Ansible 创建可以访问所有表的 postgresql 用户？

Question

这个应该很简单。我想创建一个 Ansible 语句来创建一个 Postgres 用户，该用户具有特定数据库的连接权限和该特定数据库中所有表的 select/insert/update/delete 权限。我尝试了以下方法：

  - name: Create postgres user for my app
    become: yes
    become_user: postgres
    postgresql_user:
      db: "mydatabase"
      name: "myappuser"
      password: "supersecretpassword"
      priv: CONNECT/ALL:SELECT,INSERT,UPDATE,DELETE

我得到relation \"ALL\" does not exist

如果我删除 ALL:，我会得到 Invalid privs specified for database: INSERT UPDATE SELECT DELETE

Answer 1

根据 ansible 文档 postgressql module，priv 应该是 "PostgreSQL privileges string in the format: table:priv1,priv2" 所以你的任务应该是

 - name: Create postgres user for my app
    become: yes
    become_user: postgres
    postgresql_user:
      db: "mydatabase"
      name: "myappuser"
      password: "supersecretpassword"
      priv: ALL:SELECT,INSERT,UPDATE,DELETE,CONNECT

Answer 2

我要做的就是先创建用户，然后单独授予权限。它就像一个魅力。

 - name: Create postgres user for my app
    become: yes
    become_user: postgres
    postgresql_user:
      name: "myappuser"
      password: "supersecretpassword"

  - name: Ensure we have access from the new user
    become: yes
    become_user: postgres
    postgresql_privs:
      db: mydatabase
      role: myappuser
      objs: ALL_IN_SCHEMA
      privs: SELECT,INSERT,UPDATE,DELETE

Answer 3

这是我使用的剧本，使用 debian 并设置用户和数据库，以及授予用户访问所有数据库的权限：

- hosts: all
  become: yes

  vars:
    ansible_ssh_pipelining: true

  tasks:
    - name: install postgresql server
      apt:
        pkg: postgresql
        state: present

    - name: change postgres network binding
      lineinfile:
        path: /etc/postgresql/9.6/main/postgresql.conf
        regexp: '# listen_addresses'
        line: "listen_addresses = '*'"

    - name: change postgres pg hba access
      lineinfile:
        path: /etc/postgresql/9.6/main/pg_hba.conf
        regexp: 'host  all  all 0.0.0.0/0 md5'
        line: 'host  all  all 0.0.0.0/0 md5'

    - name: start postgresql server
      service:
        enabled: yes
        name: postgresql
        state: restarted

    # psycopg2 needed for user, db creation
    - pip:
        name: psycopg2-binary

    - name: create postgresql user
      postgresql_user:
        user: "root"
        password: "root"
        role_attr_flags: "CREATEDB,NOSUPERUSER"
      become: true
      become_user: postgres

    - name: create postgresql db
      postgresql_db:
        name: "your-db-name"
        state: present
      become: true
      become_user: postgres

您的路径可能会有所不同，因此请相应地进行调整。

作为奖励，这里是我的 Vagrantfile，使用 virtualbox：

# -*- mode: ruby -*-
# vi: set ft=ruby :

# Brings up a vm with es and mongodb
Vagrant.configure("2") do |config|
  config.vm.box = "geerlingguy/debian9"
  config.vm.network "private_network", ip: "192.168.33.44"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "2048"
  end

  config.vm.provision "ansible_local" do |ansible|
      ansible.playbook = "ansible_playbook.yml"
      ansible.install = "true"
      ansible.install_mode = "pip"
  end
end

干杯！

Ansible 创建可以访问所有表的 postgresql 用户？

Ansible create postgresql user with access to all tables?

postgresql

ansible

ansible-playbook