archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
devel
stable-2.18
stable-2.17
stable-2.16
stable-2.15
stable-2.14
milestone
stable-2.12
stable-2.13
stable-2.9
stable-2.11
stable-2.3
stable-2.10
stable-2.8
stable-2.4
stable-2.5
stable-2.6
stable-2.7
temp-2.10-devel
mazer_role_loader
stable-2.2
threading_plus_forking
threading_instead_of_forking
stable-2.1
stable-1.9
stable-2.0
stable-2.0.0.1
stable-2.0-network
release1.8.4
release1.8.3
release1.8.2
release1.8.1
release1.8.0
release1.7.2
release1.7.1
release1.7.0
release1.6.8
release1.6.10
release1.6.9
release1.6.7
release1.6.6
release1.6.5
release1.6.4
release1.6.3
release1.6.2
release1.6.1
release1.6.0
release1.5.5
release1.5.4
release1.5.3
release1.5.2
release1.5.1
release1.5.0
v2.14.3
v2.13.8
v2.14.3rc1
v2.13.8rc1
v2.14.2
v2.14.2rc1
v2.14.1
v2.13.7
v2.13.7rc1
v2.14.1rc1
v2.13.6
v2.14.0
v2.14.0rc2
v2.13.6rc1
v2.14.0rc1
v2.14.0b3
v2.13.5
v2.12.10
v2.14.0b2
v2.13.5rc1
v2.12.10rc1
v2.14.0b1
v2.12.9
v2.13.4
v2.13.4rc1
v2.12.9rc1
v2.13.3
v2.12.8
v2.12.8rc1
v2.13.3rc1
v2.13.2
v2.13.2rc1
v2.12.7
v2.13.1
v2.12.7rc1
v2.13.1rc1
v2.12.6
v2.11.12
v2.12.6rc1
v2.11.12rc1
v2.13.0
v2.13.0rc1
v2.13.0b1
v2.12.5
v2.11.11
v2.12.5rc1
v2.11.11rc1
v2.13.0b0
v2.12.4
v2.11.10
v2.12.4rc1
v2.11.10rc1
v2.11.9
v2.12.3
v2.12.3rc1
v2.11.9rc1
v2.12.2
v2.11.8
v2.10.17
v2.12.2rc1
v2.11.8rc1
v2.10.17rc1
v2.12.1
v2.11.7
v2.10.16
v2.10.16rc1
v2.11.7rc1
v2.12.1rc1
v2.12.0
v2.12.0rc1
v2.12.0b2
v2.11.6
v2.10.15
v2.9.27
v2.9.27rc1
v2.10.15rc1
v2.11.6rc1
v2.12.0b1
v2.11.5
v2.10.14
v2.9.26
v2.11.5rc1
v2.10.14rc1
v2.9.26rc1
v2.11.4
v2.10.13
v2.9.25
v2.9.25rc1
v2.10.13rc1
v2.11.4rc1
v2.11.3
v2.10.12
v2.9.24
v2.11.3rc1
v2.10.12rc1
v2.9.24rc1
v2.9.23
v2.10.11
v2.11.2
v2.11.2rc1
v2.10.11rc1
v2.9.23rc1
v2.11.1
v2.10.10
v2.9.22
v2.9.22rc1
v2.10.10rc1
v2.11.1rc1
v2.10.9
v2.9.21
v2.10.9rc1
v2.9.21rc1
v2.11.0
v2.8.20
v2.9.20
v2.10.8
v2.11.0rc2
v2.8.20rc1
v2.9.20rc1
v2.10.8rc1
v2.11.0rc1
stable-2.11-branchpoint
v2.11.0b4
v2.11.0b3
v2.11.0b2
v2.10.7
v2.9.19
v2.10.7rc1
v2.9.19rc1
v2.11.0b1
v2.8.19
v2.9.18
v2.10.6
v2.8.19rc1
v2.9.18rc1
v2.10.6rc1
v2.9.17
v2.10.5
v2.10.5rc1
v2.9.17rc1
v2.8.18
v2.9.16
v2.10.4
v2.8.18rc1
v2.9.16rc1
v2.10.4rc1
v2.8.17
v2.9.15
v2.10.3
v2.8.17rc1
v2.9.15rc1
v2.10.3rc1
v2.10.2
v2.9.14
v2.8.16
v2.8.16rc1
v2.9.14rc1
v2.10.2rc1
v2.10.1
v2.10.1rc3
v2.10.1rc2
v2.8.15
v2.9.13
v2.10.0
v2.9.12
v2.8.14
v2.10.0rc4
v2.10.0rc3
v2.10.0rc2
v2.10.0rc1
v2.9.11
v2.8.13
v2.9.10
v2.10.0b1
stable-2.10-branchpoint
v2.9.9
v2.7.18
v2.8.12
v2.9.8
v2.9.7
v2.8.11
v2.7.17
pre-ansible-base
v2.8.10
v2.8.9
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.8.8
v2.7.16
v2.9.2
v2.9.1
v2.8.7
v2.7.15
v2.9.0
v2.9.0rc5
v2.8.6
v2.7.14
v2.9.0rc4
v2.6.20
v2.9.0rc3
v2.9.0rc2
v2.9.0rc1
v2.8.5
v2.9.0b1
stable-2.9-branchpoint
v2.6.19
v2.7.13
v2.8.4
v2.8.3
v2.6.18
v2.7.12
v2.8.2
v2.8.1
v2.7.11
v2.6.17
v2.8.0
v2.8.0rc3
v2.8.0rc2
v2.8.0rc1
v2.8.0b1
v2.8.0a1
v2.6.16
v2.7.10
v2.6.15
v2.7.9
v2.7.8
v2.6.14
v2.5.15
v2.7.7
v2.6.13
v2.6.12
v2.7.6
v2.5.14
v2.7.5
v2.6.11
v2.6.10
v2.7.4
v2.5.13
v2.7.3
v2.6.9
v2.5.12
v2.6.8
v2.7.2
v2.6.7
v2.5.11
v2.7.1
v2.6.6
v2.7.0
v2.6.5
v2.7.0rc4
v2.5.10
v2.7.0rc3
v2.7.0rc2
v2.5.9
v2.6.4
v2.7.0rc1
v2.7.0b1
v2.7.0.a1
v2.6.3
v2.5.8
v2.6.2
v2.5.7
v2.6.1
v2.5.6
v2.4.6.0-1
v2.6.0
v2.6.0rc5
v2.6.0rc4
v2.4.5.0-1
v2.6.0rc3
v2.5.5
v2.4.5.0-0.1.rc1
v2.6.0rc2
v2.6.0rc1
v2.5.4
v2.6.0a2
v2.6.0a1
v2.5.3
v2.5.2
v2.5.1
v2.4.4.0-1
v2.4.4.0-0.3.rc2
v2.5.0
v2.5.0rc3
v2.5.0rc2
v2.4.4-0.2.rc1
v2.3.4.0-0.1.rc1
v2.5.0rc1
v2.4.4-0.1.beta1
v2.5.0b1
v2.5.0a1
v2.4.3.0-1
v2.4.3.0-0.6.rc3
v2.4.3.0-0.5.rc2
v2.4.3.0-0.4.rc1
v2.4.3-0.3.beta3
v2.4.3.0-0.2.beta2
v2.3.3.0-1
v2.4.3.0-0.1.beta1
v2.4.2.0-1
v2.4.2.0-0.5.rc1
v2.4.2.0-0.4.beta4
v2.3.3.0-0.3.rc3
v2.4.2.0-0.3.beta3
v2.4.2.0-0.2.beta2
v2.4.2.0-0.1.beta1
v2.4.1.0-1
v2.4.1.0-0.4.rc2
v2.3.3.0-0.2.rc2
v2.4.1.0-0.3.rc1
v2.4.1.0-0.2.beta2
v2.3.3.0-0.1.rc1
v2.4.1.0-0.1.beta1
v2.4.0.0-1
v2.4.0.0-0.5.rc5
v2.4.0.0-0.4.rc4
v2.4.0.0-0.3.rc3
v2.4.0.0-0.2.rc2
v2.4.0.0-0.1.rc1
v2.3.2.0-1
v2.3.2.0-0.5.rc5
v2.3.2.0-0.4.rc4
v2.3.2.0-0.3.rc3
v2.3.2.0-0.2.rc2
v2.3.2.0-0.1.rc1
v2.1.6.0-1
v2.3.1.0-1
v2.3.1.0-0.2.rc2
v2.2.3.0-1
v2.1.6.0-0.1.rc1
v2.3.1.0-0.1.rc1
v2.3.0.0-1
v2.3.0.0-0.6.rc6
v2.3.0.0-0.5.rc5
v2.3.0.0-0.4.rc4
v2.2.3.0-0.1.rc1
v2.3.0.0-0.3.rc3
v2.3.0.0-0.2.rc2
v2.2.2.0-1
v2.1.5.0-1
v2.3.0.0-0.1.rc1
v2.1.5.0-0.2.rc2
v2.2.2.0-0.2.rc2
v2.1.5.0-0.1.rc1
v2.2.2.0-0.1.rc1
v2.1.4.0-1
v2.2.1.0-1
v2.1.4.0-0.3.rc3
v2.2.1.0-0.5.rc5
v2.1.4.0-0.2.rc2
v2.2.1.0-0.4.rc4
v2.1.4.0-0.1.rc1
v2.2.1.0-0.3.rc3
v2.2.1.0-0.2.rc2
v2.2.1.0-0.1.rc1
v2.1.3.0-1
v2.2.0.0-1
v2.2.0.0-0.4.rc4
v2.1.3.0-0.3.rc3
v2.1.3.0-0.2.rc2
v2.2.0.0-0.3.rc3
v2.1.3.0-0.1.rc1
v2.2.0.0-0.2.rc2
v2.2.0.0-0.1.rc1
v2.1.2.0-1
v2.1.2.0-0.5.rc5
v2.1.2.0-0.4.rc4
v2.1.2.0-0.3.rc3
v2.1.2.0-0.2.rc2
v2.1.2.0-0.1.rc1
v2.1.1.0-1
v2.1.1.0-0.5.rc5
v2.1.1.0-0.4.rc4
v2.1.1.0-0.3.rc3
v2.1.1.0-0.2.rc2
v2.1.1.0-0.1.rc1
v2.1.0.0-1
v2.1.0.0-0.4.rc4
v2.1.0.0-0.2.rc2
v2.1.0.0-0.3.rc3
v2.1.0.0-0.1.rc1
v2.0.2.0-1
v1.9.6-1
v2.0.2.0-0.4.rc4
v2.0.2.0-0.3.rc3
v1.9.6-0.1.rc1
v2.0.2.0-0.2.rc2
v2.0.2.0-0.1.rc1
v1.9.5-1
v1.9.5-0.1.rc1
v2.0.1.0-1
v2.0.1.0-0.2.rc2
v2.0.1.0-0.1.rc1
v2.0.0.2-1
v2.0.0.1-1
v2.0.0.0-1
v2.0.0-0.9.rc4
v2.0.0-0.8.rc3
v2.0.0-0.7.rc2
v2.0.0-0.6.rc1
v2.0.0-0.5.beta3
v2.0.0-0.4.beta2
v1.9.4-1
v2.0.0-0.3.beta1
v1.9.4-0.3.rc3
v1.9.4-0.2.rc2
v1.9.4-0.1.rc1
v2.0.0-0.2.alpha2
v1.9.3-1
v2.0.0-0.1.alpha1
v1.9.3-0.3.rc3
v1.9.3-0.2.rc2
v1.9.3-0.1.rc1
v1.9.2-1
v1.9.2-0.2.rc2
v1_last
v1.9.2-0.1.rc1
v1.9.1-1
v1.9.1-0.4.rc4
v1.9.1-0.3.rc3
v1.9.1-0.2.rc2
v1.9.1-0.1.rc1
v1.9.0.1-1
v1.9.0-2
v1.9.0-1
v1.9.0-0.2.rc2
v1.9.0-0.1.rc1
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.2
v1.7.1
v1.7.0
v1.6.10
v1.6.9
v1.6.8
v1.6.7
v1.6.6
v1.6.5
v1.6.4
v1.6.3
v1.6.2
v1.6.1
v1.6.0
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.4
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.2.3
v1.2.2
v1.2.1
v1.2
v1.1
v1.0
0.8
0.7.2
0.7
0.6
0.5
0.4.1
0.4
0.3.1
0.3
0.01
0.0.1
0.0.2
0.7.1
v0.9
v2.13.10
v2.13.10rc1
v2.13.11
v2.13.11rc1
v2.13.12
v2.13.12rc1
v2.13.13
v2.13.13rc1
v2.13.9
v2.13.9rc1
v2.14.10
v2.14.10rc1
v2.14.11
v2.14.11rc1
v2.14.12
v2.14.12rc1
v2.14.13
v2.14.14
v2.14.14rc1
v2.14.15
v2.14.15rc1
v2.14.16
v2.14.16rc1
v2.14.17
v2.14.17rc1
v2.14.18
v2.14.18rc1
v2.14.4
v2.14.4rc1
v2.14.5
v2.14.5rc1
v2.14.6
v2.14.6rc1
v2.14.7
v2.14.7rc1
v2.14.8
v2.14.8rc1
v2.14.9
v2.14.9rc1
v2.15.0
