PITR: password reset for PostgreSQL users

vitabaks · Feb 20, 2023 · b64d8b0 · b64d8b0
1 parent 6a9934c
commit b64d8b0
Showing 1 changed file with 30 additions and 9 deletions.
diff --git a/roles/patroni/tasks/main.yml b/roles/patroni/tasks/main.yml
@@ -840,7 +840,7 @@
   when: existing_pgcluster is not defined or not existing_pgcluster|bool
   tags: patroni, pg_hba, pg_hba_generate
 
-- block:  # PITR (custom bootstrap) - superuser and replication
+- block:  # PITR (custom bootstrap) - password reset for PostgreSQL users
     - name: Make sure the Master is not in recovery mode
       command: "{{ postgresql_bin_dir }}/psql -p {{ postgresql_port }} -tAc 'SELECT pg_is_in_recovery()'"
       register: pg_is_in_recovery
@@ -850,21 +850,42 @@
       changed_when: false
       when: is_master == "true"
 
-    - name: Make sure the postgresql users are present, and password does not differ from the specified
+    - name: Make sure the superuser and replication users are present, and password does not differ from the specified
       postgresql_user:
         db: postgres
-        name: "{{ item.role }}"
-        password: "{{ item.pass }}"
-        role_attr_flags: "{{ item.role_attr }}"
+        name: "{{ item.name }}"
+        password: "{{ item.password }}"
+        role_attr_flags: "{{ item.flags }}"
         login_unix_socket: "{{ postgresql_unix_socket_dir }}"
         port: "{{ postgresql_port }}"
       register: postgresql_user_result
       loop:
-        - { role: '{{ patroni_superuser_username }}', pass: '{{ patroni_superuser_password }}', role_attr: 'SUPERUSER' }
-        - { role: '{{ patroni_replication_username }}', pass: '{{ patroni_replication_password }}', role_attr: 'LOGIN,REPLICATION' }
+        - { name: '{{ patroni_superuser_username }}', password: '{{ patroni_superuser_password }}', flags: 'SUPERUSER' }
+        - { name: '{{ patroni_replication_username }}', password: '{{ patroni_replication_password }}', flags: 'LOGIN,REPLICATION' }
       loop_control:
-        label: "{{ item.role }}"
-      when: is_master == "true"
+        label: "{{ item.name }}"
+      when:
+        - is_master == "true"
+        - (patroni_superuser_username and patroni_superuser_password) is defined
+        - (patroni_superuser_username and patroni_superuser_password) | length > 0
+        - (patroni_replication_username and patroni_replication_password) is defined
+        - (patroni_replication_username and patroni_replication_password) | length > 0
+
+    - name: Make sure the postgresql users are present, and password does not differ from the specified
+      postgresql_user:
+        db: postgres
+        name: "{{ item.name }}"
+        password: "{{ item.password }}"
+        role_attr_flags: "{{ item.flags }}"
+        login_unix_socket: "{{ postgresql_unix_socket_dir }}"
+        port: "{{ postgresql_port }}"
+      loop: "{{ postgresql_users }}"
+      loop_control:
+        label: "{{ item.name }}"
+      ignore_errors: true
+      when:
+        - is_master == "true"
+        - (postgresql_users is defined and postgresql_users | length > 0)
 
     - name: Update postgresql authentication in patroni.yml
       yedit: