#!/usr/bin/python # -*- coding: utf-8 -*- # This file is part of Ansible # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Ansible is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . DOCUMENTATION = ''' --- module: postgresql_user short_description: Adds or removes a users (roles) from a PostgreSQL database. description: - Add or remove PostgreSQL users (roles) from a remote host and, optionally, grant the users access to an existing database or tables. - The fundamental function of the module is to create, or delete, roles from a PostgreSQL cluster. Privilege assignment, or removal, is an optional step, which works on one database at a time. This allows for the module to be called several times in the same module to modify the permissions on different databases, or to grant permissions to already existing users. - A user cannot be removed untill all the privileges have been stripped from the user. In such situation, if the module tries to remove the user it will fail. To avoid this from happening the fail_on_user option signals the module to try to remove the user, but if not possible keep going; the module will report if changes happened and separately if the user was removed or not. version_added: "0.6" options: name: description: - name of the user (role) to add or remove required: true default: null password: description: - set the user's password required: true default: null db: description: - name of database where permissions will be granted required: false default: null fail_on_user: description: - if yes, fail when user can't be removed. Otherwise just log and continue required: false default: yes choices: [ "yes", "no" ] login_user: description: - User (role) used to authenticate with PostgreSQL required: false default: postgres login_password: description: - Password used to authenticate with PostgreSQL required: false default: null login_host: description: - Host running PostgreSQL. required: false default: localhost priv: description: - "PostgreSQL privileges string in the format: C(table:priv1,priv2)" required: false default: null role_attr_flags: description: - "PostgreSQL role attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER" required: false default: null choices: [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB", "[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION" ] state: description: - The database state required: false default: present choices: [ "present", "absent" ] examples: - code: postgresql_user db=acme user=django password=ceec4eif7ya priv=CONNECT/products:ALL description: Create django user and grant access to database and products table - code: postgresql_user user=rails password=secret role_attr_flags=CREATEDB,NOSUPERUSER - description: Create rails user, grant privilege to create other databases and demote rails from super user status - code: postgresql_user db=acme user=test priv=ALL/products:ALL state=absent fail_on_user=no description: Remove test user privileges from acme - code: postgresql_user db=test user=test priv=ALL state=absent description: Remove test user from test database and the cluster - code: INSERT,UPDATE/table:SELECT/anothertable:ALL description: Example privileges string format notes: - The default authentication assumes that you are either logging in as or sudo'ing to the postgres account on the host. - This module uses psycopg2, a Python PostgreSQL database adapter. You must ensure that psycopg2 is installed on the host before using this module. If the remote host is the PostgreSQL server (which is the default case), then PostgreSQL must also be installed on the remote host. For Ubuntu-based systems, install the postgresql, libpq-dev, and python-psycopg2 packages on the remote host before using this module. requirements: [ psycopg2 ] author: Lorin Hochstein ''' import re try: import psycopg2 except ImportError: postgresqldb_found = False else: postgresqldb_found = True # =========================================== # PostgreSQL module specific support methods. # def user_exists(cursor, user): query = "SELECT rolname FROM pg_roles WHERE rolname=%(user)s" cursor.execute(query, {'user': user}) return cursor.rowcount > 0 def user_add(cursor, user, password, role_attr_flags): """Create