community.postgresql
community.postgresql.postgresql_privs puzzling behaviour on state: absent
SUMMARY
Puzzling behaviour when revoking default_privs: using state: absent disregards both objs and privs, and just revokes all on TABLES, SEQUENCES and TYPES
ISSUE TYPE
- Bug Report
COMPONENT NAME
community.postgresql.postgresql_privs
ANSIBLE VERSION
ansible [core 2.15.4]
config file = /Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg
configured module search path = ['/Users/dmorel/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /Users/dmorel/git/seenons-x-infra/.venv/lib/python3.10/site-packages/ansible
ansible collection location = /Users/dmorel/.ansible/collections:/usr/share/ansible/collections
executable location = /Users/dmorel/git/seenons-x-infra/.venv/bin/ansible
python version = 3.10.12 (main, Jun 20 2023, 08:52:58) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/Users/dmorel/git/seenons-x-infra/.venv/bin/python)
jinja version = 3.1.2
libyaml = True
COLLECTION VERSION
# /Users/dmorel/.ansible/collections/ansible_collections
Collection Version
-------------------- -------
community.postgresql 3.2.0
# /Users/dmorel/.pyenv/versions/3.10.12/lib/python3.10/site-packages/ansible_collections
Collection Version
-------------------- -------
community.postgresql 2.4.2
CONFIGURATION
CONFIG_FILE() = /Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg
DEFAULT_HOST_LIST(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = ['/Users/dmorel/git/seenons-x-infra/ansible/hosts']
DEFAULT_REMOTE_USER(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = ec2-user
DEFAULT_ROLES_PATH(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = ['/Users/dmorel/git/seenons-x-infra/ansible/roles']
EDITOR(env: EDITOR) = vim
HOST_KEY_CHECKING(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = auto_silent
PAGER(env: PAGER) = less
OS / ENVIRONMENT
STEPS TO REPRODUCE
- name: Grant default privileges
  community.postgresql.postgresql_privs:
    database: coredb_dev
    schema: public
    objs: TABLES
    type: default_privs
    target_roles: writers
    roles: developers
    privs: TRUNCATE,TRIGGER
    login_user: "{{ login_user }}"
    login_password: "{{ login_password }}"
    login_host: "{{ login_host }}"
    login_db: "{{ login_db }}"
    state: absent
EXPECTED RESULTS
I expect this to run: ALTER DEFAULT PRIVILEGES FOR ROLE writers IN SCHEMA public REVOKE TRUNCATE,TRIGGER ON TABLES FROM developers
ACTUAL RESULTS
What it runs (as indicated by ansible-playbook -vvv):
"queries": [
"ALTER DEFAULT PRIVILEGES FOR ROLE \"writers\" IN SCHEMA \"public\" REVOKE ALL ON TABLES FROM \"developers\";\nALTER DEFAULT PRIVILEGES FOR ROLE \"writers\" IN SCHEMA \"public\" REVOKE ALL ON SEQUENCES FROM \"developers\";\nALTER DEFAULT PRIVILEGES FOR ROLE \"writers\" IN SCHEMA \"public\" REVOKE ALL ON TYPES FROM \"developers\";"
]
My assumption is "state: absent" triggers a default behaviour that removes all permissions for a hardcoded list of object types, and that's it.
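Added example, not part of the issue or of the collection's code: a post-run check that compares the default ACL for TABLES before and after the task and reports privileges removed beyond the ones listed in `privs`. The function names and the sample ACL entries are constructed for illustration; they assume unquoted role names and cover only the TABLES entry of `pg_default_acl`.

```python
# PostgreSQL aclitem privilege letters ('*' after a letter marks grant option).
ACL_LETTERS = {
    "r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
    "D": "TRUNCATE", "x": "REFERENCES", "t": "TRIGGER", "m": "MAINTAIN",
    "X": "EXECUTE", "U": "USAGE", "C": "CREATE", "c": "CONNECT",
    "T": "TEMPORARY",
}


def parse_aclitem(item):
    """Split 'grantee=letters/grantor' into (grantee, privileges, grantor).

    Assumes unquoted role names (no '=' or '/' inside them).
    """
    left, _, grantor = item.rpartition("/")
    grantee, _, letters = left.partition("=")
    privs = {ACL_LETTERS[ch] for ch in letters if ch != "*"}
    return grantee or "PUBLIC", privs, grantor


def privileges_for(acl, grantee, grantor):
    """Union of privileges that `grantor` defaults to `grantee` in one ACL."""
    found = set()
    for item in acl:
        who, privs, by = parse_aclitem(item)
        if who == grantee and by == grantor:
            found |= privs
    return found


def check_revoke(before, after, grantee, grantor, revoked):
    """Return (expected, actual, over_revoked) for a targeted REVOKE."""
    expected = privileges_for(before, grantee, grantor) - set(revoked)
    actual = privileges_for(after, grantee, grantor)
    return expected, actual, expected - actual


# Constructed sample: defaclacl::text[] rows from pg_default_acl for tables
# (defaclobjtype = 'r') in schema public, captured before and after the task.
BEFORE = ["developers=arwdDxt/writers", "readers=r/writers"]
AFTER_REVOKE_ALL = ["readers=r/writers"]  # state after REVOKE ALL ON TABLES
AFTER_TARGETED = ["developers=arwdx/writers", "readers=r/writers"]

if __name__ == "__main__":
    for label, after in (("reported", AFTER_REVOKE_ALL), ("expected", AFTER_TARGETED)):
        _, actual, lost = check_revoke(
            BEFORE, after, "developers", "writers", ["TRUNCATE", "TRIGGER"])
        print(label, "remaining:", sorted(actual), "over-revoked:", sorted(lost))
```

A non-empty over-revoked set means the revoke removed more than the privileges it was asked to remove, which is the behaviour described above.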