logo标签列表

Ansible如何创建具有访问所有表权限的PostgreSQL用户?

postgresqlansible
18

这应该非常简单。我想创建一个Ansible语句来创建一个Postgres用户,该用户具有连接特定数据库的权限,以及对该特定数据库中所有表进行选择/插入/更新/删除操作的权限。我尝试了以下内容:

  - name: Create postgres user for my app
    become: yes
    become_user: postgres
    postgresql_user:
      db: "mydatabase"
      name: "myappuser"
      password: "supersecretpassword"
      priv: CONNECT/ALL:SELECT,INSERT,UPDATE,DELETE

我收到错误信息:关系\"ALL\"不存在

如果我删掉ALL:,我会收到错误信息:为数据库指定了无效的权限:INSERT UPDATE SELECT DELETE

3个回答
24

我需要做的是先创建用户,然后单独授予权限。现在它能够完美地工作。

 - name: Create postgres user for my app
    become: yes
    become_user: postgres
    postgresql_user:
      name: "myappuser"
      password: "supersecretpassword"

  - name: Ensure we have access from the new user
    become: yes
    become_user: postgres
    postgresql_privs:
      db: mydatabase
      role: myappuser
      objs: ALL_IN_SCHEMA
      privs: SELECT,INSERT,UPDATE,DELETE
4

这里是我使用的playbook,使用debian设置用户和数据库,并赋予用户访问所有数据库的权限:

- hosts: all
  become: yes

  vars:
    ansible_ssh_pipelining: true

  tasks:
    - name: install postgresql server
      apt:
        pkg: postgresql
        state: present

    - name: change postgres network binding
      lineinfile:
        path: /etc/postgresql/9.6/main/postgresql.conf
        regexp: '# listen_addresses'
        line: "listen_addresses = '*'"

    - name: change postgres pg hba access
      lineinfile:
        path: /etc/postgresql/9.6/main/pg_hba.conf
        regexp: 'host  all  all 0.0.0.0/0 md5'
        line: 'host  all  all 0.0.0.0/0 md5'

    - name: start postgresql server
      service:
        enabled: yes
        name: postgresql
        state: restarted

    # psycopg2 needed for user, db creation
    - pip:
        name: psycopg2-binary

    - name: create postgresql user
      postgresql_user:
        user: "root"
        password: "root"
        role_attr_flags: "CREATEDB,NOSUPERUSER"
      become: true
      become_user: postgres

    - name: create postgresql db
      postgresql_db:
        name: "your-db-name"
        state: present
      become: true
      become_user: postgres

您的路径可能有所不同,因此请相应地进行调整。

附上我的Vagrantfile(使用virtualbox):

# -*- mode: ruby -*-
# vi: set ft=ruby :

# Brings up a vm with es and mongodb
Vagrant.configure("2") do |config|
  config.vm.box = "geerlingguy/debian9"
  config.vm.network "private_network", ip: "192.168.33.44"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "2048"
  end

  config.vm.provision "ansible_local" do |ansible|
      ansible.playbook = "ansible_playbook.yml"
      ansible.install = "true"
      ansible.install_mode = "pip"
  end
end

Cheers!

-3
从ansible文档postgressql模块中得知,priv应该是“格式为:table:priv1,priv2的PostgreSQL权限字符串”。 因此,你的任务应该是:
 - name: Create postgres user for my app
    become: yes
    become_user: postgres
    postgresql_user:
      db: "mydatabase"
      name: "myappuser"
      password: "supersecretpassword"
      priv: ALL:SELECT,INSERT,UPDATE,DELETE,CONNECT
3
这对我没有起作用。我收到了一个错误信息:“psycopg2.ProgrammingError: 关系"ALL"不存在”。 - Inti
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接