mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-25 13:34:01 -07:00 
			
		
		
		
	
		
			
				
	
	
		
			427 lines
		
	
	
	
		
			15 KiB
		
	
	
	
		
			Python
		
	
	
		
			Executable file
		
	
	
	
	
			
		
		
	
	
			427 lines
		
	
	
	
		
			15 KiB
		
	
	
	
		
			Python
		
	
	
		
			Executable file
		
	
	
	
	
| #!/usr/bin/python
 | |
| # -*- coding: utf-8 -*-
 | |
| 
 | |
| # This file is part of Ansible
 | |
| #
 | |
| # Ansible is free software: you can redistribute it and/or modify
 | |
| # it under the terms of the GNU General Public License as published by
 | |
| # the Free Software Foundation, either version 3 of the License, or
 | |
| # (at your option) any later version.
 | |
| #
 | |
| # Ansible is distributed in the hope that it will be useful,
 | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| # GNU General Public License for more details.
 | |
| #
 | |
| # You should have received a copy of the GNU General Public License
 | |
| # along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 | |
| 
 | |
| DOCUMENTATION = '''
 | |
| ---
 | |
| module: postgresql_user
 | |
| short_description: Adds or removes a users (roles) from a PostgreSQL database.
 | |
| description:
 | |
|    - Add or remove PostgreSQL users (roles) from a remote host and, optionally,
 | |
|      grant the users access to an existing database or tables.
 | |
|    - The fundamental function of the module is to create, or delete, roles from
 | |
|      a PostgreSQL cluster. Privilege assignment, or removal, is an optional
 | |
|      step, which works on one database at a time. This allows for the module to
 | |
|      be called several times in the same module to modify the permissions on
 | |
|      different databases, or to grant permissions to already existing users.
 | |
|    - A user cannot be removed untill all the privileges have been stripped from
 | |
|      the user. In such situation, if the module tries to remove the user it
 | |
|      will fail. To avoid this from happening the fail_on_user option signals
 | |
|      the module to try to remove the user, but if not possible keep going; the
 | |
|      module will report if changes happened and separately if the user was
 | |
|      removed or not.
 | |
| version_added: "0.6"
 | |
| options:
 | |
|   name:
 | |
|     description:
 | |
|       - name of the user (role) to add or remove
 | |
|     required: true
 | |
|     default: null
 | |
|   password:
 | |
|     description:
 | |
|       - set the user's password
 | |
|     required: true
 | |
|     default: null
 | |
|   db:
 | |
|     description:
 | |
|       - name of database where permissions will be granted
 | |
|     required: false
 | |
|     default: null
 | |
|   fail_on_user:
 | |
|     description:
 | |
|       - if yes, fail when user can't be removed. Otherwise just log and continue
 | |
|     required: false
 | |
|     default: yes
 | |
|     choices: [ "yes", "no" ]
 | |
|   login_user:
 | |
|     description:
 | |
|       - User (role) used to authenticate with PostgreSQL
 | |
|     required: false
 | |
|     default: postgres
 | |
|   login_password:
 | |
|     description:
 | |
|       - Password used to authenticate with PostgreSQL
 | |
|     required: false
 | |
|     default: null
 | |
|   login_host:
 | |
|     description:
 | |
|       - Host running PostgreSQL.
 | |
|     required: false
 | |
|     default: localhost
 | |
|   priv:
 | |
|     description:
 | |
|       - "PostgreSQL privileges string in the format: C(table:priv1,priv2)"
 | |
|     required: false
 | |
|     default: null
 | |
|   role_attr_flags:
 | |
|     description:
 | |
|       - "PostgreSQL role attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER"
