210d711553
This Module allows to manage privileges on PostgreSQL database objects (currently: tables, sequences, functions, databases, schemas, languages and tablespaces) as well as group role memberships. It is basically a wrapper around most of the functionality of PostgreSQL's GRANT and REVOKE statements with additional detection of changes and support for dry-runs (check-mode). postgresql_privs should work with PostgreSQL 8.4 and above. Python Module psycopg2 is required on the remote host.
600 lines
21 KiB
Python
600 lines
21 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
# This file is part of Ansible
|
|
#
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
DOCUMENTATION = """
|
|
---
|
|
module: postgresql_privs
|
|
short_description: Grant or revoke privileges on PostgreSQL database objects.
|
|
description:
|
|
- Grant or revoke privileges on PostgreSQL database objects.
|
|
- This module is basically a wrapper around most of the functionality of
|
|
PostgreSQL's GRANT and REVOKE statements with detection of changes
|
|
(GRANT/REVOKE I(privs) ON I(type) I(objs) TO/FROM I(roles))
|
|
options:
|
|
database:
|
|
description:
|
|
- Name of database to connect to.
|
|
- 'Alias: I(db)'
|
|
required: yes
|
|
state:
|
|
description:
|
|
- If C(present), the specified privileges are granted, if C(absent) they
|
|
are revoked.
|
|
required: no
|
|
default: present
|
|
choices: [present, absent]
|
|
privs:
|
|
description:
|
|
- Comma separated list of privileges to grant/revoke.
|
|
- 'Alias: I(priv)'
|
|
required: no
|
|
type:
|
|
description:
|
|
- Type of database object to set privileges on.
|
|
required: no
|
|
default: table
|
|
choices: [table, sequence, function, database,
|
|
schema, language, tablespace, group]
|
|
objs:
|
|
description:
|
|
- Comma separated list of database objects to set privileges on.
|
|
- If I(type) is C(table) or C(sequence), the special value
|
|
C(ALL_IN_SCHEMA) can be provided instead to specify all database
|
|
objects of type I(type) in the schema specified via I(schema). (This
|
|
also works with PostgreSQL < 9.0.)
|
|
- If I(type) is C(database), this parameter can be omitted, in which case
|
|
privileges are set for the database specified via I(database).
|
|
- 'If I(type) is I(function), colons (":") in object names will be
|
|
replaced with commas (needed to specify function signatures, see
|
|
examples)'
|
|
- 'Alias: I(obj)'
|
|
required: no
|
|
schema:
|
|
description:
|
|
- Schema that contains the database objects specified via I(objs).
|
|
- May only be provided if I(type) is C(table), C(sequence) or
|
|
C(function). Defaults to C(public) in these cases.
|
|
required: no
|
|
roles:
|
|
description:
|
|
- Comma separated list of role (user/group) names to set permissions for.
|
|
- The special value C(PUBLIC) can be provided instead to set permissions
|
|
for the implicitly defined PUBLIC group.
|
|
- 'Alias: I(role)'
|
|
required: yes
|
|
grant_option:
|
|
description:
|
|
- Whether C(role) may grant/revoke the specified privileges/group
|
|
memberships to others.
|
|
- Set to C(no) to revoke GRANT OPTION, leave unspecified to
|
|
make no changes.
|
|
- I(grant_option) only has an effect if I(state) is C(present).
|
|
- 'Alias: I(admin_option)'
|
|
required: no
|
|
choices: [yes, no]
|
|
host:
|
|
description:
|
|
- Database host address. If unspecified, connect via Unix socket.
|
|
- 'Alias: I(login_host)'
|
|
default: null
|
|
required: no
|
|
port:
|
|
description:
|
|
- Database port to connect to.
|
|
required: no
|
|
default: 5432
|
|
login:
|
|
description:
|
|
- The username to authenticate with.
|
|
- 'Alias: I(login_user)'
|
|
default: postgres
|
|
password:
|
|
description:
|
|
- The password to authenticate with.
|
|
- 'Alias: I(login_password))'
|
|
default: null
|
|
required: no
|
|
notes:
|
|
- Default authentication assumes that postgresql_privs is run by the
|
|
C(postgres) user on the remote host. (Ansible's C(user) or C(sudo-user)).
|
|
- This module requires Python package I(psycopg2) to be installed on the
|
|
remote host. In the default case of the remote host also being the
|
|
PostgreSQL server, PostgreSQL has to be installed there as well, obviously.
|
|
For Debian/Ubuntu-based systems, install packages I(postgresql) and
|
|
I(python-psycopg2).
|
|
- Parameters that accept comma separated lists (I(privs), I(objs), I(roles))
|
|
have singular alias names (I(priv), I(obj), I(role)).
|
|
- To revoke only C(GRANT OPTION) for a specific object, set I(state) to
|
|
C(present) and I(grant_option) to C(no) (see examples).
|
|
- Note that when revoking privileges from a role R, this role may still have
|
|
access via privileges granted to any role R is a member of including
|
|
C(PUBLIC).
|
|
- Note that when revoking privileges from a role R, you do so as the user
|
|
specified via I(login). If R has been granted the same privileges by
|
|
another user also, R can still access database objects via these privileges.
|
|
- When revoking privileges, C(RESTRICT) is assumed (see PostgreSQL docs).
|
|
requirements: [psycopg2]
|
|
author: Bernhard Weitzhofer
|
|
"""
|
|
|
|
EXAMPLES = """
|
|
# On database "library":
|
|
# GRANT SELECT, INSERT, UPDATE ON TABLE public.books, public.authors
|
|
# TO librarian, reader WITH GRANT OPTION
|
|
postgresql_privs: >
|
|
database=library
|
|
state=present
|
|
privs=SELECT,INSERT,UPDATE
|
|
type=table
|
|
objs=books,authors
|
|
schema=public
|
|
roles=librarian,reader
|
|
grant_option=yes
|
|
|
|
# Same as above leveraging default values:
|
|
postgresql_privs: >
|
|
db=library
|
|
privs=SELECT,INSERT,UPDATE
|
|
objs=books,authors
|
|
roles=librarian,reader
|
|
grant_option=yes
|
|
|
|
# REVOKE GRANT OPTION FOR INSERT ON TABLE books FROM reader
|
|
# Note that role "reader" will be *granted* INSERT privilege itself if this
|
|
# isn't already the case (since state=present).
|
|
postgresql_privs: >
|
|
db=library
|
|
state=present
|
|
priv=INSERT
|
|
obj=books
|
|
role=reader
|
|
grant_option=no
|
|
|
|
# REVOKE INSERT, UPDATE ON ALL TABLES IN SCHEMA public FROM reader
|
|
# "public" is the default schema. This also works for PostgreSQL 8.x.
|
|
postgresql_privs: >
|
|
db=library
|
|
state=absent
|
|
privs=INSERT,UPDATE
|
|
objs=ALL_IN_SCHEMA
|
|
role=reader
|
|
|
|
# GRANT ALL PRIVILEGES ON SCHEMA public, math TO librarian
|
|
postgresql_privs: >
|
|
db=library
|
|
privs=ALL
|
|
type=schema
|
|
objs=public,math
|
|
role=librarian
|
|
|
|
# GRANT ALL PRIVILEGES ON FUNCTION math.add(int, int) TO librarian, reader
|
|
# Note the separation of arguments with colons.
|
|
postgresql_privs: >
|
|
db=library
|
|
privs=ALL
|
|
type=function
|
|
obj=add(int:int)
