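---
# Integration tasks for postgresql_privs with type=default_privs and
# target_roles: a database owned by db_user1 is created, SELECT default
# privileges on future tables are granted to db_user2 on db_user1's behalf,
# verified in pg_default_acl, revoked again, and everything is torn down.
# pg_user, db_name, db_user1 and db_user2 are expected from the caller;
# db_user1 is never created in this file and must already exist (it is used
# as the database owner below).

# Setup
- name: Create DB
  # Run as pg_user (presumably the cluster superuser, connecting via local
  # peer auth — confirm for your pg_hba.conf) so the database can be created
  # and handed straight to db_user1 as owner.
  become: true
  become_user: "{{ pg_user }}"
  postgresql_db:
    state: present
    name: "{{ db_name }}"
    owner: "{{ db_user1 }}"
    login_user: "{{ pg_user }}"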
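- name: Create a user to be given permissions and other tests
  # NOTE(review): unlike the neighbouring tasks this one does not use
  # become/become_user, so the connection is made as whatever account runs the
  # play, with login_user still set to pg_user. That only works where that
  # account is allowed to authenticate as pg_user — confirm this is intended
  # rather than an omission.
  postgresql_user:
    name: "{{ db_user2 }}"
    state: present
    # Throw-away fixture credential for a LOGIN role that is dropped at the
    # end of this file; do not copy this pattern into real inventories (use a
    # vaulted variable and no_log). `encrypted: true` asks the module to store
    # the password hashed rather than in clear — verify against the module
    # docs for your version.
    encrypted: true
    password: password
    role_attr_flags: LOGIN
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"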
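#######################################
# Test default_privs with target_role #
#######################################

# Test
- name: Grant default privileges for new table objects
  # Default privileges granted on behalf of db_user1 (target_roles): the
  # check that follows expects a pg_default_acl entry of the form
  # db_user2=r/db_user1, i.e. SELECT for db_user2 with db_user1 as grantor,
  # applying to tables db_user1 creates later in this database.
  become: true
  become_user: "{{ pg_user }}"
  postgresql_privs:
    db: "{{ db_name }}"
    type: default_privs
    objs: TABLES
    privs: SELECT
    role: "{{ db_user2 }}"
    target_roles: "{{ db_user1 }}"
    login_user: "{{ pg_user }}"
  register: result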
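# Checks
- assert:
    that:
      - result is changed

- name: Check that default privileges are set
  become: true
  become_user: "{{ pg_user }}"
  # db_name is interpolated into a shell command line, so it is passed through
  # the `quote` filter (shell escaping) to keep an unexpected value from
  # breaking out of the command. The SQL itself takes no external input.
  shell: psql {{ db_name | quote }} -c "SELECT defaclrole, defaclobjtype, defaclacl FROM pg_default_acl a JOIN pg_roles b ON a.defaclrole=b.oid;" -t
  # Read-only query; do not report it as a change.
  changed_when: false
  register: result

- assert:
    that:
      # aclitem form <grantee>=r/<grantor>: SELECT for db_user2 granted by
      # db_user1. Search the whole output rather than stdout_lines[0] — the
      # query has no ORDER BY, so row order is not guaranteed when more than
      # one default ACL exists. Plain Jinja expression, no {{ }} in `that`.
      - "(db_user2 ~ '=r/' ~ db_user1) in result.stdout"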
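# Test
- name: Revoke default privileges for new table objects
  # Same parameters as the grant above with state=absent, so the
  # db_user2=r/db_user1 default ACL entry is removed again.
  become: true
  become_user: "{{ pg_user }}"
  postgresql_privs:
    db: "{{ db_name }}"
    state: absent
    type: default_privs
    objs: TABLES
    privs: SELECT
    role: "{{ db_user2 }}"
    target_roles: "{{ db_user1 }}"
    login_user: "{{ pg_user }}"
  register: result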
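# Checks
- assert:
    that:
      - result is changed

# The grant path verifies the catalog; do the same for the revoke so a module
# that reports changed=true without actually dropping the ACL is caught.
- name: Check that default privileges were removed
  become: true
  become_user: "{{ pg_user }}"
  # db_name is shell-escaped with `quote` since it lands on a command line.
  shell: psql {{ db_name | quote }} -c "SELECT defaclrole, defaclobjtype, defaclacl FROM pg_default_acl a JOIN pg_roles b ON a.defaclrole=b.oid;" -t
  changed_when: false
  register: result

- assert:
    that:
      # Whole output is searched; the query has no ORDER BY.
      - "(db_user2 ~ '=r/' ~ db_user1) not in result.stdout"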
# Cleanup
# NOTE(review): with default play semantics a failed assert above stops the
# host before reaching these tasks, leaving db_user2 and the database behind.
# A block with an `always:` section would make the teardown unconditional.
- name: Remove user given permissions
  # Drops the LOGIN role created in the setup section. As there, no
  # become/become_user is set on this task.
  postgresql_user:
    state: absent
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
    name: "{{ db_user2 }}"
- name: Remove user owner of objects
  # NOTE(review): db_user3 is not created anywhere in this file; this is
  # presumably a leftover from a sibling test that shares the variable.
  # Dropping a role that does not exist is expected to be a no-op for the
  # module — verify rather than rely on it.
  postgresql_user:
    state: absent
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
    name: "{{ db_user3 }}"
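- name: Destroy DB
  # Mirror of "Create DB": drop the test database as pg_user.
  become: true
  become_user: "{{ pg_user }}"
  postgresql_db:
    state: absent
    name: "{{ db_name }}"
    login_user: "{{ pg_user }}"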