ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-25 11:51:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

standardize TLS connection properties (#54315)

Browse source 
* openstack: standardize tls params

* tower: tower_verify_ssl->validate_certs

* docker: use standard tls config params

- cacert_path -> ca_cert
- cert_path -> client_cert
- key_path -> client_key
- tls_verify -> validate_certs

* k8s: standardize tls connection params

- verify_ssl -> validate_certs
- ssl_ca_cert -> ca_cert
- cert_file -> client_cert
- key_file -> client_key

* ingate: verify_ssl -> validate_certs

* manageiq: standardize tls params

- verify_ssl -> validate_certs
- ca_bundle_path -> ca_cert

* mysql: standardize tls params

- ssl_ca -> ca_cert
- ssl_cert -> client_cert
- ssl_key -> client_key

* nios: ssl_verify -> validate_certs

* postgresql: ssl_rootcert -> ca_cert

* rabbitmq: standardize tls params

- cacert -> ca_cert
- cert -> client_cert
- key -> client_key

* rackspace: verify_ssl -> validate_certs

* vca: verify_certs -> validate_certs

* kubevirt_cdi_upload: upload_host_verify_ssl -> upload_host_validate_certs

* lxd: standardize tls params

- key_file -> client_key
- cert_file -> client_cert

* get_certificate: ca_certs -> ca_cert

* get_certificate.py: clarify one or more certs in a file

Co-Authored-By: jamescassell <code@james.cassell.me>

* zabbix: tls_issuer -> ca_cert

* bigip_device_auth_ldap: standardize tls params

- ssl_check_peer -> validate_certs
- ssl_client_cert -> client_cert
- ssl_client_key -> client_key
- ssl_ca_cert -> ca_cert

* vdirect: vdirect_validate_certs -> validate_certs

* mqtt: standardize tls params

- ca_certs -> ca_cert
- certfile -> client_cert
- keyfile -> client_key

* pulp_repo: standardize tls params

remove `importer_ssl` prefix

* rhn_register: sslcacert -> ca_cert

* yum_repository: standardize tls params

The fix for yum_repository is not straightforward since this module is
only a thin wrapper for the underlying commands and config.  In this
case, we add the new values as aliases, keeping the old as primary,
only due to the internal structure of the module.

Aliases added:
- sslcacert -> ca_cert
- sslclientcert -> client_cert
- sslclientkey -> client_key
- sslverify -> validate_certs

* gitlab_hook: enable_ssl_verification -> hook_validate_certs

* Adjust arguments for docker_swarm inventory plugin.

* foreman callback: standardize tls params

- ssl_cert -> client_cert
- ssl_key -> client_key

* grafana_annotations: validate_grafana_certs -> validate_certs

* nrdp callback: validate_nrdp_certs -> validate_certs

* kubectl connection: standardize tls params

- kubectl_cert_file -> client_cert
- kubectl_key_file -> client_key
- kubectl_ssl_ca_cert -> ca_cert
- kubectl_verify_ssl -> validate_certs

* oc connection: standardize tls params

- oc_cert_file -> client_cert
- oc_key_file -> client_key
- oc_ssl_ca_cert -> ca_cert
- oc_verify_ssl -> validate_certs

* psrp connection: cert_trust_path -> ca_cert

TODO: cert_validation -> validate_certs (multi-valued vs bool)

* k8s inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* openshift inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* tower inventory: verify_ssl -> validate_certs

* hashi_vault lookup: cacert -> ca_cert

* k8s lookup: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* laps_passord lookup: cacert_file -> ca_cert

* changelog for TLS parameter standardization
This commit is contained in:
James Cassell 2019-03-28 01:19:28 -04:00 committed by Adam Miller
parent 85d836171b
commit bc4ef99533
90 changed files with 556 additions and 411 deletions
Download patch file Download diff file Expand all files Collapse all files

4
lib/ansible/modules/database/postgresql/postgresql_db.py
View file

@ -462,7 +462,7 @@ def main():
"login_password": "password",
"port": "port",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != '' and v is not None)
@ -479,7 +479,7 @@ def main():
if not raw_connection:
try:
pgutils.ensure_libs(sslrootcert=module.params.get('ssl_rootcert'))
pgutils.ensure_libs(sslrootcert=module.params.get('ca_cert'))
db_connection = psycopg2.connect(database=maintenance_db, **kw)
# Enable autocommit so we can create databases

