mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-04-24 19:31:26 -07:00
38e70ea317
* Allow session_role to be set for PostgreSQL By implementing session_role it becomes possible to run the specific PostgreSQL commands as a different role. The usecase that is immediately served by this, is the one that one ansible playbook can be shared by multiple users, which all have their own PostgreSQL login_user. They do not need to share login credentials, as they can share the role within the PostgreSQL database. The following example may give some insight: $ psql -U jdoe -X -d postgres postgres=> CREATE DATABASE abc; ERROR: permission denied to create database postgres=> set role postgres; SET postgres=# CREATE DATABASE abc; CREATE DATABASE fixes #43592 * Tests for session_role in PostgreSQL * Bump version_added for session_role feature * Remove explicit encrypted parameter from tests
273 lines
9 KiB
Python
273 lines
9 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
# Copyright: Ansible Project
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
__metaclass__ = type
|
|
|
|
|
|
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
|
'status': ['preview'],
|
|
'supported_by': 'community'}
|
|
|
|
|
|
DOCUMENTATION = '''
|
|
---
|
|
module: postgresql_ext
|
|
short_description: Add or remove PostgreSQL extensions from a database.
|
|
description:
|
|
- Add or remove PostgreSQL extensions from a database.
|
|
version_added: "1.9"
|
|
options:
|
|
name:
|
|
description:
|
|
- name of the extension to add or remove
|
|
required: true
|
|
db:
|
|
description:
|
|
- name of the database to add or remove the extension to/from
|
|
required: true
|
|
schema:
|
|
description:
|
|
- name of the schema to add the extension to
|
|
version_added: "2.8"
|
|
login_user:
|
|
description:
|
|
- The username used to authenticate with
|
|
login_password:
|
|
description:
|
|
- The password used to authenticate with
|
|
login_host:
|
|
description:
|
|
- Host running the database
|
|
default: localhost
|
|
login_unix_socket:
|
|
description:
|
|
- Path to a Unix domain socket for local connections.
|
|
version_added: '2.8'
|
|
ssl_mode:
|
|
description:
|
|
- Determines whether or with what priority a secure SSL TCP/IP connection
|
|
will be negotiated with the server.
|
|
- See U(https://www.postgresql.org/docs/current/static/libpq-ssl.html) for
|
|
more information on the modes.
|
|
- Default of C(prefer) matches libpq default.
|
|
default: prefer
|
|
choices: ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
|
|
version_added: '2.8'
|
|
ssl_rootcert:
|
|
description:
|
|
- Specifies the name of a file containing SSL certificate authority (CA)
|
|
certificate(s). If the file exists, the server's certificate will be
|
|
verified to be signed by one of these authorities.
|
|
version_added: '2.8'
|
|
port:
|
|
description:
|
|
- Database port to connect to.
|
|
default: 5432
|
|
session_role:
|
|
version_added: "2.8"
|
|
description: |
|
|
Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
|
|
Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
|
|
state:
|
|
description:
|
|
- The database extension state
|
|
default: present
|
|
choices: [ "present", "absent" ]
|
|
cascade:
|
|
description:
|
|
- Automatically install/remove any extensions that this extension depends on
|
|
that are not already installed/removed (supported since PostgreSQL 9.6).
|
|
type: bool
|
|
default: no
|
|
version_added: '2.8'
|
|
notes:
|
|
- The default authentication assumes that you are either logging in as or sudo'ing to the C(postgres) account on the host.
|
|
- This module uses I(psycopg2), a Python PostgreSQL database adapter. You must ensure that psycopg2 is installed on
|
|
the host before using this module. If the remote host is the PostgreSQL server (which is the default case), then PostgreSQL must also be installed
|
|
on the remote host. For Ubuntu-based systems, install the C(postgresql), C(libpq-dev), and C(python-psycopg2) packages on the remote host before using
|
|
this module.
|
|
requirements: [ psycopg2 ]
|
|
author:
|
|
- "Daniel Schep (@dschep)"
|
|
- "Thomas O'Donnell (@andytom)"
|
|
'''
|
|
|
|
EXAMPLES = '''
|
|
# Adds postgis to the database "acme"
|
|
- postgresql_ext:
|
|
name: postgis
|
|
db: acme
|
|
schema: extensions
|
|
|
|
# Adds earthdistance to the database "template1"
|
|
- postgresql_ext:
|
|
name: earthdistance
|
|
db: template1
|
|
cascade: true
|
|
'''
|
|
import traceback
|
|
|
|
try:
|
|
import psycopg2
|
|
import psycopg2.extras
|
|
except ImportError:
|
|
postgresqldb_found = False
|
|
else:
|
|
postgresqldb_found = True
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
from ansible.module_utils.six import iteritems
|
|
from ansible.module_utils._text import to_native
|
|
from ansible.module_utils.database import pg_quote_identifier
|
|
|
|
|
|
class NotSupportedError(Exception):