|
|
schema=math
|
|
roles=librarian,reader
|
|
|
|
# GRANT librarian, reader TO alice, bob WITH ADMIN OPTION
|
|
# Note that group role memberships apply cluster-wide and therefore are not
|
|
# restricted to database "library" here.
|
|
postgresql_privs: >
|
|
db=library
|
|
type=group
|
|
objs=librarian,reader
|
|
roles=alice,bob
|
|
admin_option=yes
|
|
|
|
# GRANT ALL PRIVILEGES ON DATABASE library TO librarian
|
|
# Note that here "db=postgres" specifies the database to connect to, not the
|
|
# database to grant privileges on (which is specified via the "objs" param)
|
|
postgresql_privs: >
|
|
db=postgres
|
|
privs=ALL
|
|
type=database
|
|
obj=library
|
|
role=librarian
|
|
|
|
# GRANT ALL PRIVILEGES ON DATABASE library TO librarian
|
|
# If objs is omitted for type "database", it defaults to the database
|
|
# to which the connection is established
|
|
postgresql_privs: >
|
|
db=library
|
|
privs=ALL
|
|
type=database
|
|
role=librarian
|
|
"""
|
|
|
|
try:
|
|
import psycopg2
|
|
except ImportError:
|
|
psycopg2 = None
|
|
|
|
|
|
class Error(Exception):
|
|
pass
|
|
|
|
|
|
# We don't have functools.partial in Python < 2.5
|
|
def partial(f, *args, **kwargs):
|
|
"""Partial function application"""
|
|
def g(*g_args, **g_kwargs):
|
|
new_kwargs = kwargs.copy()
|
|
new_kwargs.update(g_kwargs)
|
|
return f(*(args + g_args), **g_kwargs)
|
|
g.f = f
|
|
g.args = args
|
|
g.kwargs = kwargs
|
|
return g
|
|
|
|
|
|
class Connection(object):
|
|
"""Wrapper around a psycopg2 connection with some convenience methods"""
|
|
|
|
def __init__(self, host, port, login, password, database):
|
|
self.database = database
|
|
self.connection = psycopg2.connect(
|
|
host=host, port=port, user=login,
|
|
password=password, database=database
|
|
)
|
|
self.cursor = self.connection.cursor()
|
|
|
|
|
|
def commit(self):
|
|
self.connection.commit()
|
|
|
|
|
|
def rollback(self):
|
|
self.connection.rollback()
|
|
|
|
@property
|
|
def encoding(self):
|
|
return self.connection.encoding
|
|
|
|
|
|
### Methods for querying database objects
|
|
|
|
# PostgreSQL < 9.0 doesn't support "ALL TABLES IN SCHEMA schema"-like
|
|
# phrases in GRANT or REVOKE statements, therefore alternative methods are
|
|
# provided here.
|
|
|
|
def schema_exists(self, schema):
|
|
query = """SELECT count(*)
|
|
FROM pg_catalog.pg_namespace WHERE nspname = %s"""
|
|
self.cursor.execute(query, (schema,))
|
|
return self.cursor.fetchone()[0] > 0
|
|
|
|
|
|
def get_all_tables_in_schema(self, schema):
|
|
if not self.schema_exists(schema):
|
|
raise Error('Schema "%s" does not exist.' % schema)
|
|
query = """SELECT relname
|
|
FROM pg_catalog.pg_class c
|
|
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
|
|
WHERE nspname = %s AND relkind = 'r'"""
|
|
self.cursor.execute(query, (schema,))
|
|
return [t[0] for t in self.cursor.fetchall()]
|
|
|
|
|
|
def get_all_sequences_in_schema(self, schema):
|
|
if not self.schema_exists(schema):
|
|
raise Error('Schema "%s" does not exist.' % schema)
|
|
query = """SELECT relname
|
|
FROM pg_catalog.pg_class c
|
|
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
|
|
WHERE nspname = %s AND relkind = 'S'"""
|
|
self.cursor.execute(query, (schema,))
|
|
return [t[0] for t in self.cursor.fetchall()]
