The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments |
---|---|---|
database required | Name of database to connect to. Alias: db
| |
grant_option bool |
| Whether role may grant/revoke the specified privileges/group memberships to others.Set to no to revoke GRANT OPTION, leave unspecified to make no changes.
grant_option only has an effect if state is present .Alias: admin_option
|
host | Database host address. If unspecified, connect via Unix socket. Alias: login_host
| |
login | Default: postgres | The username to authenticate with. Alias: login_user
|
login_host | Host running the database | |
login_password | The password used to authenticate with | |
login_unix_socket | Path to a Unix domain socket for local connections | |
login_user | Default: postgres | The username used to authenticate with |
objs | Comma separated list of database objects to set privileges on. If type is table or sequence , the special value ALL_IN_SCHEMA can be provided instead to specify all database objects of type type in the schema specified via schema. (This also works with PostgreSQL < 9.0.)If type is database , this parameter can be omitted, in which case privileges are set for the database specified via database.If type is function, colons (":") in object names will be replaced with commas (needed to specify function signatures, see examples) Alias: obj
| |
password | The password to authenticate with. Alias: login_password) | |
port | Default: 5432 | Database port to connect to. |
privs | Comma separated list of privileges to grant/revoke. Alias: priv
| |
roles required | Comma separated list of role (user/group) names to set permissions for. The special value PUBLIC can be provided instead to set permissions for the implicitly defined PUBLIC group.Alias: role
| |
schema | Schema that contains the database objects specified via objs. May only be provided if type is table , sequence or function . Defaults to public in these cases. | |
ssl_mode (added in 2.3) |
| Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. Default of prefer matches libpq default. |
ssl_rootcert (added in 2.3) | Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. | |
state |
| If present , the specified privileges are granted, if absent they are revoked. |
type |
| Type of database object to set privileges on. The `default_prives` choice is available starting at version 2.7. |
unix_socket | Path to a Unix domain socket for local connections. Alias: login_unix_socket
|
Note
postgres
user on the remote host. (Ansible’s user
or sudo-user
).GRANT OPTION
for a specific object, set state to present
and grant_option to no
(see examples).PUBLIC
.RESTRICT
is assumed (see PostgreSQL docs).postgres
account on the host.postgresql
, libpq-dev
, and python-psycopg2
packages on the remote host before using this module.# On database "library": # GRANT SELECT, INSERT, UPDATE ON TABLE public.books, public.authors # TO librarian, reader WITH GRANT OPTION - postgresql_privs: database: library state: present privs: SELECT,INSERT,UPDATE type: table objs: books,authors schema: public roles: librarian,reader grant_option: yes # Same as above leveraging default values: - postgresql_privs: db: library privs: SELECT,INSERT,UPDATE objs: books,authors roles: librarian,reader grant_option: yes # REVOKE GRANT OPTION FOR INSERT ON TABLE books FROM reader # Note that role "reader" will be *granted* INSERT privilege itself if this # isn't already the case (since state: present). - postgresql_privs: db: library state: present priv: INSERT obj: books role: reader grant_option: no # REVOKE INSERT, UPDATE ON ALL TABLES IN SCHEMA public FROM reader # "public" is the default schema. This also works for PostgreSQL 8.x. - postgresql_privs: db: library state: absent privs: INSERT,UPDATE objs: ALL_IN_SCHEMA role: reader # GRANT ALL PRIVILEGES ON SCHEMA public, math TO librarian - postgresql_privs: db: library privs: ALL type: schema objs: public,math role: librarian # GRANT ALL PRIVILEGES ON FUNCTION math.add(int, int) TO librarian, reader # Note the separation of arguments with colons. - postgresql_privs: db: library privs: ALL type: function obj: add(int:int) schema: math roles: librarian,reader # GRANT librarian, reader TO alice, bob WITH ADMIN OPTION # Note that group role memberships apply cluster-wide and therefore are not # restricted to database "library" here. - postgresql_privs: db: library type: group objs: librarian,reader roles: alice,bob admin_option: yes # GRANT ALL PRIVILEGES ON DATABASE library TO librarian # Note that here "db: postgres" specifies the database to connect to, not the # database to grant privileges on (which is specified via the "objs" param) - postgresql_privs: db: postgres privs: ALL type: database obj: library role: librarian # GRANT ALL PRIVILEGES ON DATABASE library TO librarian # If objs is omitted for type "database", it defaults to the database # to which the connection is established - postgresql_privs: db: library privs: ALL type: database role: librarian # Available since version 2.7 # ALTER DEFAULT PRIVILEGES ON DATABASE library TO librarian # Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS # ALL_DEFAULT works only with privs=ALL # For specific - postgresql_privs: db: library objs: ALL_DEFAULT privs: ALL type: default_privs role: librarian grant_option: yes # Available since version 2.7 # ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader # Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS # ALL_DEFAULT works only with privs=ALL # For specific - postgresql_privs: db: library objs: TABLES,SEQUENCES privs: SELECT type: default_privs role: reader - postgresql_privs: db: library objs: TYPES privs: USAGE type: default_privs role: reader
This module is flagged as stableinterface which means that the maintainers for this module guarantee that no backward incompatible interface changes will be made.
This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.
For a list of other modules that are also maintained by the Ansible Community, see here.
Hint
If you notice any issues in this documentation you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.7/modules/postgresql_privs_module.html