Note
This plugin is part of the community.postgresql collection (version 1.1.1).
To install it use: ansible-galaxy collection install community.postgresql
.
To use it in a playbook, specify: community.postgresql.postgresql_privs
.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments |
---|---|---|
ca_cert string | Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. aliases: ssl_rootcert | |
database string / required | Name of database to connect to. aliases: db, login_db | |
fail_on_role boolean |
| If yes , fail when target role (for whom privs need to be granted) does not exist. Otherwise just warn and continue. |
grant_option boolean |
| Whether role may grant/revoke the specified privileges/group memberships to others.Set to no to revoke GRANT OPTION, leave unspecified to make no changes.
grant_option only has an effect if state is present .aliases: admin_option |
host string | Database host address. If unspecified, connect via Unix socket. aliases: login_host | |
login string | Default: "postgres" | The username to authenticate with. aliases: login_user |
login_host string | Host running the database. | |
login_password string | The password used to authenticate with. | |
login_unix_socket string | Path to a Unix domain socket for local connections. | |
login_user string | Default: "postgres" | The username used to authenticate with. |
objs string | Comma separated list of database objects to set privileges on. If type is table , partition table , sequence , function or procedure , the special valueC(ALL_IN_SCHEMA) can be provided instead to specify all database objects of type type in the schema specified via schema. (This also works with PostgreSQL < 9.0.) (ALL_IN_SCHEMA is available for function and partition table since Ansible 2.8).procedure is supported since PostgreSQL 11 and community.postgresql collection 1.3.0.If type is database , this parameter can be omitted, in which case privileges are set for the database specified via database.If type is function or procedure, colons (":") in object names will be replaced with commas (needed to specify signatures, see examples). aliases: obj | |
password string | The password to authenticate with. aliases: login_password | |
port integer | Default: 5432 | Database port to connect to. aliases: login_port |
privs string | Comma separated list of privileges to grant/revoke. aliases: priv | |
roles string / required | Comma separated list of role (user/group) names to set permissions for. The special value PUBLIC can be provided instead to set permissions for the implicitly defined PUBLIC group.aliases: role | |
schema string | Schema that contains the database objects specified via objs. May only be provided if type is table , sequence , function , procedure , type , or default_privs . Defaults to public in these cases.Pay attention, for embedded types when type=type schema can be pg_catalog or information_schema respectively. | |
session_role string | Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of. Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally. | |
ssl_mode string |
| Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. Default of prefer matches libpq default. |
state string |
| If present , the specified privileges are granted, if absent they are revoked. |
target_roles string | A list of existing role (user/group) names to set as the default permissions for database objects subsequently created by them. Parameter target_roles is only available with type=default_privs . | |
trust_input boolean added in 0.2.0 of community.postgresql |
| If no , check whether values of parameters roles, target_roles, session_role, schema are potentially dangerous.It makes sense to use no only when SQL injections via the parameters are possible. |
type string |
| Type of database object to set privileges on. The default_privs choice is available starting at version 2.7.The foreign_data_wrapper and foreign_server object types are available since Ansible version 2.8.The type choice is available since Ansible version 2.10.The procedure is supported since collection version 1.3.0 and PostgreSQL 11. |
unix_socket string | Path to a Unix domain socket for local connections. aliases: login_unix_socket | |
usage_on_types boolean added in 1.2.0 of community.postgresql |
| When adding default privileges, the module always implicitly adds ``USAGE ON TYPES``. To avoid this behavior, set usage_on_types to no .Added to save backwards compatibility. Used only when adding default privileges, ignored otherwise. |
Note
check_mode
.GRANT OPTION
for a specific object, set state to present
and grant_option to no
(see examples).PUBLIC
.PUBLIC
role, the module always reports that the state has been changed.RESTRICT
is assumed (see PostgreSQL docs).postgres
account on the host.See also
The official documentation on the community.postgresql.postgresql_user module.
The official documentation on the community.postgresql.postgresql_owner module.
The official documentation on the community.postgresql.postgresql_membership module.
General information about PostgreSQL privileges.
Complete reference of the PostgreSQL GRANT command documentation.
Complete reference of the PostgreSQL REVOKE command documentation.
