updated tests and changelog for 54516 (#54670)

* updated tests and changelog for 54516

* Handle errors if PG does not support partitioning.

* Check for PG > 10 in tasks

* Show changes for partitioned tables in ansible

* Added documentation in the tests

* Update test/integration/targets/postgresql/tasks/postgresql_privs.yml

Co-Authored-By: raymondroelands <raymondroelands@users.noreply.github.com>

* Update test/integration/targets/postgresql/tasks/postgresql_privs.yml

Co-Authored-By: raymondroelands <raymondroelands@users.noreply.github.com>

* Added check for 0 tables after revoking rights

* Added test and moved tests
Added check mode test and moved test right after the change.

* Rebased postgresql_privs.py
Raymond Roelands 2019-04-09 13:30:06 +02:00 committed by Martin Krizek
parent bb52390b04
commit 8edae1bc61
3 changed files with 191 additions and 6 deletions


@ -0,0 +1,2 @@
bugfixes:
- "Include partition tables in the ALL_IN_SCHEMA option for postgresql-privs (https://github.com/ansible/ansible/issues/54516)"


@ -54,11 +54,11 @@ options:
objs:
description:
- Comma separated list of database objects to set privileges on.
- If I(type) is C(table), C(sequence) or C(function), the special value
C(ALL_IN_SCHEMA) can be provided instead to specify all database
objects of type I(type) in the schema specified via I(schema). (This
also works with PostgreSQL < 9.0.) (C(ALL_IN_SCHEMA) is available for
C(function) from version 2.8)
- If I(type) is C(table), C(partition table), C(sequence) or C(function),
the special valueC(ALL_IN_SCHEMA) can be provided instead to specify all
database objects of type I(type) in the schema specified via I(schema).
(This also works with PostgreSQL < 9.0.) (C(ALL_IN_SCHEMA) is available
for C(function) and C(partition table) from version 2.8)
- If I(type) is C(database), this parameter can be omitted, in which case
privileges are set for the database specified via I(database).
- 'If I(type) is I(function), colons (":") in object names will be
@ -541,7 +541,7 @@ class Connection(object):
query = """SELECT relacl
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE nspname = %s AND relkind = 'r' AND relname = ANY (%s)
WHERE nspname = %s AND relkind in ('r','p') AND relname = ANY (%s)
ORDER BY relname"""
self.cursor.execute(query, (schema, tables))
return [t[0] for t in self.cursor.fetchall()]
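Review bot: The reworded `objs` description names `C(partition table)` as a value of I(type), yet the tests on this page reach the partitioned table with `type: table`, and no hunk here adds such a choice (the `type` option's choices are outside this hunk, so confirm). As written, a reader may set an unsupported type, and nothing tells existing users that `type: table` with `ALL_IN_SCHEMA` is meant to grant or revoke on partitioned parents too, which matters when auditing who can read data through a parent table. I would word it as `- With I(type=table), C(ALL_IN_SCHEMA) also covers partitioned tables (PostgreSQL 10 and later) from version 2.8.` and restore the missing space in `valueC(ALL_IN_SCHEMA)`. The second hunk only widens the ACL lookup to `relkind in ('r','p')`; the query that enumerates objects for `ALL_IN_SCHEMA` is not visible here, so check it filters the same way.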


@ -371,6 +371,189 @@
login_user: "{{ db_user3 }}"
login_password: password
#################################################
# Test ALL_IN_SCHEMA for 'partioned tables type #
#################################################
# Partioning tables is a feature introduced in Postgresql 10.
# (see https://www.postgresql.org/docs/10/ddl-partitioning.html )
# The test below check for this version
# Function ALL_IN_SCHEMA Setup
- name: Create partioned table for test purpose
postgresql_query:
query: CREATE TABLE public.testpt (id int not null, logdate date not null) PARTITION BY RANGE (logdate);
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Grant execute to all tables in check mode
postgresql_privs:
type: table
state: present
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
check_mode: yes
# Checks
- name: Check that all partitioned tables don't have select privileges after the check mode task
postgresql_query:
query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s
db: "{{ db_name }}"
login_user: '{{ db_user2 }}'
login_password: password
named_args:
grantuser: '{{ db_user2 }}'
become: yes
become_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- result.rowcount == 0
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Grant execute to all tables
postgresql_privs:
type: table
state: present
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that: result.changed == true
when: postgres_version_resp.stdout is version('10', '>=')
- name: Check that all partitioned tables have select privileges
postgresql_query:
query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s
db: "{{ db_name }}"
login_user: '{{ db_user2 }}'
login_password: password
named_args:
grantuser: '{{ db_user2 }}'
become: yes
become_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- result.rowcount == 1
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Grant execute to all tables again to see no changes are reported
postgresql_privs:
type: table
state: present
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that: result.changed == false
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Revoke SELECT to all tables
postgresql_privs:
type: table
state: absent
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
# Checks
- assert:
that: result.changed == true
when: postgres_version_resp.stdout is version('10', '>=')
- name: Check that all partitioned tables don't have select privileges
postgresql_query:
query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s
db: "{{ db_name }}"
login_user: '{{ db_user2 }}'
login_password: password
named_args:
grantuser: '{{ db_user2 }}'
become: yes
become_user: "{{ pg_user }}"
register: result
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that:
- result.rowcount == 0
when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Revoke SELECT to all tables and no changes are reported
postgresql_privs:
type: table
state: absent
privs: SELECT
roles: "{{ db_user2 }}"
objs: ALL_IN_SCHEMA
schema: public
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
register: result
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
- assert:
that: result.changed == false
when: postgres_version_resp.stdout is version('10', '>=')
# Table ALL_IN_SCHEMA cleanup
- name: Remove table for test
postgresql_query:
query: DROP TABLE public.testpt;
db: "{{ db_name }}"
login_user: "{{ db_user3 }}"
login_password: password
ignore_errors: yes
when: postgres_version_resp.stdout is version('10', '>=')
# Cleanup
- name: Remove user given permissions
postgresql_user: