ansible/test/integration/targets/postgresql/tasks/session_role.yml
Feike Steenbergen 38e70ea317 Add session_role to postgresql modules (#43650)
* Allow session_role to be set for PostgreSQL

By implementing session_role it becomes possible to run the specific
PostgreSQL commands as a different role.
The usecase that is immediately served by this, is the one that one
ansible playbook can be shared by multiple users, which all have
their
own PostgreSQL login_user. They do not need to share login
credentials,
as they can share the role within the PostgreSQL database.

The following example may give some insight:

$ psql -U jdoe -X -d postgres

postgres=> CREATE DATABASE abc;
ERROR:  permission denied to create database
postgres=> set role postgres;
SET
postgres=# CREATE DATABASE abc;
CREATE DATABASE

fixes #43592

* Tests for session_role in PostgreSQL

* Bump version_added for session_role feature

* Remove explicit encrypted parameter from tests
2019-02-02 20:12:14 +01:00

254 lines
6.7 KiB
YAML

- name: Check that becoming an non-existing user throws an error
become_user: "{{ pg_user }}"
become: True
postgresql_db:
state: present
name: "{{ db_name }}"
login_user: "{{ pg_user }}"
session_role: "{{ db_session_role1 }}"
register: result
ignore_errors: True
- assert:
that:
- 'result.failed == True'
- name: Create a high privileged user
become: True
become_user: "{{ pg_user }}"
postgresql_user:
name: "{{ db_session_role1 }}"
state: "present"
password: "password"
role_attr_flags: "CREATEDB,LOGIN,CREATEROLE"
login_user: "{{ pg_user }}"
db: postgres
- name: Create a low privileged user using the newly created user
become: True
become_user: "{{ pg_user }}"
postgresql_user:
name: "{{ db_session_role2 }}"
state: "present"
password: "password"
role_attr_flags: "LOGIN"
login_user: "{{ pg_user }}"
session_role: "{{ db_session_role1 }}"
db: postgres
- name: Create DB as session_role
become_user: "{{ pg_user }}"
become: True
postgresql_db:
state: present
name: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
session_role: "{{ db_session_role1 }}"
register: result
- name: Check that database created and is owned by correct user
become_user: "{{ pg_user }}"
become: True
shell: echo "select rolname from pg_database join pg_roles on datdba = pg_roles.oid where datname = '{{ db_session_role1 }}';" | psql -AtXq postgres
register: result
- assert:
that:
- "result.stdout_lines[-1] == '{{ db_session_role1 }}'"
- name: Fail when creating database as low privileged user
become_user: "{{ pg_user }}"
become: True
postgresql_db:
state: present
name: "{{ db_session_role2 }}"
login_user: "{{ pg_user }}"
session_role: "{{ db_session_role2 }}"
register: result
ignore_errors: True
- assert:
that:
- 'result.failed == True'
- name: Create schema in own database
become_user: "{{ pg_user }}"
become: True
postgresql_schema:
database: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
name: "{{ db_session_role1 }}"
session_role: "{{ db_session_role1 }}"
- name: Create schema in own database, should be owned by session_role
become_user: "{{ pg_user }}"
become: True
postgresql_schema:
database: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
name: "{{ db_session_role1 }}"
owner: "{{ db_session_role1 }}"
register: result
- assert:
that:
- result.changed == False
- name: Fail when creating schema in postgres database as a regular user
become_user: "{{ pg_user }}"
become: True
postgresql_schema:
database: postgres
login_user: "{{ pg_user }}"
name: "{{ db_session_role1 }}"
session_role: "{{ db_session_role1 }}"
ignore_errors: True
register: result
- assert:
that:
- 'result.failed == True'
# PostgreSQL introduced extensions in 9.1, some checks are still run against older versions, therefore we need to ensure
# we only run these tests against supported PostgreSQL databases
- name: Check that pg_extension exists (postgresql >= 9.1)
become_user: "{{ pg_user }}"
become: True
shell: echo "select count(*) from pg_class where relname='pg_extension' and relkind='r'" | psql -AtXq postgres
register: pg_extension
- name: Remove plpgsql from testdb using postgresql_ext
become_user: "{{ pg_user }}"
become: True
postgresql_ext:
name: plpgsql
db: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
state: absent
when:
"pg_extension.stdout_lines[-1] == '1'"
- name: Fail when trying to create an extension as a mere mortal user
become_user: "{{ pg_user }}"
become: True
postgresql_ext:
name: plpgsql
db: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
session_role: "{{ db_session_role2 }}"
ignore_errors: True
register: result
when:
"pg_extension.stdout_lines[-1] == '1'"
- assert:
that:
- 'result.failed == True'
when:
"pg_extension.stdout_lines[-1] == '1'"
- name: Install extension as session_role
become_user: "{{ pg_user }}"
become: True
postgresql_ext:
name: plpgsql
db: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
session_role: "{{ db_session_role1 }}"
when:
"pg_extension.stdout_lines[-1] == '1'"
- name: Check that extension is created and is owned by session_role
become_user: "{{ pg_user }}"
become: True
shell: echo "select rolname from pg_extension join pg_roles on extowner=pg_roles.oid where extname='plpgsql';" | psql -AtXq "{{ db_session_role1 }}"
register: result
when:
"pg_extension.stdout_lines[-1] == '1'"
- assert:
that:
- "result.stdout_lines[-1] == '{{ db_session_role1 }}'"
when:
"pg_extension.stdout_lines[-1] == '1'"
- name: Remove plpgsql from testdb using postgresql_ext
become_user: "{{ pg_user }}"
become: True
postgresql_ext:
name: plpgsql
db: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
state: absent
when:
"pg_extension.stdout_lines[-1] == '1'"
# End of postgresql_ext conditional tests against PostgreSQL 9.1+
- name: Create table to be able to grant privileges
become_user: "{{ pg_user }}"
become: True
shell: echo "CREATE TABLE test(i int); CREATE TABLE test2(i int);" | psql -AtXq "{{ db_session_role1 }}"
- name: Grant all privileges on test1 table to low privileged user
become_user: "{{ pg_user }}"
become: True
postgresql_privs:
db: "{{ db_session_role1 }}"
type: table
objs: test
roles: "{{ db_session_role2 }}"
login_user: "{{ pg_user }}"
privs: select
admin_option: yes
- name: Verify admin option was successful for grants
become_user: "{{ pg_user }}"
become: True
postgresql_privs:
db: "{{ db_session_role1 }}"
type: table
objs: test
roles: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
privs: select
session_role: "{{ db_session_role2 }}"
- name: Verify no grants can be granted for test2 table
become_user: "{{ pg_user }}"
become: True
postgresql_privs:
db: "{{ db_session_role1 }}"
type: table
objs: test2
roles: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
privs: update
session_role: "{{ db_session_role2 }}"
ignore_errors: True
register: result
- assert:
that:
- 'result.failed == True'
- name: Drop test db
become_user: "{{ pg_user }}"
become: True
postgresql_db:
state: absent
name: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}"
- name: Drop test users
become: True
become_user: "{{ pg_user }}"
postgresql_user:
name: "{{ item }}"
state: absent
login_user: "{{ pg_user }}"
db: postgres
with_items:
- "{{ db_session_role1 }}"
- "{{ db_session_role2 }}"