 | |
|     required: false
 | |
|     default: null
 | |
|     choices: [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB",
 | |
|                     "[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION" ]
 | |
|   state:
 | |
|     description:
 | |
|       - The database state
 | |
|     required: false
 | |
|     default: present
 | |
|     choices: [ "present", "absent" ]
 | |
| examples:
 | |
|    - code: "postgresql_user: db=acme user=django password=ceec4eif7ya priv=CONNECT/products:ALL"
 | |
|      description: Create django user and grant access to database and products table
 | |
|    - code: "postgresql_user: user=rails password=secret role_attr_flags=CREATEDB,NOSUPERUSER"
 | |
|      description: Create rails user, grant privilege to create other databases and demote rails from super user status
 | |
|    - code: "postgresql_user: db=acme user=test priv=ALL/products:ALL state=absent fail_on_user=no"
 | |
|      description: Remove test user privileges from acme
 | |
|    - code: "postgresql_user: db=test user=test priv=ALL state=absent"
 | |
|      description: Remove test user from test database and the cluster
 | |
|    - code: INSERT,UPDATE/table:SELECT/anothertable:ALL
 | |
|      description: Example privileges string format
 | |
| notes:
 | |
|    - The default authentication assumes that you are either logging in as or
 | |
|      sudo'ing to the postgres account on the host.
 | |
|    - This module uses psycopg2, a Python PostgreSQL database adapter. You must
 | |
|      ensure that psycopg2 is installed on the host before using this module. If
 | |
|      the remote host is the PostgreSQL server (which is the default case), then
 | |
|      PostgreSQL must also be installed on the remote host. For Ubuntu-based
 | |
|      systems, install the postgresql, libpq-dev, and python-psycopg2 packages
 | |
|      on the remote host before using this module.
 | |
| requirements: [ psycopg2 ]
 | |
| author: Lorin Hochstein
 | |
| '''
 | |
| 
 | |
| import re
 | |
| 
 | |
| try:
 | |
|     import psycopg2
 | |
| except ImportError:
 | |
|     postgresqldb_found = False
 | |
| else:
 | |
|     postgresqldb_found = True
 | |
| 
 | |
| # ===========================================
 | |
| # PostgreSQL module specific support methods.
 | |
| #
 | |
| 
 | |
| 
 | |
| def user_exists(cursor, user):
 | |
|     query = "SELECT rolname FROM pg_roles WHERE rolname=%(user)s"
 | |
|     cursor.execute(query, {'user': user})
 | |
|     return cursor.rowcount > 0
 | |
| 
 | |
| 
 | |
| def user_add(cursor, user, password, role_attr_flags):
 | |
|     """Create a new user with write access to the database"""
 | |
|     query = "CREATE USER %(user)s with PASSWORD '%(password)s' %(role_attr_flags)s"
 | |
|     cursor.execute(query % {"user": user, "password": password, "role_attr_flags": role_attr_flags})
 | |
|     return True
 | |
| 
 | |
| def user_alter(cursor, user, password, role_attr_flags):
 | |
|     """Change user password"""
 | |
|     changed = False
 | |
| 
 | |
|     # Handle passwords.
 | |
|     if password is not None or role_attr_flags is not None:
 | |
|         # Define columns for select.
 | |
|         columns = 'rolpassword,rolsuper,rolinherit,rolcreaterole,rolcreatedb,rolcanlogin,rolreplication'
 | |
|         # Select password and all flag-like columns in order to verify changes.
 | |
|         # rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate |
 | |
|         # rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil
 | |
|         # Not sure how to interpolate properly in python yet...
 | |
|         select = "SELECT " + columns + " FROM pg_authid where rolname=%(user)s"
