7a86083850
Previously postgresql_user quoted user supplied identifers to create grant statements that look like this: GRANT SELECT on "tablename" to "user"; Which only works if the tablename is not in a namespace. If you supply a namespaced tabelname like "report.revenue" then it creates this incorrect statement: GRANT SELECT on "report.revenue" to "user"; Which will not find the "revenue" table in the "report" namespace, but will rather look for a table named "report.revenue" in the current (default public) namespace. The correct form is: GRANT SELECT on "report"."revenue" to "user"; This approach could have the unfortunate effect that code that previously relied on the other behavior to grant privileges on tables with periods in their names may now break. PostgreSQL users typically shouldn't name tables as such, and users can still access the old behavior and use tablenames with periods in the if they must by supplying their own quoting.
506 lines
17 KiB
Python
506 lines
17 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
# This file is part of Ansible
|
|
#
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
DOCUMENTATION = '''
|
|
---
|
|
module: postgresql_user
|
|
short_description: Adds or removes a users (roles) from a PostgreSQL database.
|
|
description:
|
|
- Add or remove PostgreSQL users (roles) from a remote host and, optionally,
|
|
grant the users access to an existing database or tables.
|
|
- The fundamental function of the module is to create, or delete, roles from
|
|
a PostgreSQL cluster. Privilege assignment, or removal, is an optional
|
|
step, which works on one database at a time. This allows for the module to
|
|
be called several times in the same module to modify the permissions on
|
|
different databases, or to grant permissions to already existing users.
|
|
- A user cannot be removed until all the privileges have been stripped from
|
|
the user. In such situation, if the module tries to remove the user it
|
|
will fail. To avoid this from happening the fail_on_user option signals
|
|
the module to try to remove the user, but if not possible keep going; the
|
|
module will report if changes happened and separately if the user was
|
|
removed or not.
|
|
version_added: "0.6"
|
|
options:
|
|
name:
|
|
description:
|
|
- name of the user (role) to add or remove
|
|
required: true
|
|
default: null
|
|
password:
|
|
description:
|
|
- set the user's password, before 1.4 this was required.
|
|
- "When passing an encrypted password it must be generated with the format C('str[\\"md5\\"] + md5[ password + username ]'), resulting in a total of 35 characters. An easy way to do this is: C(echo \\"md5`echo -n \\"verysecretpasswordJOE\\" | md5`\\")."
|
|
required: false
|
|
default: null
|
|
db:
|
|
description:
|
|
- name of database where permissions will be granted
|
|
required: false
|
|
default: null
|
|
fail_on_user:
|
|
description:
|
|
- if C(yes), fail when user can't be removed. Otherwise just log and continue
|
|
required: false
|
|
default: 'yes'
|
|
choices: [ "yes", "no" ]
|
|
login_user:
|
|
description:
|
|
- User (role) used to authenticate with PostgreSQL
|
|
required: false
|
|
default: postgres
|
|
login_password:
|
|
description:
|
|
- Password used to authenticate with PostgreSQL
|
|
required: false
|
|
default: null
|
|
login_host:
|
|
description:
|
|
- Host running PostgreSQL.
|
|
required: false
|
|
default: localhost
|
|
priv:
|
|
description:
|
|
- "PostgreSQL privileges string in the format: C(table:priv1,priv2)"
|
|
required: false
|
|
default: null
|
|
role_attr_flags:
|
|
description:
|
|
- "PostgreSQL role attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER"
|
|
required: false
|
|
default: null
|
|
choices: [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB",
|
|
"[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION" ]
|
|
state:
|
|
description:
|
|
- The user (role) state
|
|
required: false
|
|
default: present
|
|
choices: [ "present", "absent" ]
|
|
encrypted:
|
|
description:
|
|
- denotes if the password is already encrypted. boolean.
|
|
required: false
|
|
default: false
|
|
version_added: '1.4'
|
|
expires:
|
|
description:
|
|
- sets the user's password expiration.
|
|
required: false
|
|
default: null
|
|
version_added: '1.4'
|
|
notes:
|
|
- The default authentication assumes that you are either logging in as or
|
|
sudo'ing to the postgres account on the host.
