postgresql_privs – Grant or revoke privileges on PostgreSQL database objects.

Synopsis

  • Grant or revoke privileges on PostgreSQL database objects.
  • This module is basically a wrapper around most of the functionality of PostgreSQL’s GRANT and REVOKE statements with detection of changes (GRANT/REVOKE privs ON type objs TO/FROM roles)

Requirements

The below requirements are needed on the host that executes this module.

  • psycopg2

Parameters

Parameter Choices/Defaults Comments
database
- / required
Name of database to connect to.
Alias: db
grant_option
boolean
    Choices:
  • no
  • yes
Whether role may grant/revoke the specified privileges/group memberships to others.
Set to no to revoke GRANT OPTION, leave unspecified to make no changes.
grant_option only has an effect if state is present.
Alias: admin_option
host
-
Database host address. If unspecified, connect via Unix socket.
Alias: login_host
login
-
Default:
"postgres"
The username to authenticate with.
Alias: login_user
login_host
-
Host running the database
login_password
-
The password used to authenticate with
login_unix_socket
-
Path to a Unix domain socket for local connections
login_user
-
Default:
"postgres"
The username used to authenticate with
objs
-
Comma separated list of database objects to set privileges on.
If type is table or sequence, the special value ALL_IN_SCHEMA can be provided instead to specify all database objects of type type in the schema specified via schema. (This also works with PostgreSQL < 9.0.)
If type is database, this parameter can be omitted, in which case privileges are set for the database specified via database.
If type is function, colons (":") in object names will be replaced with commas (needed to specify function signatures, see examples)
Alias: obj
password
-
The password to authenticate with.
Alias: login_password)
port
-
Default:
5432
Database port to connect to.
privs
-
Comma separated list of privileges to grant/revoke.
Alias: priv
roles
- / required
Comma separated list of role (user/group) names to set permissions for.
The special value PUBLIC can be provided instead to set permissions for the implicitly defined PUBLIC group.
Alias: role
schema
-
Schema that contains the database objects specified via objs.
May only be provided if type is table, sequence or function. Defaults to public in these cases.
ssl_mode
-
added in 2.3
    Choices:
  • disable
  • allow
  • prefer ←
  • require
  • verify-ca
  • verify-full
Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server.
See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes.
Default of prefer matches libpq default.
ssl_rootcert
-
added in 2.3
Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities.
state
-
    Choices:
  • present ←
  • absent
If present, the specified privileges are granted, if absent they are revoked.
type
-
    Choices:
  • table ←
  • sequence
  • function
  • database
  • schema
  • language
  • tablespace
  • group
  • default_privs
Type of database object to set privileges on.
The `default_privs` choice is available starting at version 2.7.
unix_socket
-
Path to a Unix domain socket for local connections.
Alias: login_unix_socket

Notes

Note

  • Default authentication assumes that postgresql_privs is run by the postgres user on the remote host. (Ansible’s user or sudo-user).
  • This module requires Python package psycopg2 to be installed on the remote host. In the default case of the remote host also being the PostgreSQL server, PostgreSQL has to be installed there as well, obviously. For Debian/Ubuntu-based systems, install packages postgresql and python-psycopg2.
  • Parameters that accept comma separated lists (privs, objs, roles) have singular alias names (priv, obj, role).
  • To revoke only GRANT OPTION for a specific object, set state to present and grant_option to no (see examples).
  • Note that when revoking privileges from a role R, this role may still have access via privileges granted to any role R is a member of including PUBLIC.
  • Note that when revoking privileges from a role R, you do so as the user specified via login. If R has been granted the same privileges by another user also, R can still access database objects via these privileges.
  • When revoking privileges, RESTRICT is assumed (see PostgreSQL docs).
  • The ssl_rootcert parameter requires at least Postgres version 8.4 and psycopg2 version 2.4.3.
  • The default authentication assumes that you are either logging in as or sudo’ing to the postgres account on the host.
  • This module uses psycopg2, a Python PostgreSQL database adapter. You must ensure that psycopg2 is installed on the host before using this module. If the remote host is the PostgreSQL server (which is the default case), then PostgreSQL must also be installed on the remote host. For Ubuntu-based systems, install the postgresql, libpq-dev, and python-psycopg2 packages on the remote host before using this module.
  • The ssl_rootcert parameter requires at least Postgres version 8.4 and psycopg2 version 2.4.3.

