Commit Graph

71 Commits (457a1115e8b7f5f7e5523a6cfc4c3a341ce1705f)

Author SHA1 Message Date
Feike Steenbergen 38e70ea317 Add session_role to postgresql modules (#43650)
* Allow session_role to be set for PostgreSQL

By implementing session_role it becomes possible to run the specific
PostgreSQL commands as a different role.
The usecase that is immediately served by this, is the one that one
ansible playbook can be shared by multiple users, which all have
their
own PostgreSQL login_user. They do not need to share login
credentials,
as they can share the role within the PostgreSQL database.

The following example may give some insight:

$ psql -U jdoe -X -d postgres

postgres=> CREATE DATABASE abc;
ERROR:  permission denied to create database
postgres=> set role postgres;
SET
postgres=# CREATE DATABASE abc;
CREATE DATABASE

fixes #43592

* Tests for session_role in PostgreSQL

* Bump version_added for session_role feature

* Remove explicit encrypted parameter from tests
6 years ago
Adam Miller 2d83db7036 update/enable postgresql integration test target for rhel8 beta
Signed-off-by: Adam Miller <admiller@redhat.com>
6 years ago
Matt Clay a41c0405a7
Add CI platform: rhel/8.0 (#48835) 6 years ago
Jordan Borean dd46f953f6
postgresql_user: fix test errors on newer Fedora versions (#47166) 6 years ago
Brian Coca af6b9799aa fixed test using removed feature 6 years ago
Matt Clay 4e489d1be8
Update Shippable integration test groups. (#43118)
* Update Shippable integration test groups.
* Update integration test group aliases.
* Rebalance AWS and Azure tests with extra group.
* Rebalance Windows tests with another group.
6 years ago
Strahinja Kustudic 32d6a354d7 postgresql_user: set encrypted as default and fix empty password reporting changed (#36931)
* Set encrypted as default and fix empty password reporting changed

* Starting with Postgres 10 `UNENCRYPTED` passwords are removed and
because of that this module fails with the default `encrypted=no`.
Also encrypted passwords are suported since version 7.2
(https://www.postgresql.org/docs/7.2/static/sql-createuser.html) which
went EOL in 2007 and since 7.3 it is the default. Because of this it
makes a lot more sense to make `encrypted=yes` the default. This won't
break backward compatibility, the module would just update the user's
password in the DB in the hashed format and everything else will work
like before. It's also a security bad practice to store passwords in
plain text. fixes #25823
* There was also a bug with `encrypted=yes` and an empty password always
reported as changed.
* Improved documentation for `encrypted`/`password` parameters, and
removed some obsolete notes about passlib.

* Fix clearing user's password to work with all versions of Postgres

* Add tests for clearing the user password

* Fix documentation atfer rebase

* Add changelog fragment
7 years ago
Matt Martz 4fe08441be Deprecate tests used as filters (#32361)
* Warn on tests used as filters

* Update docs, add aliases for tests that fit more gramatically with test syntax

* Fix rst formatting

* Add successful filter, alias of success

* Remove renamed_deprecation, it was overkill

* Make directory alias for is_dir

* Update tests to use proper jinja test syntax

* Update additional documentation, living outside of YAML files, to reflect proper jinja test syntax

* Add conversion script, porting guide updates, and changelog updates

* Update newly added uses of tests as filters

* No underscore variable

* Convert recent tests as filter changes to win_stat

* Fix some changes related to rebasing a few integration tests

* Make tests_as_filters_warning explicitly accept the name of the test, instead of inferring the name

* Add test for tests_as_filters_warning

* Update tests as filters in newly added/modified tests

* Address recent changes to several integration tests

* Address recent changes in cs_vpc
7 years ago
Josh Moore d5ae6cc585 postgres_db: add dump and restore support (#20627)
* Feature #2731: added postgres import and dump

* Feature #2731: be more permissive of arguments

```
hacking/test-module -m ./ppostgresql_db.py -a "db=example state=dump target=/tmp/out"`
```

failed previously since host, user, and port were required as keywords
in the pg_dump / pg_import methods.

* Feature #2731: fixed doc string for validate-modules

```
$ ansible-validate-modules database/postgresql/
```

now passes.

* Feature #2731: disable 'password' for dump/restore

* Feature #2731: bump added version to 2.3

* Feature #2731: replace db_import with db_restore

* Feature #2731: add missing version description

* Feature #2731: fix 'state' description

* Feature #2731: fix pep8 issues

* Feature #2731: put state documentation in a single string

* Bump added version from 2.3 to 2.4

* Fix pep8 and pylint errors

* Attempt yaml formatting of documentation string

* Add integration tests for postgres_db:dump/restore

* Update dump/restore logic to support new kw-args

Also attempt to support password; integration tests are
still failing.

* Revert to postgres user for dump/restore

Passing PGPASSWORD is not working for subprocesses. For the
moment, reverting to the strategy of failing if login_password
is set and using `postgres` for all testing of dump/restore.

* Various cleanups to have tests passing

* Working tests for {sql,tar} x {,bz2,gz,xz}

* Use pg_user to support FreeBSD

* Revert login_ prefixes and re-enable password support

All `login_` keywords are mapped to their non-prefix versions
so the previous changes were effectively using `postgres` for
all actions. With the proper keywords, PGPASSWORD-passing to
the subprocess is now working.

* Optionally add password

environ_update doesn't handle None values in the
dictionary to be added to the environment. Adding
check.

* Quick fixes

* Refactor login arguments after fixes from pchauncey

The fixes introduced by pchaunchy pointed to further issues
(like no --dbname on PG<=9.2) with the login parameters. This
refactors them and adds further tests.

Note: this will still not pass integration tests due to a further
      issue with pg_dump as a non-admin user:

      pg_restore: [archiver (db)] Error while PROCESSING TOC:
      pg_restore: [archiver (db)] Error from TOC entry 1925; 0 0 COMMENT EXTENSION plpgsql
      pg_restore: [archiver (db)] could not execute query: ERROR:  must be owner of extension plpgsql

* Introduce target_opts for passing limiting dumped/restored schemas

The current integration tests (PG version and template DBs) don't
permit a regular user (`{{ db_user1 }}`) access to plpgsql causing
restores to fail. By adding an option for passing arbitrary args to
pg_dump and pg_restore, testing is made easier. This also paves the
way for `-j` usage, once the PG version is bumped.
8 years ago
Michael De La Rue 3c4db1e8dd Mdd psql user aws fix (#23988)
* postgresql_user module - transaction logic hacks to allow recovery from failed select

* postgresql_user - PEP8 and style fixes to make debugging easier

* postgresql_user - move password changing logic to separate function

* postgresql_user - trap failure in case where there is no access to pg_authid

* postgresql_user - further PEP8 fixes

* postgresql_user - Simplify password change logic and improve imports according to suggestions from PR review

* postgresql_user - Eliminate pep8/blank line errors introduced in merge

* Check behaviour when pg_authid relation isn't readable

TASK [postgresql : Normal user isn't allowed to access pg_authid relation:
      password comparison will fail, password will be updated] ***
An exception occurred during task execution. To see the full traceback,
use -vvv. The error was: psycopg2.ProgrammingError: permission denied
for relation pg_authid

* Don't reintroduce passlib, remove useless query
8 years ago
Pilou 460d932aa8 postgresql_user: fix bugs related to 'expires' option (#23862)
* Factorize tests related to no_password_change using an include task

* Refactor: deduplicate tasks

* postgresql_user: test 'expires' parameter

* Change 'valid until' even it's the only updated field

* value is changed when another value is provided

* value isn't returned when unset

* Remove unused variable

* psycopg2.extras.DictRow is able to handle comparison

* postgresql_user: simplify helper method

* postgresql_user: define variable just before using it

* Fix comparison between user input and applied configuration

* new test: adding an invalid attribute

* Refactor, add cleaning task

* Check that using same attribute a 2nd time does nothing

* Always try to remove created user

* postgresql_user: fix pep8
8 years ago
Pierre-Louis Bonicoli a4131197e0 PostgreSQL tests: enforce UTF8
By default, client encoding is determined either from the LANG_*/LC_*
environment variables or using encoding of the database.

Containers used in the CI don't define a default locale, then encoding
of default databases was SQL_ASCII.
8 years ago
Pierre-Louis Bonicoli ce856c2123 postgresql_user: add tests with hashed password 8 years ago
Reilly Herrewig-Pope 723c8f06ab Allow setting/unsetting BYPASSRLS Postgres role attribute (#24625)
* Allow setting/unsetting BYPASSRLS role attr

* Build valid role attrs against version

* Add integration tests
8 years ago
Adrian Likins 499d3a1b53 add a intg test for issue #19835 (#21487)
(postgresql_user changing role_attr_flags with no_password_checks
fails)
8 years ago
Matt Clay 31d6b6ef67 Run postgresql tests on FreeBSD. (#20676)
* Use vars for user, group and locale suffix.
* Switch tests from `es_MX` to `es_ES`.
* Enable postgresql tests on freebsd.
* Work-arounds for service restart on freebsd.
8 years ago
Matt Clay 95b59cd76c Remove `needs/privileged` from postgresql test. (#19907)
* Remove `needs/privileged` from postgresql test.
* Add python 3 support to postgresql tests.
8 years ago
Carlos E. Garcia 0b8011436d minor spelling changes 8 years ago
Matt Clay 6bbd92e422 Initial ansible-test implementation. (#18556) 8 years ago
Adrien Vergé 0e834fc9e4 Fix cosmetic problems in YAML source
This change corrects problems reported by the `yamllint` linter.

Since key duplication problems were removed in 4d48711, this commit
mainly fixes trailing spaces and extra empty lines at beginning/end of
files.
8 years ago
Matt Clay 75e4645ee7 Migrate Linux CI roles to test targets. (#17997) 8 years ago