Possibility of adding privileges to objects (#740)
abyss-ms authored Sep 6, 2024
1 parent fa7134a commit 86a0f97
Showing 6 changed files with 43 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/docker.yml
Expand Up @@ -57,6 +57,7 @@ jobs:
TAG: ${{ env.TAG }}

- name: Run Docker push
if: ${{ env.DOCKER_REGISTRY_USER != '' && env.DOCKER_REGISTRY_PASSWORD != '' }}
run: make docker-push
env:
TAG: ${{ env.TAG }}
3 changes: 3 additions & 0 deletions automation/config_pgcluster.yml
Expand Up @@ -199,6 +199,9 @@
- role: postgresql-schemas
when: inventory_hostname in groups['primary']

- role: postgresql-privs
when: inventory_hostname in groups['primary']

- role: postgresql-extensions
when: inventory_hostname in groups['primary']

3 changes: 3 additions & 0 deletions automation/deploy_pgcluster.yml
Expand Up @@ -380,6 +380,9 @@
- role: postgresql-schemas
when: is_master | bool and postgresql_schemas | length > 0

- role: postgresql-privs
when: is_master | bool and postgresql_privs | default('') | length > 0

- role: postgresql-extensions
when: is_master | bool and postgresql_extensions | length > 0

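--- /dev/null
+++ b/automation/roles/postgresql-privs/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+
+- name: Grant/revoke privileges on objects
+community.postgresql.postgresql_privs:
+roles: "{{ item.role }}"
+privs: "{{ item.privs }}"
+type: "{{ item.type }}"
+objs: "{{ item.objs }}"
+schema: "{{ item.schema | default(omit) }}"
+db: "{{ item.db }}"
+state: "{{ item.state | default('present') }}"
+login_host: "127.0.0.1"
+login_port: "{{ postgresql_port }}"
+login_user: "{{ patroni_superuser_username }}"
+login_password: "{{ patroni_superuser_password }}"
+ignore_errors: true # noqa ignore-errors
+loop: "{{ postgresql_privs | flatten(1) }}"
+when:
+- postgresql_privs | default('') | length > 0
+- item.role | default('') | length > 0
+- item.db | default('') | length > 0
+- patroni_standby_cluster.host | default('') | length < 1 # do not perform on the Standby Cluster leader
+tags: postgresql_privs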
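Review bot: `ignore_errors: true` on the grant/revoke task (the line right after `login_password`) turns a failed REVOKE — an item with `state: absent` — into a green run that leaves the privilege in place, and a mis-typed `privs`/`type`/`objs` value is likewise swallowed; for a task whose only job is access control that is the wrong default. Unless the playbook deliberately treats this role as best-effort like its siblings (those roles are outside this hunk), drop the `ignore_errors` line, or register the result and tolerate failures only for grants: `register: privs_result` and `failed_when: privs_result.failed and (item.state | default('present')) == 'absent'`. The `when` condition `postgresql_privs | default('') | length > 0` also cannot protect the `loop` line, because Ansible expands `loop` before evaluating the per-item `when`; give the loop the same default, `loop: "{{ postgresql_privs | default([]) | flatten(1) }}"`. Finally, `item.privs`, `item.type` and `item.objs` are passed without `| default(omit)`, so an entry that omits one of them fails on an undefined variable instead of taking the module's default (the vars comment in this commit says only `db` and `role` are required).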
1 change: 1 addition & 0 deletions automation/tags.md
Expand Up @@ -81,6 +81,7 @@
- postgresql_users
- postgresql_databases
- postgresql_schemas
- postgresql_privs
- postgresql_extensions
- cluster_info
- - patroni_status
12 changes: 12 additions & 0 deletions automation/vars/main.yml
Expand Up @@ -202,6 +202,18 @@ postgresql_databases: []
postgresql_schemas: []
# - { schema: "myschema", db: "mydatabase", owner: "mydb-user" }

# (optional) list of privileges to be granted (if not already exists) or revoked
# https://docs.ansible.com/ansible/latest/collections/community/postgresql/postgresql_privs_module.html#examples
# The db (which is the database to connect to) and role parameters are required
postgresql_privs: []
# - { role: "test", privs: "SELECT,INSERT,UPDATE", type: "table", db: "test2", objs: "test" } # grant SELECT, INSERT, UPDATE on a table to role test
# - { role: "test-user", privs: "ALL", type: "database", db: "test-db", objs: "test-db" } # grant ALL on a database to role test-user
# - { role: "mydb-user", privs: "SELECT", type: "table", db: "mydb", objs: "my_table", schema: "my_schema" } # grant SELECT on a table and schema
# - { role: "user", privs: "EXECUTE", type: "function", db: "db1", objs: "pg_ls_waldir()", schema: "pg_catalog" } # grant EXECUTE on a function
# - { role: "user, privs: "SELECT", type: "table", db: "mydb", objs: "table2", schema: "schema2", state: "absent" } # revoke SELECT on a table2 and schema2
# - { role: "test, test2", privs: "CREATE", type: "database", db: "test2", objs: "test2" } # grant CREATE on a database test2 to role test and test2


# (optional) list of database extensions to be created (if not already exists)
postgresql_extensions: []
# - { ext: "pg_stat_statements", db: "postgres" }
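Review bot: The revoke example (`- { role: "user, privs: "SELECT", ... state: "absent" }`) is missing the closing quote after `user`, so anyone who uncomments it to copy the one `state: absent` pattern gets a YAML parse error rather than a revoke; it should read `# - { role: "user", privs: "SELECT", type: "table", db: "mydb", objs: "table2", schema: "schema2", state: "absent" }`. The trailing comment on the `my_schema` example says "grant SELECT on a table and schema", but the entry grants SELECT on one table inside that schema and nothing on the schema itself; `# grant SELECT on table my_table in schema my_schema` is accurate. The header comment states that only `db` and `role` are required, yet the role's task in this commit reads `item.privs`, `item.type` and `item.objs` without a default, so either list those as required here or give them a default in the task.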
