Added the functionality of assigning roles to users and few improveme…

…nts (#439)
vitabaks · Aug 17, 2023 · b996948 · b996948
1 parent be50ad3
commit b996948
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 9 deletions.
diff --git a/config_pgcluster.yml b/config_pgcluster.yml
@@ -323,3 +323,17 @@
         - pg_pending_restart_settings | length > 0
   tags:
     - patroni_conf
+
+- name: config_pgcluster.yml | PostgreSQL Cluster Info
+  hosts: postgres_cluster
+  become: true
+  become_method: sudo
+  gather_facts: true
+  any_errors_fatal: true
+  vars_files:
+    - vars/main.yml
+    - vars/system.yml
+
+  roles:
+    # finish (info)
+    - role: deploy-finish
diff --git a/roles/deploy-finish/tasks/main.yml b/roles/deploy-finish/tasks/main.yml
@@ -3,24 +3,26 @@
 - name: Make sure handlers are flushed immediately
   ansible.builtin.meta: flush_handlers
 
+# users info
 - block:
-    - name: Check postgresql cluster health
+    - name: Get postgresql users list
       run_once: true
       become: true
       become_user: postgres
-      ansible.builtin.command: patronictl -c /etc/patroni/patroni.yml list
-      register: patronictl_result
-      environment:
-        PATH: "{{ ansible_env.PATH }}:/usr/bin:/usr/local/bin"
+      ansible.builtin.command:
+        "{{ postgresql_bin_dir }}/psql -p {{ postgresql_port }} -U {{ patroni_superuser_username }} -d postgres -c\"\\du\""
+      register: users_result
+      delegate_to: "{{ groups.master[0] }}"
       changed_when: false
 
-    - name: PostgreSQL Cluster health
+    - name: PostgreSQL list of users
       run_once: true
       ansible.builtin.debug:
-        var: patronictl_result.stdout_lines
+        var: users_result.stdout_lines
   ignore_errors: true
-  tags: patroni_status, cluster_info, cluster_status, point_in_time_recovery
+  tags: users, users_list, cluster_info, cluster_status, point_in_time_recovery
 
+# databases info
 - block:
     - name: Get postgresql database list
       run_once: true
@@ -59,6 +61,26 @@
   ignore_errors: true
   tags: databases, db_list, cluster_info, cluster_status, point_in_time_recovery
 
+# cluster info
+- block:
+    - name: Check postgresql cluster health
+      run_once: true
+      become: true
+      become_user: postgres
+      ansible.builtin.command: patronictl -c /etc/patroni/patroni.yml list
+      register: patronictl_result
+      environment:
+        PATH: "{{ ansible_env.PATH }}:/usr/bin:/usr/local/bin"
+      changed_when: false
+
+    - name: PostgreSQL Cluster health
+      run_once: true
+      ansible.builtin.debug:
+        var: patronictl_result.stdout_lines
+  ignore_errors: true
+  tags: patroni_status, cluster_info, cluster_status, point_in_time_recovery
+
+# connection info
 - block:  # if cluster_vip is defined
     - name: PostgreSQL Cluster connection info
       run_once: true

diff --git a/roles/postgresql-users/tasks/main.yml b/roles/postgresql-users/tasks/main.yml
@@ -21,4 +21,23 @@
   when: postgresql_users is defined and postgresql_users | length > 0
   tags: postgresql_users
 
+- name: Grant roles to users
+  community.postgresql.postgresql_membership:
+    group: "{{ item.role | default('') }}"
+    target_role: "{{ item.name }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ postgresql_port }}"
+    login_user: "{{ patroni_superuser_username }}"
+    login_password: "{{ patroni_superuser_password }}"
+    state: present
+  ignore_errors: true
+  loop: "{{ postgresql_users | flatten(1) }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when:
+    - postgresql_users is defined
+    - postgresql_users | length > 0
+    - item.role | default('') | length > 0
+  tags: postgresql_users
+
 ...
diff --git a/vars/main.yml b/vars/main.yml
@@ -140,7 +140,8 @@ postgresql_password_encryption_algorithm: "scram-sha-256"  # or "md5" if your cl
 
 # (optional) list of users to be created (if not already exists)
 postgresql_users:
-  - { name: "{{ pgbouncer_auth_username }}", password: "{{ pgbouncer_auth_password }}", flags: "LOGIN" }
+  - { name: "{{ pgbouncer_auth_username }}", password: "{{ pgbouncer_auth_password }}", flags: "LOGIN", role: "" }
+#  - { name: "monitoring_auth_username", password: "monitoring_user_password", flags: "LOGIN", role: "pg_monitor" } # monitoring Service Account
 #  - { name: "mydb-user", password: "mydb-user-pass", flags: "SUPERUSER" }
 #  - { name: "", password: "", flags: "NOSUPERUSER" }
 #  - { name: "", password: "", flags: "NOSUPERUSER" }