11
lib/ansible/modules/database/postgresql/postgresql_ext.py
View file

@ -65,13 +65,14 @@ options:
choices: [allow, disable, prefer, require, verify-ca, verify-full]
type: str
version_added: '2.8'
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA)
certificate(s). If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
type: path
version_added: '2.8'
aliases: [ ssl_rootcert ]
port:
description:
- Database port to connect to.
@ -225,7 +226,7 @@ def main():
cascade=dict(type='bool', default=False),
ssl_mode=dict(type='str', default='prefer', choices=[
'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(type="path", default=None),
ca_cert=dict(type="path", default=None, aliases=['ssl_rootcert']),
session_role=dict(type="str"),
)
@ -242,7 +243,7 @@ def main():
schema = module.params["schema"]
state = module.params["state"]
cascade = module.params["cascade"]
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
session_role = module.params["session_role"]
changed = False
@ -256,7 +257,7 @@ def main():
"port": "port",
"db": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != "" and v is not None)
@ -267,7 +268,7 @@ def main():
kw["host"] = module.params["login_unix_socket"]
if psycopg2.__version__ < '2.4.3' and sslrootcert is not None:
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter')
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ca_cert parameter')
try:
db_connection = psycopg2.connect(**kw)

11
lib/ansible/modules/database/postgresql/postgresql_idx.py
View file

@ -75,12 +75,13 @@ options:
type: str
default: prefer
choices: [ allow, disable, prefer, require, verify-ca, verify-full ]
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA)
certificate(s). If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
type: str
aliases: [ ssl_rootcert ]
state:
description:
- Index state.
@ -433,7 +434,7 @@ def main():
idxname=dict(type='str', required=True, aliases=['name']),
db=dict(type='str'),
ssl_mode=dict(type='str', default='prefer', choices=['allow', 'disable', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(type='str'),
ca_cert=dict(type='str', aliases=['ssl_rootcert']),
state=dict(type='str', default='present', choices=['absent', 'present']),
concurrent=dict(type='bool', default=True),
table=dict(type='str'),
@ -458,7 +459,7 @@ def main():
idxtype = module.params["idxtype"]
columns = module.params["columns"]
cond = module.params["cond"]
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
session_role = module.params["session_role"]
tablespace = module.params["tablespace"]
storage_params = module.params["storage_params"]
@ -495,7 +496,7 @@ def main():
"port": "port",
"db": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != "" and v is not None)
@ -506,7 +507,7 @@ def main():
kw["host"] = module.params["login_unix_socket"]
if psycopg2.__version__ < '2.4.3' and sslrootcert is not None:
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter')
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ca_cert parameter')
if module.check_mode and concurrent:
module.fail_json(msg="Cannot concurrently create or drop index %s "

11
lib/ansible/modules/database/postgresql/postgresql_info.py
View file

@ -80,13 +80,14 @@ options:
type: str
choices: [ allow, disable, prefer, require, verify-ca, verify-full ]
default: prefer
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA)
certificate(s).
- If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
type: str
aliases: [ ssl_rootcert ]
notes:
- The default authentication assumes that you are either logging in as or
sudo'ing to the postgres account on the host.
@ -965,7 +966,7 @@ def main():
port=dict(type='int', default=5432, aliases=['login_port']),
filter=dict(type='list'),
ssl_mode=dict(type='str', default='prefer', choices=['allow', 'disable', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(type='str'),
ca_cert=dict(type='str', aliases=['ssl_rootcert']),
session_role=dict(type='str'),
)
module = AnsibleModule(
@ -977,7 +978,7 @@ def main():
module.fail_json(msg="The python psycopg2 module is required")
filter_ = module.params["filter"]
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
session_role = module.params["session_role"]
# To use defaults values, keyword arguments must be absent, so
@ -990,7 +991,7 @@ def main():
"port": "port",
"db": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != "" and v is not None)
@ -1002,7 +1003,7 @@ def main():
if psycopg2.__version__ < '2.4.3' and sslrootcert:
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order '
'to user the ssl_rootcert parameter')
'to user the ca_cert parameter')
db_conn_obj = PgDbConn(module, kw, session_role)

