postgresql_pg_hba – Add, remove or modify a rule in a pg_hba file¶
New in version 2.8.
- The fundamental function of the module is to create, or delete lines in pg_hba files.
- The lines in the file should be in a typical pg_hba form and lines should be unique per key (type, databases, users, source). If they are not unique and that key is ‘the one to change’, only one of the rules with that key will remain for state=present, or none for state=absent.
- The default authentication assumes that on the host, you are either logging in as or sudo’ing to an account with appropriate permissions to read and modify the file.
- This module also returns the pg_hba info. You can use this module to only retrieve it by only specifying dest. The info can be found in the returned data under key pg_hba, being a list, containing a dict per rule.
- This module will sort the resulting pg_hba file if a rule change is required. This can give unexpected results with manually created pg_hba files that were improperly sorted, because PostgreSQL uses the first matching line and never falls through to later ones. For example, a rule was created for a network first and a rule for an IP address inside that network next. In that situation the IP-specific rule never hits; it is obsolete in the pg_hba file. After the pg_hba file is rewritten by the postgresql_pg_hba module, the IP-specific rule will be sorted above the range rule, and then it will hit, which can give unexpected results (a host that used to be authenticated one way may suddenly be rejected, or accepted with a weaker method).
- With the ‘order’ parameter you can control which field is used to sort first, next and last.
- The module supports a check mode and a diff mode.
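The two notes above (unique keys and re-sorting) are easier to reason about with a first-match evaluator in hand. The following is an added example, not code from the Ansible module or from PostgreSQL: it parses a constructed pg_hba.conf, resolves a connection the way PostgreSQL does (first matching line wins), flags duplicate (type, databases, users, source) keys, and then re-sorts the rules with most-specific source first. The sort key `sort_like_module` is my approximation of the behaviour the notes describe, not the module's exact comparator, and the sample file is constructed for this example.

```python
# Added example (not part of the postgresql_pg_hba module or PostgreSQL).
# Shows why re-sorting a hand-written pg_hba.conf changes which rule a
# connection hits, and how duplicate rule keys look.
import ipaddress
from collections import Counter

# Constructed sample: a broad network rule is listed *before* a host-specific
# reject rule, so the reject rule is dead code until the file is re-sorted.
# The last line duplicates the key of the first one (same type/db/user/source).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
host    all       all   10.0.0.0/8       scram-sha-256
host    all       all   10.0.0.5/32      reject
local   all       all                    peer
host    all       all   10.0.0.0/8       md5
"""


def parse_pg_hba(text):
    """Parse 'local' and 'host' style lines into dicts; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ctype = fields[0]
        if ctype == "local":
            db, usr, method = fields[1], fields[2], fields[3]
            src = None
        else:  # host, hostssl, hostnossl carry an ADDRESS column
            db, usr, src, method = fields[1], fields[2], fields[3], fields[4]
        rules.append({"type": ctype, "db": db, "usr": usr, "src": src, "method": method})
    return rules


def rule_key(rule):
    """The uniqueness key the module notes describe: (type, databases, users, source)."""
    return (rule["type"], rule["db"], rule["usr"], rule["src"])


def duplicate_keys(rules):
    """Keys that occur more than once; the module would collapse these to one (or zero)."""
    counts = Counter(rule_key(r) for r in rules)
    return [k for k, n in counts.items() if n > 1]


def _matches(rule, ctype, db, usr, addr):
    if rule["type"] != ctype:
        return False
    if rule["db"] != "all" and db not in rule["db"].split(","):
        return False
    if rule["usr"] != "all" and usr not in rule["usr"].split(","):
        return False
    if ctype == "local":
        return True
    if rule["src"] == "all":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule["src"], strict=False)


def first_match(rules, ctype, db, usr, addr=None):
    """PostgreSQL semantics: the first matching line decides; there is no fallthrough."""
    for rule in rules:
        if _matches(rule, ctype, db, usr, addr):
            return rule["method"]
    return None  # no line matched: PostgreSQL refuses the connection


def _specificity(src):
    """Prefix length normalised to IPv6 scale (IPv4 /32 == IPv6 /128); 'all' is 0."""
    if src == "all":
        return 0
    net = ipaddress.ip_network(src, strict=False)
    return net.prefixlen + 96 if net.version == 4 else net.prefixlen


def sort_like_module(rules):
    """Approximation (assumption, not the module's comparator): local first, then most
    specific source first, then databases, then users. Stable, so equal keys keep order."""
    def key(rule):
        if rule["src"] is None:
            return (0, 0, rule["db"], rule["usr"])
        return (1, -_specificity(rule["src"]), rule["db"], rule["usr"])
    return sorted(rules, key=key)


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    print("duplicate keys:", duplicate_keys(rules))
    print("10.0.0.5 before sort:", first_match(rules, "host", "sales", "joe", "10.0.0.5"))
    print("10.0.0.5 after sort: ", first_match(sort_like_module(rules), "host", "sales", "joe", "10.0.0.5"))
```

Run as written, the host 10.0.0.5 authenticates with scram-sha-256 against the original file (the reject line is shadowed by the /8 rule) and is rejected once the rules are sorted, which is exactly the surprise the notes warn about. Before pointing the module at a hand-written file, run a check like this over the addresses you care about, and use check mode with diff mode to see the reordered file before it is written.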
- PostgreSQL pg_hba.conf file reference
- Complete reference of the PostgreSQL pg_hba.conf file documentation.
```yaml
- name: Grant users joe and simon access to databases sales and logistics from ipv6 localhost ::1/128 using peer authentication.
  postgresql_pg_hba:
    dest: /var/lib/postgres/data/pg_hba.conf
    contype: host
    users: joe,simon
    source: ::1
    databases: sales,logistics
    method: peer
    create: true

- name: Grant user replication from network 192.168.0.100/24 access for replication with client cert authentication.
  postgresql_pg_hba:
    dest: /var/lib/postgres/data/pg_hba.conf
    contype: host
    users: replication
    source: 192.168.0.100/24
    databases: replication
    method: cert

- name: Revoke access from local user mary on database mydb.
  postgresql_pg_hba:
    dest: /var/lib/postgres/data/pg_hba.conf
    contype: local
    users: mary
    databases: mydb
    state: absent
```
Common return values are documented here; the following are the fields unique to this module: