postgresql_privs – Grant or revoke privileges on PostgreSQL database objects
Synopsis
- Grant or revoke privileges on PostgreSQL database objects.
- This module is basically a wrapper around most of the functionality of PostgreSQL’s GRANT and REVOKE statements with detection of changes (GRANT/REVOKE privs ON type objs TO/FROM roles).
Requirements
The below requirements are needed on the host that executes this module.
- psycopg2
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| ca_cert string added in 2.3 | Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. aliases: ssl_rootcert | |
| database string / required | Name of database to connect to. aliases: db, login_db | |
| fail_on_role boolean added in 2.8 |
| If yes, fail when target role (for whom privs need to be granted) does not exist. Otherwise just warn and continue. |
| grant_option boolean |
| Whether role may grant/revoke the specified privileges/group memberships to others.Set to no to revoke GRANT OPTION, leave unspecified to make no changes.
grant_option only has an effect if state is present.aliases: admin_option |
| host string | Database host address. If unspecified, connect via Unix socket. aliases: login_host | |
| login string | Default: "postgres" | The username to authenticate with. aliases: login_user |
| login_host string | Host running the database. | |
| login_password string | The password used to authenticate with. | |
| login_unix_socket string | Path to a Unix domain socket for local connections. | |
| login_user string | Default: "postgres" | The username used to authenticate with. |
| objs string | Comma separated list of database objects to set privileges on. If type is table, partition table, sequence or function, the special valueALL_IN_SCHEMA can be provided instead to specify all database objects of type type in the schema specified via schema. (This also works with PostgreSQL < 9.0.) (ALL_IN_SCHEMA is available for function and partition table from version 2.8)If type is database, this parameter can be omitted, in which case privileges are set for the database specified via database.If type is function, colons (":") in object names will be replaced with commas (needed to specify function signatures, see examples) aliases: obj | |
| password string | The password to authenticate with. aliases: login_password | |
| port integer | Default: 5432 | Database port to connect to. aliases: login_port |
| privs string | Comma separated list of privileges to grant/revoke. aliases: priv | |
| roles string / required | Comma separated list of role (user/group) names to set permissions for. The special value PUBLIC can be provided instead to set permissions for the implicitly defined PUBLIC group.aliases: role | |
| schema string | Schema that contains the database objects specified via objs. May only be provided if type is table, sequence, function or default_privs. Defaults to public in these cases. | |
| session_role string added in 2.8 | Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of. Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally. | |
| ssl_mode string added in 2.3 |
| Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. Default of prefer matches libpq default. |
| state string |
| If present, the specified privileges are granted, if absent they are revoked. |
| target_roles string added in 2.8 | A list of existing role (user/group) names to set as the default permissions for database objects subsequently created by them. Parameter target_roles is only available with type=default_privs. | |
| type string |
| Type of database object to set privileges on. The `default_privs` choice is available starting at version 2.7. The 'foreign_data_wrapper' and 'foreign_server' object types are available from Ansible version '2.8'. |
| unix_socket string | Path to a Unix domain socket for local connections. aliases: login_unix_socket |
Notes
Note
- Default authentication assumes that postgresql_privs is run by the
postgresuser on the remote host. (Ansible’suserorsudo-user). - This module requires Python package psycopg2 to be installed on the remote host. In the default case of the remote host also being the PostgreSQL server, PostgreSQL has to be installed there as well, obviously. For Debian/Ubuntu-based systems, install packages postgresql and python-psycopg2.
- Parameters that accept comma separated lists (privs, objs, roles) have singular alias names (priv, obj, role).
- To revoke only
GRANT OPTIONfor a specific object, set state topresentand grant_option tono(see examples). - Note that when revoking privileges from a role R, this role may still have access via privileges granted to any role R is a member of including
PUBLIC. - Note that when revoking privileges from a role R, you do so as the user specified via login. If R has been granted the same privileges by another user also, R can still access database objects via these privileges.
- When revoking privileges,
RESTRICTis assumed (see PostgreSQL docs). - The ca_cert parameter requires at least Postgres version 8.4 and psycopg2 version 2.4.3.
- The default authentication assumes that you are either logging in as or sudo’ing to the
postgresaccount on the host. - This module uses psycopg2, a Python PostgreSQL database adapter. You must ensure that psycopg2 is installed on the host before using this module. If the remote host is the PostgreSQL server (which is the default case), then PostgreSQL must also be installed on the remote host. For Ubuntu-based systems, install the
postgresql,libpq-dev, andpython-psycopg2packages on the remote host before using this module. - The ca_cert parameter requires at least Postgres version 8.4 and psycopg2 version 2.4.3.
Examples
# On database "library":
# GRANT SELECT, INSERT, UPDATE ON TABLE public.books, public.authors
# TO librarian, reader WITH GRANT OPTION
- name: Grant privs to librarian and reader on database library
postgresql_privs:
database: library
state: present
privs: SELECT,INSERT,UPDATE
type: table
objs: books,authors
schema: public
roles: librarian,reader
grant_option: yes
- name: Same as above leveraging default values
postgresql_privs:
db: library
privs: SELECT,INSERT,UPDATE
objs: books,authors
roles: librarian,reader
grant_option: yes
# REVOKE GRANT OPTION FOR INSERT ON TABLE books FROM reader
# Note that role "reader" will be *granted* INSERT privilege itself if this
# isn't already the case (since state: present).
- name: Revoke privs from reader
postgresql_privs:
db: library
state: present
priv: INSERT
obj: books
role: reader
grant_option: no
# "public" is the default schema. This also works for PostgreSQL 8.x.
- name: REVOKE INSERT, UPDATE ON ALL TABLES IN SCHEMA public FROM reader
postgresql_privs:
db: library
state: absent
privs: INSERT,UPDATE
objs: ALL_IN_SCHEMA
role: reader
- name: GRANT ALL PRIVILEGES ON SCHEMA public, math TO librarian
postgresql_privs:
db: library
privs: ALL
type: schema
objs: public,math
role: librarian
# Note the separation of arguments with colons.
- name: GRANT ALL PRIVILEGES ON FUNCTION math.add(int, int) TO librarian, reader
postgresql_privs:
db: library
privs: ALL
type: function
obj: add(int:int)
schema: math
roles: librarian,reader
# Note that group role memberships apply cluster-wide and therefore are not
# restricted to database "library" here.
- name: GRANT librarian, reader TO alice, bob WITH ADMIN OPTION
postgresql_privs:
db: library
type: group
objs: librarian,reader
roles: alice,bob
admin_option: yes
# Note that here "db: postgres" specifies the database to connect to, not the
# database to grant privileges on (which is specified via the "objs" param)
- name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian
postgresql_privs:
db: postgres
privs: ALL
type: database
obj: library
role: librarian
# If objs is omitted for type "database", it defaults to the database
# to which the connection is established
- name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian
postgresql_privs:
db: library
privs: ALL
type: database
role: librarian
# Available since version 2.7
# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS
# ALL_DEFAULT works only with privs=ALL
# For specific
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO librarian
postgresql_privs:
db: library
objs: ALL_DEFAULT
privs: ALL
type: default_privs
role: librarian
grant_option: yes
# Available since version 2.7
# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS
# ALL_DEFAULT works only with privs=ALL
# For specific
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 1
postgresql_privs:
db: library
objs: TABLES,SEQUENCES
privs: SELECT
type: default_privs
role: reader
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 2
postgresql_privs:
db: library
objs: TYPES
privs: USAGE
type: default_privs
role: reader
# Available since version 2.8
- name: GRANT ALL PRIVILEGES ON FOREIGN DATA WRAPPER fdw TO reader
postgresql_privs:
db: test
objs: fdw
privs: ALL
type: foreign_data_wrapper
role: reader
# Available since version 2.8
- name: GRANT ALL PRIVILEGES ON FOREIGN SERVER fdw_server TO reader
postgresql_privs:
db: test
objs: fdw_server
privs: ALL
type: foreign_server
role: reader
# Available since version 2.8
# Grant 'execute' permissions on all functions in schema 'common' to role 'caller'
- name: GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA common TO caller
postgresql_privs:
type: function
state: present
privs: EXECUTE
roles: caller
objs: ALL_IN_SCHEMA
schema: common
# Available since version 2.8
# ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library GRANT SELECT ON TABLES TO reader
# GRANT SELECT privileges for new TABLES objects created by librarian as
# default to the role reader.
# For specific
- name: ALTER privs
postgresql_privs:
db: library
schema: library
objs: TABLES
privs: SELECT
type: default_privs
role: reader
target_roles: librarian
# Available since version 2.8
# ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library REVOKE SELECT ON TABLES FROM reader
# REVOKE SELECT privileges for new TABLES objects created by librarian as
# default from the role reader.
# For specific
- name: ALTER privs
postgresql_privs:
db: library
state: absent
schema: library
objs: TABLES
privs: SELECT
type: default_privs
role: reader
target_roles: librarian
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| queries list added in 2.8 | always | List of executed queries. Sample: ['REVOKE GRANT OPTION FOR INSERT ON TABLE "books" FROM "reader";'] |
Status
- This module is guaranteed to have no backward incompatible interface changes going forward. [stableinterface]
- This module is maintained by the Ansible Community. [community]
Authors
- Bernhard Weitzhofer (@b6d)
Hint
If you notice any issues in this documentation you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/postgresql_privs_module.html