The documentation for the postgresql_user module on how to define user privileges is unclear about the format. The options table describes the format as:

    priv | PostgreSQL privileges string in the format: table:priv1,priv2

But the examples given below it use a different format:

    priv: "CONNECT/products:ALL"
    priv: "ALL/products:ALL"

    # Example privileges string format
    INSERT,UPDATE/table:SELECT/anothertable:ALL

The blog post Ansible Loves PostgreSQL mentions yet another format:

    priv: Privileges in "priv1/priv2" or table privileges in "table:priv1,priv2,..." format

I'm having trouble creating a user with read-only access, i.e. SELECT privileges on all tables.

Can someone explain the correct format to use, e.g. to give a user read-only access to all tables?
Answer 0 (score: 2)

In the source of postgresql_user there is a parse_privs function. This seems to be the expected format for priv:

    Format:

        privileges[/privileges/...]

    Where:

        privileges := DATABASE_PRIVILEGES[,DATABASE_PRIVILEGES,...] |
                      TABLE_NAME:TABLE_PRIVILEGES[,TABLE_PRIVILEGES,...]

So / is the delimiter between privilege groups, : is the delimiter between a table name and that table's privileges, and , separates the privileges of one table.
Answer 1 (score: 0)

Try:

    priv: "public:USAGE/ALL:SELECT"

This grants the USAGE privilege on the "public" schema and SELECT on all tables in that schema.
Answer 2 (score: 0)

Completely agree. Also see this:

    VALID_PRIVS = dict(table=frozenset(('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL')),
                       database=frozenset(('CREATE', 'CONNECT', 'TEMPORARY', 'TEMP', 'ALL')),
                       )

The privileges for the database must be in that list. I was trying to specify table privileges for the database.
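To make the two answers above concrete, here is an added, stand-alone Python re-implementation of the priv grammar quoted in answer 0 together with the VALID_PRIVS check from answer 2. It is not the Ansible module's own code: the error messages, the InvalidPrivsError class and the read_only_privs helper are my own additions, and the sample strings fed to it are the ones that appear in the question and answers.

```python
"""Parse and validate a postgresql_user ``priv`` string.

Added example: a stand-alone re-implementation of the grammar quoted from
parse_privs (answer 0) and the VALID_PRIVS check (answer 2). It is not the
Ansible module's own code; the error messages are assumptions of this example.
"""

# Privilege sets exactly as listed in answer 2.
VALID_PRIVS = {
    "table": frozenset(("SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE",
                        "REFERENCES", "TRIGGER", "ALL")),
    "database": frozenset(("CREATE", "CONNECT", "TEMPORARY", "TEMP", "ALL")),
}


class InvalidPrivsError(ValueError):
    """Raised when a priv string names a privilege outside VALID_PRIVS."""


def _split_privs(text, kind, target):
    """Split 'priv1,priv2' into an upper-cased set and validate it."""
    privs = {p.strip().upper() for p in text.split(",") if p.strip()}
    if not privs:
        raise InvalidPrivsError("no privileges given for %s %r" % (kind, target))
    bad = privs - VALID_PRIVS[kind]
    if bad:
        raise InvalidPrivsError("invalid %s privileges for %r: %s"
                                % (kind, target, ", ".join(sorted(bad))))
    return privs


def parse_privs(priv_string):
    """Parse 'privileges[/privileges/...]' into database and table privileges.

    Each '/'-separated chunk is either a database privilege list such as
    'CONNECT,TEMP' or 'table:priv1,priv2'. Returns
    {'database': set, 'table': {table_name: set}} or raises InvalidPrivsError.
    """
    result = {"database": set(), "table": {}}
    if not priv_string:
        return result
    for chunk in priv_string.split("/"):
        if ":" in chunk:
            table, _, privs = chunk.partition(":")
            table = table.strip()
            if not table:
                raise InvalidPrivsError("empty table name in %r" % chunk)
            # Anything before ':' is taken as a table name, so a chunk like
            # 'public:USAGE' becomes table 'public' and is then rejected,
            # because USAGE is not in the table privilege set.
            result["table"].setdefault(table, set()).update(
                _split_privs(privs, "table", table))
        else:
            # No ':' means database-level privileges for this chunk.
            result["database"].update(_split_privs(chunk, "database", "database"))
    return result


def read_only_privs(tables):
    """Build a least-privilege string: CONNECT on the database, SELECT per table.

    Helper added for this example (not part of the module).
    """
    return "/".join(["CONNECT"] + ["%s:SELECT" % t for t in tables])


if __name__ == "__main__":
    # Sample strings taken from the question and answers above.
    samples = ("CONNECT/products:ALL",
               "INSERT,UPDATE/table:SELECT/anothertable:ALL",
               "public:USAGE/ALL:SELECT",
               read_only_privs(["products", "orders"]))
    for s in samples:
        try:
            print(s, "->", parse_privs(s))
        except InvalidPrivsError as exc:
            print(s, "-> rejected:", exc)
```

Running it shows why the formats looked contradictory: "CONNECT/products:ALL" parses cleanly, but under this grammar and the quoted list the documentation's own "INSERT,UPDATE/table:SELECT/anothertable:ALL" is rejected because INSERT and UPDATE are not database privileges, and "public:USAGE/ALL:SELECT" is rejected because USAGE is not a table privilege. For a read-only role the least-privilege string this grammar accepts is CONNECT on the database plus one "table:SELECT" chunk per table, which read_only_privs builds.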
Answer 3 (score: 0)

This doesn't seem doable with just the postgresql_user Ansible module. It needs a separate call to the postgresql_privs module. Here is an example that creates a read-only user on a database and grants it only the ability to connect to the database and read data:

    # leaving any "become" calls out of here, but you should add them as needed to become
    # postgres or another user that can assign privs
    - name: Create user and ensure it has access to the database itself
      postgresql_user:
        db: "your_db_name"
        name: "your_db_username"
        password: "your_db_password"
        priv: "CONNECT" # make this user able to read, but not see anything else
        state: present

    - name: Grant SELECT to the read only user for default privileges
      postgresql_privs:
        db: "your_db_name"
        privs: SELECT
        objs: TABLES,SEQUENCES
        type: default_privs
        role: "your_db_username"
        grant_option: no

    - name: Grant USAGE to the read only user on the specified schema itself
      postgresql_privs:
        db: "your_db_name"
        obj: your_db_schema
        type: schema
        privs: USAGE
        role: "your_db_username"
        grant_option: no

    - name: Grant SELECT to user as schema defaults (I think this is still needed, despite above)
      postgresql_privs:
        db: "your_db_name"
        schema: your_db_schema
        privs: SELECT
        objs: TABLES,SEQUENCES
        type: default_privs
        role: "your_db_username"
        grant_option: no

    - name: Grant SELECT to read only user on tables in schema
      postgresql_privs:
        db: "your_db_name"
        privs: SELECT
        objs: ALL_IN_SCHEMA
        type: table
        schema: your_db_schema
        role: "your_db_username"
        grant_option: no

    - name: Grant SELECT to read only user on sequences in schema
      postgresql_privs:
        db: "your_db_name"
        privs: SELECT
        objs: ALL_IN_SCHEMA
        type: sequence
        schema: your_db_schema
        role: "your_db_username"
        grant_option: no