 | |
|         cursor.execute(select, {"columns": columns, "user": user})
 | |
|         # Grab current role attributes.
 | |
|         current_role_attrs = cursor.fetchone()
 | |
| 
 | |
|         if password is not None:
 | |
|             # Update the role attributes, including password.
 | |
|             alter = "ALTER USER %(user)s WITH PASSWORD '%(password)s' %(role_attr_flags)s"
 | |
|             cursor.execute(alter % {"user": user, "password": password, "role_attr_flags": role_attr_flags})
 | |
|         else:
 | |
|             # Update the role attributes, excluding password.
 | |
|             alter = "ALTER USER %(user)s WITH %(role_attr_flags)s"
 | |
|             cursor.execute(alter % {"user": user, "role_attr_flags": role_attr_flags})
 | |
|         # Grab new role attributes.
 | |
|         cursor.execute(select, {"columns": columns, "user": user})
 | |
|         new_role_attrs = cursor.fetchone()
 | |
| 
 | |
|         # Detect any differences between current_ and new_role_attrs.
 | |
|         for i in range(len(current_role_attrs)):
 | |
|             if current_role_attrs[i] != new_role_attrs[i]:
 | |
|                 changed = True
 | |
| 
 | |
|     return changed
 | |
| 
 | |
| def user_delete(cursor, user):
 | |
|     """Try to remove a user. Returns True if successful otherwise False"""
 | |
|     cursor.execute("SAVEPOINT ansible_pgsql_user_delete")
 | |
|     try:
 | |
|         cursor.execute("DROP USER %s" % user)
 | |
|     except:
 | |
|         cursor.execute("ROLLBACK TO SAVEPOINT ansible_pgsql_user_delete")
 | |
|         cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete")
 | |
|         return False
 | |
| 
 | |
|     cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete")
 | |
|     return True
 | |
| 
 | |
| def has_table_privilege(cursor, user, table, priv):
 | |
|     query = 'SELECT has_table_privilege(%s, %s, %s)'
 | |
|     cursor.execute(query, (user, table, priv))
 | |
|     return cursor.fetchone()[0]
 | |
| 
 | |
| def get_table_privileges(cursor, user, table):
 | |
|     if '.' in table:
 | |
|         schema, table = table.split('.', 1)
 | |
|     else:
 | |
|         schema = 'public'
 | |
|     query = '''SELECT privilege_type FROM information_schema.role_table_grants
 | |
|     WHERE grantee=%s AND table_name=%s AND table_schema=%s'''
 | |
|     cursor.execute(query, (user, table, schema))
 | |
|     return set([x[0] for x in cursor.fetchall()])
 | |
| 
 | |
| 
 | |
| def grant_table_privilege(cursor, user, table, priv):
 | |
|     prev_priv = get_table_privileges(cursor, user, table)
 | |
|     query = 'GRANT %s ON TABLE %s TO %s' % (priv, table, user)
 | |
|     cursor.execute(query)
 | |
|     curr_priv = get_table_privileges(cursor, user, table)
 | |
|     return len(curr_priv) > len(prev_priv)
 | |
| 
 | |
| def revoke_table_privilege(cursor, user, table, priv):
 | |
|     prev_priv = get_table_privileges(cursor, user, table)
 | |
|     query = 'REVOKE %s ON TABLE %s FROM %s' % (priv, table, user)
 | |
|     cursor.execute(query)
 | |
|     curr_priv = get_table_privileges(cursor, user, table)
 | |
|     return len(curr_priv) < len(prev_priv)
 | |
| 
 | |
| 
 | |
| def get_database_privileges(cursor, user, db):
 | |
|     priv_map = {
 | |
|         'C':'CREATE',
 | |
|         'T':'TEMPORARY',
 | |
|         'c':'CONNECT',
 | |
|     }
 | |
|     query = 'SELECT datacl FROM pg_database WHERE datname = %s'
 | |
|     cursor.execute(query, (db,))
 | |
|     datacl = cursor.fetchone()[0]
 | |
|     if datacl is None:
 | |
|         return []
 | |
|     r = re.search('%s=(C?T?c?)/[a-z]+\,?' % user, datacl)
 | |
|     if r is None:
 | |
|         return []
 | |
|     o = []
 | |
|     for v in r.group(1):
 | |
|         o.append(priv_map[v])
 | |
|     return o
 | |
| 
 | |
| def has_database_privilege(cursor, user, db, priv):
 | |
|     query = 'SELECT has_database_privilege(%s, %s, %s)'
 | |
|     cursor.execute(query, (user, db, priv))
 | |
|     return cursor.fetchone()[0]
 | |
| 
 | |
| def grant_database_privilege(cursor, user, db, priv):
 | |
|     prev_priv = get_database_privileges(cursor, user, db)
 | |
|     query = 'GRANT %s ON DATABASE %s TO %s' % (priv, db, user)
 | |
|     cursor.execute(query)
 | |
|     curr_priv = get_database_privileges(cursor, user, db)
 | |
|     return len(curr_priv) > len(prev_priv)
 | |
| 
 | |
| def revoke_database_privilege(cursor, user, db, priv):
 | |
|     prev_priv = get_database_privileges(cursor, user, db)
 | |
|     query = 'REVOKE %s ON DATABASE %s FROM %s' % (priv, db, user)
 | |
|     cursor.execute(query)
 | |
|     curr_priv = get_database_privileges(cursor, user, db)
 | |
|     return len(curr_priv) < len(prev_priv)
 | |
| 
 | |
| def revoke_privileges(cursor, user, privs):
 | |
|     if privs is None:
 | |
|         return False
 | |
| 
 | |
|     changed = False
 | |
|     for type_ in privs:
 | |
|         revoke_func = {
 | |
|             'table':revoke_table_privilege,
 | |
|             'database':revoke_database_privilege
 | |
|         }[type_]
 | |
|         for name, privileges in privs[type_].iteritems():
 | |
|             for privilege in privileges:
 | |
|                 changed = revoke_func(cursor, user, name, privilege)\
 | |
|                         or changed
 | |
| 
 | |
|     return changed
 | |
| 
 | |
| def grant_privileges(cursor, user, privs):
 | |
|     if privs is None:
 | |
|         return False
 | |
| 
 | |
|     changed = False
 | |
|     for type_ in privs:
 | |
|         grant_func = {
 | |
|             'table':grant_table_privilege,
 | |
|             'database':grant_database_privilege
 | |
|         }[type_]
 | |
|         for name, privileges in privs[type_].iteritems():
 | |
|             for privilege in privileges:
 | |
|                 changed = grant_func(cursor, user, name, privilege)\
 | |
|                         or changed
 | |
| 
 | |
|     return changed
 | |
| 
 | |
| def parse_role_attrs(role_attr_flags):
 | |
|     """
 | |
|     Parse role attributes string for user creation.
 | |
|     Format:
 | |
| 
 | |
|         attributes[,attributes,...]
 | |
| 
 | |
|     Where:
 | |
| 
 | |
|         attributes := CREATEDB,CREATEROLE,NOSUPERUSER,...
 | |
|     """
 | |
|     if ',' not in role_attr_flags:
 | |
|         return role_attr_flags
 | |
|     flag_set = role_attr_flags.split(",")
 | |
|     o_flags = " ".join(flag_set)
 | |
|     return o_flags
 | |
| 
 | |
| def parse_privs(privs, db):
 | |
|     """
 | |
|     Parse privilege string to determine permissions for database db.
 | |
|     Format:
 | |
| 
 | |
|         privileges[/privileges/...]
 | |
| 
 | |
|     Where:
 | |
| 
 | |
|         privileges := DATABASE_PRIVILEGES[,DATABASE_PRIVILEGES,...] |
 | |
|             TABLE_NAME:TABLE_PRIVILEGES[,TABLE_PRIVILEGES,...]
 | |
|     """
 | |
|     if privs is None:
 | |
|         return privs
 | |
| 
 | |
|     o_privs = {
 | |
|         'database':{},
 | |
|         'table':{}
 | |
|     }
 | |
|     for token in privs.split('/'):
 | |
|         if ':' not in token:
 | |
|             type_ = 'database'
 | |
|             name = db
 | |
|             priv_set = set(x.strip() for x in token.split(','))
 | |
|         else:
 | |
|             type_ = 'table'
 | |
|             name, privileges = token.split(':', 1)
 | |