a new user with write access to the database""" query = "CREATE USER %(user)s with PASSWORD '%(password)s' %(role_attr_flags)s" cursor.execute(query % {"user": user, "password": password, "role_attr_flags": role_attr_flags}) return True def user_alter(cursor, user, password, role_attr_flags): """Change user password""" changed = False # Handle passwords. if password is not None or role_attr_flags is not None: # Define columns for select. columns = 'rolpassword,rolsuper,rolinherit,rolcreaterole,rolcreatedb,rolcanlogin,rolreplication' # Select password and all flag-like columns in order to verify changes. # rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcatupdate | # rolcanlogin | rolreplication | rolconnlimit | rolpassword | rolvaliduntil # Not sure how to interpolate properly in python yet... select = "SELECT " + columns + " FROM pg_authid where rolname=%(user)s" cursor.execute(select, {"columns": columns, "user": user}) # Grab current role attributes. current_role_attrs = cursor.fetchone() if password is not None: # Update the role attributes, including password. alter = "ALTER USER %(user)s WITH PASSWORD '%(password)s' %(role_attr_flags)s" cursor.execute(alter % {"user": user, "password": password, "role_attr_flags": role_attr_flags}) else: # Update the role attributes, excluding password. alter = "ALTER USER %(user)s WITH %(role_attr_flags)s" cursor.execute(alter % {"user": user, "role_attr_flags": role_attr_flags}) # Grab new role attributes. cursor.execute(select, {"columns": columns, "user": user}) new_role_attrs = cursor.fetchone() # Detect any differences between current_ and new_role_attrs. for i in range(len(current_role_attrs)): if current_role_attrs[i] != new_role_attrs[i]: changed = True return changed def user_delete(cursor, user): """Try to remove a user. Returns True if successful otherwise False""" cursor.execute("SAVEPOINT ansible_pgsql_user_delete") try: cursor.execute("DROP USER %s" % user) except: cursor.execute("ROLLBACK TO SAVEPOINT ansible_pgsql_user_delete") cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete") return False cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete") return True def has_table_privilege(cursor, user, table, priv): query = 'SELECT has_table_privilege(%s, %s, %s)' cursor.execute(query, (user, table, priv)) return cursor.fetchone()[0] def get_table_privileges(cursor, user, table): if '.' in table: schema, table = table.split('.', 1) else: schema = 'public' query = '''SELECT privilege_type FROM information_schema.role_table_grants WHERE grantee=%s AND table_name=%s AND table_schema=%s''' cursor.execute(query, (user, table, schema)) return set([x[0] for x in cursor.fetchall()]) def grant_table_privilege(cursor, user, table, priv): prev_priv = get_table_privileges(cursor, user, table) query = 'GRANT %s ON TABLE %s TO %s' % (priv, table, user) cursor.execute(query) curr_priv = get_table_privileges(cursor, user, table) return len(curr_priv) > len(prev_priv) def revoke_table_privilege(cursor, user, table, priv): prev_priv = get_table_privileges(cursor, user, table) query = 'REVOKE %s ON TABLE %s FROM %s' % (priv, table, user) cursor.execute(query) curr_priv = get_table_privileges(cursor, user, table) return len(curr_priv) < len(prev_priv) def get_database_privileges(cursor, user, db): priv_map = { 'C':'CREATE', 'T':'TEMPORARY', 'c':'CONNECT', } query = 'SELECT datacl FROM pg_database WHERE datname = %s' cursor.execute(query, (db,)) datacl = cursor.fetchone()[0] if datacl is None: return [] r = re.search('%s=(C?T?c?)/[a-z]+\,?' % user, datacl) if r is None: return [] o = [] for v in r.group(1): o.append(priv_map[v]) return o def has_database_privilege(cursor, user, db, priv): query = 'SELECT has_database_privilege(%s, %s, %s)' cursor.execute(query, (user, db, priv)) return cursor.fetchone()[0] def grant_database_privilege(cursor, user, db, priv): prev_priv = get_database_privileges(cursor, user, db) query = 'GRANT %s ON DATABASE %s TO %s' % (priv, db, user) cursor.execute(query) curr_priv = get_database_privileges(cursor, user, db) return len(curr_priv) > len(prev_priv) def revoke_database_privilege(cursor, user, db, priv): prev_priv = get_database_privileges(cursor, user, db) query = 'REVOKE %s ON DATABASE %s FROM %s' % (priv, db, user) cursor.execute(query) curr_priv = get_database_privileges(cursor, user, db) return len(curr_priv) < len(prev_priv) def revoke_privileges(cursor, user, privs): if privs is None: return False changed = False for type_ in privs: revoke_func = { 'table':revoke_table_privilege, 'database':revoke_database_privilege }[type_] for name, privileges in privs[type_].iteritems(): for privilege in privileges: changed = revoke_func(cursor, user, name, privilege)\ or changed return changed def grant_privileges(cursor, user, privs): if privs is None: return False changed = False for type_ in privs: grant_func = { 'table':grant_table_privilege, 'database':grant_database_privilege }[type_] for name, privileges in privs[type_].iteritems(): for privilege in privileges: changed = grant_func(cursor, user, name, privilege)\ or changed return changed def parse_role_attrs(role_attr_flags): """ Parse role attributes string for user creation. Format: attributes[,attributes,...] Where: attributes := CREATEDB,CREATEROLE,NOSUPERUSER,... """ if ',' not in role_attr_flags: return role_attr_flags flag_set = role_attr_flags.split(",") o_flags = " ".join(flag_set) return o_flags def parse_privs(privs, db): """ Parse privilege string to determine permissions for database db. Format: privileges[/privileges/...] Where: privileges := DATABASE_PRIVILEGES[,DATABASE_PRIVILEGES,...] | TABLE_NAME:TABLE_PRIVILEGES[,TABLE_PRIVILEGES,...] """ if privs is None: return privs o_privs = { 'database':{}, 'table':{} } for token in privs.split('/'): if ':' not in token: type_ = 'database' name = db priv_set = set(x.strip() for x in token.split(',')) else: type_ = 'table' name, privileges = token.split(':', 1) priv_set = set(x.strip() for x in privileges.split(',')) o_privs[type_][name] = priv_set return o_privs # =========================================== # Module execution. # def main(): module = AnsibleModule( argument_spec=dict( login_user=dict(default="postgres"), login_password=dict(default=""), login_host=dict(default=""), user=dict(required=True, aliases=['name']), password=dict(default=None), state=dict(default="present", choices=["absent", "present"]), priv=dict(default=None), db=dict(default=''), port=dict(default='5432'), fail_on_user=dict(default='yes'), role_attr_flags=dict(default='') ) ) user = module.params["user"] password = module.params["password"] state = module.params["state"] fail_on_user = module.params["fail_on_user"] == 'yes' db = module.params["db"] if db == '' and module.params["priv"] is not None: module.fail_json(msg="privileges require a database to be specified") privs = parse_privs(module.params["priv"], db) port = module.params["port"] role_attr_flags = parse_role_attrs(module.params["role_attr_flags"]) if not postgresqldb_found: module.fail_json(msg="the python psycopg2 module is required") # To use defaults values, keyword arguments must be absent, so # check which values are empty and don't include in the **kw # dictionary params_map = { "login_host":"host", "login_user":"user", "login_password":"password", "port":"port", "db":"database" } kw = dict( (params_map[k], v) for (k, v) in module.params.iteritems() if k in params_map and v != "" ) try: db_connection = psycopg2.connect(**kw) cursor = db_connection.cursor() except Exception, e: module.fail_json(msg="unable to connect to database: %s" % e) kw = dict(user=user) changed = False user_removed = False if state == "present": if user_exists(cursor, user): changed = user_alter(cursor, user, password, role_attr_flags) else: if password is None: msg = "password parameter required when adding a user" module.fail_json(msg=msg) changed = user_add(cursor, user, password, role_attr_flags) changed = grant_privileges(cursor, user, privs) or changed else: if user_exists(cursor, user): changed = revoke_privileges(cursor, user, privs) user_removed = user_delete(cursor, user) changed = changed or user_removed if fail_on_user and not user_removed: msg = "unable to remove user" module.fail_json(msg=msg) kw['user_removed'] = user_removed if changed: db_connection.commit() kw['changed'] = changed module.exit_json(**kw) # this is magic, see lib/ansible/module_common.py #<> main()