bb61d7527f
* #50877: * add support to postgresql_privs to use "FOR { ROLE | USER } target_role" in "ALTER DEFAULT PRIVILEGES" * fix sanity errors * #50877: fix documentation and add a check for correct usage of target_roles * #50877: fix missing absent option for default privs with target_role * #50877: add clear description, when target_roles can be used * #50877: fix conflicts, formatting, and add a changelog fragment * #50877: fix sanity error E335 * #50877: swap conditions and fix error to warning msg * #50877: add tests for default privileges * #50877: fix tests for default privileges * #50877: fix tests for default privileges on centos 6
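---
# Integration test for postgresql_privs with type=default_privs and
# target_roles, i.e. ALTER DEFAULT PRIVILEGES FOR ROLE <target_roles> ...
#
# Expects pg_user, db_name, db_user1, db_user2 and db_user3 to be set by the
# calling play. db_user1 is only referenced here (DB owner / target role) and
# is never created in this file, so it is assumed to exist already.
#
# The test body is wrapped in a block so the cleanup in `always` runs even
# when a task or an assert fails; otherwise a LOGIN-enabled test role with a
# known password would be left on the server.

- name: Test default_privs with target_roles
  block:
    # Setup
    - name: Create DB
      become: true
      become_user: "{{ pg_user }}"
      postgresql_db:
        state: present
        name: "{{ db_name }}"
        owner: "{{ db_user1 }}"
        login_user: "{{ pg_user }}"

    - name: Create a user to be given permissions and other tests
      become: true
      become_user: "{{ pg_user }}"
      postgresql_user:
        name: "{{ db_user2 }}"
        state: present
        encrypted: true
        # Throwaway credential for a test-only role; the role is dropped in
        # the `always` section regardless of the test outcome.
        password: password
        role_attr_flags: LOGIN
        db: "{{ db_name }}"
        login_user: "{{ pg_user }}"

    #######################################
    # Test default_privs with target_role #
    #######################################

    # Test: grant
    - name: Grant default privileges for new table objects
      become: true
      become_user: "{{ pg_user }}"
      postgresql_privs:
        db: "{{ db_name }}"
        objs: TABLES
        privs: SELECT
        type: default_privs
        role: "{{ db_user2 }}"
        target_roles: "{{ db_user1 }}"
        login_user: "{{ pg_user }}"
      register: grant_result

    # Checks
    - assert:
        that:
          - grant_result is changed

    - name: Check that default privileges are set
      become: true
      become_user: "{{ pg_user }}"
      # command + argv instead of shell: db_name is passed as a single argument
      # and never goes through a shell, so it cannot be word-split or expanded.
      command:
        argv:
          - psql
          - "{{ db_name }}"
          - -t
          - -c
          - "SELECT defaclrole, defaclobjtype, defaclacl FROM pg_default_acl a JOIN pg_roles b ON a.defaclrole=b.oid;"
      changed_when: false
      register: acl_after_grant

    # Match against the whole output rather than stdout_lines[0]: other default
    # ACL rows may exist, and an empty result must fail the assert instead of
    # raising an index error. The expected entry is "<grantee>=r/<grantor>".
    - assert:
        that:
          - "(db_user2 ~ '=r/' ~ db_user1) in acl_after_grant.stdout"

    # Test: revoke
    - name: Revoke default privileges for new table objects
      become: true
      become_user: "{{ pg_user }}"
      postgresql_privs:
        db: "{{ db_name }}"
        state: absent
        objs: TABLES
        privs: SELECT
        type: default_privs
        role: "{{ db_user2 }}"
        target_roles: "{{ db_user1 }}"
        login_user: "{{ pg_user }}"
      register: revoke_result

    # Checks
    - assert:
        that:
          - revoke_result is changed

    # Verify the revoke actually took effect, not just that the module
    # reported a change.
    - name: Check that default privileges are revoked
      become: true
      become_user: "{{ pg_user }}"
      command:
        argv:
          - psql
          - "{{ db_name }}"
          - -t
          - -c
          - "SELECT defaclrole, defaclobjtype, defaclacl FROM pg_default_acl a JOIN pg_roles b ON a.defaclrole=b.oid;"
      changed_when: false
      register: acl_after_revoke

    - assert:
        that:
          - "(db_user2 ~ '=r/' ~ db_user1) not in acl_after_revoke.stdout"

  always:
    # Cleanup: runs even if a task or assert above failed.
    - name: Remove user given permissions
      become: true
      become_user: "{{ pg_user }}"
      postgresql_user:
        name: "{{ db_user2 }}"
        state: absent
        db: "{{ db_name }}"
        login_user: "{{ pg_user }}"

    # db_user3 is not created in this file; the removal is kept (state=absent
    # is a no-op if the role is missing) so a role left over from a sibling
    # test cannot leak into later runs.
    - name: Remove user owner of objects
      become: true
      become_user: "{{ pg_user }}"
      postgresql_user:
        name: "{{ db_user3 }}"
        state: absent
        db: "{{ db_name }}"
        login_user: "{{ pg_user }}"

    - name: Destroy DB
      become: true
      become_user: "{{ pg_user }}"
      postgresql_db:
        state: absent
        name: "{{ db_name }}"
        login_user: "{{ pg_user }}"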