Use pg_roles instead of pg_authid in postgresql (#32624)

This fix adds an additional check to get details about roles
from pg_roles instead of pg_authid. On AWS RDS instances,
access to pg_authid is restricted for security reasons.

Fixes: #32358

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
pull/33574/head
Abhijeet Kasurde 7 years ago committed by ansibot
parent dccf58efe3
commit 8699f8cf26

@ -332,6 +332,18 @@ def user_alter(db_connection, module, user, password, role_attr_flags, encrypted
pwchanging = user_should_we_change_password(current_role_attrs, user, password, encrypted) pwchanging = user_should_we_change_password(current_role_attrs, user, password, encrypted)
if current_role_attrs is None:
try:
# AWS RDS instances does not allow user to access pg_authid
# so try to get current_role_attrs from pg_roles tables
select = "SELECT * FROM pg_roles where rolname=%(user)s"
cursor.execute(select, {"user": user})
# Grab current role attributes from pg_roles
current_role_attrs = cursor.fetchone()
except psycopg2.ProgrammingError as e:
db_connection.rollback()
module.fail_json(msg="Failed to get role details for current user %s: %s" % (user, e))
role_attr_flags_changing = False role_attr_flags_changing = False
if role_attr_flags: if role_attr_flags:
role_attr_flags_dict = {} role_attr_flags_dict = {}
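Review bot: The row fetched from `pg_roles` in the new fallback has `rolpassword` blanked out (the view shows `********`), so after this point `current_role_attrs` is only usable for comparing role attribute flags, and nothing in the hunk says so. The `pwchanging` call stays above the fallback and so still sees `None`; if that ordering is deliberate, a comment such as `# pg_roles masks rolpassword; pwchanging is decided above, before this fallback` would keep a later refactor from moving it. Separately, `cursor.fetchone()` returns `None` when no row matches, which leaves `current_role_attrs` unset without any error; a guard after the fetch such as `if current_role_attrs is None: module.fail_json(msg="Role %s not found in pg_roles" % user)` would make that case explicit. The body of `user_alter` starts and ends outside the hunk, so how `current_role_attrs` is read later is not visible here.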