Examples

# On database "library":
# GRANT SELECT, INSERT, UPDATE ON TABLE public.books, public.authors
# TO librarian, reader WITH GRANT OPTION
- postgresql_privs:
    database: library
    state: present
    privs: SELECT,INSERT,UPDATE
    type: table
    objs: books,authors
    schema: public
    roles: librarian,reader
    grant_option: yes

# Same as above leveraging default values:
- postgresql_privs:
    db: library
    privs: SELECT,INSERT,UPDATE
    objs: books,authors
    roles: librarian,reader
    grant_option: yes

# REVOKE GRANT OPTION FOR INSERT ON TABLE books FROM reader
# Note that role "reader" will be *granted* INSERT privilege itself if this
# isn't already the case (since state: present).
- postgresql_privs:
    db: library
    state: present
    priv: INSERT
    obj: books
    role: reader
    grant_option: no

# REVOKE INSERT, UPDATE ON ALL TABLES IN SCHEMA public FROM reader
# "public" is the default schema. This also works for PostgreSQL 8.x.
- postgresql_privs:
    db: library
    state: absent
    privs: INSERT,UPDATE
    objs: ALL_IN_SCHEMA
    role: reader

# GRANT ALL PRIVILEGES ON SCHEMA public, math TO librarian
- postgresql_privs:
    db: library
    privs: ALL
    type: schema
    objs: public,math
    role: librarian

# GRANT ALL PRIVILEGES ON FUNCTION math.add(int, int) TO librarian, reader
# Note the separation of arguments with colons.
- postgresql_privs:
    db: library
    privs: ALL
    type: function
    obj: add(int:int)
    schema: math
    roles: librarian,reader

# GRANT librarian, reader TO alice, bob WITH ADMIN OPTION
# Note that group role memberships apply cluster-wide and therefore are not
# restricted to database "library" here.
- postgresql_privs:
    db: library
    type: group
    objs: librarian,reader
    roles: alice,bob
    admin_option: yes

# GRANT ALL PRIVILEGES ON DATABASE library TO librarian
# Note that here "db: postgres" specifies the database to connect to, not the
# database to grant privileges on (which is specified via the "objs" param)
- postgresql_privs:
    db: postgres
    privs: ALL
    type: database
    obj: library
    role: librarian

# GRANT ALL PRIVILEGES ON DATABASE library TO librarian
# If objs is omitted for type "database", it defaults to the database
# to which the connection is established
- postgresql_privs:
    db: library
    privs: ALL
    type: database
    role: librarian

# Available since version 2.7
# ALTER DEFAULT PRIVILEGES ON DATABASE library TO librarian
# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS
# ALL_DEFAULT works only with privs=ALL
# For specific
- postgresql_privs:
    db: library
    objs: ALL_DEFAULT
    privs: ALL
    type: default_privs
    role: librarian
    grant_option: yes

# Available since version 2.7
# ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader
# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS
# ALL_DEFAULT works only with privs=ALL
# For specific
- postgresql_privs:
    db: library
    objs: TABLES,SEQUENCES
    privs: SELECT
    type: default_privs
    role: reader

- postgresql_privs:
    db: library
    objs: TYPES
    privs: USAGE
    type: default_privs
    role: reader

Status

  • This module is guaranteed to have no backward incompatible interface changes going forward. [stableinterface]
  • This module is maintained by the Ansible Community. [community]

Authors

  • Bernhard Weitzhofer (@b6d)

Hint

If you notice any issues in this documentation you can edit this document to improve it.