mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Allow setting/unsetting BYPASSRLS Postgres role attribute (#24625)
* Allow setting/unsetting BYPASSRLS role attr * Build valid role attrs against version * Add integration tests
This commit is contained in:
parent
603366863f
commit
723c8f06ab
4 changed files with 243 additions and 93 deletions
|
@ -103,7 +103,7 @@ options:
|
||||||
required: false
|
required: false
|
||||||
default: ""
|
default: ""
|
||||||
choices: [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB",
|
choices: [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB",
|
||||||
"[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION" ]
|
"[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION", "[NO]BYPASSRLS" ]
|
||||||
state:
|
state:
|
||||||
description:
|
description:
|
||||||
- The user (role) state
|
- The user (role) state
|
||||||
|
@ -210,6 +210,8 @@ EXAMPLES = '''
|
||||||
import re
|
import re
|
||||||
import itertools
|
import itertools
|
||||||
|
|
||||||
|
from distutils.version import StrictVersion
|
||||||
|
|
||||||
try:
|
try:
|
||||||
import psycopg2
|
import psycopg2
|
||||||
import psycopg2.extras
|
import psycopg2.extras
|
||||||
|
@ -220,7 +222,7 @@ else:
|
||||||
from ansible.module_utils.six import iteritems
|
from ansible.module_utils.six import iteritems
|
||||||
|
|
||||||
_flags = ('SUPERUSER', 'CREATEROLE', 'CREATEUSER', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION')
|
_flags = ('SUPERUSER', 'CREATEROLE', 'CREATEUSER', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION')
|
||||||
VALID_FLAGS = frozenset(itertools.chain(_flags, ('NO%s' % f for f in _flags)))
|
_flags_by_version = {'BYPASSRLS': '9.5.0'}
|
||||||
|
|
||||||
VALID_PRIVS = dict(table=frozenset(('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL')),
|
VALID_PRIVS = dict(table=frozenset(('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL')),
|
||||||
database=frozenset(('CREATE', 'CONNECT', 'TEMPORARY', 'TEMP', 'ALL')),
|
database=frozenset(('CREATE', 'CONNECT', 'TEMPORARY', 'TEMP', 'ALL')),
|
||||||
|
@ -230,7 +232,7 @@ VALID_PRIVS = dict(table=frozenset(('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRU
|
||||||
PRIV_TO_AUTHID_COLUMN = dict(SUPERUSER='rolsuper', CREATEROLE='rolcreaterole',
|
PRIV_TO_AUTHID_COLUMN = dict(SUPERUSER='rolsuper', CREATEROLE='rolcreaterole',
|
||||||
CREATEUSER='rolcreateuser', CREATEDB='rolcreatedb',
|
CREATEUSER='rolcreateuser', CREATEDB='rolcreatedb',
|
||||||
INHERIT='rolinherit', LOGIN='rolcanlogin',
|
INHERIT='rolinherit', LOGIN='rolcanlogin',
|
||||||
REPLICATION='rolreplication')
|
REPLICATION='rolreplication', BYPASSRLS='rolbypassrls')
|
||||||
|
|
||||||
class InvalidFlagsError(Exception):
|
class InvalidFlagsError(Exception):
|
||||||
pass
|
pass
|
||||||
|
@ -558,7 +560,7 @@ def grant_privileges(cursor, user, privs):
|
||||||
changed = True
|
changed = True
|
||||||
return changed
|
return changed
|
||||||
|
|
||||||
def parse_role_attrs(role_attr_flags):
|
def parse_role_attrs(cursor, role_attr_flags):
|
||||||
"""
|
"""
|
||||||
Parse role attributes string for user creation.
|
Parse role attributes string for user creation.
|
||||||
Format:
|
Format:
|
||||||
|
@ -569,18 +571,24 @@ def parse_role_attrs(role_attr_flags):
|
||||||
|
|
||||||
attributes := CREATEDB,CREATEROLE,NOSUPERUSER,...
|
attributes := CREATEDB,CREATEROLE,NOSUPERUSER,...
