mirror of https://github.com/ansible/ansible.git
Add session_role to postgresql modules (#43650)
* Allow session_role to be set for PostgreSQL By implementing session_role it becomes possible to run the specific PostgreSQL commands as a different role. The usecase that is immediately served by this, is the one that one ansible playbook can be shared by multiple users, which all have their own PostgreSQL login_user. They do not need to share login credentials, as they can share the role within the PostgreSQL database. The following example may give some insight: $ psql -U jdoe -X -d postgres postgres=> CREATE DATABASE abc; ERROR: permission denied to create database postgres=> set role postgres; SET postgres=# CREATE DATABASE abc; CREATE DATABASE fixes #43592 * Tests for session_role in PostgreSQL * Bump version_added for session_role feature * Remove explicit encrypted parameter from testspull/50373/head
parent
e633b93f85
commit
38e70ea317
@ -0,0 +1,254 @@
|
|||||||
|
- name: Check that becoming an non-existing user throws an error
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_db:
|
||||||
|
state: present
|
||||||
|
name: "{{ db_name }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
session_role: "{{ db_session_role1 }}"
|
||||||
|
register: result
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- 'result.failed == True'
|
||||||
|
|
||||||
|
- name: Create a high privileged user
|
||||||
|
become: True
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ db_session_role1 }}"
|
||||||
|
state: "present"
|
||||||
|
password: "password"
|
||||||
|
role_attr_flags: "CREATEDB,LOGIN,CREATEROLE"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
|
||||||
|
- name: Create a low privileged user using the newly created user
|
||||||
|
become: True
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ db_session_role2 }}"
|
||||||
|
state: "present"
|
||||||
|
password: "password"
|
||||||
|
role_attr_flags: "LOGIN"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
session_role: "{{ db_session_role1 }}"
|
||||||
|
db: postgres
|
||||||
|
|
||||||
|
- name: Create DB as session_role
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_db:
|
||||||
|
state: present
|
||||||
|
name: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
session_role: "{{ db_session_role1 }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- name: Check that database created and is owned by correct user
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "select rolname from pg_database join pg_roles on datdba = pg_roles.oid where datname = '{{ db_session_role1 }}';" | psql -AtXq postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.stdout_lines[-1] == '{{ db_session_role1 }}'"
|
||||||
|
|
||||||
|
- name: Fail when creating database as low privileged user
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_db:
|
||||||
|
state: present
|
||||||
|
name: "{{ db_session_role2 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
session_role: "{{ db_session_role2 }}"
|
||||||
|
register: result
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- 'result.failed == True'
|
||||||
|
|
||||||
|
- name: Create schema in own database
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_schema:
|
||||||
|
database: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
name: "{{ db_session_role1 }}"
|
||||||
|
session_role: "{{ db_session_role1 }}"
|
||||||
|
|
||||||
|
- name: Create schema in own database, should be owned by session_role
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_schema:
|
||||||
|
database: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
name: "{{ db_session_role1 }}"
|
||||||
|
owner: "{{ db_session_role1 }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- result.changed == False
|
||||||
|
|
||||||
|
- name: Fail when creating schema in postgres database as a regular user
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_schema:
|
||||||
|
database: postgres
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
name: "{{ db_session_role1 }}"
|
||||||
|
session_role: "{{ db_session_role1 }}"
|
||||||
|
ignore_errors: True
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- 'result.failed == True'
|
||||||
|
|
||||||
|
# PostgreSQL introduced extensions in 9.1, some checks are still run against older versions, therefore we need to ensure
|
||||||
|
# we only run these tests against supported PostgreSQL databases
|
||||||
|
|
||||||
|
- name: Check that pg_extension exists (postgresql >= 9.1)
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "select count(*) from pg_class where relname='pg_extension' and relkind='r'" | psql -AtXq postgres
|
||||||
|
register: pg_extension
|
||||||
|
|
||||||
|
- name: Remove plpgsql from testdb using postgresql_ext
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_ext:
|
||||||
|
name: plpgsql
|
||||||
|
db: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
state: absent
|
||||||
|
when:
|
||||||
|
"pg_extension.stdout_lines[-1] == '1'"
|
||||||
|
|
||||||
|
- name: Fail when trying to create an extension as a mere mortal user
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_ext:
|
||||||
|
name: plpgsql
|
||||||
|
db: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
session_role: "{{ db_session_role2 }}"
|
||||||
|
ignore_errors: True
|
||||||
|
register: result
|
||||||
|
when:
|
||||||
|
"pg_extension.stdout_lines[-1] == '1'"
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- 'result.failed == True'
|
||||||
|
when:
|
||||||
|
"pg_extension.stdout_lines[-1] == '1'"
|
||||||
|
|
||||||
|
- name: Install extension as session_role
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_ext:
|
||||||
|
name: plpgsql
|
||||||
|
db: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
session_role: "{{ db_session_role1 }}"
|
||||||
|
when:
|
||||||
|
"pg_extension.stdout_lines[-1] == '1'"
|
||||||
|
|
||||||
|
- name: Check that extension is created and is owned by session_role
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "select rolname from pg_extension join pg_roles on extowner=pg_roles.oid where extname='plpgsql';" | psql -AtXq "{{ db_session_role1 }}"
|
||||||
|
register: result
|
||||||
|
when:
|
||||||
|
"pg_extension.stdout_lines[-1] == '1'"
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.stdout_lines[-1] == '{{ db_session_role1 }}'"
|
||||||
|
when:
|
||||||
|
"pg_extension.stdout_lines[-1] == '1'"
|
||||||
|
|
||||||
|
- name: Remove plpgsql from testdb using postgresql_ext
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_ext:
|
||||||
|
name: plpgsql
|
||||||
|
db: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
state: absent
|
||||||
|
when:
|
||||||
|
"pg_extension.stdout_lines[-1] == '1'"
|
||||||
|
|
||||||
|
# End of postgresql_ext conditional tests against PostgreSQL 9.1+
|
||||||
|
|
||||||
|
- name: Create table to be able to grant privileges
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "CREATE TABLE test(i int); CREATE TABLE test2(i int);" | psql -AtXq "{{ db_session_role1 }}"
|
||||||
|
|
||||||
|
- name: Grant all privileges on test1 table to low privileged user
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_privs:
|
||||||
|
db: "{{ db_session_role1 }}"
|
||||||
|
type: table
|
||||||
|
objs: test
|
||||||
|
roles: "{{ db_session_role2 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
privs: select
|
||||||
|
admin_option: yes
|
||||||
|
|
||||||
|
- name: Verify admin option was successful for grants
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_privs:
|
||||||
|
db: "{{ db_session_role1 }}"
|
||||||
|
type: table
|
||||||
|
objs: test
|
||||||
|
roles: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
privs: select
|
||||||
|
session_role: "{{ db_session_role2 }}"
|
||||||
|
|
||||||
|
- name: Verify no grants can be granted for test2 table
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_privs:
|
||||||
|
db: "{{ db_session_role1 }}"
|
||||||
|
type: table
|
||||||
|
objs: test2
|
||||||
|
roles: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
privs: update
|
||||||
|
session_role: "{{ db_session_role2 }}"
|
||||||
|
ignore_errors: True
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- 'result.failed == True'
|
||||||
|
|
||||||
|
- name: Drop test db
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_db:
|
||||||
|
state: absent
|
||||||
|
name: "{{ db_session_role1 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
|
||||||
|
- name: Drop test users
|
||||||
|
become: True
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
with_items:
|
||||||
|
- "{{ db_session_role1 }}"
|
||||||
|
- "{{ db_session_role2 }}"
|
Loading…
Reference in New Issue