# On database "library": # GRANT SELECT, INSERT, UPDATE ON TABLE public.books, public.authors # TO librarian, reader WITH GRANT OPTION - name: Grant privs to librarian and reader on database library community.postgresql.postgresql_privs: database: library state: present privs: SELECT,INSERT,UPDATE type: table objs: books,authors schema: public roles: librarian,reader grant_option: yes - name: Same as above leveraging default values community.postgresql.postgresql_privs: db: library privs: SELECT,INSERT,UPDATE objs: books,authors roles: librarian,reader grant_option: yes # REVOKE GRANT OPTION FOR INSERT ON TABLE books FROM reader # Note that role "reader" will be *granted* INSERT privilege itself if this # isn't already the case (since state: present). - name: Revoke privs from reader community.postgresql.postgresql_privs: db: library state: present priv: INSERT obj: books role: reader grant_option: no # "public" is the default schema. This also works for PostgreSQL 8.x. - name: REVOKE INSERT, UPDATE ON ALL TABLES IN SCHEMA public FROM reader community.postgresql.postgresql_privs: db: library state: absent privs: INSERT,UPDATE objs: ALL_IN_SCHEMA role: reader - name: GRANT ALL PRIVILEGES ON SCHEMA public, math TO librarian community.postgresql.postgresql_privs: db: library privs: ALL type: schema objs: public,math role: librarian # Note the separation of arguments with colons. - name: GRANT ALL PRIVILEGES ON FUNCTION math.add(int, int) TO librarian, reader community.postgresql.postgresql_privs: db: library privs: ALL type: function obj: add(int:int) schema: math roles: librarian,reader # Note that group role memberships apply cluster-wide and therefore are not # restricted to database "library" here. - name: GRANT librarian, reader TO alice, bob WITH ADMIN OPTION community.postgresql.postgresql_privs: db: library type: group objs: librarian,reader roles: alice,bob admin_option: yes # Note that here "db: postgres" specifies the database to connect to, not the # database to grant privileges on (which is specified via the "objs" param) - name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian community.postgresql.postgresql_privs: db: postgres privs: ALL type: database obj: library role: librarian # If objs is omitted for type "database", it defaults to the database # to which the connection is established - name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian community.postgresql.postgresql_privs: db: library privs: ALL type: database role: librarian # Available since version 2.7 # Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS # ALL_DEFAULT works only with privs=ALL # For specific - name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO librarian community.postgresql.postgresql_privs: db: library objs: ALL_DEFAULT privs: ALL type: default_privs role: librarian grant_option: yes # Available since version 2.7 # Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS # ALL_DEFAULT works only with privs=ALL # For specific - name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 1 community.postgresql.postgresql_privs: db: library objs: TABLES,SEQUENCES privs: SELECT type: default_privs role: reader - name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 2 community.postgresql.postgresql_privs: db: library objs: TYPES privs: USAGE type: default_privs role: reader # Available since version 2.8 - name: GRANT ALL PRIVILEGES ON FOREIGN DATA WRAPPER fdw TO reader community.postgresql.postgresql_privs: db: test objs: fdw privs: ALL type: foreign_data_wrapper role: reader # Available since community.postgresql 0.2.0 - name: GRANT ALL PRIVILEGES ON TYPE customtype TO reader community.postgresql.postgresql_privs: db: test objs: customtype privs: ALL type: type role: reader # Available since version 2.8 - name: GRANT ALL PRIVILEGES ON FOREIGN SERVER fdw_server TO reader community.postgresql.postgresql_privs: db: test objs: fdw_server privs: ALL type: foreign_server role: reader # Available since version 2.8 # Grant 'execute' permissions on all functions in schema 'common' to role 'caller' - name: GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA common TO caller community.postgresql.postgresql_privs: type: function state: present privs: EXECUTE roles: caller objs: ALL_IN_SCHEMA schema: common # Available since collection version 1.3.0 # Grant 'execute' permissions on all procedures in schema 'common' to role 'caller' # Needs PostreSQL 11 or higher and community.postgresql 1.3.0 or higher - name: GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA common TO caller community.postgresql.postgresql_privs: type: prucedure state: present privs: EXECUTE roles: caller objs: ALL_IN_SCHEMA schema: common # Available since version 2.8 # ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library GRANT SELECT ON TABLES TO reader # GRANT SELECT privileges for new TABLES objects created by librarian as # default to the role reader. # For specific - name: ALTER privs community.postgresql.postgresql_privs: db: library schema: library objs: TABLES privs: SELECT type: default_privs role: reader target_roles: librarian # Available since version 2.8 # ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library REVOKE SELECT ON TABLES FROM reader # REVOKE SELECT privileges for new TABLES objects created by librarian as # default from the role reader. # For specific - name: ALTER privs community.postgresql.postgresql_privs: db: library state: absent schema: library objs: TABLES privs: SELECT type: default_privs role: reader target_roles: librarian # Available since community.postgresql 0.2.0 - name: Grant type privileges for pg_catalog.numeric type to alice community.postgresql.postgresql_privs: type: type roles: alice privs: ALL objs: numeric schema: pg_catalog db: acme
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
queries list / elements=string | always | List of executed queries. Sample: ['REVOKE GRANT OPTION FOR INSERT ON TABLE "books" FROM "reader";'] |
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/community/postgresql/postgresql_privs_module.html