multiple fixes in user handling

This commit is contained in:
Robert Kaussow 2018-10-18 22:59:39 +02:00
parent dfaa71b52a
commit f96dbc53f7
3 changed files with 46 additions and 4 deletions


@ -5,7 +5,7 @@ postgres_repository_filename: "Postgresql-{{ postgres_version | regex_replace('\
postgres_user: postgres postgres_user: postgres
postgres_group: postgres postgres_group: postgres
# available postgresql.conf options # Available postgresql.conf options
postgres_log_destination: postgres_log_destination:
- stderr - stderr
postgres_log_directory: log postgres_log_directory: log
@ -21,6 +21,7 @@ postgres_socket_directories:
postgres_password_encryption: md5 postgres_password_encryption: md5
# Enable and setup ssl transport security
postgres_tls_enabled: False postgres_tls_enabled: False
postgres_tls_cert_filename: "mycert.pem" postgres_tls_cert_filename: "mycert.pem"
postgres_tls_key_filename: "mykey.pem" postgres_tls_key_filename: "mykey.pem"
@ -29,7 +30,21 @@ postgres_tls_source_use_files: True
postgres_tls_cert_source: mycert.pem postgres_tls_cert_source: mycert.pem
postgres_tls_key_source: mykey.pem postgres_tls_key_source: mykey.pem
postgresql_hba_entries: postgres_users: []
- {type: local, database: all, user: all, auth_method: md5} # - name: jdoe #required; the rest are optional
# password: # defaults to not set
# encrypted: # defaults to 'yes'
# priv: # defaults to not set
# role_attr_flags: # defaults to not set
# db: # defaults to not set
# login_host: # defaults to 'localhost'
# login_password: # defaults to not set
# login_user: # defaults to '{{ postgres_user }}'
# login_unix_socket: # defaults to 1st of postgres_socket_directories
# port: # defaults to not set
# state: # defaults to 'present'
postgres_hba_entries:
- {type: local, database: all, user: all, auth_method: peer}
- {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5} - {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5}
- {type: host, database: all, user: all, address: '::1/128', auth_method: md5} - {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
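Review bot: The sample `postgres_users` entry documents `password` only as the database role password, but the tasks added in this same commit also pass it to the `user` module as the OS account password whenever `name` equals `postgres_user`, and nothing warns that a list carrying passwords should not be filled in from plain defaults. I would extend the comment to `# password: # defaults to not set; also applied as the OS password when name == postgres_user — keep real values in an ansible-vault encrypted vars file`. The switch of the `local` hba entry from md5 to `peer` is sound, since the role now manages users via `become_user` over the unix socket.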


@ -15,3 +15,30 @@
notify: __postgres_restart notify: __postgres_restart
become: True become: True
become_user: root become_user: root
- name: Ensure linux user '{{ postgresql_users }}' is present
user:
name: "{{ item.name }}"
password: "{{ item.password }}"
with_items: "{{ postgresql_users }}"
when: item.name == postgres_user
- name: Ensure PostgreSQL users are present
postgresql_user:
name: "{{ item.name }}"
password: "{{ item.password | default(omit) }}"
encrypted: "{{ item.encrypted | default('yes') }}"
priv: "{{ item.priv | default(omit) }}"
role_attr_flags: "{{ item.role_attr_flags | default(omit) }}"
db: "{{ item.db | default(omit) }}"
login_host: "{{ item.login_host | default('localhost') }}"
login_password: "{{ item.login_password | default(omit) }}"
login_user: "{{ item.login_user | default(postgresql_user) }}"
login_unix_socket: "{{ item.login_unix_socket | default(postgresql_unix_socket_directories[0]) }}"
port: "{{ item.port | default(omit) }}"
state: "{{ item.state | default('present') }}"
with_items: "{{ postgresql_users }}"
loop_control:
label: "{{ item.name }}"
become: true
become_user: "{{ postgresql_user }}"
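Review bot: The new tasks reference `postgresql_users`, `postgresql_user` and `postgresql_unix_socket_directories` (in both `with_items`, the `login_user`/`login_unix_socket` defaults and the final `become_user`), while the defaults in this same commit define `postgres_users`, `postgres_user` and `postgres_socket_directories`, so the loops fail on undefined variables unless those names are set elsewhere. The `user` module's `password` expects a crypt(3) hash rather than the cleartext the `postgresql_user` task consumes, and `item.password` is not `default(omit)`ed there, so an entry without a password (which the defaults comment allows) errors out; the task name also interpolates the whole list, which places any password in the play output. I would hash with `password_hash('sha512')`, omit when unset, label the loop, and add `no_log: true` to both tasks because the loop item carries `password` and `login_password`.
```yaml
- name: Ensure linux user for '{{ postgres_user }}' is present
  user:
    name: "{{ item.name }}"
    password: "{{ item.password | password_hash('sha512') if item.password is defined else omit }}"
  with_items: "{{ postgres_users }}"
  loop_control:
    label: "{{ item.name }}"
  when: item.name == postgres_user
  no_log: true
# … unchanged: postgresql_user task, with postgres_* variable names and no_log: true added …
```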


@ -5,6 +5,6 @@
# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html # See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
# TYPE DATABASE USER ADDRESS METHOD # TYPE DATABASE USER ADDRESS METHOD
{% for client in postgresql_hba_entries %} {% for client in postgres_hba_entries %}
{{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }} {{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
{% endfor %} {% endfor %}