Ansible create postgresql user with access to all

2020-08-10 07:43发布

站内问答 / 前端开发
2001 3 5

This should be very simple. I want to make an Ansible statement to create a Postgres user that has connection privileges to a specific database and select/insert/update/delete privileges to all tables within that specific database. I tried the following:

  - name: Create postgres user for my app
    become: yes
    become_user: postgres
    postgresql_user:
      db: "mydatabase"
      name: "myappuser"
      password: "supersecretpassword"
      priv: CONNECT/ALL:SELECT,INSERT,UPDATE,DELETE

I get relation \"ALL\" does not exist

If I remove ALL:, I get Invalid privs specified for database: INSERT UPDATE SELECT DELETE

3条回答
Juvenile、少年°
2楼-- · 2020-08-10 07:57

What I had to do was first create the user and then grant the privileges separately. It's working like a charm.

 - name: Create postgres user for my app
    become: yes
    become_user: postgres
    postgresql_user:
      name: "myappuser"
      password: "supersecretpassword"

  - name: Ensure we have access from the new user
    become: yes
    become_user: postgres
    postgresql_privs:
      db: mydatabase
      role: myappuser
      objs: ALL_IN_SCHEMA
      privs: SELECT,INSERT,UPDATE,DELETE
查看更多
0人赞 添加讨论(0) 举报
Lonely孤独者°
3楼-- · 2020-08-10 08:01

From ansible documentation postgressql module, priv should be "PostgreSQL privileges string in the format: table:priv1,priv2" So your task should be 

 - name: Create postgres user for my app
    become: yes
    become_user: postgres
    postgresql_user:
      db: "mydatabase"
      name: "myappuser"
      password: "supersecretpassword"
      priv: ALL:SELECT,INSERT,UPDATE,DELETE,CONNECT
查看更多
0人赞 添加讨论(0) 举报
Luminary・发光体
4楼-- · 2020-08-10 08:10

Here is the playbook I use, using debian and setting up user and db, as well as giving user access to all databases:

- hosts: all
  become: yes

  vars:
    ansible_ssh_pipelining: true

  tasks:
    - name: install postgresql server
      apt:
        pkg: postgresql
        state: present

    - name: change postgres network binding
      lineinfile:
        path: /etc/postgresql/9.6/main/postgresql.conf
        regexp: '# listen_addresses'
        line: "listen_addresses = '*'"

    - name: change postgres pg hba access
      lineinfile:
        path: /etc/postgresql/9.6/main/pg_hba.conf
        regexp: 'host  all  all 0.0.0.0/0 md5'
        line: 'host  all  all 0.0.0.0/0 md5'

    - name: start postgresql server
      service:
        enabled: yes
        name: postgresql
        state: restarted

    # psycopg2 needed for user, db creation
    - pip:
        name: psycopg2-binary

    - name: create postgresql user
      postgresql_user:
        user: "root"
        password: "root"
        role_attr_flags: "CREATEDB,NOSUPERUSER"
      become: true
      become_user: postgres

    - name: create postgresql db
      postgresql_db:
        name: "your-db-name"
        state: present
      become: true
      become_user: postgres

Your paths may vary so adjust accordingly.

And for bonus here is my Vagrantfile, using virtualbox:

# -*- mode: ruby -*-
# vi: set ft=ruby :

# Brings up a vm with es and mongodb
Vagrant.configure("2") do |config|
  config.vm.box = "geerlingguy/debian9"
  config.vm.network "private_network", ip: "192.168.33.44"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "2048"
  end

  config.vm.provision "ansible_local" do |ansible|
      ansible.playbook = "ansible_playbook.yml"
      ansible.install = "true"
      ansible.install_mode = "pip"
  end
end

Cheers!

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)