mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2024-09-14 20:13:21 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			486 lines
		
	
	
	
		
			16 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			486 lines
		
	
	
	
		
			16 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| #!/usr/bin/python
 | |
| # -*- coding: utf-8 -*-
 | |
| 
 | |
| # This file is part of Ansible
 | |
| #
 | |
| # Ansible is free software: you can redistribute it and/or modify
 | |
| # it under the terms of the GNU General Public License as published by
 | |
| # the Free Software Foundation, either version 3 of the License, or
 | |
| # (at your option) any later version.
 | |
| #
 | |
| # Ansible is distributed in the hope that it will be useful,
 | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| # GNU General Public License for more details.
 | |
| #
 | |
| # You should have received a copy of the GNU General Public License
 | |
| # along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 | |
| 
 | |
| DOCUMENTATION = '''
 | |
| ---
 | |
| module: postgresql_user
 | |
| short_description: Adds or removes a users (roles) from a PostgreSQL database.
 | |
| description:
 | |
|    - Add or remove PostgreSQL users (roles) from a remote host and, optionally,
 | |
|      grant the users access to an existing database or tables.
 | |
|    - The fundamental function of the module is to create, or delete, roles from
 | |
|      a PostgreSQL cluster. Privilege assignment, or removal, is an optional
 | |
|      step, which works on one database at a time. This allows for the module to
 | |
|      be called several times in the same module to modify the permissions on
 | |
|      different databases, or to grant permissions to already existing users.
 | |
|    - A user cannot be removed until all the privileges have been stripped from
 | |
|      the user. In such situation, if the module tries to remove the user it
 | |
|      will fail. To avoid this from happening the fail_on_user option signals
 | |
|      the module to try to remove the user, but if not possible keep going; the
 | |
|      module will report if changes happened and separately if the user was
 | |
|      removed or not.
 | |
| version_added: "0.6"
 | |
| options:
 | |
|   name:
 | |
|     description:
 | |
|       - name of the user (role) to add or remove
 | |
|     required: true
 | |
|     default: null
 | |
|   password:
 | |
|     description:
 | |
|       - set the user's password, before 1.4 this was required.
 | |
|     required: false
 | |
|     default: null
 | |
|   db:
 | |
|     description:
 | |
|       - name of database where permissions will be granted
 | |
|     required: false
 | |
|     default: null
 | |
|   fail_on_user:
 | |
|     description:
 | |
|       - if C(yes), fail when user can't be removed. Otherwise just log and continue
 | |
|     required: false
 | |
|     default: 'yes'
 | |
|     choices: [ "yes", "no" ]
 | |
|   login_user:
 | |
|     description:
 | |
|       - User (role) used to authenticate with PostgreSQL
 | |
|     required: false
 | |
|     default: postgres
 | |
|   login_password:
 | |
|     description:
 | |
|       - Password used to authenticate with PostgreSQL
 | |
|     required: false
 | |
|     default: null
 | |
|   login_host:
 | |
|     description:
 | |
|       - Host running PostgreSQL.
 | |
|     required: false
 | |
|     default: localhost
 | |
|   priv:
 | |
|     description:
 | |
|       - "PostgreSQL privileges string in the format: C(table:priv1,priv2)"
 | |
|     required: false
 | |
|     default: null
 | |
|   role_attr_flags:
 | |
|     description:
 | |
|       - "PostgreSQL role attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER"
 | |
|     required: false
 | |
|     default: null
 | |
|     choices: [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB",
 | |
|                     "[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION" ]
 | |
|   state:
 | |
|     description:
 | |
|       - The user (role) state
 | |
|     required: false
 | |
|     default: present
 | |
|     choices: [ "present", "absent" ]
 | |
|   encrypted:
 | |
|     description:
 | |
|       - denotes if the password is already encrypted. boolean.
 | |
|     required: false
 | |
|     default: false
 | |
|     version_added: '1.4'
 | |
|   expires:
 | |
|     description:
 | |
|       - sets the user's password expiration.
 | |
|     required: false
 | |
|     default: null
 | |
|     version_added: '1.4'
 | |
| notes:
 | |
|    - The default authentication assumes that you are either logging in as or
 | |
|      sudo'ing to the postgres account on the host.
