Fixes issue #737: Possibility of adding privileges to objects

vitabaks · Aug 27, 2024 · 4454509 · 4454509
1 parent fa7134a
commit 4454509
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 0 deletions.
diff --git a/automation/config_pgcluster.yml b/automation/config_pgcluster.yml
@@ -199,6 +199,9 @@
     - role: postgresql-schemas
       when: inventory_hostname in groups['primary']
 
+    - role: postgresql-privs
+      when: inventory_hostname in groups['primary']
+
     - role: postgresql-extensions
       when: inventory_hostname in groups['primary']
 

diff --git a/automation/deploy_pgcluster.yml b/automation/deploy_pgcluster.yml
@@ -380,6 +380,9 @@
     - role: postgresql-schemas
       when: is_master | bool and postgresql_schemas | length > 0
 
+    - role: postgresql-privs
+      when: is_master | bool and postgresql_databases | length > 0
+
     - role: postgresql-extensions
       when: is_master | bool and postgresql_extensions | length > 0
 

diff --git a/automation/roles/postgresql-privs/tasks/main.yml b/automation/roles/postgresql-privs/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+
+- name: Grant/revoke privileges on objects
+  community.postgresql.postgresql_privs:
+    roles: "{{ item.role }}"
+    privs: "{{ item.privs }}"
+    type: "{{ item.type }}"
+    objs: "{{ item.objs }}"
+    schema: "{{ item.schema | default(omit) }}"
+    db: "{{ item.db }}"
+    state: "{{ item.state | default('present') }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ postgresql_port }}"
+    login_user: "{{ patroni_superuser_username }}"
+    login_password: "{{ patroni_superuser_password }}"
+  ignore_errors: true  # noqa ignore-errors
+  loop: "{{ postgresql_privs | flatten(1) }}"
+  when:
+    - postgresql_privs | default('') | length > 0
+    - item.role | default('') | length > 0
+    - patroni_standby_cluster.host | default('') | length < 1  # do not perform on the Standby Cluster leader
+  tags: postgresql_privs
diff --git a/automation/tags.md b/automation/tags.md
@@ -81,6 +81,7 @@
 - postgresql_users
 - postgresql_databases
 - postgresql_schemas
+- postgresql_privs
 - postgresql_extensions
 - cluster_info
 - - patroni_status

diff --git a/automation/vars/main.yml b/automation/vars/main.yml
@@ -202,6 +202,12 @@ postgresql_databases: []
 postgresql_schemas: []
 #  - { schema: "myschema", db: "mydatabase", owner: "mydb-user" }
 
+# (optional) list of privileges to be granted (if not already exists) or revoked
+postgresql_privs: []
+#  - { role: "mydb-user", privs: "SELECT", type: "table", db: "mydb", objs: "my_table", schema: "my_schema" }
+#  - { role: "db-user", privs: "EXECUTE", type: "function", db: "database_name", objs: "pg_ls_waldir()", schema: "pg_catalog" }
+#  - { role: "myuser, privs: "SELECT", type: "table", db: "mydatabase", objs: "my_table2", schema: "my_schema2", state: "absent" }
+
 # (optional) list of database extensions to be created (if not already exists)
 postgresql_extensions: []
 #  - { ext: "pg_stat_statements", db: "postgres" }