|
|
|
|
|
|
|
|
### Methods for getting access control lists and group membership info
|
|
|
|
# To determine whether anything has changed after granting/revoking
|
|
# privileges, we compare the access control lists of the specified database
|
|
# objects before and afterwards. Python's list/string comparison should
|
|
# suffice for change detection, we should not actually have to parse ACLs.
|
|
# The same should apply to group membership information.
|
|
|
|
def get_table_acls(self, schema, tables):
|
|
query = """SELECT relacl
|
|
FROM pg_catalog.pg_class c
|
|
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
|
|
WHERE nspname = %s AND relkind = 'r' AND relname = ANY (%s)
|
|
ORDER BY relname"""
|
|
self.cursor.execute(query, (schema, tables))
|
|
return [t[0] for t in self.cursor.fetchall()]
|
|
|
|
|
|
def get_sequence_acls(self, schema, sequences):
|
|
query = """SELECT relacl
|
|
FROM pg_catalog.pg_class c
|
|
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
|
|
WHERE nspname = %s AND relkind = 'S' AND relname = ANY (%s)
|
|
ORDER BY relname"""
|
|
self.cursor.execute(query, (schema, sequences))
|
|
return [t[0] for t in self.cursor.fetchall()]
|
|
|
|
|
|
def get_function_acls(self, schema, function_signatures):
|
|
funcnames = [f.split('(', 1)[0] for f in function_signatures]
|
|
query = """SELECT proacl
|
|
FROM pg_catalog.pg_proc p
|
|
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
|
|
WHERE nspname = %s AND proname = ANY (%s)
|
|
ORDER BY proname, proargtypes"""
|
|
self.cursor.execute(query, (schema, funcnames))
|
|
return [t[0] for t in self.cursor.fetchall()]
|
|
|
|
|
|
def get_schema_acls(self, schemas):
|
|
query = """SELECT nspacl FROM pg_catalog.pg_namespace
|
|
WHERE nspname = ANY (%s) ORDER BY nspname"""
|
|
self.cursor.execute(query, (schemas,))
|
|
return [t[0] for t in self.cursor.fetchall()]
|
|
|
|
|
|
def get_language_acls(self, languages):
|
|
query = """SELECT lanacl FROM pg_catalog.pg_language
|
|
WHERE lanname = ANY (%s) ORDER BY lanname"""
|
|
self.cursor.execute(query, (languages,))
|
|
return [t[0] for t in self.cursor.fetchall()]
|
|
|
|
|
|
def get_tablespace_acls(self, tablespaces):
|
|
query = """SELECT spcacl FROM pg_catalog.pg_tablespace
|
|
WHERE spcname = ANY (%s) ORDER BY spcname"""
|
|
self.cursor.execute(query, (tablespaces,))
|
|
return [t[0] for t in self.cursor.fetchall()]
|
|
|
|
|
|
def get_database_acls(self, databases):
|
|
query = """SELECT datacl FROM pg_catalog.pg_database
|
|
WHERE datname = ANY (%s) ORDER BY datname"""
|
|
self.cursor.execute(query, (databases,))
|
|
return [t[0] for t in self.cursor.fetchall()]
|
|
|
|
|
|
def get_group_memberships(self, groups):
|
|
query = """SELECT roleid, grantor, member, admin_option
|
|
FROM pg_catalog.pg_auth_members am
|
|
JOIN pg_catalog.pg_roles r ON r.oid = am.roleid
|
|
WHERE r.rolname = ANY(%s)
|
|
ORDER BY roleid, grantor, member"""
|
|
self.cursor.execute(query, (groups,))
|
|
return self.cursor.fetchall()
|
|
|
|
|
|
### Manipulating privileges
|
|
|
|
def manipulate_privs(self, obj_type, privs, objs, roles,
|
|
state, grant_option, schema_qualifier=None):
|
|
"""Manipulate database object privileges.
|
|
|
|
:param obj_type: Type of database object to grant/revoke
|
|
privileges for.
|
|
:param privs: Either a list of privileges to grant/revoke
|
|
or None if type is "group".
|
|
:param objs: List of database objects to grant/revoke
|
|
privileges for.
|
|
:param roles: Either a list of role names or "PUBLIC"
|
|
for the implicitly defined "PUBLIC" group
|
|
:param state: "present" to grant privileges, "absent" to revoke.
|
|
:param grant_option: Only for state "present": If True, set
|
|
grant/admin option. If False, revoke it.
|
|
If None, don't change grant option.