 | |
|    - This module uses psycopg2, a Python PostgreSQL database adapter. You must
 | |
|      ensure that psycopg2 is installed on the host before using this module. If
 | |
|      the remote host is the PostgreSQL server (which is the default case), then
 | |
|      PostgreSQL must also be installed on the remote host. For Ubuntu-based
 | |
|      systems, install the postgresql, libpq-dev, and python-psycopg2 packages
 | |
|      on the remote host before using this module.
 | |
|    - If you specify PUBLIC as the user, then the privilege changes will apply
 | |
|      to all users. You may not specify password or role_attr_flags when the
 | |
|      PUBLIC user is specified.
 | |
| requirements: [ psycopg2 ]
 | |
| author: Lorin Hochstein
 | |
| '''
 | |
| 
 | |
| EXAMPLES = '''
 | |
| # Create django user and grant access to database and products table
 | |
| - postgresql_user: db=acme name=django password=ceec4eif7ya priv=CONNECT/products:ALL
 | |
| 
 | |
| # Create rails user, grant privilege to create other databases and demote rails from super user status
 | |
| - postgresql_user: name=rails password=secret role_attr_flags=CREATEDB,NOSUPERUSER
 | |
| 
 | |
| # Remove test user privileges from acme
 | |
| - postgresql_user: db=acme name=test priv=ALL/products:ALL state=absent fail_on_user=no
 | |
| 
 | |
| # Remove test user from test database and the cluster
 | |
| - postgresql_user: db=test name=test priv=ALL state=absent
 | |
| 
 | |
| # Example privileges string format
 | |
| INSERT,UPDATE/table:SELECT/anothertable:ALL
 | |
| 
 | |
| # Remove an existing user's password
 | |
| - postgresql_user: db=test user=test password=NULL
 | |
| '''
 | |
| 
 | |
| import re
 | |
| 
 | |
| try:
 | |
|     import psycopg2
 | |
| except ImportError:
 | |
|     postgresqldb_found = False
 | |
| else:
 | |
|     postgresqldb_found = True
 | |
| 
 | |
| # ===========================================
 | |
| # PostgreSQL module specific support methods.
 | |
| #
 | |
| 
 | |
| 
 | |
| def user_exists(cursor, user):
 | |
|     # The PUBLIC user is a special case that is always there
 | |
|     if user == 'PUBLIC':
 | |
|         return True
 | |
|     query = "SELECT rolname FROM pg_roles WHERE rolname=%(user)s"
 | |
|     cursor.execute(query, {'user': user})
 | |
|     return cursor.rowcount > 0
 | |
| 
 | |
| 
 | |
| def user_add(cursor, user, password, role_attr_flags,  encrypted, expires):
 | |
|     """Create a new database user (role)."""
 | |
|     query = 'CREATE USER "%(user)s"' % { "user": user}
 | |
|     if password is not None:
 | |
|         query = query + " WITH %(crypt)s PASSWORD '%(password)s'" % { "crypt": encrypted, "password": password }
 | |
|     if expires is not None:
 | |
|         query = query + " VALID UNTIL '%(expires)s'" % { "exipres": expires }
 | |
|     query = query + " " + role_attr_flags
 | |
|     cursor.execute(query)
 | |
|     return True
 | |
| 
 | |
| def user_alter(cursor, user, password, role_attr_flags, encrypted, expires):
 | |
|     """Change user password and/or attributes. Return True if changed, False otherwise."""
 | |
|     changed = False
 | |
| 
 | |
|     if user == 'PUBLIC':
 | |
|         if password is not None:
 | |
|             module.fail_json(msg="cannot change the password for PUBLIC user")
 | |
|         elif role_attr_flags != '':
 | |
|             module.fail_json(msg="cannot change the role_attr_flags for PUBLIC user")
 | |
|         else:
 | |
|             return False
 | |
| 
 | |
|     # Handle passwords.
 | |
|     if password is not None or role_attr_flags is not None:
 | |
|         # Select password and all flag-like columns in order to verify changes.
 | |
|         select = "SELECT * FROM pg_authid where rolname=%(user)s"
 | |
|         cursor.execute(select, {"user": user})
 | |
|         # Grab current role attributes.
 | |
|         current_role_attrs = cursor.fetchone()
 | |
| 
 | |
|         alter = 'ALTER USER "%(user)s"' % {"user": user}
 | |
|         if password is not None:
 | |
|             alter = alter + " WITH %(crypt)s PASSWORD '%(password)s' %(flags)s" % {
 | |
|                 "crypt": encrypted, "password": password, "flags": role_attr_flags
 | |
|             }
 | |
|         elif role_attr_flags:
 | |
|             alter = alter + ' WITH ' + role_attr_flags
 | |
|         if expires is not None:
 | |
|             alter = alter + " VALID UNTIL '%(expires)s'" % { "exipres": expires }
 | |
| 
 | |
|         cursor.execute(alter)
 | |
| 
 | |
|         # Grab new role attributes.
 | |
|         cursor.execute(select, {"user": user})
 | |
|         new_role_attrs = cursor.fetchone()
 | |
| 
 | |
|         # Detect any differences between current_ and new_role_attrs.
 | |
|         for i in range(len(current_role_attrs)):
 | |
|             if current_role_attrs[i] != new_role_attrs[i]:
 | |
|                 changed = True
 | |
| 
 | |
|     return changed
 | |
| 
 | |
| def user_delete(cursor, user):
 | |
|     """Try to remove a user. Returns True if successful otherwise False"""
 | |
|     cursor.execute("SAVEPOINT ansible_pgsql_user_delete")
 | |
|     try:
 | |
|         cursor.execute("DROP USER \"%s\"" % user)
 | |
|     except:
 | |
|         cursor.execute("ROLLBACK TO SAVEPOINT ansible_pgsql_user_delete")
 | |
|         cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete")
 | |
|         return False
 | |
| 
 | |
|     cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete")
 | |
|     return True
 | |
| 
 | |
| def has_table_privilege(cursor, user, table, priv):
 | |
|     query = 'SELECT has_table_privilege(%s, %s, %s)'
 | |
|     cursor.execute(query, (user, table, priv))
 | |
|     return cursor.fetchone()[0]
 | |
| 
 | |
| def get_table_privileges(cursor, user, table):
 | |
|     if '.' in table:
 | |
|         schema, table = table.split('.', 1)
 | |
|     else:
 | |
|         schema = 'public'
 | |
|     query = '''SELECT privilege_type FROM information_schema.role_table_grants
 | |
|     WHERE grantee=%s AND table_name=%s AND table_schema=%s'''
 | |
|     cursor.execute(query, (user, table, schema))
 | |
|     return set([x[0] for x in cursor.fetchall()])
 | |
| 
 | |
| 
 | |
| def grant_table_privilege(cursor, user, table, priv):
 | |
|     prev_priv = get_table_privileges(cursor, user, table)
 | |
|     query = 'GRANT %s ON TABLE \"%s\" TO \"%s\"' % (priv, table, user)
 | |
|     cursor.execute(query)
 | |
|     curr_priv = get_table_privileges(cursor, user, table)
 | |
|     return len(curr_priv) > len(prev_priv)
 | |
| 
 | |
| def revoke_table_privilege(cursor, user, table, priv):
 | |
|     prev_priv = get_table_privileges(cursor, user, table)
 | |
|     query = 'REVOKE %s ON TABLE \"%s\" FROM \"%s\"' % (priv, table, user)
 | |
|     cursor.execute(query)
 | |
|     curr_priv = get_table_privileges(cursor, user, table)
 | |
|     return len(curr_priv) < len(prev_priv)
 | |
| 
 | |
| 
 | |
| def get_database_privileges(cursor, user, db):
 | |
|     priv_map = {
 | |
|         'C':'CREATE',
 | |
|         'T':'TEMPORARY',
 | |
|         'c':'CONNECT',
 | |
|     }
 | |
|     query = 'SELECT datacl FROM pg_database WHERE datname = %s'
 | |
|     cursor.execute(query, (db,))
 | |
|     datacl = cursor.fetchone()[0]
 | |
|     if datacl is None:
 | |
|         return []
 | |
|     r = re.search('%s=(C?T?c?)/[a-z]+\,?' % user, datacl)
 | |
|     if r is None:
 | |
|         return []
 | |
|     o = []
 | |
|     for v in r.group(1):
 | |
|         o.append(priv_map[v])
 | |
|     return o
 | |
| 
 | |
| def has_database_privilege(cursor, user, db, priv):
 | |
|     query = 'SELECT has_database_privilege(%s, %s, %s)'
 | |
|     cursor.execute(query, (user, db, priv))
 | |