|             priv_set = set(x.strip() for x in privileges.split(','))
 | |
| 
 | |
|         o_privs[type_][name] = priv_set
 | |
| 
 | |
|     return o_privs
 | |
| 
 | |
| # ===========================================
 | |
| # Module execution.
 | |
| #
 | |
| 
 | |
| def main():
 | |
|     module = AnsibleModule(
 | |
|         argument_spec=dict(
 | |
|             login_user=dict(default="postgres"),
 | |
|             login_password=dict(default=""),
 | |
|             login_host=dict(default=""),
 | |
|             user=dict(required=True, aliases=['name']),
 | |
|             password=dict(default=None),
 | |
|             state=dict(default="present", choices=["absent", "present"]),
 | |
|             priv=dict(default=None),
 | |
|             db=dict(default=''),
 | |
|             port=dict(default='5432'),
 | |
|             fail_on_user=dict(default='yes'),
 | |
|             role_attr_flags=dict(default='')
 | |
|         )
 | |
|     )
 | |
|     user = module.params["user"]
 | |
|     password = module.params["password"]
 | |
|     state = module.params["state"]
 | |
|     fail_on_user = module.params["fail_on_user"] == 'yes'
 | |
|     db = module.params["db"]
 | |
|     if db == '' and module.params["priv"] is not None:
 | |
|         module.fail_json(msg="privileges require a database to be specified")
 | |
|     privs = parse_privs(module.params["priv"], db)
 | |
|     port = module.params["port"]
 | |
|     role_attr_flags = parse_role_attrs(module.params["role_attr_flags"])
 | |
| 
 | |
|     if not postgresqldb_found:
 | |
|         module.fail_json(msg="the python psycopg2 module is required")
 | |
| 
 | |
|     # To use defaults values, keyword arguments must be absent, so
 | |
|     # check which values are empty and don't include in the **kw
 | |
|     # dictionary
 | |
|     params_map = {
 | |
|         "login_host":"host",
 | |
|         "login_user":"user",
 | |
|         "login_password":"password",
 | |
|         "port":"port",
 | |
|         "db":"database"
 | |
|     }
 | |
|     kw = dict( (params_map[k], v) for (k, v) in module.params.iteritems()
 | |
|               if k in params_map and v != "" )
 | |
|     try:
 | |
|         db_connection = psycopg2.connect(**kw)
 | |
|         cursor = db_connection.cursor()
 | |
|     except Exception, e:
 | |
|         module.fail_json(msg="unable to connect to database: %s" % e)
 | |
| 
 | |
|     kw = dict(user=user)
 | |
|     changed = False
 | |
|     user_removed = False
 | |
|     if state == "present":
 | |
|         if user_exists(cursor, user):
 | |
|             changed = user_alter(cursor, user, password, role_attr_flags)
 | |
|         else:
 | |
|             if password is None:
 | |
|                 msg = "password parameter required when adding a user"
 | |
|                 module.fail_json(msg=msg)
 | |
|             changed = user_add(cursor, user, password, role_attr_flags)
 | |
|         changed = grant_privileges(cursor, user, privs) or changed
 | |
|     else:
 | |
|         if user_exists(cursor, user):
 | |
|             changed = revoke_privileges(cursor, user, privs)
 | |
|             user_removed = user_delete(cursor, user)
 | |
|             changed = changed or user_removed
 | |
|             if fail_on_user and not user_removed:
 | |
|                 msg = "unable to remove user"
 | |
|                 module.fail_json(msg=msg)
 | |
|             kw['user_removed'] = user_removed
 | |
| 
 | |
|     if changed:
 | |
|         db_connection.commit()
 | |
| 
 | |
|     kw['changed'] = changed
 | |
|     module.exit_json(**kw)
 | |
| 
 | |
| # this is magic, see lib/ansible/module_common.py
 | |
| #<<INCLUDE_ANSIBLE_MODULE_COMMON>>
 | |
| main()
 |