diff --git a/README.md b/README.md
index d283d092..363c34c2 100644
--- a/README.md
+++ b/README.md
@@ -60,6 +60,13 @@ postgresql_user_privileges:
 db: foobar # database
 priv: "ALL" # privilege string format: example: INSERT,UPDATE/table:SELECT/anothertable:ALL
 role_attr_flags: "CREATEDB" # role attribute flags
+
+# List of database privileges to be applied (optional)
+postgresql_db_privileges:
+ - db: foobar # database
+ roles: baz # roles for grant or revoke privileges
+ objs: "ALL_IN_SCHEMA" # Comma separated list of database objects to set privileges on
+ grant: yes
 ```
 
 There's a lot more knobs and bolts to set, which you can find in the defaults/main.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index fda3adc3..7620d8b2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,6 +38,9 @@ postgresql_users: []
 # List of user privileges to be applied (optional)
 postgresql_user_privileges: []
 
+# List of database privileges to be applied (optional)
+postgresql_db_priveleges: []
+
 # pg_hba.conf
 postgresql_pg_hba_default:
 - { type: local, database: all, user: '{{ postgresql_admin_user }}', address: '', method: '{{ postgresql_default_auth_method }}', comment: '' }
diff --git a/tasks/main.yml b/tasks/main.yml
index 58e3e3d8..adca2bcd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -26,8 +26,8 @@
 - include: databases.yml
 tags: [postgresql, postgresql-databases]
 
-- include: users_privileges.yml
- tags: [postgresql, postgresql-users]
+- include: privileges.yml
+ tags: [postgresql, postgresql-privileges]
 
 - include: monit.yml
 when: monit_protection is defined and monit_protection == true
diff --git a/tasks/privileges.yml b/tasks/privileges.yml
new file mode 100644
index 00000000..7017cdab
--- /dev/null
+++ b/tasks/privileges.yml
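Review bot: The README documents the new list as `postgresql_db_privileges`, but defaults/main.yml, tasks/privileges.yml and tests/vars.yml all spell it `postgresql_db_priveleges`, so a user who follows the README sets a variable that nothing reads while the `with_items` loop in privileges.yml iterates the empty default — the intended grants (or revokes, with `state: absent`) are silently never applied. Rename the three occurrences to `postgresql_db_privileges`, or correct the README, so the two agree. The example's `grant: yes` is passed to the module as `grant_option`, i.e. WITH GRANT OPTION, which lets `baz` re-grant ALL on every table in the schema to other roles; next to the `roles` comment "roles for grant or revoke privileges" it reads like the grant/revoke switch, which is actually `state`. Suggest documenting it as `grant: no # WITH GRANT OPTION (postgresql_privs grant_option); use state: absent to revoke` and keeping the example at `no`.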
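Review bot: Replacing the `postgresql-users` tag with `postgresql-privileges` means a run invoked with `--tags postgresql-users`, which applied user privileges before this change, now skips them without any error; if the users include elsewhere in this file (outside the hunk) still carries `postgresql-users`, such a run creates the roles but leaves their privileges unset. Keeping the old tag alongside the new one avoids the silent gap: `tags: [postgresql, postgresql-users, postgresql-privileges]`.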
@@ -0,0 +1,37 @@
+# file: postgresql/tasks/privileges.yml
+
+- name: PostgreSQL | Ensure PostgreSQL is running
+ service:
+ name: "{{ postgresql_service_name }}"
+ state: started
+
+- name: PostgreSQL | Update the user privileges
+ postgresql_user:
+ name: "{{item.name}}"
+ db: "{{item.db | default(omit)}}"
+ port: "{{postgresql_port}}"
+ priv: "{{item.priv | default(omit)}}"
+ state: present
+ login_host: "{{item.host | default(omit)}}"
+ login_user: "{{postgresql_admin_user}}"
+ role_attr_flags: "{{item.role_attr_flags | default(omit)}}"
+ sudo: yes
+ sudo_user: "{{postgresql_admin_user}}"
+ with_items: postgresql_user_privileges
+
+- name: PostgreSQL | Make sure the PostgreSQL privileges are present
+ postgresql_privs:
+ database: "{{ item.db }}"
+ grant_option: "{{ item.grant | default(no) }}"
+ host: "{{ item.host | default(\"127.0.0.1\") }}"
+ login: "{{ item.login | default(postgresql_admin_user) }}"
+ objs: "{{ item.objs | default(omit) }}"
+ password: "{{ item.password | default(\"\") }}"
+ privs: "{{ item.privs | default(\"ALL\") }}"
+ roles: "{{ item.roles | default(\"PUBLIC\") }}"
+ schema: "{{ item.schema | default(omit) }}"
+ state: "{{ item.state | default(\"present\") }}"
+ type: "{{ item.type | default(\"table\") }}"
+ sudo: yes
+ sudo_user: "{{postgresql_admin_user}}"
+ with_items: postgresql_db_priveleges
\ No newline at end of file
diff --git a/tasks/users_privileges.yml b/tasks/users_privileges.yml
deleted file mode 100644
index 6d5905fe..00000000
--- a/tasks/users_privileges.yml
+++ /dev/null
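Review bot: In the `postgresql_privs` task, `roles` defaults to `PUBLIC` and `privs` to `ALL`, so an item that merely forgets `roles` grants ALL on the listed objects to every role in the cluster instead of failing; a privilege grant should error on a missing role rather than widen to PUBLIC — `roles: "{{ item.roles }}"`. The same task passes no `port`, while the `postgresql_user` task above sends `port: "{{postgresql_port}}"`, so a non-default `postgresql_port` makes the grants target the wrong server; add `port: "{{ postgresql_port }}"`. Its connection defaults also diverge from the user task: `host` falls back to `127.0.0.1` with `password` `""`, a TCP login as `postgresql_admin_user` with an empty password, whereas the user task omits `login_host` and relies on the local socket under `sudo_user`; defaulting `host` to `omit` would make both tasks authenticate the same way and avoid depending on a trust/ident rule for host connections in pg_hba.conf.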
@@ -1,16 +0,0 @@
-# file: postgresql/tasks/users_privileges.yml
-
-- name: PostgreSQL | Update the user privileges
- postgresql_user:
- name: "{{item.name}}"
- db: "{{item.db | default(omit)}}"
- port: "{{postgresql_port}}"
- priv: "{{item.priv | default(omit)}}"
- state: present
- login_host: "{{item.host | default(omit)}}"
- login_user: "{{postgresql_admin_user}}"
- role_attr_flags: "{{item.role_attr_flags | default(omit)}}"
- sudo: yes
- sudo_user: "{{postgresql_admin_user}}"
- with_items: postgresql_user_privileges
- when: postgresql_users|length > 0
diff --git a/tests/vars.yml b/tests/vars.yml
index dd10f663..85545e9a 100644
--- a/tests/vars.yml
+++ b/tests/vars.yml
@@ -17,3 +17,11 @@ postgresql_users:
 postgresql_user_privileges:
 - name: baz
 db: foobar
+
+postgresql_db_priveleges:
+ - db: foobar
+ objs: "ALL_IN_SCHEMA"
+ schema: "public"
+ state: present
+ roles: baz
+ grant: yes