v2.15.0b1
v2.15.0b2
v2.15.0b3
v2.15.0rc1
v2.15.0rc2
v2.15.1
v2.15.10
v2.15.10rc1
v2.15.11
v2.15.11rc1
v2.15.12
v2.15.12rc1
v2.15.13
v2.15.13rc1
v2.15.1rc1
v2.15.2
v2.15.2rc1
v2.15.3
v2.15.3rc1
v2.15.4
v2.15.4rc1
v2.15.5
v2.15.5rc1
v2.15.6
v2.15.6rc1
v2.15.7
v2.15.7rc1
v2.15.8
v2.15.9
v2.15.9rc1
v2.16.0
v2.16.0b1
v2.16.0b2
v2.16.0rc1
v2.16.1
v2.16.10
v2.16.10rc1
v2.16.11
v2.16.11rc1
v2.16.12
v2.16.12rc1
v2.16.13
v2.16.13rc1
v2.16.1rc1
v2.16.2
v2.16.3
v2.16.3rc1
v2.16.4
v2.16.4rc1
v2.16.5
v2.16.5rc1
v2.16.6
v2.16.7
v2.16.7rc1
v2.16.8
v2.16.8rc1
v2.16.9
v2.16.9rc1
v2.17.0
v2.17.0b1
v2.17.0rc1
v2.17.0rc2
v2.17.1
v2.17.1rc1
v2.17.2
v2.17.2rc1
v2.17.2rc2
v2.17.3
v2.17.3rc1
v2.17.4
v2.17.4rc1
v2.17.5
v2.17.5rc1
v2.17.6
v2.17.6rc1
v2.18.0
v2.18.0b1
v2.18.0rc1
v2.18.0rc2
v2.5.0b2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '135c853588'
${ noResults }
ansible/test/integration/targets/postgresql_privs/tasks/postgresql_privs_general.yml

967 lines
24 KiB
YAML
Raw Blame History

# Setup
- name: Create DB
become_user: "{{ pg_user }}"
become: yes
postgresql_db:
state: present
name: "{{ db_name }}"
login_user: "{{ pg_user }}"
- name: Create a user to be owner of objects
postgresql_user:
name: "{{ db_user3 }}"
state: present
encrypted: yes
password: password
role_attr_flags: CREATEDB,LOGIN
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
- name: Create a user to be given permissions and other tests
postgresql_user:
name: "{{ db_user2 }}"
state: present
encrypted: yes
password: password
role_attr_flags: LOGIN
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
#############################
# Test of solving bug 27327 #
#############################
# Create the test table and view:
- name: Create table
become: yes
become_user: "{{ pg_user }}"
postgresql_table:
login_user: "{{ pg_user }}"
db: postgres
name: test_table1
columns:
- id int
- name: Create view
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
db: postgres
query: "CREATE VIEW test_view AS SELECT id FROM test_table1"
# Test check_mode:
- name: Grant SELECT on test_view, check_mode
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
login_user: "{{ pg_user }}"
db: postgres
state: present
privs: SELECT
type: table
objs: test_view
roles: "{{ db_user2 }}"
check_mode: yes
register: result
- assert:
that:
- result is changed
# Check:
- name: Check that nothing was changed after the prev step
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
db: postgres
query: "SELECT grantee FROM information_schema.role_table_grants WHERE table_name='test_view' AND grantee = '{{ db_user2 }}'"
register: result
- assert:
that:
- result.rowcount == 0
# Test true mode:
- name: Grant SELECT on test_view
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
login_user: "{{ pg_user }}"
db: postgres
state: present
privs: SELECT
type: table
objs: test_view
roles: "{{ db_user2 }}"
register: result
- assert:
that:
- result is changed
# Check:
- name: Check that nothing was changed after the prev step
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
db: postgres
query: "SELECT grantee FROM information_schema.role_table_grants WHERE table_name='test_view' AND grantee = '{{ db_user2 }}'"
