From 77bf8b9a66ebd2bbc017d898d62aee94c7f38c9b Mon Sep 17 00:00:00 2001
From: Andrew Klychkov
Date: Thu, 24 Sep 2020 10:08:34 +0300
Subject: [PATCH] postgresql_privs: add usage_on_types option (#941)
* postgresql_privs: add usage_of_types option
* add CI tests
* add changelog fragment
---
 ...postgresql_privs_usage_on_types_option.yml | 2 +
 .../database/postgresql/postgresql_privs.py | 38 ++++++++++++++-----
 .../tasks/postgresql_privs_general.yml | 24 ++++++++++++
 3 files changed, 55 insertions(+), 9 deletions(-)
 create mode 100644 changelogs/fragments/941-postgresql_privs_usage_on_types_option.yml
diff --git a/changelogs/fragments/941-postgresql_privs_usage_on_types_option.yml b/changelogs/fragments/941-postgresql_privs_usage_on_types_option.yml
new file mode 100644
index 0000000000..bfcafe5cd5
--- /dev/null
+++ b/changelogs/fragments/941-postgresql_privs_usage_on_types_option.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- postgresql_privs - add the ``usage_on_types`` option (https://github.com/ansible-collections/community.general/issues/884).
diff --git a/plugins/modules/database/postgresql/postgresql_privs.py b/plugins/modules/database/postgresql/postgresql_privs.py
index 155bd87e94..20cade9217 100644
--- a/plugins/modules/database/postgresql/postgresql_privs.py
+++ b/plugins/modules/database/postgresql/postgresql_privs.py
@@ -161,6 +161,15 @@ options:
 type: bool
 default: yes
 version_added: '0.2.0'
+ usage_on_types:
+ description:
+ - When adding default privileges, the module always implicitly adds ``USAGE ON TYPES``.
+ - To avoid this behavior, set I(usage_on_types) to C(no).
+ - Added to save backwards compatibility.
+ - Used only when adding default privileges, ignored otherwise.
+ type: bool
+ default: yes
+ version_added: '1.2.0'
 notes:
 - Parameters that accept comma separated lists (I(privs), I(objs), I(roles))
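Review bot: The `usage_on_types` description in the `@@ -161` hunk does not say that the default C(yes) grants the role more than the task lists, nor that switching to C(no) leaves earlier grants in place. Judging by the query-builder hunk later in this patch, C(no) only skips the `GRANT USAGE ON TYPES` statement, so default privileges added by previous runs would presumably stay until revoked separately. A bullet such as `- Setting this to C(no) does not revoke C(USAGE ON TYPES) default privileges granted by earlier runs.` would make that explicit. `- Added to save backwards compatibility.` would also read more clearly as `- The default C(yes) preserves the behavior of earlier releases.`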
@@ -658,7 +667,7 @@ class Connection(object):
 # Manipulating privileges
 def manipulate_privs(self, obj_type, privs, objs, roles, target_roles,
- state, grant_option, schema_qualifier=None, fail_on_role=True):
+ state, grant_option, schema_qualifier=None, fail_on_role=True, usage_on_types=True):
 """Manipulate database object privileges.
 :param obj_type: Type of database object to grant/revoke
@@ -780,6 +789,7 @@ class Connection(object):
 .for_schema(schema_qualifier) \
 .set_what(set_what) \
 .for_objs(objs) \
+ .usage_on_types(usage_on_types) \
 .build()
 executed_queries.append(query)
@@ -811,6 +821,7 @@ class QueryBuilder(object):
 self._state = state
 self._schema = None
 self._objs = None
+ self._usage_on_types = None
 self.query = []
 def for_objs(self, objs):
@@ -829,6 +840,10 @@ class QueryBuilder(object):
 self._for_whom = who
 return self
+ def usage_on_types(self, usage_on_types):
+ self._usage_on_types = usage_on_types
+ return self
+
 def as_who(self, target_roles):
 self._as_who = target_roles
 return self
@@ -893,14 +908,16 @@ class QueryBuilder(object):
 obj,
 self._for_whom))
 self.add_grant_option()
- if self._as_who:
- self.query.append(
- 'ALTER DEFAULT PRIVILEGES FOR ROLE {0} IN SCHEMA {1} GRANT USAGE ON TYPES TO {2}'.format(self._as_who,
- self._schema,
- self._for_whom))
- else:
- self.query.append(
- 'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} GRANT USAGE ON TYPES TO {1}'.format(self._schema, self._for_whom))
+
+ if self._usage_on_types:
+ if self._as_who:
+ self.query.append(
+ 'ALTER DEFAULT PRIVILEGES FOR ROLE {0} IN SCHEMA {1} GRANT USAGE ON TYPES TO {2}'.format(self._as_who,
+ self._schema,
+ self._for_whom))
+ else:
+ self.query.append(
+ 'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} GRANT USAGE ON TYPES TO {1}'.format(self._schema, self._for_whom))
 self.add_grant_option()
 def build_present(self):
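Review bot: `manipulate_privs` gains the `usage_on_types=True` keyword in the `@@ -658` hunk, but no hunk in this patch touches its docstring, so the new parameter is apparently left undocumented. The docstring starts in this hunk and continues outside it. A line such as `:param usage_on_types: When adding default privileges, also grant USAGE ON TYPES (default True).` next to the other `:param` entries would keep the docstring in step with the signature.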
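Review bot: In the `@@ -811` hunk `self._usage_on_types = None` gives `QueryBuilder` a falsy default, while the module option and `manipulate_privs` both default to true. A builder that never calls `usage_on_types()` therefore skips the type grant, which differs from the documented default. If the falsy start is intended, say so on the line, e.g. `self._usage_on_types = None  # falsy until usage_on_types() is called: no implicit USAGE ON TYPES grant`. The setter added in the `@@ -829` hunk would also benefit from a one-line docstring stating that it only affects default-privilege grants. The constructor body starts outside the hunk.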
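Review bot: In the `@@ -893` hunk the trailing `self.add_grant_option()` is an unchanged context line, so it appears to stay outside the new `if self._usage_on_types:` block and still runs when the option is false. Indentation is not visible in this rendering, so that placement is inferred from the line being unchanged. `add_grant_option()` is defined outside the hunk; if it edits the last entry of `self.query`, the final per-object `ALTER DEFAULT PRIVILEGES` statement would get its grant-option suffix applied a second time. Moving the call one level in, so it sits directly under the `if`/`else` that appends the `GRANT USAGE ON TYPES` query, keeps it tied to the statement it was written for. The enclosing method starts outside the hunk.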
@@ -960,6 +977,7 @@ def main():
 password=dict(default='', aliases=['login_password'], no_log=True),
 fail_on_role=dict(type='bool', default=True),
 trust_input=dict(type='bool', default=True),
+ usage_on_types=dict(type='bool', default=True),
 )
 module = AnsibleModule(
@@ -968,6 +986,7 @@ def main():
 )
 fail_on_role = module.params['fail_on_role']
+ usage_on_types = module.params['usage_on_types']
 # Create type object as namespace for module params
 p = type('Params', (), module.params)
@@ -1092,6 +1111,7 @@ def main():
 grant_option=p.grant_option,
 schema_qualifier=p.schema,
 fail_on_role=fail_on_role,
+ usage_on_types=usage_on_types,
 )
 except Error as e:
diff --git a/tests/integration/targets/postgresql_privs/tasks/postgresql_privs_general.yml b/tests/integration/targets/postgresql_privs/tasks/postgresql_privs_general.yml
index fe28150b39..50bb6026e3 100644
--- a/tests/integration/targets/postgresql_privs/tasks/postgresql_privs_general.yml
+++ b/tests/integration/targets/postgresql_privs/tasks/postgresql_privs_general.yml
@@ -71,6 +71,7 @@
 that:
 - result is changed
+# Also covers https://github.com/ansible-collections/community.general/issues/884
 - name: Set table default privs on the schema with hyphen in the name
 postgresql_privs:
 login_user: "{{ pg_user }}"
@@ -82,11 +83,34 @@
 obj: TABLES
 privs: all
 state: present
+ usage_on_types: yes
+ register: result
+ check_mode: yes
+
+- assert:
+ that:
+ - result is changed
+ - result.queries is search('ON TYPES')
+
+# Also covers https://github.com/ansible-collections/community.general/issues/884
+- name: Set table default privs on the schema with hyphen in the name
+ postgresql_privs:
+ login_user: "{{ pg_user }}"
+ password: password
+ db: "{{ db_name_with_hyphens }}"
+ schema: "{{ db_schema_with_hyphens }}"
+ role: "{{ db_user_with_hyphens }}"
+ type: default_privs
+ obj: TABLES
+ privs: all
+ state: present
+ usage_on_types: no
 register: result
 - assert:
 that:
 - result is changed
+ - result.queries is not search('ON TYPES')
 - name: Delete table default privs on the schema with hyphen in the name
 postgresql_privs:
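Review bot: The `usage_on_types: no` task is verified only by `result.queries is not search('ON TYPES')`, so the test inspects the returned query text and never the privileges the database ends up with. It also never combines the option with `grant_option`, the case where the module's unconditional trailing `add_grant_option()` call would matter. A variant with `grant_option: yes`, plus a follow-up query against `pg_default_acl`, would catch a malformed statement or an unexpected type grant. The two new tasks share the name `Set table default privs on the schema with hyphen in the name` with the existing one; a suffix such as `(usage_on_types=no)` would make a failing run easier to read.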