ANXS · goldenberg · Jun 15, 2016 · Jun 15, 2016 · Jun 15, 2016 · Jun 15, 2016
diff --git a/README.md b/README.md
@@ -60,6 +60,20 @@ postgresql_user_privileges:
     db: foobar                  # database
     priv: "ALL"                 # privilege string format: example: INSERT,UPDATE/table:SELECT/anothertable:ALL
     role_attr_flags: "CREATEDB" # role attribute flags
+
+# List of object privileges to be applied (optional)
+postgresql_privileges:
+  - db: foobar
+    obj: table1
+    role: baz
+    priv: SELECT,INSERT,UPDATE
+    schema: public
+  - db: foobar
+    obj: public
+    role: baz
+    state: absent       # revoke privilege
+    type: schema        # on all objects in schema
+    priv: INSERT,UPDATE
 ```
 
 There's a lot more knobs and bolts to set, which you can find in the defaults/main.yml

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -38,6 +38,9 @@ postgresql_users: []
 # List of user privileges to be applied (optional)
 postgresql_user_privileges: []
 
+# List of object privileges to be applied (optional)
+postgresql_privileges: []
+
 # pg_hba.conf
 postgresql_pg_hba_default:
   - { type: local, database: all, user: '{{ postgresql_admin_user }}', address: '', method: '{{ postgresql_default_auth_method }}', comment: '' }

diff --git a/tasks/users_privileges.yml b/tasks/users_privileges.yml
@@ -1,5 +1,10 @@
 # file: postgresql/tasks/users_privileges.yml
 
+- name: PostgreSQL | Ensure PostgreSQL is running
+  service:
+    name: "{{ postgresql_service_name }}"
+    state: started
+
 - name: PostgreSQL | Update the user privileges
   postgresql_user:
     name: "{{item.name}}"
@@ -14,3 +19,26 @@
   become_user: "{{postgresql_admin_user}}"
   with_items: "{{postgresql_user_privileges}}"
   when: postgresql_users|length > 0
+
+# Iterate over postgresql_privileges to grant and revoke privileges
+# on objects using the built in module
+# http://docs.ansible.com/ansible/postgresql_privs_module.html
+- name: PostgreSQL | Update the privileges
+  postgresql_privs:
+    db: "{{item.db}}"
+    login_host: "{{item.host | default(omit)}}"
+    login_user: "{{postgresql_admin_user}}"
+    port: "{{postgresql_port}}"
+
+    grant_option: "{{item.grant_option | default(omit)}}"
+    obj: "{{item.obj | default(omit)}}"
+    priv: "{{item.priv | default(omit)}}"
+    role: "{{item.role}}"
+    schema: "{{item.schema | default(omit)}}"
+
+    state: "{{item.state | default(omit)}}"
+    type: "{{item.type | default(omit)}}"
+  become: yes
+  become_user: "{{postgresql_admin_user}}"
+  with_items: "{{postgresql_privileges}}"
+  when: "{{postgresql_privileges|length > 0}}"
diff --git a/tests/vars.yml b/tests/vars.yml
@@ -19,3 +19,11 @@ postgresql_users:
 postgresql_user_privileges:
   - name: baz
     db: foobar
+
+postgresql_privileges:
+  - db: foobar
+    obj: public
+    role: baz
+    state: present
+    type: schema
+    priv: CREATE,USAGE