community.general.postgresql_membership (1.3.14) — module

Add or remove PostgreSQL roles from groups

Authors: Andrew Klychkov (@Andersson007)

Install collection

Install with ansible-galaxy collection install community.general:==1.3.14


Add to requirements.yml

  collections:
    - name: community.general
      version: 1.3.14

Description

Adds or removes PostgreSQL roles from groups (other roles).

Users are roles with login privilege.

Groups are PostgreSQL roles usually without LOGIN privilege.

Common use case:

1) add a new group (or groups) with the M(community.general.postgresql_user) module, using I(role_attr_flags=NOLOGIN)

2) grant the group the desired privileges with the M(community.general.postgresql_privs) module

3) add the desired PostgreSQL users to the new group (or groups) with this module
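The three steps above as one playbook, added here as an illustration rather than taken from the collection's documentation; the database appdb, the group app_ro, the users alice and bob and the host group dbservers are constructed names, and each task uses only parameters documented for its module.

```yaml
# Added example (not from the module docs); appdb, app_ro, alice, bob and
# dbservers are constructed names.
- name: Provision a read-only group and add users to it
  hosts: dbservers
  become: true
  become_user: postgres
  tasks:
    # 1) create the group as a role without LOGIN privilege
    - name: Create NOLOGIN group role app_ro
      community.general.postgresql_user:
        name: app_ro
        role_attr_flags: NOLOGIN
        state: present

    # 2) grant the group the privileges its members should inherit
    - name: Allow app_ro to use the public schema in appdb
      community.general.postgresql_privs:
        database: appdb
        type: schema
        objs: public
        roles: app_ro
        privs: USAGE
        state: present

    - name: Grant SELECT on all tables in public to app_ro
      community.general.postgresql_privs:
        database: appdb
        schema: public
        type: table
        objs: ALL_IN_SCHEMA
        roles: app_ro
        privs: SELECT
        state: present

    # 3) make the login users members of the group; trust_input: false asks
    #    the module to check the names, which here come from a variable
    - name: Add alice and bob to app_ro
      community.general.postgresql_membership:
        groups: app_ro
        target_roles: "{{ ro_users }}"
        trust_input: false
        state: present
      vars:
        ro_users:
          - alice
          - bob
```

Granting USAGE on the schema before SELECT on its tables matters: without it the members can see the tables in the catalog but cannot read them.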


Requirements

Usage examples

- name: Grant role read_only to alice and bob
  community.general.postgresql_membership:
    group: read_only
    target_roles:
    - alice
    - bob
    state: present
# you can also use target_roles: alice,bob,etc to pass the role list

- name: Revoke role read_only and exec_func from bob. Ignore if roles don't exist
  community.general.postgresql_membership:
    groups:
    - read_only
    - exec_func
    target_role: bob
    fail_on_role: no
    state: absent

Inputs

db:
    aliases:
    - login_db
    description:
    - Name of database to connect to.
    type: str

port:
    aliases:
    - login_port
    default: 5432
    description:
    - Database port to connect to.
    type: int

state:
    choices:
    - absent
    - present
    default: present
    description:
    - Membership state.
    - I(state=present) implies the I(groups) must be granted to I(target_roles).
    - I(state=absent) implies the I(groups) must be revoked from I(target_roles).
    type: str

groups:
    aliases:
    - group
    - source_role
    - source_roles
    description:
    - The list of groups (roles) that need to be granted to or revoked from I(target_roles).
    elements: str
    required: true
    type: list

ca_cert:
    aliases:
    - ssl_rootcert
    description:
    - Specifies the name of a file containing SSL certificate authority (CA) certificate(s).
    - If the file exists, the server's certificate will be verified to be signed by one
      of these authorities.
    type: str

ssl_mode:
    choices:
    - allow
    - disable
    - prefer
    - require
    - verify-ca
    - verify-full
    default: prefer
    description:
    - Determines whether or with what priority a secure SSL TCP/IP connection will be
      negotiated with the server.
    - See U(https://www.postgresql.org/docs/current/static/libpq-ssl.html) for more information
      on the modes.
    - Default of C(prefer) matches libpq default.
    type: str

login_host:
    description:
    - Host running the database.
    type: str

login_user:
    default: postgres
    description:
    - The username used to authenticate with.
    type: str

trust_input:
    default: true
    description:
    - If C(no), check whether values of parameters I(groups), I(target_roles), I(session_role)
      are potentially dangerous.
    - It makes sense to use C(no) only when SQL injections via the parameters are possible.
    type: bool
    version_added: 0.2.0
    version_added_collection: community.general

fail_on_role:
    default: true
    description:
    - If C(yes), fail when group or target_role doesn't exist. If C(no), just warn and
      continue.
    type: bool

session_role:
    description:
    - Switch to session_role after connecting. The specified session_role must be a role
      that the current login_user is a member of.
    - Permissions checking for SQL commands is carried out as though the session_role
      were the one that had logged in originally.
    type: str

target_roles:
    aliases:
    - target_role
    - users
    - user
    description:
    - The list of target roles (groups will be granted to them).
    elements: str
    required: true
    type: list

login_password:
    description:
    - The password used to authenticate with.
    type: str

login_unix_socket:
    description:
    - Path to a Unix domain socket for local connections.
    type: str

Outputs

granted:
  description: Dict of granted groups and roles.
  returned: if I(state=present)
  sample:
    ro_group:
    - alice
    - bob
  type: dict
queries:
  description: List of executed queries.
  returned: always
  sample:
  - GRANT "user_ro" TO "alice"
  type: str
revoked:
  description: Dict of revoked groups and roles.
  returned: if I(state=absent)
  sample:
    ro_group:
    - alice
    - bob
  type: dict
state:
  description: Membership state that tried to be set.
  returned: always
  sample: present
  type: str

See also