|
||||||
[ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB",
|
[ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB",
|
||||||
"[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION" ]
|
"[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION",
|
||||||
|
"[NO]BYPASSRLS" ]
|
||||||
|
|
||||||
|
Note: "[NO]BYPASSRLS" role attribute introduced in 9.5
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
flags = frozenset(itertools.chain(_flags, get_valid_flags_by_version(cursor)))
|
||||||
|
valid_flags = frozenset(itertools.chain(flags, ('NO%s' % f for f in flags)))
|
||||||
|
|
||||||
if ',' in role_attr_flags:
|
if ',' in role_attr_flags:
|
||||||
flag_set = frozenset(r.upper() for r in role_attr_flags.split(","))
|
flag_set = frozenset(r.upper() for r in role_attr_flags.split(","))
|
||||||
elif role_attr_flags:
|
elif role_attr_flags:
|
||||||
flag_set = frozenset((role_attr_flags.upper(),))
|
flag_set = frozenset((role_attr_flags.upper(),))
|
||||||
else:
|
else:
|
||||||
flag_set = frozenset()
|
flag_set = frozenset()
|
||||||
if not flag_set.issubset(VALID_FLAGS):
|
if not flag_set.issubset(valid_flags):
|
||||||
raise InvalidFlagsError('Invalid role_attr_flags specified: %s' %
|
raise InvalidFlagsError('Invalid role_attr_flags specified: %s' %
|
||||||
' '.join(flag_set.difference(VALID_FLAGS)))
|
' '.join(flag_set.difference(valid_flags)))
|
||||||
o_flags = ' '.join(flag_set)
|
o_flags = ' '.join(flag_set)
|
||||||
return o_flags
|
return o_flags
|
||||||
|
|
||||||
|
@ -633,6 +641,35 @@ def parse_privs(privs, db):
|
||||||
|
|
||||||
return o_privs
|
return o_privs
|
||||||
|
|
||||||
|
def get_pg_server_version(cursor):
|
||||||
|
"""
|
||||||
|
Queries Postgres for its server version.
|
||||||
|
|
||||||
|
server_version should be just the server version itself:
|
||||||
|
|
||||||
|
postgres=# SHOW SERVER_VERSION;
|
||||||
|
server_version
|
||||||
|
----------------
|
||||||
|
9.6.2
|
||||||
|
(1 row)
|
||||||
|
"""
|
||||||
|
cursor.execute("SHOW SERVER_VERSION")
|
||||||
|
return cursor.fetchone()['server_version']
|
||||||
|
|
||||||
|
def get_valid_flags_by_version(cursor):
|
||||||
|
"""
|
||||||
|
Some role attributes were introduced after certain versions. We want to
|
||||||
|
compile a list of valid flags against the current Postgres version.
|
||||||
|
"""
|
||||||
|
current_version = StrictVersion(get_pg_server_version(cursor))
|
||||||
|
|
||||||
|
return [
|
||||||
|
flag
|
||||||
|
for flag, version_introduced in _flags_by_version.items()
|
||||||
|
if current_version >= StrictVersion(version_introduced)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
# ===========================================
|
# ===========================================
|
||||||
# Module execution.
|
# Module execution.
|
||||||
#
|
#
|
||||||
|
@ -671,11 +708,6 @@ def main():
|
||||||
privs = parse_privs(module.params["priv"], db)
|
privs = parse_privs(module.params["priv"], db)
|
||||||
port = module.params["port"]
|
port = module.params["port"]
|
||||||
no_password_changes = module.params["no_password_changes"]
|
no_password_changes = module.params["no_password_changes"]
|
||||||
try:
|
|
||||||
role_attr_flags = parse_role_attrs(module.params["role_attr_flags"])
|
|
||||||
except InvalidFlagsError:
|
|
||||||
e = get_exception()
|
|
||||||
module.fail_json(msg=str(e))
|
|
||||||
if module.params["encrypted"]:
|
if module.params["encrypted"]:
|
||||||
encrypted = "ENCRYPTED"
|
encrypted = "ENCRYPTED"
|
||||||
else:
|
else:
|
||||||
|
@ -723,6 +755,12 @@ def main():
|
||||||
e = get_exception()
|
e = get_exception()
|
||||||
module.fail_json(msg="unable to connect to database: %s" % e)
|
module.fail_json(msg="unable to connect to database: %s" % e)
|
||||||
|
|
||||||
|
try:
|
||||||
|
role_attr_flags = parse_role_attrs(cursor, module.params["role_attr_flags"])
|
||||||
|
except InvalidFlagsError:
|
||||||
|
e = get_exception()
|
||||||
|
module.fail_json(msg=str(e))
|
||||||
|
|
||||||
kw = dict(user=user)
|
kw = dict(user=user)
|
||||||
changed = False
|
changed = False
|
||||||
user_removed = False
|
user_removed = False
|
||||||
|
|
|
@ -268,92 +268,27 @@
|
||||||
that:
|
that:
|
||||||
- "result.changed == False"
|
- "result.changed == False"
|
||||||
|
|
||||||
- name: Create a user with all role attributes
|
# BYPASSRLS role attribute was introduced in Postgres 9.5, so
|
||||||
|
# we want to test atrribute management differently depending
|
||||||
|
# on the version. See https://github.com/ansible/ansible/pull/24625
|
||||||
|
# for more details.
|
||||||
|
- name: Get Postgres version
|
||||||
become_user: "{{ pg_user }}"
|
become_user: "{{ pg_user }}"
|
||||||
become: True
|
become: True
|
||||||
postgresql_user:
|
shell: echo 'SHOW SERVER_VERSION' | psql -d postgres
|
||||||
name: "{{ db_user1 }}"
|
register: postgres_version_resp
|
||||||
state: "present"
|
|
||||||
role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login"
|
|
||||||
login_user: "{{ pg_user }}"
|
|
||||||
db: postgres
|
|
||||||
|
|
||||||
- name: Check that the user has the requested role attributes
|
- name: Print Postgres server version
|
||||||
become_user: "{{ pg_user }}"
|
debug:
|
||||||
become: True
|
msg: "{{ postgres_version_resp.stdout_lines[-2] | trim }}"
|
||||||
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
|
|
||||||
register: result
|
|
||||||
|
|
||||||
- assert:
|
- name: Role attribute testing for Postgres 9.5+
|
||||||
that:
|
include: postgresql_user_9.5_or_greater.yml
|
||||||
- "result.stdout_lines[-1] == '(1 row)'"
|
when: (postgres_version_resp.stdout_lines[-2] | trim) | version_compare('9.5.0', '>=')
|
||||||
- "'super:t' in result.stdout_lines[-2]"
|
|
||||||
- "'createrole:t' in result.stdout_lines[-2]"
|
|
||||||
- "'create:t' in result.stdout_lines[-2]"
|
|
||||||
- "'inherit:t' in result.stdout_lines[-2]"
|
|
||||||
- "'login:t' in result.stdout_lines[-2]"
|
|
||||||
|
|
||||||
- name: Modify a user to have no role attributes
|
- name: Role attribute testing for Postgres versions below 9.5
|
||||||
become_user: "{{ pg_user }}"
|
include: postgresql_user_less_than_9.5.yml
|
||||||
become: True
|
when: (postgres_version_resp.stdout_lines[-2] | trim) | version_compare('9.5.0', '<')
|
||||||
postgresql_user:
|
|
||||||
name: "{{ db_user1 }}"
|
|
||||||
state: "present"
|
|
||||||
role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN"
|
|
||||||
login_user: "{{ pg_user }}"
|
|
||||||
db: postgres
|
|
||||||
register: result
|
|
||||||
|
|
||||||
- name: Check that ansible reports it modified the role
|
|
||||||
assert:
|
|
||||||
that:
|
|
||||||
- "result.changed == True"
|
|
||||||
|
|
||||||
- name: Check that the user has the requested role attributes
|
|
||||||
become_user: "{{ pg_user }}"
|
|
||||||
become: True
|
|
||||||
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
|
|
||||||
register: result
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- "result.stdout_lines[-1] == '(1 row)'"
|
|
||||||
- "'super:f' in result.stdout_lines[-2]"
|
|
||||||
- "'createrole:f' in result.stdout_lines[-2]"
|
|
||||||
- "'create:f' in result.stdout_lines[-2]"
|
|
||||||
- "'inherit:f' in result.stdout_lines[-2]"
|
|
||||||
- "'login:f' in result.stdout_lines[-2]"
|
|
||||||
|
|
||||||
- name: Modify a single role attribute on a user
|
|
||||||
become_user: "{{ pg_user }}"
|
|
||||||
become: True
|
|
||||||
postgresql_user:
|
|
||||||
name: "{{ db_user1 }}"
|
|
||||||
state: "present"
|
|
||||||
role_attr_flags: "LOGIN"
|
|
||||||
login_user: "{{ pg_user }}"
|
|
||||||
db: postgres
|
|
||||||
register: result
|
|
||||||
|
|
||||||
- name: Check that ansible reports it modified the role
|
|
||||||
assert:
|
|
||||||
that:
|
|
||||||
- "result.changed == True"
|
|
||||||
|
|
||||||
- name: Check that the user has the requested role attributes
|
|
||||||
become_user: "{{ pg_user }}"
|
|
||||||
become: True
|
|
||||||
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
|
|
||||||
register: result
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- "result.stdout_lines[-1] == '(1 row)'"
|
|
||||||
- "'super:f' in result.stdout_lines[-2]"
|
|
||||||
- "'createrole:f' in result.stdout_lines[-2]"
|
|
||||||
- "'create:f' in result.stdout_lines[-2]"
|
|
||||||
- "'inherit:f' in result.stdout_lines[-2]"
|
|
||||||
- "'login:t' in result.stdout_lines[-2]"
|
|
||||||
|
|
||||||
- name: Cleanup the user
|
- name: Cleanup the user
|
||||||
become_user: "{{ pg_user }}"
|
become_user: "{{ pg_user }}"
|
||||||
|
|
|
@ -0,0 +1,90 @@
|
||||||
|
---
|
||||||
|
- name: Create a user with all role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ db_user1 }}"
|
||||||
|
state: "present"
|
||||||
|
role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login,BYPASSRLS"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
|
||||||
|
- name: Check that the user has the requested role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin, 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.stdout_lines[-1] == '(1 row)'"
|
||||||
|
- "'super:t' in result.stdout_lines[-2]"
|
||||||
|
- "'createrole:t' in result.stdout_lines[-2]"
|
||||||
|
- "'create:t' in result.stdout_lines[-2]"
|
||||||
|
- "'inherit:t' in result.stdout_lines[-2]"
|
||||||
|
- "'login:t' in result.stdout_lines[-2]"
|
||||||
|
- "'bypassrls:t' in result.stdout_lines[-2]"
|
||||||
|
|
||||||
|
- name: Modify a user to have no role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ db_user1 }}"
|
||||||
|
state: "present"
|
||||||
|
role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN,NOBYPASSRLS"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- name: Check that ansible reports it modified the role
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "result.changed == True"
|
||||||
|
|
||||||
|
- name: Check that the user has the requested role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin, 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.stdout_lines[-1] == '(1 row)'"
|
||||||
|
- "'super:f' in result.stdout_lines[-2]"
|
||||||
|
- "'createrole:f' in result.stdout_lines[-2]"
|
||||||
|
- "'create:f' in result.stdout_lines[-2]"
|
||||||
|
- "'inherit:f' in result.stdout_lines[-2]"
|
||||||
|
- "'login:f' in result.stdout_lines[-2]"
|
||||||
|
- "'bypassrls:f' in result.stdout_lines[-2]"
|
||||||
|
|
||||||
|
- name: Modify a single role attribute on a user
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ db_user1 }}"
|
||||||
|
state: "present"
|
||||||
|
role_attr_flags: "LOGIN"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- name: Check that ansible reports it modified the role
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "result.changed == True"
|
||||||
|
|
||||||
|
- name: Check that the user has the requested role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin, 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.stdout_lines[-1] == '(1 row)'"
|
||||||
|
- "'super:f' in result.stdout_lines[-2]"
|
||||||
|
- "'createrole:f' in result.stdout_lines[-2]"
|
||||||
|
- "'create:f' in result.stdout_lines[-2]"
|
||||||
|
- "'inherit:f' in result.stdout_lines[-2]"
|
||||||
|
- "'login:t' in result.stdout_lines[-2]"
|
||||||
|
- "'bypassrls:f' in result.stdout_lines[-2]"
|
|
@ -0,0 +1,87 @@
|
||||||
|
---
|
||||||
|
- name: Create a user with all role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ db_user1 }}"
|
||||||
|
state: "present"
|
||||||
|
role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
|
||||||
|
- name: Check that the user has the requested role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.stdout_lines[-1] == '(1 row)'"
|
||||||
|
- "'super:t' in result.stdout_lines[-2]"
|
||||||
|
- "'createrole:t' in result.stdout_lines[-2]"
|
||||||
|
- "'create:t' in result.stdout_lines[-2]"
|
||||||
|
- "'inherit:t' in result.stdout_lines[-2]"
|
||||||
|
- "'login:t' in result.stdout_lines[-2]"
|
||||||
|
|
||||||
|
- name: Modify a user to have no role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ db_user1 }}"
|
||||||
|
state: "present"
|
||||||
|
role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- name: Check that ansible reports it modified the role
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "result.changed == True"
|
||||||
|
|
||||||
|
- name: Check that the user has the requested role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.stdout_lines[-1] == '(1 row)'"
|
||||||
|
- "'super:f' in result.stdout_lines[-2]"
|
||||||
|
- "'createrole:f' in result.stdout_lines[-2]"
|
||||||
|
- "'create:f' in result.stdout_lines[-2]"
|
||||||
|
- "'inherit:f' in result.stdout_lines[-2]"
|
||||||
|
- "'login:f' in result.stdout_lines[-2]"
|
||||||
|
|
||||||
|
- name: Modify a single role attribute on a user
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ db_user1 }}"
|
||||||
|
state: "present"
|
||||||
|
role_attr_flags: "LOGIN"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- name: Check that ansible reports it modified the role
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "result.changed == True"
|
||||||
|
|
||||||
|
- name: Check that the user has the requested role attributes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: True
|
||||||
|
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- "result.stdout_lines[-1] == '(1 row)'"
|
||||||
|
- "'super:f' in result.stdout_lines[-2]"
|
||||||
|
- "'createrole:f' in result.stdout_lines[-2]"
|
||||||
|
- "'create:f' in result.stdout_lines[-2]"
|
||||||
|
- "'inherit:f' in result.stdout_lines[-2]"
|
||||||
|
- "'login:t' in result.stdout_lines[-2]"
|
Loading…
Reference in a new issue