register: result
- assert:
that:
- result.rowcount == 1
# Test true mode:
- name: Try to grant SELECT again
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
login_user: "{{ pg_user }}"
db: postgres
state: present
privs: SELECT
type: table
objs: test_view
roles: "{{ db_user2 }}"
register: result
- assert:
that:
- result is not changed
# Cleanup:
- name: Drop test view
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
db: postgres
query: "DROP VIEW test_view"
- name: Drop test table
become: yes
become_user: "{{ pg_user }}"
postgresql_table:
login_user: "{{ pg_user }}"
db: postgres
name: test_table1
state: absent
######################################################
# Test foreign data wrapper and foreign server privs #
######################################################
# Foreign data wrapper setup
- name: Create foreign data wrapper extension
become: yes
become_user: "{{ pg_user }}"
shell: echo "CREATE EXTENSION postgres_fdw" | psql -d "{{ db_name }}"
- name: Create dummy foreign data wrapper
become: yes
become_user: "{{ pg_user }}"
shell: echo "CREATE FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}"
- name: Create foreign server
become: yes
become_user: "{{ pg_user }}"
shell: echo "CREATE SERVER dummy_server FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}"
# Test
- name: Grant foreign data wrapper privileges
postgresql_privs:
state: present
type: foreign_data_wrapper
roles: "{{ db_user2 }}"
privs: ALL
objs: dummy
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
ignore_errors: yes
# Checks
- assert:
that:
- result is changed
- name: Get foreign data wrapper privileges
become: yes
become_user: "{{ pg_user }}"
shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
vars:
fdw_query: >
SELECT fdwacl FROM pg_catalog.pg_foreign_data_wrapper
WHERE fdwname = ANY (ARRAY['dummy']) ORDER BY fdwname
register: fdw_result
- assert:
that:
- "fdw_result.stdout_lines[-1] == '(1 row)'"
- "'{{ db_user2 }}' in fdw_result.stdout_lines[-2]"
# Test
- name: Grant foreign data wrapper privileges second time
postgresql_privs:
state: present
type: foreign_data_wrapper
roles: "{{ db_user2 }}"
privs: ALL
objs: dummy
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
ignore_errors: yes
# Checks
- assert:
that:
- result is not changed
# Test
- name: Revoke foreign data wrapper privileges
postgresql_privs:
state: absent
type: foreign_data_wrapper
roles: "{{ db_user2 }}"
privs: ALL
objs: dummy
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
ignore_errors: yes
# Checks
- assert:
that:
- result is changed
- name: Get foreign data wrapper privileges
become: yes
become_user: "{{ pg_user }}"
shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
vars:
fdw_query: >
SELECT fdwacl FROM pg_catalog.pg_foreign_data_wrapper
WHERE fdwname = ANY (ARRAY['dummy']) ORDER BY fdwname
register: fdw_result
- assert:
that:
- "fdw_result.stdout_lines[-1] == '(1 row)'"
- "'{{ db_user2 }}' not in fdw_result.stdout_lines[-2]"
# Test
- name: Revoke foreign data wrapper privileges for second time
postgresql_privs:
state: absent
type: foreign_data_wrapper
roles: "{{ db_user2 }}"
privs: ALL
objs: dummy
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
ignore_errors: yes
# Checks
- assert:
that:
- result is not changed
# Test
- name: Grant foreign server privileges
postgresql_privs:
state: present
type: foreign_server
roles: "{{ db_user2 }}"
privs: ALL
objs: dummy_server
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
ignore_errors: yes
# Checks
- assert:
that:
- result is changed
- name: Get foreign server privileges
become: yes
become_user: "{{ pg_user }}"
shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
vars:
fdw_query: >
SELECT srvacl FROM pg_catalog.pg_foreign_server
WHERE srvname = ANY (ARRAY['dummy_server']) ORDER BY srvname
register: fs_result
- assert:
that:
- "fs_result.stdout_lines[-1] == '(1 row)'"
- "'{{ db_user2 }}' in fs_result.stdout_lines[-2]"
# Test
- name: Grant foreign server privileges for second time
postgresql_privs:
state: present
type: foreign_server
roles: "{{ db_user2 }}"
privs: ALL
objs: dummy_server
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
ignore_errors: yes
# Checks
- assert:
that:
- result is not changed
# Test
- name: Revoke foreign server privileges
postgresql_privs:
state: absent
type: foreign_server
roles: "{{ db_user2 }}"
privs: ALL
objs: dummy_server
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
ignore_errors: yes
# Checks
- assert:
that:
- result is changed
- name: Get foreign server privileges
become: yes
become_user: "{{ pg_user }}"
shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
vars:
fdw_query: >
SELECT srvacl FROM pg_catalog.pg_foreign_server
WHERE srvname = ANY (ARRAY['dummy_server']) ORDER BY srvname
register: fs_result
- assert:
that:
- "fs_result.stdout_lines[-1] == '(1 row)'"
- "'{{ db_user2 }}' not in fs_result.stdout_lines[-2]"
# Test
- name: Revoke foreign server privileges for second time
postgresql_privs:
state: absent
type: foreign_server
roles: "{{ db_user2 }}"
privs: ALL
objs: dummy_server
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
ignore_errors: yes
# Checks
- assert:
that:
- result is not changed
# Foreign data wrapper cleanup
- name: Drop foreign server
become: yes
become_user: "{{ pg_user }}"
shell: echo "DROP SERVER dummy_server" | psql -d "{{ db_name }}"
- name: Drop dummy foreign data wrapper
become: yes
become_user: "{{ pg_user }}"
shell: echo "DROP FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}"
- name: Drop foreign data wrapper extension
become: yes
become_user: "{{ pg_user }}"
shell: echo "DROP EXTENSION postgres_fdw" | psql -d "{{ db_name }}"
##########################################
# Test ALL_IN_SCHEMA for 'function' type #
##########################################
# Function ALL_IN_SCHEMA Setup
- name: Create function for test
postgresql_query:
query: CREATE FUNCTION public.a() RETURNS integer LANGUAGE SQL AS 'SELECT 2';
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
# Test
- name: Grant execute to all functions
postgresql_privs:
type: function
state: present
privs: EXECUTE
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
# Checks
- assert:
that: result is changed
- name: Check that all functions have execute privileges
become: yes
become_user: "{{ pg_user }}"
shell: psql {{ db_name }} -c "SELECT proacl FROM pg_proc WHERE proname = 'a'" -t
register: result
- assert:
that: "'{{ db_user2 }}=X/{{ db_user3 }}' in '{{ result.stdout_lines[0] }}'"
# Test
- name: Grant execute to all functions again
postgresql_privs:
type: function
state: present
privs: EXECUTE
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
# Checks
- assert:
that: result is not changed
# Test
- name: Revoke execute to all functions
postgresql_privs:
type: function
state: absent
privs: EXECUTE
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
# Checks
- assert:
that: result is changed
# Test
- name: Revoke execute to all functions again
postgresql_privs:
type: function
state: absent
privs: EXECUTE
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
- assert:
that: result is not changed
# Function ALL_IN_SCHEMA cleanup
- name: Remove function for test
postgresql_query:
query: DROP FUNCTION public.a();
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
#################################################
# Test ALL_IN_SCHEMA for 'partioned tables type #
#################################################
# Partitioning tables is a feature introduced in Postgresql 10.
# (see https://www.postgresql.org/docs/10/ddl-partitioning.html )
# The test below check for this version
# Function ALL_IN_SCHEMA Setup
- name: Create partioned table for test purpose
postgresql_query:
query: CREATE TABLE public.testpt (id int not null, logdate date not null) PARTITION BY RANGE (logdate);
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Grant execute to all tables in check mode
postgresql_privs:
type: table
state: present
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
check_mode: yes
# Checks
- name: Check that all partitioned tables don't have select privileges after the check mode task
postgresql_query:
query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s
db: "{{ db_name }}"
login_user: '{{ db_user2 }}'
login_password: password
named_args:
grantuser: '{{ db_user2 }}'
become: yes
become_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- result.rowcount == 0
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Grant execute to all tables
postgresql_privs:
type: table
state: present
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that: result is changed
when: postgres_version_resp.stdout is version('10', '>=')
- name: Check that all partitioned tables have select privileges
postgresql_query:
query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s
db: "{{ db_name }}"
login_user: '{{ db_user2 }}'
login_password: password
named_args:
grantuser: '{{ db_user2 }}'
become: yes
become_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- result.rowcount == 1
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Grant execute to all tables again to see no changes are reported
postgresql_privs:
type: table
state: present
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that: result is not changed
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Revoke SELECT to all tables
postgresql_privs:
type: table
state: absent
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that: result is changed
when: postgres_version_resp.stdout is version('10', '>=')