|
|
:param schema_qualifier: Some object types ("TABLE", "SEQUENCE",
|
|
"FUNCTION") must be qualified by schema.
|
|
Ignored for other Types.
|
|
"""
|
|
# get_status: function to get current status
|
|
if obj_type == 'table':
|
|
get_status = partial(self.get_table_acls, schema_qualifier)
|
|
elif obj_type == 'sequence':
|
|
get_status = partial(self.get_sequence_acls, schema_qualifier)
|
|
elif obj_type == 'function':
|
|
get_status = partial(self.get_function_acls, schema_qualifier)
|
|
elif obj_type == 'schema':
|
|
get_status = self.get_schema_acls
|
|
elif obj_type == 'language':
|
|
get_status = self.get_language_acls
|
|
elif obj_type == 'tablespace':
|
|
get_status = self.get_tablespace_acls
|
|
elif obj_type == 'database':
|
|
get_status = self.get_database_acls
|
|
elif obj_type == 'group':
|
|
get_status = self.get_group_memberships
|
|
else:
|
|
raise Error('Unsupported database object type "%s".' % obj_type)
|
|
|
|
# Return False (nothing has changed) if there are no objs to work on.
|
|
if not objs:
|
|
return False
|
|
|
|
# obj_ids: quoted db object identifiers (sometimes schema-qualified)
|
|
if obj_type == 'function':
|
|
obj_ids = []
|
|
for obj in objs:
|
|
try:
|
|
f, args = obj.split('(', 1)
|
|
except:
|
|
raise Error('Illegal function signature: "%s".' % obj)
|
|
obj_ids.append('"%s"."%s"(%s' % (schema_qualifier, f, args))
|
|
elif obj_type in ['table', 'sequence']:
|
|
obj_ids = ['"%s"."%s"' % (schema_qualifier, o) for o in objs]
|
|
else:
|
|
obj_ids = ['"%s"' % o for o in objs]
|
|
|
|
# set_what: SQL-fragment specifying what to set for the target roless:
|
|
# Either group membership or privileges on objects of a certain type.
|
|
if obj_type == 'group':
|
|
set_what = ','.join(obj_ids)
|
|
else:
|
|
set_what = '%s ON %s %s' % (','.join(privs), obj_type,
|
|
','.join(obj_ids))
|
|
|
|
# for_whom: SQL-fragment specifying for whom to set the above
|
|
if roles == 'PUBLIC':
|
|
for_whom = 'PUBLIC'
|
|
else:
|
|
for_whom = ','.join(['"%s"' % r for r in roles])
|
|
|
|
status_before = get_status(objs)
|
|
if state == 'present':
|
|
if grant_option:
|
|
if obj_type == 'group':
|
|
query = 'GRANT %s TO %s WITH ADMIN OPTION'
|
|
else:
|
|
query = 'GRANT %s TO %s WITH GRANT OPTION'
|
|
else:
|
|
query = 'GRANT %s TO %s'
|
|
self.cursor.execute(query % (set_what, for_whom))