|     return cursor.fetchone()[0]
 | |
| 
 | |
| def grant_database_privilege(cursor, user, db, priv):
 | |
|     prev_priv = get_database_privileges(cursor, user, db)
 | |
|     if user == "PUBLIC":
 | |
|         query = 'GRANT %s ON DATABASE \"%s\" TO PUBLIC' % (priv, db)
 | |
|     else:
 | |
|         query = 'GRANT %s ON DATABASE \"%s\" TO \"%s\"' % (priv, db, user)
 | |
|     cursor.execute(query)
 | |
|     curr_priv = get_database_privileges(cursor, user, db)
 | |
|     return len(curr_priv) > len(prev_priv)
 | |
| 
 | |
| def revoke_database_privilege(cursor, user, db, priv):
 | |
|     prev_priv = get_database_privileges(cursor, user, db)
 | |
|     if user == "PUBLIC":
 | |
|         query = 'REVOKE %s ON DATABASE \"%s\" FROM PUBLIC' % (priv, db)
 | |
|     else:
 | |
|         query = 'REVOKE %s ON DATABASE \"%s\" FROM \"%s\"' % (priv, db, user)
 | |
|     cursor.execute(query)
 | |
|     curr_priv = get_database_privileges(cursor, user, db)
 | |
|     return len(curr_priv) < len(prev_priv)
 | |
| 
 | |
| def revoke_privileges(cursor, user, privs):
 | |
|     if privs is None:
 | |
|         return False
 | |
| 
 | |
|     changed = False
 | |
|     for type_ in privs:
 | |
|         revoke_func = {
 | |
|             'table':revoke_table_privilege,
 | |
|             'database':revoke_database_privilege
 | |
|         }[type_]
 | |
|         for name, privileges in privs[type_].iteritems():
 | |
|             for privilege in privileges:
 | |
|                 changed = revoke_func(cursor, user, name, privilege)\
 | |
|                         or changed
 | |
| 
 | |
|     return changed
 | |
| 
 | |
| def grant_privileges(cursor, user, privs):
 | |
|     if privs is None:
 | |
|         return False
 | |
| 
 | |
|     changed = False
 | |
|     for type_ in privs:
 | |
|         grant_func = {
 | |
|             'table':grant_table_privilege,
 | |
|             'database':grant_database_privilege
 | |
|         }[type_]
 | |
|         for name, privileges in privs[type_].iteritems():
 | |
|             for privilege in privileges:
 | |
|                 changed = grant_func(cursor, user, name, privilege)\
 | |
|                         or changed
 | |
| 
 | |
|     return changed
 | |
| 
 | |
| def parse_role_attrs(role_attr_flags):
 | |
|     """
 | |
|     Parse role attributes string for user creation.
 | |
|     Format:
 | |
| 
 | |
|         attributes[,attributes,...]
 | |
| 
 | |
|     Where:
 | |
| 
 | |
|         attributes := CREATEDB,CREATEROLE,NOSUPERUSER,...
 | |
|     """
 | |
|     if ',' not in role_attr_flags:
 | |
|         return role_attr_flags
 | |
|     flag_set = role_attr_flags.split(",")
 | |
|     o_flags = " ".join(flag_set)
 | |
|     return o_flags
 | |
| 
 | |
| def parse_privs(privs, db):
 | |
|     """
 | |
|     Parse privilege string to determine permissions for database db.
 | |
|     Format:
 | |
| 
 | |
|         privileges[/privileges/...]
 | |
| 
 | |
|     Where:
 | |
| 
 | |
|         privileges := DATABASE_PRIVILEGES[,DATABASE_PRIVILEGES,...] |
 | |
|             TABLE_NAME:TABLE_PRIVILEGES[,TABLE_PRIVILEGES,...]
 | |
|     """
 | |
|     if privs is None:
 | |
|         return privs
 | |
| 
 | |
|     o_privs = {
 | |
|         'database':{},
 | |
|         'table':{}
 | |
|     }
 | |
|     for token in privs.split('/'):
 | |
|         if ':' not in token:
 | |
|             type_ = 'database'
 | |
|             name = db
 | |
|             priv_set = set(x.strip() for x in token.split(','))
 | |
|         else:
 | |
|             type_ = 'table'
 | |
|             name, privileges = token.split(':', 1)
 | |
|             priv_set = set(x.strip() for x in privileges.split(','))
 | |
| 
 | |
|         o_privs[type_][name] = priv_set
 | |
| 
 | |
|     return o_privs
 | |
| 
 | |
| # ===========================================
 | |
| # Module execution.
 | |
| #
 | |
| 
 | |
| def main():
 | |
|     module = AnsibleModule(
 | |
|         argument_spec=dict(
 | |
|             login_user=dict(default="postgres"),
 | |
|             login_password=dict(default=""),
 | |
|             login_host=dict(default=""),
 | |
|             user=dict(required=True, aliases=['name']),
 | |
|             password=dict(default=None),
 | |
|             state=dict(default="present", choices=["absent", "present"]),
 | |
|             priv=dict(default=None),
 | |
|             db=dict(default=''),
 | |
|             port=dict(default='5432'),
 | |
|             fail_on_user=dict(type='bool', choices=BOOLEANS, default='yes'),
 | |
|             role_attr_flags=dict(default=''),
 | |
|             encrypted=dict(type='bool', choices=BOOLEANS, default='no'),
 | |
|             expires=dict(default=None)
 | |
|         ),
 | |
|         supports_check_mode = True
 | |
|     )
 | |
| 
 | |
|     user = module.params["user"]
 | |
|     password = module.params["password"]
 | |
|     state = module.params["state"]
 | |
|     fail_on_user = module.params["fail_on_user"]
 | |
|     db = module.params["db"]
 | |
|     if db == '' and module.params["priv"] is not None:
 | |
|         module.fail_json(msg="privileges require a database to be specified")
 | |
|     privs = parse_privs(module.params["priv"], db)
 | |
|     port = module.params["port"]
 | |
|     role_attr_flags = parse_role_attrs(module.params["role_attr_flags"])
 | |
|     if module.params["encrypted"]:
 | |
|         encrypted = "ENCRYPTED"
 | |
|     else:
 | |
|         encrypted = "UNENCRYPTED"
 | |
|     expires = module.params["expires"]
 | |
| 
 | |
|     if not postgresqldb_found:
 | |
|         module.fail_json(msg="the python psycopg2 module is required")
 | |
| 
 | |
|     # To use defaults values, keyword arguments must be absent, so
 | |
|     # check which values are empty and don't include in the **kw
 | |
|     # dictionary
 | |
|     params_map = {
 | |
|         "login_host":"host",
 | |
|         "login_user":"user",
 | |
|         "login_password":"password",
 | |
|         "port":"port",
 | |
|         "db":"database"
 | |
|     }
 | |
|     kw = dict( (params_map[k], v) for (k, v) in module.params.iteritems()
 | |
|               if k in params_map and v != "" )
 | |
|     try:
 | |
|         db_connection = psycopg2.connect(**kw)
 | |
|         cursor = db_connection.cursor()
 | |
|     except Exception, e:
 | |
|         module.fail_json(msg="unable to connect to database: %s" % e)
 | |
| 
 | |
|     kw = dict(user=user)
 | |
|     changed = False
 | |
|     user_removed = False
 | |
| 
 | |
|     if state == "present":
 | |
|         if user_exists(cursor, user):
 | |
|             changed = user_alter(cursor, user, password, role_attr_flags, encrypted, expires)
 | |
|         else:
 | |
|             changed = user_add(cursor, user, password, role_attr_flags, encrypted, expires)
 | |
|         changed = grant_privileges(cursor, user, privs) or changed
 | |
|     else:
 | |
|         if user_exists(cursor, user):
 | |
|             if  module.check_mode:
 | |
|                 changed = True
 | |
|                 kw['user_removed'] = True
 | |
|             else:
 | |
|                 changed = revoke_privileges(cursor, user, privs)
 | |
|                 user_removed = user_delete(cursor, user)
 | |
|                 changed = changed or user_removed
 | |
|                 if fail_on_user and not user_removed:
 | |
|                     msg = "unable to remove user"
 | |
|                     module.fail_json(msg=msg)
 | |
|                 kw['user_removed'] = user_removed
 | |
| 
 | |
|     if changed:
 | |
|         if module.check_mode:
 | |
|             db_connection.rollback()
 | |
|         else:
 | |
|             db_connection.commit()
 | |
| 
 | |
|     kw['changed'] = changed
 | |
|     module.exit_json(**kw)
 | |
| 
 | |
| # this is magic, see lib/ansible/module_common.py
 | |
| #<<INCLUDE_ANSIBLE_MODULE_COMMON>>
 | |
| main()
 |