postgresql_privs: Fix bug with grant_option (#796)
This commit is contained in:
parent
b797922e20
commit
f3b82a9470
3 changed files with 139 additions and 6 deletions
|
@ -0,0 +1,2 @@
|
||||||
|
bugfixes:
|
||||||
|
- postgresql_privs - the module was attempting to revoke grant options even though ``grant_option`` was not specified (https://github.com/ansible-collections/community.general/pull/796).
|
|
@ -864,12 +864,14 @@ class QueryBuilder(object):
|
||||||
self.query[-1] += ' WITH ADMIN OPTION;'
|
self.query[-1] += ' WITH ADMIN OPTION;'
|
||||||
else:
|
else:
|
||||||
self.query[-1] += ' WITH GRANT OPTION;'
|
self.query[-1] += ' WITH GRANT OPTION;'
|
||||||
else:
|
elif self._grant_option is False:
|
||||||
self.query[-1] += ';'
|
self.query[-1] += ';'
|
||||||
if self._obj_type == 'group':
|
if self._obj_type == 'group':
|
||||||
self.query.append('REVOKE ADMIN OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom))
|
self.query.append('REVOKE ADMIN OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom))
|
||||||
elif not self._obj_type == 'default_privs':
|
elif not self._obj_type == 'default_privs':
|
||||||
self.query.append('REVOKE GRANT OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom))
|
self.query.append('REVOKE GRANT OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom))
|
||||||
|
else:
|
||||||
|
self.query[-1] += ';'
|
||||||
|
|
||||||
def add_default_priv(self):
|
def add_default_priv(self):
|
||||||
for obj in self._objs:
|
for obj in self._objs:
|
||||||
|
|
|
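Review bot: The new `elif self._grant_option is False:` branch keys the revoke on identity with the bool singleton, so any non-bool falsy value (`0`, `'no'`, an empty string) arriving in `_grant_option` would fall through to the new final `else:` and silently leave an existing WITH GRANT OPTION in place — the privilege-retention case this commit is meant to control. I cannot see from the hunk how `_grant_option` is populated (presumably from a bool-typed module parameter, in which case this is safe), so a comment above the `elif` pinning the three-state contract would help the next maintainer: `# grant_option: True -> add WITH GRANT OPTION, False -> revoke it, None/unset -> leave an existing grant option untouched`. Note the semantic shift this introduces: a playbook that omits `grant_option` no longer strips a previously delegated grant right, so from a least-privilege standpoint callers that relied on the old implicit revoke must now pass `grant_option: no` explicitly, and that caveat belongs in the option's module documentation as well as the changelog fragment. The enclosing method starts above this hunk and `add_default_priv` continues past it.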
@ -683,6 +683,135 @@
|
||||||
- result.rowcount == 0
|
- result.rowcount == 0
|
||||||
when: postgres_version_resp.stdout is version('10', '>=')
|
when: postgres_version_resp.stdout is version('10', '>=')
|
||||||
|
|
||||||
|
# Test
|
||||||
|
- name: Grant execute with grant option on pg_create_restore_point function
|
||||||
|
postgresql_privs:
|
||||||
|
privs: EXECUTE
|
||||||
|
type: function
|
||||||
|
schema: pg_catalog
|
||||||
|
obj: pg_create_restore_point(text)
|
||||||
|
db: "{{ db_name }}"
|
||||||
|
roles: "{{ db_user2 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
grant_option: yes
|
||||||
|
state: present
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
# Checks
|
||||||
|
- assert:
|
||||||
|
that: result is changed
|
||||||
|
|
||||||
|
- name: Check that user has GRANT privilege on the function
|
||||||
|
postgresql_query:
|
||||||
|
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
|
||||||
|
db: "{{ db_name }}"
|
||||||
|
login_user: "{{ db_user2 }}"
|
||||||
|
login_password: password
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that: "'{{ db_user2 }}=X*/{{ pg_user }}' in result.query_result[0].proacl"
|
||||||
|
|
||||||
|
# Test
|
||||||
|
- name: Grant execute without specifying grant_option to check idempotence
|
||||||
|
postgresql_privs:
|
||||||
|
privs: EXECUTE
|
||||||
|
type: function
|
||||||
|
schema: pg_catalog
|
||||||
|
obj: pg_create_restore_point(text)
|
||||||
|
db: "{{ db_name }}"
|
||||||
|
roles: "{{ db_user2 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
state: present
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
# Checks
|
||||||
|
- assert:
|
||||||
|
that: result is not changed
|
||||||
|
|
||||||
|
- name: Check that user has GRANT privilege on the function
|
||||||
|
postgresql_query:
|
||||||
|
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
|
||||||
|
db: "{{ db_name }}"
|
||||||
|
login_user: "{{ db_user2 }}"
|
||||||
|
login_password: password
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that: "'{{ db_user2 }}=X*/{{ pg_user }}' in result.query_result[0].proacl"
|
||||||
|
|
||||||
|
# Test
|
||||||
|
- name: Revoke grant option on pg_create_restore_point function
|
||||||
|
postgresql_privs:
|
||||||
|
privs: EXECUTE
|
||||||
|
type: function
|
||||||
|
schema: pg_catalog
|
||||||
|
obj: pg_create_restore_point(text)
|
||||||
|
db: "{{ db_name }}"
|
||||||
|
roles: "{{ db_user2 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
grant_option: no
|
||||||
|
state: present
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
# Checks
|
||||||
|
- assert:
|
||||||
|
that: result is changed
|
||||||
|
|
||||||
|
- name: Check that user does not have GRANT privilege on the function
|
||||||
|
postgresql_query:
|
||||||
|
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
|
||||||
|
db: "{{ db_name }}"
|
||||||
|
login_user: "{{ db_user2 }}"
|
||||||
|
login_password: password
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that: "'{{ db_user2 }}=X/{{ pg_user }}' in result.query_result[0].proacl"
|
||||||
|
|
||||||
|
# Test
|
||||||
|
- name: Revoke execute on pg_create_restore_point function
|
||||||
|
postgresql_privs:
|
||||||
|
privs: EXECUTE
|
||||||
|
type: function
|
||||||
|
schema: pg_catalog
|
||||||
|
obj: pg_create_restore_point(text)
|
||||||
|
db: "{{ db_name }}"
|
||||||
|
roles: "{{ db_user2 }}"
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
state: absent
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
# Checks
|
||||||
|
- assert:
|
||||||
|
that: result is changed
|
||||||
|
|
||||||
|
- name: Check that user does not have EXECUTE privilege on the function
|
||||||
|
postgresql_query:
|
||||||
|
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
|
||||||
|
db: "{{ db_name }}"
|
||||||
|
login_user: "{{ db_user2 }}"
|
||||||
|
login_password: password
|
||||||
|
become: yes
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that: "'{{ db_user2 }}' not in result.query_result[0].proacl"
|
||||||
|
|
||||||
# Test
|
# Test
|
||||||
- name: Grant execute to all tables
|
- name: Grant execute to all tables
|
||||||
|
|
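Review bot: The idempotence case at the `Grant execute without specifying grant_option to check idempotence` task only covers one direction — an existing `X*` survives an unspecified `grant_option` — but nothing verifies that after the `grant_option: no` step a subsequent run that omits the option reports `not changed` and leaves the ACL at plain `X`, which is the regression that matters most for least privilege (an unexpected re-grant of delegation rights). I would add a re-run task directly after the revoke step, mirroring the existing one, asserting `result is not changed` and that `'{{ db_user2 }}=X/{{ pg_user }}'` is still present in `proacl`. The surrounding play extends beyond this hunk on both sides.
```yaml
# … unchanged: "Revoke grant option on pg_create_restore_point function" task and its checks …
- name: Re-run without grant_option after revoke, must stay revoked and unchanged
  postgresql_privs:
    privs: EXECUTE
    type: function
    schema: pg_catalog
    obj: pg_create_restore_point(text)
    db: "{{ db_name }}"
    roles: "{{ db_user2 }}"
    login_user: "{{ pg_user }}"
    state: present
  become: yes
  become_user: "{{ pg_user }}"
  register: result

- assert:
    that: result is not changed
# … unchanged: proacl query as db_user2, then assert '{{ db_user2 }}=X/{{ pg_user }}' in proacl …
```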