From 8699f8cf2636df854ce39c1e86177533a663f390 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Tue, 5 Dec 2017 07:41:35 +0530
Subject: [PATCH] Use pg_roles instead of pg_authid in postgresql (#32624)

This fix adds additional check to get details about roles from pg_roles instead of pg_authid. On AWS RDS instances, access to pg_authid is restricted for security reasons.
Fixes: #32358
Signed-off-by: Abhijeet Kasurde
---
.../modules/database/postgresql/postgresql_user.py | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lib/ansible/modules/database/postgresql/postgresql_user.py b/lib/ansible/modules/database/postgresql/postgresql_user.py
index 4745dd76a7f..5f31e5a66f7 100644
--- a/lib/ansible/modules/database/postgresql/postgresql_user.py
+++ b/lib/ansible/modules/database/postgresql/postgresql_user.py
@@ -332,6 +332,18 @@ def user_alter(db_connection, module, user, password, role_attr_flags, encrypted
 pwchanging = user_should_we_change_password(current_role_attrs, user, password, encrypted)
+ if current_role_attrs is None:
+ try:
+ # AWS RDS instances does not allow user to access pg_authid
+ # so try to get current_role_attrs from pg_roles tables
+ select = "SELECT * FROM pg_roles where rolname=%(user)s"
+ cursor.execute(select, {"user": user})
+ # Grab current role attributes from pg_roles
+ current_role_attrs = cursor.fetchone()
+ except psycopg2.ProgrammingError as e:
+ db_connection.rollback()
+ module.fail_json(msg="Failed to get role details for current user %s: %s" % (user, e))
+
 role_attr_flags_changing = False
 if role_attr_flags:
 role_attr_flags_dict = {}
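Review bot: The fallback row from `pg_roles` is not equivalent to the `pg_authid` row it replaces, because that view always reports `rolpassword` as `********`, and it is fetched only after `pwchanging` has been computed from a `None` `current_role_attrs`. How `user_should_we_change_password` treats `None` is outside the hunk, but on hosts that take this path the stored hash cannot be compared, and any later read of `current_role_attrs['rolpassword']` would see the mask rather than a hash. The added comment should say so, e.g. `# pg_roles masks rolpassword as '********'; use this row for role attributes only, never for password comparison`. `cursor.fetchone()` can also return `None` when no role matches, which the `except psycopg2.ProgrammingError` branch does not cover; a short `if current_role_attrs is None: module.fail_json(...)` after the `try` would make that case explicit. The body of `user_alter` starts and ends outside the hunk.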