+        conn_limit=dict(type='int', default=None),
+        session_role=dict(),
    ))
    module = AnsibleModule(
        argument_spec=argument_spec,
@ -755,6 +761,7 @@ def main():
    state = module.params["state"]
    fail_on_user = module.params["fail_on_user"]
    db = module.params["db"]
+    session_role = module.params["session_role"]
    if db == '' and module.params["priv"] is not None:
        module.fail_json(msg="privileges require a database to be specified")
    privs = parse_privs(module.params["priv"], db)
@ -808,6 +815,12 @@ def main():
    except Exception as e:
        module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())

+    if session_role:
+        try:
+            cursor.execute('SET ROLE %s' % pg_quote_identifier(session_role, 'role'))
+        except Exception as e:
+            module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc())
+
    try:
        role_attr_flags = parse_role_attrs(cursor, module.params["role_attr_flags"])
    except InvalidFlagsError as e: