Use pg_roles instead of pg_authid in postgresql (#32624)

This fix adds additional check to get details about roles from pg_roles instead of pg_authid. On AWS RDS instances, access to pg_authid is restricted for security reasons. Fixes: #32358 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2017-12-05 07:41:35 +05:30 · 2017-12-05 07:41:35 +05:30 · 8699f8cf26
commit 8699f8cf26
parent dccf58efe3
1 changed files with 12 additions and 0 deletions
--- a/lib/ansible/modules/database/postgresql/postgresql_user.py
+++ b/lib/ansible/modules/database/postgresql/postgresql_user.py
@ -332,6 +332,18 @@ def user_alter(db_connection, module, user, password, role_attr_flags, encrypted

        pwchanging = user_should_we_change_password(current_role_attrs, user, password, encrypted)

+        if current_role_attrs is None:
+            try:
+                # AWS RDS instances does not allow user to access pg_authid
+                # so try to get current_role_attrs from pg_roles tables
+                select = "SELECT * FROM pg_roles where rolname=%(user)s"
+                cursor.execute(select, {"user": user})
+                # Grab current role attributes from pg_roles
+                current_role_attrs = cursor.fetchone()
+            except psycopg2.ProgrammingError as e:
+                db_connection.rollback()
+                module.fail_json(msg="Failed to get role details for current user %s: %s" % (user, e))
+
        role_attr_flags_changing = False
        if role_attr_flags:
            role_attr_flags_dict = {}