community.postgresql.postgresql_privs module – Grant or revoke privileges on PostgreSQL database objects
Note
This module is part of the community.postgresql collection (version 3.9.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.postgresql
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.postgresql.postgresql_privs
.
Synopsis
Grant or revoke privileges on PostgreSQL database objects.
This module is basically a wrapper around most of the functionality of PostgreSQL’s GRANT and REVOKE statements with detection of changes (GRANT/REVOKE privs ON type objs TO/FROM roles).
Requirements
The below requirements are needed on the host that executes this module.
psycopg2 >= 2.5.1
Parameters
Parameter |
Comments |
---|---|
Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server’s certificate will be verified to be signed by one of these authorities. |
|
Any additional parameters to be passed to libpg. These parameters take precedence. Default: |
|
Name of database to connect to. |
|
If Choices:
|
|
Whether Set to grant_option only has an effect if state is Choices:
|
|
Host running the database. If you have connection issues when using Default: |
|
The password this module should use to establish its PostgreSQL session. Default: |
|
Path to a Unix domain socket for local connections. Default: |
|
The username this module should use to establish its PostgreSQL session. Default: |
|
Comma separated list of database objects to set privileges on. If type is
If type is If type is |
|
The password to authenticate with. This option has been deprecated and will be removed in community.postgresql 4.0.0, use the login_password option instead. Mutually exclusive with login_password. Default: |
|
Database port to connect to. Default: |
|
Comma separated list of privileges to grant/revoke. |
|
Comma separated list of role (user/group) names to set permissions for. Roles
|
|
Schema that contains the database objects specified via objs. May only be provided if type is Pay attention, for embedded types when type=type schema can be If not specified, uses |
|
Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of. Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally. |
|
Specifies the file name of the client SSL certificate. |
|
Specifies the location for the secret key used for the client certificate. |
|
Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. Default of Choices:
|
|
If Choices:
|
|
A list of existing role (user/group) names to set as the default permissions for database objects subsequently created by them. Parameter target_roles is only available with |
|
If It makes sense to use Choices:
|
|
Type of database object to set privileges on. The The The The The The Choices:
|
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Can run in check_mode and return changed status prediction without modifying target. |
Notes
Note
Parameters that accept comma separated lists (privs, objs, roles) have singular alias names (priv, obj, role).
To revoke only
GRANT OPTION
for a specific object, set state topresent
and grant_option tofalse
(see examples).Note that when revoking privileges from a role R, this role may still have access via privileges granted to any role R is a member of including
PUBLIC
.Note that when revoking privileges from a role R, you do so as the user specified via login_user. If R has been granted the same privileges by another user also, R can still access database objects via these privileges.
When revoking privileges,
RESTRICT
is assumed (see PostgreSQL docs).The default authentication assumes that you are either logging in as or sudo’ing to the
postgres
account on the host.To avoid “Peer authentication failed for user postgres” error, use postgres user as a become_user.
This module uses
psycopg
, a Python PostgreSQL database adapter. You must ensure thatpsycopg2 >= 2.5.1
orpsycopg3 >= 3.1.8
is installed on the host before using this module.If the remote host is the PostgreSQL server (which is the default case), then PostgreSQL must also be installed on the remote host.
For Ubuntu-based systems, install the
postgresql
,libpq-dev
, andpython3-psycopg2
packages on the remote host before using this module.
See Also
See also
- community.postgresql.postgresql_user
Create, alter, or remove a user (role) from a PostgreSQL server instance.
- community.postgresql.postgresql_owner
Change an owner of PostgreSQL database object.
- community.postgresql.postgresql_membership
Add or remove PostgreSQL roles from groups.
- PostgreSQL privileges
General information about PostgreSQL privileges.
- PostgreSQL GRANT command reference
Complete reference of the PostgreSQL GRANT command documentation.
- PostgreSQL REVOKE command reference
Complete reference of the PostgreSQL REVOKE command documentation.
Examples
# On database "library":
# GRANT SELECT, INSERT, UPDATE ON TABLE public.books, public.authors
# TO librarian, reader WITH GRANT OPTION
- name: Grant privs to librarian and reader on database library
community.postgresql.postgresql_privs:
database: library
state: present
privs: SELECT,INSERT,UPDATE
type: table
objs: books,authors
schema: public
roles: librarian,reader
grant_option: true
- name: Same as above leveraging default values
community.postgresql.postgresql_privs:
db: library
privs: SELECT,INSERT,UPDATE
objs: books,authors
roles: librarian,reader
grant_option: true
# REVOKE GRANT OPTION FOR INSERT ON TABLE books FROM reader
# Note that role "reader" will be *granted* INSERT privilege itself if this
# isn't already the case (since state: present).
- name: Revoke privs from reader
community.postgresql.postgresql_privs:
db: library
state: present
priv: INSERT
obj: books
role: reader
grant_option: false
# "public" is the default schema. This also works for PostgreSQL 8.x.
- name: REVOKE INSERT, UPDATE ON ALL TABLES IN SCHEMA public FROM reader
community.postgresql.postgresql_privs:
db: library
state: absent
privs: INSERT,UPDATE
objs: ALL_IN_SCHEMA
role: reader
- name: GRANT ALL PRIVILEGES ON SCHEMA public, math TO librarian
community.postgresql.postgresql_privs:
db: library
privs: ALL
type: schema
objs: public,math
role: librarian
# Note the separation of arguments with colons.
- name: GRANT ALL PRIVILEGES ON FUNCTION math.add(int, int) TO librarian, reader
community.postgresql.postgresql_privs:
db: library
privs: ALL
type: function
obj: add(int:int)
schema: math
roles: librarian,reader
# Note that group role memberships apply cluster-wide and therefore are not
# restricted to database "library" here.
- name: GRANT librarian, reader TO alice, bob WITH ADMIN OPTION
community.postgresql.postgresql_privs:
db: library
type: group
objs: librarian,reader
roles: alice,bob
admin_option: true
# Note that here "db: postgres" specifies the database to connect to, not the
# database to grant privileges on (which is specified via the "objs" param)
- name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian
community.postgresql.postgresql_privs:
db: postgres
privs: ALL
type: database
obj: library
role: librarian
# If objs is omitted for type "database", it defaults to the database
# to which the connection is established
- name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian
community.postgresql.postgresql_privs:
db: library
privs: ALL
type: database
role: librarian
# Available since version 2.7
# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS
# ALL_DEFAULT works only with privs=ALL
# For specific
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO librarian
community.postgresql.postgresql_privs:
db: library
objs: ALL_DEFAULT
privs: ALL
type: default_privs
role: librarian
grant_option: true
# Available since version 2.7
# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS
# ALL_DEFAULT works only with privs=ALL
# For specific
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 1
community.postgresql.postgresql_privs:
db: library
objs: TABLES,SEQUENCES
privs: SELECT
type: default_privs
role: reader
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 2
community.postgresql.postgresql_privs:
db: library
objs: TYPES
privs: USAGE
type: default_privs
role: reader
# Available since version 2.8
- name: GRANT ALL PRIVILEGES ON FOREIGN DATA WRAPPER fdw TO reader
community.postgresql.postgresql_privs:
db: test
objs: fdw
privs: ALL
type: foreign_data_wrapper
role: reader
# Available since community.postgresql 0.2.0
- name: GRANT ALL PRIVILEGES ON TYPE customtype TO reader
community.postgresql.postgresql_privs:
db: test
objs: customtype
privs: ALL
type: type
role: reader
# Available since version 2.8
- name: GRANT ALL PRIVILEGES ON FOREIGN SERVER fdw_server TO reader
community.postgresql.postgresql_privs:
db: test
objs: fdw_server
privs: ALL
type: foreign_server
role: reader
# Available since version 2.8
# Grant 'execute' permissions on all functions in schema 'common' to role 'caller'
- name: GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA common TO caller
community.postgresql.postgresql_privs:
type: function
state: present
privs: EXECUTE
roles: caller
objs: ALL_IN_SCHEMA
schema: common
# Available since collection version 1.3.0
# Grant 'execute' permissions on all procedures in schema 'common' to role 'caller'
# Needs PostreSQL 11 or higher and community.postgresql 1.3.0 or higher
- name: GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA common TO caller
community.postgresql.postgresql_privs:
type: procedure
state: present
privs: EXECUTE
roles: caller
objs: ALL_IN_SCHEMA
schema: common
# Available since version 2.8
# ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library GRANT SELECT ON TABLES TO reader
# GRANT SELECT privileges for new TABLES objects created by librarian as
# default to the role reader.
# For specific
- name: ALTER privs
community.postgresql.postgresql_privs:
db: library
schema: library
objs: TABLES
privs: SELECT
type: default_privs
role: reader
target_roles: librarian
# Available since version 2.8
# ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library REVOKE SELECT ON TABLES FROM reader
# REVOKE SELECT privileges for new TABLES objects created by librarian as
# default from the role reader.
# For specific
- name: ALTER privs
community.postgresql.postgresql_privs:
db: library
state: absent
schema: library
objs: TABLES
privs: SELECT
type: default_privs
role: reader
target_roles: librarian
# Available since community.postgresql 0.2.0
- name: Grant type privileges for pg_catalog.numeric type to alice
community.postgresql.postgresql_privs:
type: type
roles: alice
privs: ALL
objs: numeric
schema: pg_catalog
db: acme
- name: Alter default privileges grant usage on schemas to datascience
community.postgresql.postgresql_privs:
database: test
type: default_privs
privs: usage
objs: schemas
role: datascience
# Available since community.postgresql 3.1.0
# Needs PostgreSQL 15 or higher
- name: GRANT SET ON PARAMETER log_destination,log_line_prefix TO logtest
community.postgresql.postgresql_privs:
database: logtest
state: present
privs: SET
type: parameter
objs: log_destination,log_line_prefix
roles: logtest
- name: GRANT ALTER SYSTEM ON PARAMETER primary_conninfo,synchronous_standby_names TO replicamgr
community.postgresql.postgresql_privs:
database: replicamgr
state: present
privs: ALTER_SYSTEM
type: parameter
objs: primary_conninfo,synchronous_standby_names
roles: replicamgr
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
List of executed queries. Returned: success Sample: |