11
lib/ansible/modules/database/postgresql/postgresql_lang.py
View file

@ -101,12 +101,13 @@ options:
default: prefer
choices: ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
version_added: '2.8'
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA)
certificate(s). If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
version_added: '2.8'
aliases: [ ssl_rootcert ]
notes:
- The default authentication assumes that you are either logging in as or
sudo'ing to the postgres account on the host.
@ -237,7 +238,7 @@ def main():
fail_on_drop=dict(type='bool', default='yes'),
ssl_mode=dict(default='prefer', choices=[
'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(default=None),
ca_cert=dict(default=None, aliases=['ssl_rootcert']),
session_role=dict(),
),
supports_check_mode=True
@ -250,7 +251,7 @@ def main():
force_trust = module.params["force_trust"]
cascade = module.params["cascade"]
fail_on_drop = module.params["fail_on_drop"]
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
session_role = module.params["session_role"]
if not postgresqldb_found:
@ -266,7 +267,7 @@ def main():
"port": "port",
"db": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != "" and v is not None)
@ -277,7 +278,7 @@ def main():
kw["host"] = module.params["login_unix_socket"]
if psycopg2.__version__ < '2.4.3' and sslrootcert is not None:
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter')
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ca_cert parameter')
try:
db_connection = psycopg2.connect(**kw)

13
lib/ansible/modules/database/postgresql/postgresql_ping.py
View file

@ -57,13 +57,14 @@ options:
type: str
choices: [ allow, disable, prefer, require, verify-ca, verify-full ]
default: prefer
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA)
certificate(s).
- If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
type: str
aliases: [ ssl_rootcert ]
notes:
- The default authentication assumes that you are either logging in as or
sudo'ing to the postgres account on the host.
@ -90,7 +91,7 @@ EXAMPLES = r'''
login_host: dbsrv
login_user: secret
login_password: secret_pass
ssl_rootcert: /root/root.crt
ca_cert: /root/root.crt
ssl_mode: verify-full
'''
@ -172,7 +173,7 @@ def main():
argument_spec.update(
db=dict(type='str'),
ssl_mode=dict(type='str', default='prefer', choices=['allow', 'disable', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(type='str'),
ca_cert=dict(type='str', aliases=['ssl_rootcert']),
)
module = AnsibleModule(
argument_spec=argument_spec,
@ -182,7 +183,7 @@ def main():
if not HAS_PSYCOPG2:
module.fail_json(msg="The python psycopg2 module is required")
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
# To use defaults values, keyword arguments must be absent, so
# check which values are empty and don't include in the **kw
@ -194,7 +195,7 @@ def main():
"port": "port",
"db": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != "" and v is not None)
@ -206,7 +207,7 @@ def main():
if psycopg2.__version__ < '2.4.3' and sslrootcert is not None:
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order '
'to user the ssl_rootcert parameter')
'to user the ca_cert parameter')
# Set some default values:
cursor = False

13
lib/ansible/modules/database/postgresql/postgresql_privs.py
View file

@ -128,11 +128,12 @@ options:
default: prefer
choices: [disable, allow, prefer, require, verify-ca, verify-full]
version_added: '2.3'
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
version_added: '2.3'
aliases: [ ssl_rootcert ]
notes:
- Default authentication assumes that postgresql_privs is run by the
C(postgres) user on the remote host. (Ansible's C(user) or C(sudo-user)).
@ -152,7 +153,7 @@ notes:
specified via I(login). If R has been granted the same privileges by
another user also, R can still access database objects via these privileges.
- When revoking privileges, C(RESTRICT) is assumed (see PostgreSQL docs).
- The ssl_rootcert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3.
- The ca_cert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3.
requirements: [psycopg2]
extends_documentation_fragment:
- postgres
@ -412,7 +413,7 @@ class Connection(object):
"port": "port",
"database": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], getattr(params, k)) for k in params_map
@ -423,9 +424,9 @@ class Connection(object):
if is_localhost and params.unix_socket != "":
kw["host"] = params.unix_socket
sslrootcert = params.ssl_rootcert
sslrootcert = params.ca_cert
if psycopg2.__version__ < '2.4.3' and sslrootcert is not None:
raise ValueError('psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter')
raise ValueError('psycopg2 must be at least 2.4.3 in order to user the ca_cert parameter')
self.connection = psycopg2.connect(**kw)
self.cursor = self.connection.cursor()
@ -856,7 +857,7 @@ def main():
password=dict(default='', aliases=['login_password'], no_log=True),
ssl_mode=dict(default="prefer",
choices=['disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(default=None),
ca_cert=dict(default=None, aliases=['ssl_rootcert']),
fail_on_role=dict(type='bool', default=True),
),
supports_check_mode=True

11
lib/ansible/modules/database/postgresql/postgresql_query.py
View file

@ -86,13 +86,14 @@ options:
type: str
default: prefer
choices: [ allow, disable, prefer, require, verify-ca, verify-full ]
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA)
certificate(s).
- If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
type: str
aliases: [ ssl_rootcert ]
notes:
- The default authentication assumes that you are either logging in as or
sudo'ing to the postgres account on the host.
@ -220,7 +221,7 @@ def main():
query=dict(type='str'),
db=dict(type='str'),
ssl_mode=dict(type='str', default='prefer', choices=['allow', 'disable', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(type='str'),
ca_cert=dict(type='str', aliases=['ssl_rootcert']),
positional_args=dict(type='list'),
named_args=dict(type='dict'),
session_role=dict(type='str'),
@ -239,7 +240,7 @@ def main():
query = module.params["query"]
positional_args = module.params["positional_args"]
named_args = module.params["named_args"]
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
session_role = module.params["session_role"]
path_to_script = module.params["path_to_script"]
@ -265,7 +266,7 @@ def main():
"port": "port",
"db": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != '' and v is not None)
@ -277,7 +278,7 @@ def main():
if psycopg2.__version__ < '2.4.3' and sslrootcert:
module.fail_json(msg='psycopg2 must be at least 2.4.3 '
'in order to user the ssl_rootcert parameter')
'in order to user the ca_cert parameter')
db_connection = connect_to_db(module, kw)
cursor = db_connection.cursor(cursor_factory=psycopg2.extras.DictCursor)

11
lib/ansible/modules/database/postgresql/postgresql_schema.py
View file

@ -91,12 +91,13 @@ options:
default: prefer
choices: [ allow, disable, prefer, require, verify-ca, verify-full ]
version_added: '2.8'
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA) certificate(s).
- If the file exists, the server's certificate will be verified to be signed by one of these authorities.
type: str
version_added: '2.8'
aliases: [ ssl_rootcert ]
notes:
- This module uses I(psycopg2), a Python PostgreSQL database adapter.
- You must ensure that psycopg2 is installed on the host before using this module.
@ -252,7 +253,7 @@ def main():
state=dict(type="str", default="present", choices=["absent", "present"]),
ssl_mode=dict(type="str", default='prefer', choices=[
'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(type="str", default=None),
ca_cert=dict(type="str", default=None, aliases=['ssl_rootcert']),
session_role=dict(type="str"),
)
@ -267,7 +268,7 @@ def main():
schema = module.params["schema"]
owner = module.params["owner"]
state = module.params["state"]
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
cascade_drop = module.params["cascade_drop"]
session_role = module.params["session_role"]
changed = False
@ -282,7 +283,7 @@ def main():
"port": "port",
"database": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != "" and v is not None)
@ -294,7 +295,7 @@ def main():
if psycopg2.__version__ < '2.4.3' and sslrootcert is not None:
module.fail_json(
msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter')
msg='psycopg2 must be at least 2.4.3 in order to user the ca_cert parameter')
try:
db_connection = psycopg2.connect(**kw)

11
lib/ansible/modules/database/postgresql/postgresql_set.py
View file

@ -96,13 +96,14 @@ options:
type: str
choices: [ allow, disable, prefer, require, verify-ca, verify-full ]
default: prefer
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA)
certificate(s).
- If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
type: str
aliases: [ ssl_rootcert ]
notes:
- Supported version of PostgreSQL is 9.4 and later.
- Pay attention, change setting with 'postmaster' context can return changed is true
@ -338,7 +339,7 @@ def main():
db=dict(type='str', aliases=['login_db']),
port=dict(type='int', default=5432, aliases=['login_port']),
ssl_mode=dict(type='str', default='prefer', choices=['allow', 'disable', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(type='str'),
ca_cert=dict(type='str', aliases=['ssl_rootcert']),
value=dict(type='str'),
reset=dict(type='bool'),
session_role=dict(type='str'),
@ -354,7 +355,7 @@ def main():
name = module.params["name"]
value = module.params["value"]
reset = module.params["reset"]
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
session_role = module.params["session_role"]
# Allow to pass values like 1mb instead of 1MB, etc:
@ -379,7 +380,7 @@ def main():
"port": "port",
"db": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != '' and v is not None)
@ -394,7 +395,7 @@ def main():
if psycopg2.__version__ < '2.4.3' and sslrootcert:
module.fail_json(msg='psycopg2 must be at least 2.4.3 '
'in order to user the ssl_rootcert parameter')
'in order to user the ca_cert parameter')
db_connection = connect_to_db(module, kw, autocommit=True)
cursor = db_connection.cursor(cursor_factory=psycopg2.extras.DictCursor)