|
|
|
|
# Only revoke GRANT/ADMIN OPTION if grant_option actually is False.
|
|
if grant_option == False:
|
|
if obj_type == 'group':
|
|
query = 'REVOKE ADMIN OPTION FOR %s FROM %s'
|
|
else:
|
|
query = 'REVOKE GRANT OPTION FOR %s FROM %s'
|
|
self.cursor.execute(query % (set_what, for_whom))
|
|
else:
|
|
query = 'REVOKE %s FROM %s'
|
|
self.cursor.execute(query % (set_what, for_whom))
|
|
status_after = get_status(objs)
|
|
return status_before != status_after
|
|
|
|
|
|
def main():
|
|
module = AnsibleModule(
|
|
argument_spec = dict(
|
|
database=dict(required=True, aliases=['db']),
|
|
state=dict(default='present', choices=['present', 'absent']),
|
|
privs=dict(required=False, aliases=['priv']),
|
|
type=dict(default='table',
|
|
choices=['table',
|
|
'sequence',
|
|
'function',
|
|
'database',
|
|
'schema',
|
|
'language',
|
|
'tablespace',
|
|
'group']),
|
|
objs=dict(required=False, aliases=['obj']),
|
|
schema=dict(required=False),
|
|
roles=dict(required=True, aliases=['role']),
|
|
grant_option=dict(required=False, type='bool',
|
|
aliases=['admin_option']),
|
|
host=dict(required=False, aliases=['login_host']),
|
|
port=dict(type='int', default=5432),
|
|
login=dict(default='postgres', aliases=['login_user']),
|
|
password=dict(required=False, aliases=['login_password'])
|
|
),
|
|
supports_check_mode = True
|
|
)
|
|
|
|
# Create type object as namespace for module params
|
|
p = type('Params', (), module.params)
|
|
|
|
# param "schema": default, allowed depends on param "type"
|
|
if p.type in ['table', 'sequence', 'function']:
|
|
p.schema = p.schema or 'public'
|
|
elif p.schema:
|
|
module.fail_json(msg='Argument "schema" is not allowed '
|
|
'for type "%s".' % p.type)
|
|
|
|
# param "objs": default, required depends on param "type"
|
|
if p.type == 'database':
|
|
p.objs = p.objs or p.database
|
|
elif not p.objs:
|
|
module.fail_json(msg='Argument "objs" is required '
|
|
'for type "%s".' % p.type)
|
|
|
|
# param "privs": allowed, required depends on param "type"
|
|
if p.type == 'group':
|
|
if p.privs:
|
|
module.fail_json(msg='Argument "privs" is not allowed '
|
|
'for type "group".')
|
|
elif not p.privs:
|
|
module.fail_json(msg='Argument "privs" is required '
|
|
'for type "%s".' % p.type)
|
|
|
|
# Connect to Database
|
|
if not psycopg2:
|
|
module.fail_json(msg='Python module "psycopg2" must be installed.')
|
|
try:
|
|
conn = Connection(p.host, p.port, p.login, p.password, p.database)
|
|
except psycopg2.Error, e:
|
|
module.fail_json(msg='Could not connect to database: %s' % e)
|
|
|
|
try:
|
|
# privs
|
|
if p.privs:
|
|
privs = p.privs.split(',')
|
|
else:
|
|
privs = None
|
|
|
|
# objs:
|
|
if p.type == 'table' and p.objs == 'ALL_IN_SCHEMA':
|
|
objs = conn.get_all_tables_in_schema(p.schema)
|
|
elif p.type == 'sequence' and p.objs == 'ALL_IN_SCHEMA':
|
|
objs = conn.get_all_sequences_in_schema(p.schema)
|
|
else:
|
|
objs = p.objs.split(',')
|
|
|
|
# function signatures are encoded using ':' to separate args
|
|
if p.type == 'function':
|
|
objs = [obj.replace(':', ',') for obj in objs]
|
|
|
|
# roles
|
|
if p.roles == 'PUBLIC':
|
|
roles = 'PUBLIC'
|
|
else:
|
|
roles = p.roles.split(',')
|
|
|
|
changed = conn.manipulate_privs(
|
|
obj_type = p.type,
|
|
privs = privs,
|
|
objs = objs,
|
|
roles = roles,
|
|
state = p.state,
|
|
grant_option = p.grant_option,
|
|
schema_qualifier=p.schema
|
|
)
|
|
|
|
except Error, e:
|
|
conn.rollback()
|
|
module.fail_json(msg=e.message)
|
|
|
|
except psycopg2.Error, e:
|
|
conn.rollback()
|
|
# psycopg2 errors come in connection encoding, reencode
|
|
msg = e.message.decode(conn.encoding).encode(errors='replace')
|
|
module.fail_json(msg=msg)
|
|
|
|
if module.check_mode:
|
|
conn.rollback()
|
|
else:
|
|
conn.commit()
|
|
module.exit_json(changed=changed)
|
|
|
|
|
|
# this is magic, see lib/ansible/module_common.py
|
|
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
|
|
main()
|