#50877: add support to postgresql_privs to use "FOR { ROLE | USER } target_role" in "ALTER DEFAULT PRIVILEGES" (#51073)

* #50877: * add support to postgresql_privs to use "FOR { ROLE | USER } target_role" in "ALTER DEFAULT PRIVILEGES" * fix sanity errors * #50877: fix documentation and add a check for correct usage of target_roles * #50877: fix missing absent option for default privs with target_role * #50877: add clear description, when target_roles can be used * #50877: fix conflicts, formatting, and add a changelog fragment * #50877: fix sanity error E335 * #50877: swap conditions and fix error to warning msg * #50877: add tests for default privileges * #50877: fix tests for default privileges * #50877: fix tests for default privileges on centos 6
2024-09-14 20:13:21 +02:00 · 2019-03-21 14:26:44 +01:00 · 2019-03-21 14:26:44 +01:00 · bb61d7527f
commit bb61d7527f
parent 7b44bc1ac9
4 changed files with 203 additions and 13 deletions
--- a/changelogs/fragments/50877-postgresql_privs_add-support-for-target_role.yaml
+++ b/changelogs/fragments/50877-postgresql_privs_add-support-for-target_role.yaml
@ -0,0 +1,3 @@
 ---
 minor_changes:
  - "postgresql_privs - introduces support to postgresql_privs to use 'FOR { ROLE | USER } target_role' in 'ALTER DEFAULT PRIVILEGES'. (https://github.com/ansible/ansible/issues/50877)"
--- a/lib/ansible/modules/database/postgresql/postgresql_privs.py
+++ b/lib/ansible/modules/database/postgresql/postgresql_privs.py
@ -84,6 +84,12 @@ options:
    description: |
      Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of.
      Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
  target_roles:
    description:
    - A list of existing role (user/group) names to set as the
      default permissions for database objects subsequently created by them.
    - Parameter I(target_roles) is only available with C(type=default_privs).
    version_added: '2.8'
  grant_option:
    description:
      - Whether C(role) may grant/revoke the specified privileges/group
@ -302,6 +308,36 @@ EXAMPLES = """
    roles: caller
    objs: ALL_IN_SCHEMA
    schema: common
 # Available since version 2.8
 # ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library GRANT SELECT ON TABLES TO reader
 # GRANT SELECT privileges for new TABLES objects created by librarian as
 # default to the role reader.
 # For specific
 - postgresql_privs:
    db: library
    schema: library
    objs: TABLES
    privs: SELECT
    type: default_privs
    role: reader
    target_roles: librarian
 # Available since version 2.8
 # ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library REVOKE SELECT ON TABLES FROM reader
 # REVOKE SELECT privileges for new TABLES objects created by librarian as
 # default from the role reader.
 # For specific
 - postgresql_privs:
    db: library
    state: absent
    schema: library
    objs: TABLES
    privs: SELECT
    type: default_privs
    role: reader
    target_roles: librarian
 """
 import traceback
@ -538,7 +574,7 @@ class Connection(object):
    # Manipulating privileges
-    def manipulate_privs(self, obj_type, privs, objs, roles,
+    def manipulate_privs(self, obj_type, privs, objs, roles, target_roles,
                         state, grant_option, schema_qualifier=None, fail_on_role=True):
        """Manipulate database object privileges.
@ -550,6 +586,8 @@ class Connection(object):
                     privileges for.
        :param roles: Either a list of role names or "PUBLIC"
                      for the implicitly defined "PUBLIC" group
        :param target_roles: List of role names to grant/revoke
                             default privileges as.
        :param state: "present" to grant privileges, "absent" to revoke.
        :param grant_option: Only for state "present": If True, set
                             grant/admin option. If False, revoke it.
@ -639,12 +677,18 @@ class Connection(object):
            for_whom = ','.join(for_whom)
        # as_who:
        as_who = None
        if target_roles:
            as_who = ','.join(pg_quote_identifier(r, 'role') for r in target_roles)
        status_before = get_status(objs)
        query = QueryBuilder(state) \
            .for_objtype(obj_type) \
            .with_grant_option(grant_option) \
            .for_whom(for_whom) \
            .as_who(as_who) \
            .for_schema(schema_qualifier) \
            .set_what(set_what) \
            .for_objs(objs) \
@ -659,6 +703,7 @@ class QueryBuilder(object):
    def __init__(self, state):
        self._grant_option = None
        self._for_whom = None
        self._as_who = None
        self._set_what = None
        self._obj_type = None
        self._state = state
@ -682,6 +727,10 @@ class QueryBuilder(object):
        self._for_whom = who
        return self
    def as_who(self, target_roles):
        self._as_who = target_roles
        return self
    def set_what(self, what):
        self._set_what = what
        return self
@ -701,9 +750,15 @@ class QueryBuilder(object):
    def add_default_revoke(self):
        for obj in self._objs:
-            self.query.append(
+            if self._as_who:
-                'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} REVOKE ALL ON {1} FROM {2};'.format(self._schema, obj,
+                self.query.append(
-                                                                                            self._for_whom))
+                    'ALTER DEFAULT PRIVILEGES FOR ROLE {0} IN SCHEMA {1} REVOKE ALL ON {2} FROM {3};'.format(self._as_who,
                                                                                                             self._schema, obj,
                                                                                                             self._for_whom))
            else:
                self.query.append(
                    'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} REVOKE ALL ON {1} FROM {2};'.format(self._schema, obj,
                                                                                                self._for_whom))
    def add_grant_option(self):
        if self._grant_option:
@ -720,13 +775,28 @@ class QueryBuilder(object):
    def add_default_priv(self):
        for obj in self._objs:
-            self.query.append(
+            if self._as_who:
-                'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} GRANT {1} ON {2} TO {3}'.format(self._schema, self._set_what,
+                self.query.append(
-                                                                                        obj,
+                    'ALTER DEFAULT PRIVILEGES FOR ROLE {0} IN SCHEMA {1} GRANT {2} ON {3} TO {4}'.format(self._as_who,
-                                                                                        self._for_whom))
+                                                                                                         self._schema,
                                                                                                         self._set_what,
                                                                                                         obj,
                                                                                                         self._for_whom))
            else:
                self.query.append(
                    'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} GRANT {1} ON {2} TO {3}'.format(self._schema,
                                                                                            self._set_what,
                                                                                            obj,
                                                                                            self._for_whom))
            self.add_grant_option()
-        self.query.append(
+        if self._as_who:
-            'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} GRANT USAGE ON TYPES TO {1}'.format(self._schema, self._for_whom))
+            self.query.append(
                'ALTER DEFAULT PRIVILEGES FOR ROLE {0} IN SCHEMA {1} GRANT USAGE ON TYPES TO {2}'.format(self._as_who,
                                                                                                         self._schema,
                                                                                                         self._for_whom))
        else:
            self.query.append(
                'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} GRANT USAGE ON TYPES TO {1}'.format(self._schema, self._for_whom))
        self.add_grant_option()
    def build_present(self):
@ -741,9 +811,15 @@ class QueryBuilder(object):
        if self._obj_type == 'default_privs':
            self.query = []
            for obj in ['TABLES', 'SEQUENCES', 'TYPES']:
-                self.query.append(
+                if self._as_who:
-                    'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} REVOKE ALL ON {1} FROM {2};'.format(self._schema, obj,
+                    self.query.append(
-                                                                                                self._for_whom))
+                        'ALTER DEFAULT PRIVILEGES FOR ROLE {0} IN SCHEMA {1} REVOKE ALL ON {2} FROM {3};'.format(self._as_who,
                                                                                                                 self._schema, obj,
                                                                                                                 self._for_whom))
                else:
                    self.query.append(
                        'ALTER DEFAULT PRIVILEGES IN SCHEMA {0} REVOKE ALL ON {1} FROM {2};'.format(self._schema, obj,
                                                                                                    self._for_whom))
        else:
            self.query.append('REVOKE {0} FROM {1};'.format(self._set_what, self._for_whom))
@ -770,6 +846,7 @@ def main():
            schema=dict(required=False),
            roles=dict(required=True, aliases=['role']),
            session_role=dict(required=False),
            target_roles=dict(required=False),
            grant_option=dict(required=False, type='bool',
                              aliases=['admin_option']),
            host=dict(default='', aliases=['login_host']),
@ -884,11 +961,23 @@ def main():
                else:
                    module.warn("Role '%s' does not exist, nothing to do" % roles[0].strip())
        # check if target_roles is set with type: default_privs
        if p.target_roles and not p.type == 'default_privs':
            module.warn('"target_roles" will be ignored '
                        'Argument "type: default_privs" is required for usage of "target_roles".')
        # target roles
        if p.target_roles:
            target_roles = p.target_roles.split(',')
        else:
            target_roles = None
        changed = conn.manipulate_privs(
            obj_type=p.type,
            privs=privs,
            objs=objs,
            roles=roles,
            target_roles=target_roles,
            state=p.state,
            grant_option=p.grant_option,
            schema_qualifier=p.schema,
--- a/test/integration/targets/postgresql/tasks/main.yml
+++ b/test/integration/targets/postgresql/tasks/main.yml
@ -787,6 +787,10 @@
 # Test postgresql_facts module:
 - include: postgresql_facts.yml
 # Test default_privs with target_role
 - include: test_target_role.yml
  when: postgres_version_resp.stdout is version('9.1', '>=')
 # dump/restore tests per format
 # ============================================================
 - include: state_dump_restore.yml test_fixture=user file=dbdata.sql
--- a/test/integration/targets/postgresql/tasks/test_target_role.yml
+++ b/test/integration/targets/postgresql/tasks/test_target_role.yml
@ -0,0 +1,94 @@
 ---
 # Setup
 - name: Create DB
  become_user: "{{ pg_user }}"
  become: yes
  postgresql_db:
    state: present
    name: "{{ db_name }}"
    owner: "{{ db_user1 }}"
    login_user: "{{ pg_user }}"
 - name: Create a user to be given permissions and other tests
  postgresql_user:
    name: "{{ db_user2 }}"
    state: present
    encrypted: yes
    password: password
    role_attr_flags: LOGIN
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
 #######################################
 # Test default_privs with target_role #
 #######################################
 # Test
 - name: Grant default privileges for new table objects
  become_user: "{{ pg_user }}"
  become: yes
  postgresql_privs:
    db: "{{ db_name }}"
    objs: TABLES
    privs: SELECT
    type: default_privs
    role: "{{ db_user2 }}"
    target_roles: "{{ db_user1 }}"
    login_user: "{{ pg_user }}"
  register: result
 # Checks
 - assert:
    that: result.changed == true
 - name: Check that default privileges are set
  become: yes
  become_user: "{{ pg_user }}"
  shell: psql {{ db_name }} -c "SELECT defaclrole, defaclobjtype, defaclacl FROM pg_default_acl a JOIN pg_roles b ON a.defaclrole=b.oid;" -t
  register: result
 - assert:
    that: "'{{ db_user2 }}=r/{{ db_user1 }}' in '{{ result.stdout_lines[0] }}'"
 # Test
 - name: Revoke default privileges for new table objects
  become_user: "{{ pg_user }}"
  become: yes
  postgresql_privs:
    db: "{{ db_name }}"
    state: absent
    objs: TABLES
    privs: SELECT
    type: default_privs
    role: "{{ db_user2 }}"
    target_roles: "{{ db_user1 }}"
    login_user: "{{ pg_user }}"
  register: result
 # Checks
 - assert:
    that: result.changed == true
 # Cleanup
 - name: Remove user given permissions
  postgresql_user:
    name: "{{ db_user2 }}"
    state: absent
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
 - name: Remove user owner of objects
  postgresql_user:
    name: "{{ db_user3 }}"
    state: absent
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
 - name: Destroy DB
  become_user: "{{ pg_user }}"
  become: yes
  postgresql_db:
    state: absent
    name: "{{ db_name }}"
    login_user: "{{ pg_user }}"