From f96dbc53f7033bafd90e5d9baad74628b382c73e Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Thu, 18 Oct 2018 22:59:39 +0200
Subject: [PATCH] multiple fixes in user handling
---
 defaults/main.yml | 21 +++++++++++++++---
 tasks/config.yml | 27 ++++++++++++++++++++++++
 templates/postgresql/data/pg_hba.conf.j2 | 2 +-
 3 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 72065d0..cfa145b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,7 +5,7 @@ postgres_repository_filename: "Postgresql-{{ postgres_version | regex_replace('\
 postgres_user: postgres
 postgres_group: postgres
-# available postgresql.conf options
+# Available postgresql.conf options
 postgres_log_destination:
 - stderr
 postgres_log_directory: log
@@ -21,6 +21,7 @@ postgres_socket_directories:
 postgres_password_encryption: md5
+# Enable and setup ssl transport security
 postgres_tls_enabled: False
 postgres_tls_cert_filename: "mycert.pem"
 postgres_tls_key_filename: "mykey.pem"
@@ -29,7 +30,21 @@ postgres_tls_source_use_files: True
 postgres_tls_cert_source: mycert.pem
 postgres_tls_key_source: mykey.pem
-postgresql_hba_entries:
- - {type: local, database: all, user: all, auth_method: md5}
+postgres_users: []
+# - name: jdoe #required; the rest are optional
+# password: # defaults to not set
+# encrypted: # defaults to 'yes'
+# priv: # defaults to not set
+# role_attr_flags: # defaults to not set
+# db: # defaults to not set
+# login_host: # defaults to 'localhost'
+# login_password: # defaults to not set
+# login_user: # defaults to '{{ postgres_user }}'
+# login_unix_socket: # defaults to 1st of postgres_socket_directories
+# port: # defaults to not set
+# state: # defaults to 'present'
+
+postgres_hba_entries:
+ - {type: local, database: all, user: all, auth_method: peer}
 - {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5}
 - {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
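Review bot: The commented defaults under `postgres_users: []` document `login_user` as defaulting to `{{ postgres_user }}` and `login_unix_socket` to the first entry of `postgres_socket_directories`, but the new tasks in tasks/config.yml in this same patch read `postgresql_users`, `postgresql_user` and `postgresql_unix_socket_directories[0]`, none of which this file defines, so Ansible should abort on the undefined loop variable before any role is created. This hunk and the pg_hba.conf.j2 hunk complete the `postgresql_` → `postgres_` rename, so the tasks should follow the same naming: `with_items: "{{ postgres_users }}"` in both tasks, `login_user: "{{ item.login_user | default(postgres_user) }}"` and `login_unix_socket: "{{ item.login_unix_socket | default(postgres_socket_directories[0]) }}"`, with `become_user: "{{ postgres_user }}"` to match. The documented `encrypted` default `'yes'` is a boolean-looking string; writing `true` here and in the task's `default()` would match the `true`/`false` spelling the tasks already use for `become`.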
diff --git a/tasks/config.yml b/tasks/config.yml
index 9385096..da46ef7 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -15,3 +15,30 @@
 notify: __postgres_restart
 become: True
 become_user: root
+
+- name: Ensure linux user '{{ postgresql_users }}' is present
+ user:
+ name: "{{ item.name }}"
+ password: "{{ item.password }}"
+ with_items: "{{ postgresql_users }}"
+ when: item.name == postgres_user
+
+- name: Ensure PostgreSQL users are present
+ postgresql_user:
+ name: "{{ item.name }}"
+ password: "{{ item.password | default(omit) }}"
+ encrypted: "{{ item.encrypted | default('yes') }}"
+ priv: "{{ item.priv | default(omit) }}"
+ role_attr_flags: "{{ item.role_attr_flags | default(omit) }}"
+ db: "{{ item.db | default(omit) }}"
+ login_host: "{{ item.login_host | default('localhost') }}"
+ login_password: "{{ item.login_password | default(omit) }}"
+ login_user: "{{ item.login_user | default(postgresql_user) }}"
+ login_unix_socket: "{{ item.login_unix_socket | default(postgresql_unix_socket_directories[0]) }}"
+ port: "{{ item.port | default(omit) }}"
+ state: "{{ item.state | default('present') }}"
+ with_items: "{{ postgresql_users }}"
+ loop_control:
+ label: "{{ item.name }}"
+ become: true
+ become_user: "{{ postgresql_user }}"
diff --git a/templates/postgresql/data/pg_hba.conf.j2 b/templates/postgresql/data/pg_hba.conf.j2
index bbcaeac..3cb1dc7 100644
--- a/templates/postgresql/data/pg_hba.conf.j2
+++ b/templates/postgresql/data/pg_hba.conf.j2
@@ -5,6 +5,6 @@
 # See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
 # TYPE DATABASE USER ADDRESS METHOD
-{% for client in postgresql_hba_entries %}
+{% for client in postgres_hba_entries %}
 {{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
 {% endfor %}
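Review bot: The new `Ensure linux user` task hands `item.password` — the PostgreSQL role password — to the `user` module's `password` parameter, which the module documents as requiring an already-hashed (crypt) value, so the OS account named by `postgres_user` gets a plaintext string written in place of a hash and, if it were hashed, would share one secret with the database role, widening what a leaked role password unlocks to an OS login. The `password` key is documented as optional in defaults/main.yml ("defaults to not set") but this task has no `default(omit)`, so an entry without it fails, while the second task handles the same key correctly. The task name interpolates the whole `postgresql_users` list, which prints every configured password in the play output, and neither task sets `no_log`; the `loop_control` label on the second task hides the item only until a failure dumps it. I would drop the OS-password task unless there is a concrete need for it; if kept, give it a static `name: Ensure linux user is present`, add `no_log: true` to both tasks, and guard it with `when: item.name == postgres_user and item.password is defined`.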