- name: Check that all partitioned tables don't have select privileges
postgresql_query:
query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s
db: "{{ db_name }}"
login_user: '{{ db_user2 }}'
login_password: password
named_args:
grantuser: '{{ db_user2 }}'
become: yes
become_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- result.rowcount == 0
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Revoke SELECT to all tables and no changes are reported
postgresql_privs:
type: table
state: absent
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that: result is not changed
when: postgres_version_resp.stdout is version('10', '>=')
# Table ALL_IN_SCHEMA cleanup
- name: Remove table for test
postgresql_query:
query: DROP TABLE public.testpt;
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
###########################################
# Test for 'type' value of type parameter #
###########################################
# Test
- name: Grant type privileges
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
state: present
type: type
roles: "{{ db_user2 }}"
privs: ALL
objs: numeric
schema: pg_catalog
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that:
- result is changed
when: postgres_version_resp.stdout is version('10', '>=')
- name: Get type privileges
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
login_db: "{{ db_name }}"
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
register: typ_result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
when: postgres_version_resp.stdout is version('10', '>=')
- name: Grant type privileges again using check_mode
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
state: present
type: type
roles: "{{ db_user2 }}"
privs: ALL
objs: numeric
schema: pg_catalog
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
check_mode: yes
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that:
- result is not changed
when: postgres_version_resp.stdout is version('10', '>=')
- name: Get type privileges
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
login_db: "{{ db_name }}"
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
register: typ_result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
when: postgres_version_resp.stdout is version('10', '>=')
- name: Grant type privileges again
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
state: present
type: type
roles: "{{ db_user2 }}"
privs: ALL
objs: numeric
schema: pg_catalog
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that:
- result is not changed
when: postgres_version_resp.stdout is version('10', '>=')
- name: Get type privileges
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
login_db: "{{ db_name }}"
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
register: typ_result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
when: postgres_version_resp.stdout is version('10', '>=')
- name: Revoke type privileges in check_mode
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
state: absent
type: type
roles: "{{ db_user2 }}"
privs: ALL
objs: numeric
schema: pg_catalog
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
check_mode: yes
