From 23531e0c73f4611f39e46eeee783639c0ddb9c95 Mon Sep 17 00:00:00 2001
From: Benjamin Goldenberg
Date: Wed, 15 Jun 2016 13:48:48 -0700
Subject: [PATCH 1/9] Create new task to manage object permissions using builtin postgresql_privs module
---
tasks/main.yml | 3 +++
tasks/privs.yml | 29 +++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 tasks/privs.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index 58e3e3d89..6a722001d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -29,6 +29,9 @@
 - include: users_privileges.yml
 tags: [postgresql, postgresql-users]
+- include: privs.yml
+ tags: [postgresql, postgresql-users]
+
 - include: monit.yml
 when: monit_protection is defined and monit_protection == true
 tags: [postgresql, postgresql-monit]
diff --git a/tasks/privs.yml b/tasks/privs.yml
new file mode 100644
index 000000000..88bde408c
--- /dev/null
+++ b/tasks/privs.yml
@@ -0,0 +1,29 @@
+# file: postgresql/tasks/privs.yml
+
+- name: PostgreSQL | Ensure PostgreSQL is running
+ service:
+ name: "{{ postgresql_service_name }}"
+ state: started
+
+# Iterate over postgresql_privileges to grant and revoke privileges
+# on objects using the built in module
+# http://docs.ansible.com/ansible/postgresql_privs_module.html
+- name: PostgreSQL | Update the privileges
+ postgresql_privs:
+ db: "{{item.db}}"
+ login_host: "{{item.host | default(omit)}}"
+ login_user: "{{postgresql_admin_user}}"
+ port: "{{postgresql_port}}"
+
+ grant_option: "{{item.grant_option | default(omit)}}"
+ objs: "{{item.objs | default(omit)}}"
+ privs: "{{item.privs | default(omit)}}"
+ roles: "{{item.roles}}"
+ schema: "{{item.schema | default(omit)}}"
+
+ state: "{{item.state | default(omit)}}"
+ type: "{{item.type | default(omit)}}"
+ become: yes
+ become_user: "{{postgresql_admin_user}}"
+ with_items: "{{postgresql_privileges}}"
+ when: "{{postgresql_privileges|length > 0}}"
From 1a6f27bd0d7e44986f7601858de7e143d6a55a05 Mon Sep 17 00:00:00 2001
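Review bot: The last line of the new task, `when: "{{postgresql_privileges|length > 0}}"`, wraps the conditional in Jinja delimiters, which Ansible reports with its "conditional statements should not include jinja2 templating delimiters" warning; the existing user-privileges task in tasks/users_privileges.yml (visible as context in patch 4/9) writes the same check as a bare expression, so `when: postgresql_privileges|length > 0` would be consistent, and since `with_items` over an empty list already yields no iterations the line could also simply be dropped. The same task is re-added unchanged in tasks/users_privileges.yml by patch 4/9 (hunk `@@ -14,3 +19,26 @@`), where the same change applies. `become: yes` is a YAML 1.1 truthy spelling; `become: true` is the canonical form. Because `state` is passed through with `default(omit)`, an entry that leaves it out is applied with the module's default rather than revoked, so the comment above the task should say that revocations need an explicit `state: absent`.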
From: Benjamin Goldenberg
Date: Wed, 15 Jun 2016 14:08:24 -0700
Subject: [PATCH 2/9] Add README.md
---
README.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/README.md b/README.md
index 55f90c806..51d9f863b 100644
--- a/README.md
+++ b/README.md
@@ -60,6 +60,20 @@ postgresql_user_privileges:
 db: foobar # database
 priv: "ALL" # privilege string format: example: INSERT,UPDATE/table:SELECT/anothertable:ALL
 role_attr_flags: "CREATEDB" # role attribute flags
+
+# List of object privileges to be applied (optional)
+postgresql_privileges:
+ - db: foobar
+ objs: table1
+ role: baz
+ privs: SELECT,INSERT,UPDATE
+ schema: public
+ - db: foobar
+ obj: public
+ role: baz
+ state: absent # revoke privilege
+ type: schema # on all objects in schema
+ priv: INSERT,UPDATE
 ```
 There's a lot more knobs and bolts to set, which you can find in the defaults/main.yml
From b0e8f7bd3a0ac728fd15b6ec563bf5b7868e3ffe Mon Sep 17 00:00:00 2001
From: Benjamin Goldenberg
Date: Wed, 15 Jun 2016 14:08:52 -0700
Subject: [PATCH 3/9] De-plurify parameters
---
tasks/privs.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tasks/privs.yml b/tasks/privs.yml
index 88bde408c..b7fd7bec3 100644
--- a/tasks/privs.yml
+++ b/tasks/privs.yml
@@ -16,9 +16,9 @@
 port: "{{postgresql_port}}"
 grant_option: "{{item.grant_option | default(omit)}}"
- objs: "{{item.objs | default(omit)}}"
- privs: "{{item.privs | default(omit)}}"
- roles: "{{item.roles}}"
+ obj: "{{item.obj | default(omit)}}"
+ priv: "{{item.priv | default(omit)}}"
+ role: "{{item.role}}"
 schema: "{{item.schema | default(omit)}}"
 state: "{{item.state | default(omit)}}"
From 3163ce0521f6f33330a4197362200e8cefda2ffe Mon Sep 17 00:00:00 2001
From: Benjamin Goldenberg
Date: Wed, 15 Jun 2016 14:09:35 -0700
Subject: [PATCH 4/9] Consolidate into users_privileges.yml
---
tasks/privs.yml | 29 -----------------------------
tasks/users_privileges.yml | 28 ++++++++++++++++++++++++++++
2 files changed, 28 insertions(+), 29 deletions(-)
delete mode 100644 tasks/privs.yml
diff --git a/tasks/privs.yml b/tasks/privs.yml
deleted file mode 100644
index b7fd7bec3..000000000
--- a/tasks/privs.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# file: postgresql/tasks/privs.yml
-
-- name: PostgreSQL | Ensure PostgreSQL is running
- service:
- name: "{{ postgresql_service_name }}"
- state: started
-
-# Iterate over postgresql_privileges to grant and revoke privileges
-# on objects using the built in module
-# http://docs.ansible.com/ansible/postgresql_privs_module.html
-- name: PostgreSQL | Update the privileges
- postgresql_privs:
- db: "{{item.db}}"
- login_host: "{{item.host | default(omit)}}"
- login_user: "{{postgresql_admin_user}}"
- port: "{{postgresql_port}}"
-
- grant_option: "{{item.grant_option | default(omit)}}"
- obj: "{{item.obj | default(omit)}}"
- priv: "{{item.priv | default(omit)}}"
- role: "{{item.role}}"
- schema: "{{item.schema | default(omit)}}"
-
- state: "{{item.state | default(omit)}}"
- type: "{{item.type | default(omit)}}"
- become: yes
- become_user: "{{postgresql_admin_user}}"
- with_items: "{{postgresql_privileges}}"
- when: "{{postgresql_privileges|length > 0}}"
diff --git a/tasks/users_privileges.yml b/tasks/users_privileges.yml
index 94aaea245..ca9f55f54 100644
--- a/tasks/users_privileges.yml
+++ b/tasks/users_privileges.yml
@@ -1,5 +1,10 @@
 # file: postgresql/tasks/users_privileges.yml
+- name: PostgreSQL | Ensure PostgreSQL is running
+ service:
+ name: "{{ postgresql_service_name }}"
+ state: started
+
+- name: PostgreSQL | Update the user privileges
 postgresql_user:
 name: "{{item.name}}"
@@ -14,3 +19,26 @@
 become_user: "{{postgresql_admin_user}}"
 with_items: "{{postgresql_user_privileges}}"
 when: postgresql_users|length > 0
+
+# Iterate over postgresql_privileges to grant and revoke privileges
+# on objects using the built in module
+# http://docs.ansible.com/ansible/postgresql_privs_module.html
+- name: PostgreSQL | Update the privileges
+ postgresql_privs:
+ db: "{{item.db}}"
+ login_host: "{{item.host | default(omit)}}"
+ login_user: "{{postgresql_admin_user}}"
+ port: "{{postgresql_port}}"
+
+ grant_option: "{{item.grant_option | default(omit)}}"
+ obj: "{{item.obj | default(omit)}}"
+ priv: "{{item.priv | default(omit)}}"
+ role: "{{item.role}}"
+ schema: "{{item.schema | default(omit)}}"
+
+ state: "{{item.state | default(omit)}}"
+ type: "{{item.type | default(omit)}}"
+ become: yes
+ become_user: "{{postgresql_admin_user}}"
+ with_items: "{{postgresql_privileges}}"
+ when: "{{postgresql_privileges|length > 0}}"
From cb6c830c9ba80c144688dea3d9fb6ea03b32ece7 Mon Sep 17 00:00:00 2001
From: Benjamin Goldenberg
Date: Wed, 15 Jun 2016 14:13:31 -0700
Subject: [PATCH 5/9] Drop privs.yml from main.yml tasks
---
tasks/main.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 6a722001d..58e3e3d89 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -29,9 +29,6 @@
 - include: users_privileges.yml
 tags: [postgresql, postgresql-users]
-- include: privs.yml
- tags: [postgresql, postgresql-users]
-
 - include: monit.yml
 when: monit_protection is defined and monit_protection == true
 tags: [postgresql, postgresql-monit]
From 4883515ef7948a75239388a15c2c2df1922dc664 Mon Sep 17 00:00:00 2001
From: Benjamin Goldenberg
Date: Wed, 15 Jun 2016 14:32:59 -0700
Subject: [PATCH 6/9] Update tests with postgresql_privileges and fix plurals in README
---
README.md | 4 ++--
tests/vars.yml | 8 ++++++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 51d9f863b..c77e76ebf 100644
--- a/README.md
+++ b/README.md
@@ -64,9 +64,9 @@ postgresql_user_privileges:
 # List of object privileges to be applied (optional)
 postgresql_privileges:
 - db: foobar
- objs: table1
+ obj: table1
 role: baz
- privs: SELECT,INSERT,UPDATE
+ priv: SELECT,INSERT,UPDATE
 schema: public
 - db: foobar
 obj: public
diff --git a/tests/vars.yml b/tests/vars.yml
index 57b98bec1..45307925f 100644
--- a/tests/vars.yml
+++ b/tests/vars.yml
@@ -17,5 +17,9 @@ postgresql_users:
 - name: zabaz
 postgresql_user_privileges:
- - name: baz
- db: foobar
+ - db: foobar
+ obj: public
+ role: baz
+ state: present
+ type: schema
+ priv: SELECT,INSERT,UPDATE
From fbf7788a13ac1aa3096d3e689df7a8ec4e3d4958 Mon Sep 17 00:00:00 2001
From: Benjamin Goldenberg
Date: Wed, 15 Jun 2016 14:44:43 -0700
Subject: [PATCH 7/9] Second try at fixing tests
---
tests/vars.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/vars.yml b/tests/vars.yml
index 45307925f..3241618d9 100644
--- a/tests/vars.yml
+++ b/tests/vars.yml
@@ -17,6 +17,10 @@ postgresql_users:
 - name: zabaz
 postgresql_user_privileges:
+ - name: baz
+ db: foobar
+
+postgresql_privileges:
 - db: foobar
 obj: public
 role: baz
From 1455cfa8aac07dfb1531a4cf2a79a2d02dc02825 Mon Sep 17 00:00:00 2001
From: Benjamin Goldenberg
Date: Wed, 15 Jun 2016 15:02:15 -0700
Subject: [PATCH 8/9] Change test to grant CREATE,USAGE since it's a schema
---
tests/vars.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/vars.yml b/tests/vars.yml
index 3241618d9..810bad55a 100644
--- a/tests/vars.yml
+++ b/tests/vars.yml
@@ -26,4 +26,4 @@ postgresql_privileges:
 role: baz
 state: present
 type: schema
- priv: SELECT,INSERT,UPDATE
+ priv: CREATE,USAGE
From 9520ca87ce7cc23c043711ea597af1319a644457 Mon Sep 17 00:00:00 2001
From: Benjamin Goldenberg
Date: Wed, 15 Jun 2016 15:44:26 -0700
Subject: [PATCH 9/9] Add postgresql_privileges to defaults/main.yml
---
defaults/main.yml | 3 +++
1 file changed, 3 insertions(+)
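Review bot: After the `priv: CREATE,USAGE` change, tests/vars.yml exercises only the grant path of the new task: a single entry with `state: present`, `type: schema` and an explicit `obj`. The revoke path (`state: absent`, which README.md documents) and the path where `type`, `schema` and `obj` are omitted and fall through `default(omit)` are not covered by any entry, so a regression in that plumbing would not fail the test run. A second entry for another object with `state: absent`, and one that relies on the omitted defaults, would close both gaps.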
diff --git a/defaults/main.yml b/defaults/main.yml
index fda3adc35..c392e6def 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,6 +38,9 @@ postgresql_users: []
 # List of user privileges to be applied (optional)
 postgresql_user_privileges: []
+# List of object privileges to be applied (optional)
+postgresql_privileges: []
+
 # pg_hba.conf
 postgresql_pg_hba_default:
 - { type: local, database: all, user: '{{ postgresql_admin_user }}', address: '', method: '{{ postgresql_default_auth_method }}', comment: '' }
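Review bot: The new `postgresql_privileges: []` default carries only a one-line comment, while the task that consumes it reads `item.db` and `item.role` unconditionally and treats `obj`, `priv`, `schema`, `type`, `state`, `grant_option` and `host` as optional, so a reader of defaults/main.yml cannot see which keys an entry must carry. Extending the comment to something like `# List of object privileges to be applied (optional). Each item needs db and role;` / `# obj, priv, schema, type, state (present|absent), grant_option and host are optional.` would document the contract next to the default. Since an entry without `state` is applied with the module's default rather than revoked, the comment should also say that revocations require an explicit `state: absent`.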