|
|
- This module uses psycopg2, a Python PostgreSQL database adapter. You must
|
|
ensure that psycopg2 is installed on the host before using this module. If
|
|
the remote host is the PostgreSQL server (which is the default case), then
|
|
PostgreSQL must also be installed on the remote host. For Ubuntu-based
|
|
systems, install the postgresql, libpq-dev, and python-psycopg2 packages
|
|
on the remote host before using this module.
|
|
- If you specify PUBLIC as the user, then the privilege changes will apply
|
|
to all users. You may not specify password or role_attr_flags when the
|
|
PUBLIC user is specified.
|
|
requirements: [ psycopg2 ]
|
|
author: Lorin Hochstein
|
|
'''
|
|
|
|
EXAMPLES = '''
|
|
# Create django user and grant access to database and products table
|
|
- postgresql_user: db=acme name=django password=ceec4eif7ya priv=CONNECT/products:ALL
|
|
|
|
# Create rails user, grant privilege to create other databases and demote rails from super user status
|
|
- postgresql_user: name=rails password=secret role_attr_flags=CREATEDB,NOSUPERUSER
|
|
|
|
# Remove test user privileges from acme
|
|
- postgresql_user: db=acme name=test priv=ALL/products:ALL state=absent fail_on_user=no
|
|
|
|
# Remove test user from test database and the cluster
|
|
- postgresql_user: db=test name=test priv=ALL state=absent
|
|
|
|
# Example privileges string format
|
|
INSERT,UPDATE/table:SELECT/anothertable:ALL
|
|
|
|
# Remove an existing user's password
|
|
- postgresql_user: db=test user=test password=NULL
|
|
'''
|
|
|
|
import re
|
|
|
|
try:
|
|
import psycopg2
|
|
except ImportError:
|
|
postgresqldb_found = False
|
|
else:
|
|
postgresqldb_found = True
|
|
|
|
# ===========================================
|
|
# PostgreSQL module specific support methods.
|
|
#
|
|
|
|
|
|
def user_exists(cursor, user):
|
|
# The PUBLIC user is a special case that is always there
|
|
if user == 'PUBLIC':
|
|
return True
|
|
query = "SELECT rolname FROM pg_roles WHERE rolname=%(user)s"
|
|
cursor.execute(query, {'user': user})
|
|
return cursor.rowcount > 0
|
|
|
|
|
|
def user_add(cursor, user, password, role_attr_flags, encrypted, expires):
|
|
"""Create a new database user (role)."""
|
|
query = 'CREATE USER "%(user)s"' % { "user": user}
|
|
if password is not None:
|
|
query = query + " WITH %(crypt)s PASSWORD '%(password)s'" % { "crypt": encrypted, "password": password }
|
|
if expires is not None:
|
|
query = query + " VALID UNTIL '%(expires)s'" % { "exipres": expires }
|
|
query = query + " " + role_attr_flags
|
|
cursor.execute(query)
|
|
return True
|
|
|
|
def user_alter(cursor, user, password, role_attr_flags, encrypted, expires):
|
|
"""Change user password and/or attributes. Return True if changed, False otherwise."""
|
|
changed = False
|
|
|
|
if user == 'PUBLIC':
|
|
if password is not None:
|
|
module.fail_json(msg="cannot change the password for PUBLIC user")
|
|
elif role_attr_flags != '':
|
|
module.fail_json(msg="cannot change the role_attr_flags for PUBLIC user")
|
|
else:
|
|
return False
|
|
|
|
# Handle passwords.
|
|
if password is not None or role_attr_flags is not None:
|
|
# Select password and all flag-like columns in order to verify changes.
|
|
select = "SELECT * FROM pg_authid where rolname=%(user)s"
|
|
cursor.execute(select, {"user": user})
|
|
# Grab current role attributes.
|
|
current_role_attrs = cursor.fetchone()
|
|
|
|
alter = 'ALTER USER "%(user)s"' % {"user": user}
|
|
if password is not None:
|
|
alter = alter + " WITH %(crypt)s PASSWORD '%(password)s' %(flags)s" % {
|
|
"crypt": encrypted, "password": password, "flags": role_attr_flags
|
|
}
|
|
elif role_attr_flags:
|
|
alter = alter + ' WITH ' + role_attr_flags
|
|
if expires is not None:
|
|
alter = alter + " VALID UNTIL '%(expires)s'" % { "exipres": expires }
|
|
|
|
cursor.execute(alter)
|
|
|
|
# Grab new role attributes.
|
|
cursor.execute(select, {"user": user})
|
|
new_role_attrs = cursor.fetchone()
|
|
|
|
# Detect any differences between current_ and new_role_attrs.
|
|
for i in range(len(current_role_attrs)):
|
|
if current_role_attrs[i] != new_role_attrs[i]:
|
|
changed = True
|
|
|
|
return changed
|
|
|
|
def user_delete(cursor, user):
|
|
"""Try to remove a user. Returns True if successful otherwise False"""
|
|
cursor.execute("SAVEPOINT ansible_pgsql_user_delete")
|
|
try:
|
|
cursor.execute("DROP USER \"%s\"" % user)
|
|
except:
|
|
cursor.execute("ROLLBACK TO SAVEPOINT ansible_pgsql_user_delete")
|
|
cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete")
|
|
return False
|
|
|
|
cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete")
|
|
return True
|
|
|
|
def has_table_privilege(cursor, user, table, priv):
|
|
query = 'SELECT has_table_privilege(%s, %s, %s)'
|
|
cursor.execute(query, (user, table, priv))
|
|
return cursor.fetchone()[0]
|
|
|
|
def get_table_privileges(cursor, user, table):
|
|
if '.' in table:
|
|
schema, table = table.split('.', 1)
|
|
else:
|
|
schema = 'public'
|
|
query = '''SELECT privilege_type FROM information_schema.role_table_grants
|
|
WHERE grantee=%s AND table_name=%s AND table_schema=%s'''
|
|
cursor.execute(query, (user, table, schema))
|
|
return set([x[0] for x in cursor.fetchall()])
|
|
|
|
|
|
def quote_pg_identifier(identifier):
|
|
"""
|
|
quote postgresql identifiers involving zero or more namespaces
|
|
"""
|
|
|
|
if '"' in identifier:
|
|
# the user has supplied their own quoting. we have to hope they're
|
|
# doing it right. Maybe they have an unfortunately named table
|
|
# containing a period in the name, such as: "public"."users.2013"
|
|
return identifier
|
|
|
|
tokens = identifier.strip().split(".")
|
|
quoted_tokens = []
|
|
for token in tokens:
|
|
quoted_tokens.append('"%s"' % (token, ))
|
|
return ".".join(quoted_tokens)
|
|
|
|
def grant_table_privilege(cursor, user, table, priv):
|
|
prev_priv = get_table_privileges(cursor, user, table)
|
|
query = 'GRANT %s ON TABLE %s TO %s' % (
|
|
priv, quote_pg_identifier(table), quote_pg_identifier(user), )
|
|
cursor.execute(query)
|
|
curr_priv = get_table_privileges(cursor, user, table)
|
|
return len(curr_priv) > len(prev_priv)
|
|
|
|
def revoke_table_privilege(cursor, user, table, priv):
|
|
prev_priv = get_table_privileges(cursor, user, table)
|
|
query = 'REVOKE %s ON TABLE %s FROM %s' % (
|
|
priv, quote_pg_identifier(table), quote_pg_identifier(user), )
|
|
cursor.execute(query)
|
|
curr_priv = get_table_privileges(cursor, user, table)
|
|
return len(curr_priv) < len(prev_priv)
|
|
|
|
|
|
def get_database_privileges(cursor, user, db):
|
|
priv_map = {
|
|
'C':'CREATE',
|
|
'T':'TEMPORARY',
|
|
'c':'CONNECT',
|
|
}
|
|
query = 'SELECT datacl FROM pg_database WHERE datname = %s'
|
|
cursor.execute(query, (db,))
|
|
datacl = cursor.fetchone()[0]
|
|
if datacl is None:
|
|
return []
|
|
r = re.search('%s=(C?T?c?)/[a-z]+\,?' % user, datacl)
|
|
if r is None:
|
|
return []
|
|
o = []
|
|
for v in r.group(1):
|
|
o.append(priv_map[v])
|
|
return o
|
|
|
|
def has_database_privilege(cursor, user, db, priv):
|
|
query = 'SELECT has_database_privilege(%s, %s, %s)'
|
|
cursor.execute(query, (user, db, priv))
|
|
return cursor.fetchone()[0]
|
|
|
|
def grant_database_privilege(cursor, user, db, priv):
|
|
prev_priv = get_database_privileges(cursor, user, db)
|
|
if user == "PUBLIC":
|
|
query = 'GRANT %s ON DATABASE \"%s\" TO PUBLIC' % (priv, db)
|
|
else:
|
|
query = 'GRANT %s ON DATABASE \"%s\" TO \"%s\"' % (priv, db, user)
|
|
cursor.execute(query)
|
|
curr_priv = get_database_privileges(cursor, user, db)
|
|
return len(curr_priv) > len(prev_priv)
|
|
|
|
def revoke_database_privilege(cursor, user, db, priv):
|
|
prev_priv = get_database_privileges(cursor, user, db)
|
|
if user == "PUBLIC":
|
|
query = 'REVOKE %s ON DATABASE \"%s\" FROM PUBLIC' % (priv, db)
|
|
else:
|
|
query = 'REVOKE %s ON DATABASE \"%s\" FROM \"%s\"' % (priv, db, user)
|
|
cursor.execute(query)
|
|
curr_priv = get_database_privileges(cursor, user, db)
|
|
return len(curr_priv) < len(prev_priv)
|
|
|
|
def revoke_privileges(cursor, user, privs):
|
|
if privs is None:
|
|
return False
|
|
|
|
changed = False
|
|
for type_ in privs:
|
|
revoke_func = {
|
|
'table':revoke_table_privilege,
|
|
'database':revoke_database_privilege
|
|
}[type_]
|
|
for name, privileges in privs[type_].iteritems():
|
|
for privilege in privileges:
|
|
changed = revoke_func(cursor, user, name, privilege)\
|
|
or changed
|
|
|
|
return changed
|
|
|
|
def grant_privileges(cursor, user, privs):
|
|
if privs is None:
|
|
return False
|
|
|
|
changed = False
|
|
for type_ in privs:
|
|
grant_func = {
|
|
'table':grant_table_privilege,
|
|
'database':grant_database_privilege
|
|
}[type_]
|
|
for name, privileges in privs[type_].iteritems():
|
|
for privilege in privileges:
|
|
changed = grant_func(cursor, user, name, privilege)\
|
|
or changed
|
|
|
|
return changed
|
|
|
|
def parse_role_attrs(role_attr_flags):
|
|
"""
|
|
Parse role attributes string for user creation.
|
|
Format:
|
|
|
|
attributes[,attributes,...]
|
|
|
|
Where:
|
|
|
|
attributes := CREATEDB,CREATEROLE,NOSUPERUSER,...
|
|
"""
|
|
if ',' not in role_attr_flags:
|
|
return role_attr_flags
|
|
flag_set = role_attr_flags.split(",")
|
|
o_flags = " ".join(flag_set)
|
|
return o_flags
|
|
|
|
def parse_privs(privs, db):
|
|
"""
|
|
Parse privilege string to determine permissions for database db.
|
|
Format:
|
|
|
|
privileges[/privileges/...]
|
|
|
|
Where:
|
|
|
|
privileges := DATABASE_PRIVILEGES[,DATABASE_PRIVILEGES,...] |
|
|
TABLE_NAME:TABLE_PRIVILEGES[,TABLE_PRIVILEGES,...]
|
|
"""
|
|
if privs is None:
|
|
return privs
|
|
|
|
o_privs = {
|
|
'database':{},
|
|
'table':{}
|
|
}
|
|
for token in privs.split('/'):
|
|
if ':' not in token:
|
|
type_ = 'database'
|
|
name = db
|
|
priv_set = set(x.strip() for x in token.split(','))
|
|
else:
|
|
type_ = 'table'
|
|
name, privileges = token.split(':', 1)
|
|
priv_set = set(x.strip() for x in privileges.split(','))
|
|
|
|
o_privs[type_][name] = priv_set
|
|
|
|
return o_privs
|
|
|
|
# ===========================================
|
|
# Module execution.
|
|
#
|
|
|
|
def main():
|
|
module = AnsibleModule(
|
|
argument_spec=dict(
|
|
login_user=dict(default="postgres"),
|
|
login_password=dict(default=""),
|
|
login_host=dict(default=""),
|
|
user=dict(required=True, aliases=['name']),
|
|
password=dict(default=None),
|
|
state=dict(default="present", choices=["absent", "present"]),
|
|
priv=dict(default=None),
|
|
db=dict(default=''),
|
|
port=dict(default='5432'),
|
|
fail_on_user=dict(type='bool', choices=BOOLEANS, default='yes'),
|
|
role_attr_flags=dict(default=''),
|
|
encrypted=dict(type='bool', choices=BOOLEANS, default='no'),
|
|
expires=dict(default=None)
|
|
),
|
|
supports_check_mode = True
|
|
)
|
|
|
|
user = module.params["user"]
|
|
password = module.params["password"]
|
|
state = module.params["state"]
|
|
fail_on_user = module.params["fail_on_user"]
|
|
db = module.params["db"]
|
|
if db == '' and module.params["priv"] is not None:
|
|
module.fail_json(msg="privileges require a database to be specified")
|
|
privs = parse_privs(module.params["priv"], db)
|
|
port = module.params["port"]
|
|
role_attr_flags = parse_role_attrs(module.params["role_attr_flags"])
|
|
if module.params["encrypted"]:
|
|
encrypted = "ENCRYPTED"
|
|
else:
|
|
encrypted = "UNENCRYPTED"
|
|
expires = module.params["expires"]
|
|
|
|
if not postgresqldb_found:
|
|
module.fail_json(msg="the python psycopg2 module is required")
|
|
|
|
# To use defaults values, keyword arguments must be absent, so
|
|
# check which values are empty and don't include in the **kw
|
|
# dictionary
|
|
params_map = {
|
|
"login_host":"host",
|
|
"login_user":"user",
|
|
"login_password":"password",
|
|
"port":"port",
|
|
"db":"database"
|
|
}
|
|
kw = dict( (params_map[k], v) for (k, v) in module.params.iteritems()
|
|
if k in params_map and v != "" )
|
|
try:
|
|
db_connection = psycopg2.connect(**kw)
|
|
cursor = db_connection.cursor()
|
|
except Exception, e:
|
|
module.fail_json(msg="unable to connect to database: %s" % e)
|
|
|
|
kw = dict(user=user)
|
|
changed = False
|
|
user_removed = False
|
|
|
|
if state == "present":
|
|
if user_exists(cursor, user):
|
|
changed = user_alter(cursor, user, password, role_attr_flags, encrypted, expires)
|
|
else:
|
|
changed = user_add(cursor, user, password, role_attr_flags, encrypted, expires)
|
|
changed = grant_privileges(cursor, user, privs) or changed
|
|
else:
|
|
if user_exists(cursor, user):
|
|
if module.check_mode:
|
|
changed = True
|
|
kw['user_removed'] = True
|
|
else:
|
|
changed = revoke_privileges(cursor, user, privs)
|
|
user_removed = user_delete(cursor, user)
|
|
changed = changed or user_removed
|
|
if fail_on_user and not user_removed:
|
|
msg = "unable to remove user"
|
|
module.fail_json(msg=msg)
|
|
kw['user_removed'] = user_removed
|
|
|
|
if changed:
|
|
if module.check_mode:
|
|
db_connection.rollback()
|
|
else:
|
|
db_connection.commit()
|
|
|
|
kw['changed'] = changed
|
|
module.exit_json(**kw)
|
|
|
|
# import module snippets
|
|
from ansible.module_utils.basic import *
|
|
main()
|