multiple fixes in user handling
This commit is contained in:
parent
dfaa71b52a
commit
f96dbc53f7
@ -5,7 +5,7 @@ postgres_repository_filename: "Postgresql-{{ postgres_version | regex_replace('\
|
|||||||
postgres_user: postgres
|
postgres_user: postgres
|
||||||
postgres_group: postgres
|
postgres_group: postgres
|
||||||
|
|
||||||
# available postgresql.conf options
|
# Available postgresql.conf options
|
||||||
postgres_log_destination:
|
postgres_log_destination:
|
||||||
- stderr
|
- stderr
|
||||||
postgres_log_directory: log
|
postgres_log_directory: log
|
||||||
@ -21,6 +21,7 @@ postgres_socket_directories:
|
|||||||
|
|
||||||
postgres_password_encryption: md5
|
postgres_password_encryption: md5
|
||||||
|
|
||||||
|
# Enable and setup ssl transport security
|
||||||
postgres_tls_enabled: False
|
postgres_tls_enabled: False
|
||||||
postgres_tls_cert_filename: "mycert.pem"
|
postgres_tls_cert_filename: "mycert.pem"
|
||||||
postgres_tls_key_filename: "mykey.pem"
|
postgres_tls_key_filename: "mykey.pem"
|
||||||
@ -29,7 +30,21 @@ postgres_tls_source_use_files: True
|
|||||||
postgres_tls_cert_source: mycert.pem
|
postgres_tls_cert_source: mycert.pem
|
||||||
postgres_tls_key_source: mykey.pem
|
postgres_tls_key_source: mykey.pem
|
||||||
|
|
||||||
postgresql_hba_entries:
|
postgres_users: []
|
||||||
- {type: local, database: all, user: all, auth_method: md5}
|
# - name: jdoe #required; the rest are optional
|
||||||
|
# password: # defaults to not set
|
||||||
|
# encrypted: # defaults to 'yes'
|
||||||
|
# priv: # defaults to not set
|
||||||
|
# role_attr_flags: # defaults to not set
|
||||||
|
# db: # defaults to not set
|
||||||
|
# login_host: # defaults to 'localhost'
|
||||||
|
# login_password: # defaults to not set
|
||||||
|
# login_user: # defaults to '{{ postgres_user }}'
|
||||||
|
# login_unix_socket: # defaults to 1st of postgres_socket_directories
|
||||||
|
# port: # defaults to not set
|
||||||
|
# state: # defaults to 'present'
|
||||||
|
|
||||||
|
postgres_hba_entries:
|
||||||
|
- {type: local, database: all, user: all, auth_method: peer}
|
||||||
- {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5}
|
- {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5}
|
||||||
- {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
|
- {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
|
||||||
|
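Review bot: The new first entry of `postgres_hba_entries` switches local socket connections from `md5` to `peer`, so a client is accepted solely because its OS account name equals the role name and no password is ever checked; that is a silent change in the trust model of the default install and deserves a comment on that line, e.g. `# peer: Unix-socket clients are trusted by OS user name alone; no password is checked`. The commented schema for `postgres_users` documents `# password:` only as "defaults to not set" — it should say that the value is a cleartext secret which belongs in Ansible Vault (or an encrypted vars file) rather than a committed defaults file, and that `encrypted: 'yes'` governs only whether the server stores it hashed, not how it travels through the play.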
@ -15,3 +15,30 @@
|
|||||||
notify: __postgres_restart
|
notify: __postgres_restart
|
||||||
become: True
|
become: True
|
||||||
become_user: root
|
become_user: root
|
||||||
|
|
||||||
|
- name: Ensure linux user '{{ postgresql_users }}' is present
|
||||||
|
user:
|
||||||
|
name: "{{ item.name }}"
|
||||||
|
password: "{{ item.password }}"
|
||||||
|
with_items: "{{ postgresql_users }}"
|
||||||
|
when: item.name == postgres_user
|
||||||
|
|
||||||
|
- name: Ensure PostgreSQL users are present
|
||||||
|
postgresql_user:
|
||||||
|
name: "{{ item.name }}"
|
||||||
|
password: "{{ item.password | default(omit) }}"
|
||||||
|
encrypted: "{{ item.encrypted | default('yes') }}"
|
||||||
|
priv: "{{ item.priv | default(omit) }}"
|
||||||
|
role_attr_flags: "{{ item.role_attr_flags | default(omit) }}"
|
||||||
|
db: "{{ item.db | default(omit) }}"
|
||||||
|
login_host: "{{ item.login_host | default('localhost') }}"
|
||||||
|
login_password: "{{ item.login_password | default(omit) }}"
|
||||||
|
login_user: "{{ item.login_user | default(postgresql_user) }}"
|
||||||
|
login_unix_socket: "{{ item.login_unix_socket | default(postgresql_unix_socket_directories[0]) }}"
|
||||||
|
port: "{{ item.port | default(omit) }}"
|
||||||
|
state: "{{ item.state | default('present') }}"
|
||||||
|
with_items: "{{ postgresql_users }}"
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.name }}"
|
||||||
|
become: true
|
||||||
|
become_user: "{{ postgresql_user }}"
|
||||||
|
@ -5,6 +5,6 @@
|
|||||||
# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
|
# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
|
||||||
|
|
||||||
# TYPE DATABASE USER ADDRESS METHOD
|
# TYPE DATABASE USER ADDRESS METHOD
|
||||||
{% for client in postgresql_hba_entries %}
|
{% for client in postgres_hba_entries %}
|
||||||
{{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
|
{{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|