community.general.postgresql_membership module (version 0.1.4): Add or remove PostgreSQL roles from groups
Authors: Andrew Klychkov (@Andersson007)
Install with: ansible-galaxy collection install community.general:==0.1.4
To pin the collection in a requirements file:
  collections:
    - name: community.general
      version: 0.1.4
Adds or removes PostgreSQL roles from groups (other roles).
Users are roles with the LOGIN privilege.
Groups are PostgreSQL roles, usually without the LOGIN privilege.
Common use case:
1) add a new group (or groups) with the M(postgresql_user) module, using I(role_attr_flags=NOLOGIN)
2) grant the group the desired privileges with the M(postgresql_privs) module
3) add the desired PostgreSQL users to the new group (or groups) with this module
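The three steps above as one complete playbook. This is an added example, not part of the module documentation; the host group dbservers, the database appdb, the group read_only, the users alice and bob, and the privilege set are constructed for illustration. Because the group holds the privileges and the users only hold membership, access is revoked later by removing the membership rather than by touching grants on individual objects.

```yaml
# Added example playbook (not from the module documentation).
# Assumes the play runs as the local postgres OS user so that the default
# login_user=postgres can authenticate over the Unix socket.
- name: Create a read-only group and add users to it
  hosts: dbservers
  become: true
  become_user: postgres
  vars:
    ro_group: read_only      # constructed group name
    app_db: appdb            # constructed database name
    ro_users:                # constructed user names
      - alice
      - bob
  tasks:
    # Step 1: the group is a role that cannot log in by itself
    - name: Create the group role without LOGIN
      community.general.postgresql_user:
        name: "{{ ro_group }}"
        role_attr_flags: NOLOGIN

    # Step 2: privileges are granted to the group, never to individual users
    - name: Grant SELECT on all tables in the public schema to the group
      community.general.postgresql_privs:
        db: "{{ app_db }}"
        roles: "{{ ro_group }}"
        type: table
        objs: ALL_IN_SCHEMA
        schema: public
        privs: SELECT

    # Step 3: membership is what gives each user the group's privileges
    - name: Add the users to the group
      community.general.postgresql_membership:
        db: "{{ app_db }}"
        group: "{{ ro_group }}"
        target_roles: "{{ ro_users }}"
        state: present
      register: membership

    # The module returns the GRANT statements it ran, which is useful for change records
    - name: Show what was granted and the statements that were executed
      ansible.builtin.debug:
        msg:
          granted: "{{ membership.granted }}"
          queries: "{{ membership.queries }}"
```

Rerunning the play is safe: each task is idempotent, so a user already in the group produces no new GRANT and the play reports no change.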
Examples:
  - name: Grant role read_only to alice and bob
    postgresql_membership:
      group: read_only
      target_roles:
        - alice
        - bob
      state: present

  # you can also use target_roles: alice,bob,etc to pass the role list
  - name: Revoke role read_only and exec_func from bob. Ignore if roles don't exist
    postgresql_membership:
      groups:
        - read_only
        - exec_func
      target_role: bob
      fail_on_role: no
      state: absent
Parameters:

db (aliases: login_db), type: str
  Name of database to connect to.

port (aliases: login_port), type: int, default: 5432
  Database port to connect to.

state, type: str, choices: absent, present; default: present
  Membership state.
  I(state=present) implies the I(groups) must be granted to I(target_roles).
  I(state=absent) implies the I(groups) must be revoked from I(target_roles).

groups (aliases: group, source_role, source_roles), type: list of str, required
  The list of groups (roles) that need to be granted to or revoked from I(target_roles).

ca_cert (aliases: ssl_rootcert), type: str
  Specifies the name of a file containing SSL certificate authority (CA) certificate(s).
  If the file exists, the server's certificate will be verified to be signed by one of these authorities.

ssl_mode, type: str, choices: allow, disable, prefer, require, verify-ca, verify-full; default: prefer
  Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server.
  See U(https://www.postgresql.org/docs/current/static/libpq-ssl.html) for more information on the modes.
  The default of C(prefer) matches the libpq default.

login_host, type: str
  Host running the database.

login_user, type: str, default: postgres
  The username used to authenticate with.

trust_input, type: bool, default: true (added in community.general 0.2.0)
  If C(no), check whether values of parameters I(groups), I(target_roles), I(session_role) are potentially dangerous.
  It makes sense to use C(yes) only when SQL injections via the parameters are possible.

fail_on_role, type: bool, default: true
  If C(yes), fail when a group or target_role doesn't exist. If C(no), just warn and continue.

session_role, type: str
  Switch to session_role after connecting.
  The specified session_role must be a role that the current login_user is a member of.
  Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.

target_roles (aliases: target_role, users, user), type: list of str, required
  The list of target roles (groups will be granted to them).

login_password, type: str
  The password used to authenticate with.

login_unix_socket, type: str
  Path to a Unix domain socket for local connections.
Return values:

granted, type: dict, returned: if I(state=present)
  Dict of granted groups and roles.
  sample:
    ro_group:
      - alice
      - bob

queries, type: str, returned: always
  List of executed queries.
  sample:
    - GRANT "user_ro" TO "alice"

revoked, type: dict, returned: if I(state=absent)
  Dict of revoked groups and roles.
  sample:
    ro_group:
      - alice
      - bob

state, type: str, returned: always
  Membership state that tried to be set.
  sample: present
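The return values above are what a play should verify after a revocation, rather than assuming the module succeeded. This added example (not part of the module documentation) removes a user from two groups and asserts on I(revoked), I(state) and I(queries); the host group dbservers and the role names are constructed. It also sets I(trust_input) to C(no) so the role names are checked before they are placed into REVOKE statements; that parameter is documented as added in community.general 0.2.0, so drop the line on 0.1.4.

```yaml
# Added example playbook (not from the module documentation).
- name: Revoke group membership and verify the result
  hosts: dbservers
  become: true
  become_user: postgres
  tasks:
    - name: Remove bob from read_only and exec_func
      community.general.postgresql_membership:
        groups:
          - read_only     # constructed group names
          - exec_func
        target_roles: bob # constructed user name
        state: absent
        fail_on_role: false   # warn instead of failing if one of the roles does not exist
        trust_input: false    # validate the role names (parameter added in 0.2.0)
      register: result

    # revoked is only present for state=absent; queries and state are always returned
    - name: Fail unless the module reports bob as revoked from read_only
      ansible.builtin.assert:
        that:
          - result.state == 'absent'
          - "'bob' in (result.revoked.read_only | default([]))"
        fail_msg: "Expected bob to be revoked from read_only, module returned {{ result.revoked | default({}) }}"

    # The executed statements are the audit record of the change
    - name: Log the exact REVOKE statements that were executed
      ansible.builtin.debug:
        var: result.queries
```

With I(fail_on_role=no) a missing group is only warned about, which is why the assert, not the module, is what guards the expected end state.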