11
lib/ansible/modules/database/postgresql/postgresql_tablespace.py
View file

@ -112,13 +112,14 @@ options:
type: str
default: prefer
choices: [ allow, disable, prefer, require, verify-ca, verify-full ]
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA)
certificate(s).
- If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
type: str
aliases: [ ssl_rootcert ]
notes:
- I(state=absent) and I(state=present) (the second one if the tablespace doesn't exist) do not
support check mode because the corresponding PostgreSQL DROP and CREATE TABLESPACE commands
@ -389,7 +390,7 @@ def main():
db=dict(type='str', aliases=['login_db']),
port=dict(type='int', default=5432, aliases=['login_port']),
ssl_mode=dict(type='str', default='prefer', choices=['allow', 'disable', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(type='str'),
ca_cert=dict(type='str', aliases=['ssl_rootcert']),
session_role=dict(type='str'),
)
@ -408,7 +409,7 @@ def main():
owner = module.params["owner"]
rename_to = module.params["rename_to"]
settings = module.params["set"]
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
session_role = module.params["session_role"]
if state == 'absent' and (location or owner or rename_to or settings):
@ -425,7 +426,7 @@ def main():
"port": "port",
"db": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != '' and v is not None)
@ -437,7 +438,7 @@ def main():
if psycopg2.__version__ < '2.4.3' and sslrootcert:
module.fail_json(msg='psycopg2 must be at least 2.4.3 '
'in order to user the ssl_rootcert parameter')
'in order to user the ca_cert parameter')
db_connection = connect_to_db(module, kw, autocommit=True)
cursor = db_connection.cursor(cursor_factory=psycopg2.extras.DictCursor)

13
lib/ansible/modules/database/postgresql/postgresql_user.py
View file

@ -138,12 +138,13 @@ options:
default: prefer
choices: ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
version_added: '2.3'
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA)
certificate(s). If the file exists, the server's certificate will be
verified to be signed by one of these authorities.
version_added: '2.3'
aliases: [ ssl_rootcert ]
conn_limit:
description:
- Specifies the user (role) connection limit.
@ -163,7 +164,7 @@ notes:
- If you specify PUBLIC as the user (role), then the privilege changes will apply
to all users (roles). You may not specify password or role_attr_flags when the
PUBLIC user is specified.
- The ssl_rootcert parameter requires at least Postgres version 8.4 and
- The ca_cert parameter requires at least Postgres version 8.4 and
I(psycopg2) version 2.4.3.
requirements: [ psycopg2 ]
author: "Ansible Core Team"
@ -759,7 +760,7 @@ def main():
expires=dict(default=None),
ssl_mode=dict(default='prefer', choices=[
'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(default=None),
ca_cert=dict(default=None, aliases=['ssl_rootcert']),
conn_limit=dict(type='int', default=None),
session_role=dict(),
))
@ -783,7 +784,7 @@ def main():
else:
encrypted = "UNENCRYPTED"
expires = module.params["expires"]
sslrootcert = module.params["ssl_rootcert"]
sslrootcert = module.params["ca_cert"]
conn_limit = module.params["conn_limit"]
if not postgresqldb_found:
@ -799,7 +800,7 @@ def main():
"port": "port",
"db": "database",
"ssl_mode": "sslmode",
"ssl_rootcert": "sslrootcert"
"ca_cert": "sslrootcert"
}
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != "" and v is not None)
@ -811,7 +812,7 @@ def main():
if psycopg2.__version__ < '2.4.3' and sslrootcert is not None:
module.fail_json(
msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter')
msg='psycopg2 must be at least 2.4.3 in order to user the ca_cert parameter')
try:
db_connection = psycopg2.connect(**kw)