|
|
pass
|
|
|
|
|
|
# ===========================================
|
|
# PostgreSQL module specific support methods.
|
|
#
|
|
|
|
def ext_exists(cursor, ext):
|
|
query = "SELECT * FROM pg_extension WHERE extname=%(ext)s"
|
|
cursor.execute(query, {'ext': ext})
|
|
return cursor.rowcount == 1
|
|
|
|
|
|
def ext_delete(cursor, ext, cascade):
|
|
if ext_exists(cursor, ext):
|
|
query = "DROP EXTENSION \"%s\"" % ext
|
|
if cascade:
|
|
query += " CASCADE"
|
|
cursor.execute(query)
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
|
|
def ext_create(cursor, ext, schema, cascade):
|
|
if not ext_exists(cursor, ext):
|
|
query = "CREATE EXTENSION \"%s\"" % ext
|
|
if schema:
|
|
query += " WITH SCHEMA \"%s\"" % schema
|
|
if cascade:
|
|
query += " CASCADE"
|
|
cursor.execute(query)
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
# ===========================================
|
|
# Module execution.
|
|
#
|
|
|
|
|
|
def main():
|
|
module = AnsibleModule(
|
|
argument_spec=dict(
|
|
login_user=dict(default="postgres"),
|
|
login_password=dict(default="", no_log=True),
|
|
login_host=dict(default=""),
|
|
login_unix_socket=dict(default=""),
|
|
port=dict(default="5432"),
|
|
db=dict(required=True),
|
|
ext=dict(required=True, aliases=['name']),
|
|
schema=dict(default=""),
|
|
state=dict(default="present", choices=["absent", "present"]),
|
|
cascade=dict(type='bool', default=False),
|
|
ssl_mode=dict(default='prefer', choices=[
|
|
'disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
|
|
ssl_rootcert=dict(default=None),
|
|
session_role=dict(),
|
|
),
|
|
supports_check_mode=True
|
|
)
|
|
|
|
if not postgresqldb_found:
|
|
module.fail_json(msg="the python psycopg2 module is required")
|
|
|
|
db = module.params["db"]
|
|
ext = module.params["ext"]
|
|
schema = module.params["schema"]
|
|
state = module.params["state"]
|
|
cascade = module.params["cascade"]
|
|
sslrootcert = module.params["ssl_rootcert"]
|
|
session_role = module.params["session_role"]
|
|
changed = False
|
|
|
|
# To use defaults values, keyword arguments must be absent, so
|
|
# check which values are empty and don't include in the **kw
|
|
# dictionary
|
|
params_map = {
|
|
"login_host": "host",
|
|
"login_user": "user",
|
|
"login_password": "password",
|
|
"port": "port",
|
|
"db": "database",
|
|
"ssl_mode": "sslmode",
|
|
"ssl_rootcert": "sslrootcert"
|
|
}
|
|
kw = dict((params_map[k], v) for (k, v) in iteritems(module.params)
|
|
if k in params_map and v != "" and v is not None)
|
|
|
|
# If a login_unix_socket is specified, incorporate it here.
|
|
is_localhost = "host" not in kw or kw["host"] == "" or kw["host"] == "localhost"
|
|
if is_localhost and module.params["login_unix_socket"] != "":
|
|
kw["host"] = module.params["login_unix_socket"]
|
|
|
|
if psycopg2.__version__ < '2.4.3' and sslrootcert is not None:
|
|
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter')
|
|
|
|
try:
|
|
db_connection = psycopg2.connect(**kw)
|
|
# Enable autocommit so we can create databases
|
|
if psycopg2.__version__ >= '2.4.2':
|
|
db_connection.autocommit = True
|
|
else:
|
|
db_connection.set_isolation_level(psycopg2
|
|
.extensions
|
|
.ISOLATION_LEVEL_AUTOCOMMIT)
|
|
cursor = db_connection.cursor(
|
|
cursor_factory=psycopg2.extras.DictCursor)
|
|
|
|
except TypeError as e:
|
|
if 'sslrootcert' in e.args[0]:
|
|
module.fail_json(
|
|
msg='Postgresql server must be at least version 8.4 to support sslrootcert')
|
|
module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())
|
|
|
|
except Exception as e:
|
|
module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc())
|
|
|
|
if session_role:
|
|
try:
|
|
cursor.execute('SET ROLE %s' % pg_quote_identifier(session_role, 'role'))
|
|
except Exception as e:
|
|
module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc())
|
|
|
|
try:
|
|
if module.check_mode:
|
|
if state == "present":
|
|
changed = not ext_exists(cursor, ext)
|
|
elif state == "absent":
|
|
changed = ext_exists(cursor, ext)
|
|
else:
|
|
if state == "absent":
|
|
changed = ext_delete(cursor, ext, cascade)
|
|
|
|
elif state == "present":
|
|
changed = ext_create(cursor, ext, schema, cascade)
|
|
except NotSupportedError as e:
|
|
module.fail_json(msg=to_native(e), exception=traceback.format_exc())
|
|
except Exception as e:
|
|
module.fail_json(msg="Database query failed: %s" % to_native(e), exception=traceback.format_exc())
|
|
|
|
module.exit_json(changed=changed, db=db, ext=ext)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|