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that:
- result is changed
when: postgres_version_resp.stdout is version('10', '>=')
- name: Get type privileges
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
login_db: "{{ db_name }}"
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
register: typ_result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
when: postgres_version_resp.stdout is version('10', '>=')
- name: Revoke type privileges
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
state: absent
type: type
roles: "{{ db_user2 }}"
privs: ALL
objs: numeric
schema: pg_catalog
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that:
- result is changed
when: postgres_version_resp.stdout is version('10', '>=')
- name: Get type privileges
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
login_db: "{{ db_name }}"
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
register: typ_result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- "'{{ db_user2 }}' not in typ_result.query_result[0].typacl"
when: postgres_version_resp.stdout is version('10', '>=')
# type with default schema (public):
- name: Create custom type in schema public
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
login_db: "{{ db_name }}"
query: "CREATE TYPE compfoo AS (f1 int, f2 text)"
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Grant type privileges with default schema
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
state: present
type: type
roles: "{{ db_user2 }}"
privs: ALL
objs: compfoo
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that:
- result is changed
when: postgres_version_resp.stdout is version('10', '>=')
- name: Get type privileges
become: yes
become_user: "{{ pg_user }}"
postgresql_query:
login_user: "{{ pg_user }}"
login_db: "{{ db_name }}"
query: >
SELECT t.typacl FROM pg_catalog.pg_type t JOIN pg_catalog.pg_namespace n
ON n.oid = t.typnamespace WHERE t.typname = 'compfoo' AND n.nspname = 'public';
register: typ_result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
when: postgres_version_resp.stdout is version('10', '>=')
# Cleanup
- name: Remove privs
become: yes
become_user: "{{ pg_user }}"
postgresql_privs:
state: absent
type: type
roles: "{{ db_user2 }}"
privs: ALL
objs: compfoo
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
when: postgres_version_resp.stdout is version('10', '>=')
- name: Reassign ownership
become_user: "{{ pg_user }}"
become: yes
postgresql_owner:
login_user: "{{ pg_user }}"
db: "{{ db_name }}"
new_owner: "{{ pg_user }}"
reassign_owned_by: "{{ item }}"
loop:
- "{{ db_user2 }}"
- "{{ db_user3 }}"
- name: Remove user given permissions
become: yes
become_user: "{{ pg_user }}"
postgresql_user:
name: "{{ db_user2 }}"
state: absent
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
- name: Remove user owner of objects
become: yes
become_user: "{{ pg_user }}"
postgresql_user:
name: "{{ db_user3 }}"
state: absent
db: "{{ db_name }}"
login_user: "{{ pg_user }}"
- name: Destroy DB
become_user: "{{ pg_user }}"
become: yes
postgresql_db:
state: absent
name: "{{ db_name }}"
login_user: "{{ pg_user }}"
Reference in New Issue View Git Blame Copy Permalink