Parameter | Choices/Defaults | Comments |
---|---|---|
ca_cert
string
added in 2.3 |
Specifies the name of a file containing SSL certificate authority (CA) certificate(s).
If the file exists, the server's certificate will be verified to be signed by one of these authorities.
aliases: ssl_rootcert |
|
database
string
/ required
|
Name of database to connect to.
aliases: db, login_db |
|
fail_on_role
boolean
added in 2.8 |
|
If
yes , fail when target role (for whom privs need to be granted) does not exist. Otherwise just warn and continue. |
grant_option
boolean
|
|
Whether
role may grant/revoke the specified privileges/group memberships to others.Set to
no to revoke GRANT OPTION, leave unspecified to make no changes.grant_option only has an effect if state is
present .aliases: admin_option |
host
string
|
Database host address. If unspecified, connect via Unix socket.
aliases: login_host |
|
login
string
|
Default: "postgres"
|
The username to authenticate with.
aliases: login_user |
login_host
string
|
Host running the database.
|
|
login_password
string
|
The password used to authenticate with.
|
|
login_unix_socket
string
|
Path to a Unix domain socket for local connections.
|
|
login_user
string
|
Default: "postgres"
|
The username used to authenticate with.
|
objs
string
|
Comma separated list of database objects to set privileges on.
If type is
table , partition table , sequence or function , the special valueALL_IN_SCHEMA can be provided instead to specify all database objects of type type in the schema specified via schema. (This also works with PostgreSQL < 9.0.) (ALL_IN_SCHEMA is available for function and partition table from version 2.8)If type is
database , this parameter can be omitted, in which case privileges are set for the database specified via database.If type is function, colons (":") in object names will be replaced with commas (needed to specify function signatures, see examples)
aliases: obj |
|
password
string
|
The password to authenticate with.
aliases: login_password |
|
port
integer
|
Default: 5432
|
Database port to connect to.
aliases: login_port |
privs
string
|
Comma separated list of privileges to grant/revoke.
aliases: priv |
|
roles
string
/ required
|
Comma separated list of role (user/group) names to set permissions for.
The special value
PUBLIC can be provided instead to set permissions for the implicitly defined PUBLIC group.aliases: role |
|
schema
string
|
Schema that contains the database objects specified via objs.
May only be provided if type is
table , sequence , function or default_privs . Defaults to public in these cases. |
|
session_role
string
added in 2.8 |
Switch to session_role after connecting.
The specified session_role must be a role that the current login_user is a member of.
Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally.
|
|
ssl_mode
string
added in 2.3 |
|
Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server.
See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes.
Default of
prefer matches libpq default. |
state
string
|
|
If
present , the specified privileges are granted, if absent they are revoked. |
target_roles
string
added in 2.8 |
A list of existing role (user/group) names to set as the default permissions for database objects subsequently created by them.
Parameter target_roles is only available with
type=default_privs . |
|
type
string
|
|
Type of database object to set privileges on.
The `default_prives` choice is available starting at version 2.7.
The 'foreign_data_wrapper' and 'foreign_server' object types are available from Ansible version '2.8'.
|
unix_socket
string
|
Path to a Unix domain socket for local connections.
aliases: login_unix_socket |
Note
postgres
user on the remote host. (Ansible’s user
or sudo-user
).GRANT OPTION
for a specific object, set state to present
and grant_option to no
(see examples).PUBLIC
.RESTRICT
is assumed (see PostgreSQL docs).postgres
account on the host.postgresql
, libpq-dev
, and python-psycopg2
packages on the remote host before using this module.# On database "library":
# GRANT SELECT, INSERT, UPDATE ON TABLE public.books, public.authors
# TO librarian, reader WITH GRANT OPTION
- name: Grant privs to librarian and reader on database library
postgresql_privs:
database: library
state: present
privs: SELECT,INSERT,UPDATE
type: table
objs: books,authors
schema: public
roles: librarian,reader
grant_option: yes
- name: Same as above leveraging default values
postgresql_privs:
db: library
privs: SELECT,INSERT,UPDATE
objs: books,authors
roles: librarian,reader
grant_option: yes
# REVOKE GRANT OPTION FOR INSERT ON TABLE books FROM reader
# Note that role "reader" will be *granted* INSERT privilege itself if this
# isn't already the case (since state: present).
- name: Revoke privs from reader
postgresql_privs:
db: library
state: present
priv: INSERT
obj: books
role: reader
grant_option: no
# "public" is the default schema. This also works for PostgreSQL 8.x.
- name: REVOKE INSERT, UPDATE ON ALL TABLES IN SCHEMA public FROM reader
postgresql_privs:
db: library
state: absent
privs: INSERT,UPDATE
objs: ALL_IN_SCHEMA
role: reader
- name: GRANT ALL PRIVILEGES ON SCHEMA public, math TO librarian
postgresql_privs:
db: library
privs: ALL
type: schema
objs: public,math
role: librarian
# Note the separation of arguments with colons.
- name: GRANT ALL PRIVILEGES ON FUNCTION math.add(int, int) TO librarian, reader
postgresql_privs:
db: library
privs: ALL
type: function
obj: add(int:int)
schema: math
roles: librarian,reader
# Note that group role memberships apply cluster-wide and therefore are not
# restricted to database "library" here.
- name: GRANT librarian, reader TO alice, bob WITH ADMIN OPTION
postgresql_privs:
db: library
type: group
objs: librarian,reader
roles: alice,bob
admin_option: yes
# Note that here "db: postgres" specifies the database to connect to, not the
# database to grant privileges on (which is specified via the "objs" param)
- name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian
postgresql_privs:
db: postgres
privs: ALL
type: database
obj: library
role: librarian
# If objs is omitted for type "database", it defaults to the database
# to which the connection is established
- name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian
postgresql_privs:
db: library
privs: ALL
type: database
role: librarian
# Available since version 2.7
# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS
# ALL_DEFAULT works only with privs=ALL
# For specific
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO librarian
postgresql_privs:
db: library
objs: ALL_DEFAULT
privs: ALL
type: default_privs
role: librarian
grant_option: yes
# Available since version 2.7
# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS
# ALL_DEFAULT works only with privs=ALL
# For specific
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 1
postgresql_privs:
db: library
objs: TABLES,SEQUENCES
privs: SELECT
type: default_privs
role: reader
- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 2
postgresql_privs:
db: library
objs: TYPES
privs: USAGE
type: default_privs
role: reader
# Available since version 2.8
- name: GRANT ALL PRIVILEGES ON FOREIGN DATA WRAPPER fdw TO reader
postgresql_privs:
db: test
objs: fdw
privs: ALL
type: foreign_data_wrapper
role: reader
# Available since version 2.8
- name: GRANT ALL PRIVILEGES ON FOREIGN SERVER fdw_server TO reader
postgresql_privs:
db: test
objs: fdw_server
privs: ALL
type: foreign_server
role: reader
# Available since version 2.8
# Grant 'execute' permissions on all functions in schema 'common' to role 'caller'
- name: GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA common TO caller
postgresql_privs:
type: function
state: present
privs: EXECUTE
roles: caller
objs: ALL_IN_SCHEMA
schema: common
# Available since version 2.8
# ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library GRANT SELECT ON TABLES TO reader
# GRANT SELECT privileges for new TABLES objects created by librarian as
# default to the role reader.
# For specific
- name: ALTER privs
postgresql_privs:
db: library
schema: library
objs: TABLES
privs: SELECT
type: default_privs
role: reader
target_roles: librarian
# Available since version 2.8
# ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library REVOKE SELECT ON TABLES FROM reader
# REVOKE SELECT privileges for new TABLES objects created by librarian as
# default from the role reader.
# For specific
- name: ALTER privs
postgresql_privs:
db: library
state: absent
schema: library
objs: TABLES
privs: SELECT
type: default_privs
role: reader
target_roles: librarian
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
queries
list
added in 2.8 |
always |
List of executed queries.
Sample:
['REVOKE GRANT OPTION FOR INSERT ON TABLE "books" FROM "reader";']
|
Hint
If you notice any issues in this documentation you can edit this document to improve it.