postgresql_membership – Add or remove PostgreSQL roles from groups¶
New in version 2.8.
Synopsis¶
- Adds or removes PostgreSQL roles from groups (other roles).
- Users are roles with login privilege.
- Groups are PostgreSQL roles usually without LOGIN privilege.
- Common use case:
- add a new group (groups) by postgresql_user module with role_attr_flags=NOLOGIN
 
- grant them desired privileges by postgresql_privs module
 
- add desired PostgreSQL users to the new group (groups) by this module
 
Parameters¶
| Parameter | Choices/Defaults | Comments | 
|---|---|---|
| ca_cert 
                    string
                                                                 | Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. aliases: ssl_rootcert | |
| db 
                    string
                                                                 | Name of database to connect to. aliases: login_db | |
| fail_on_role 
                    boolean
                                                                 | 
 | If  yes, fail when group or target_role doesn't exist. Ifno, just warn and continue. | 
| groups 
                    list
                     / elements=string                         / required                     | The list of groups (roles) that need to be granted to or revoked from target_roles. aliases: group, source_role, source_roles | |
| login_host 
                    string
                                                                 | Host running the database. | |
| login_password 
                    string
                                                                 | The password used to authenticate with. | |
| login_unix_socket 
                    string
                                                                 | Path to a Unix domain socket for local connections. | |
| login_user 
                    string
                                                                 | Default: "postgres" | The username used to authenticate with. | 
| port 
                    integer
                                                                 | Default: 5432 | Database port to connect to. aliases: login_port | 
| session_role 
                    string
                                                                 | Switch to session_role after connecting. The specified session_role must be a role that the current login_user is a member of. Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally. | |
| ssl_mode 
                    string
                                                                 | 
 | Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. Default of  prefermatches libpq default. | 
| state 
                    string
                                                                 | 
 | Membership state. state=present implies the groupsmust be granted to target_roles. state=absent implies the groups must be revoked from target_roles. | 
| target_roles 
                    list
                     / elements=string                         / required                     | The list of target roles (groups will be granted to them). aliases: target_role, users, user | 
Notes¶
Note
- The default authentication assumes that you are either logging in as or sudo’ing to the postgresaccount on the host.
- To avoid “Peer authentication failed for user postgres” error, use postgres user as a become_user.
- This module uses psycopg2, a Python PostgreSQL database adapter. You must ensure that psycopg2 is installed on the host before using this module.
- If the remote host is the PostgreSQL server (which is the default case), then PostgreSQL must also be installed on the remote host.
- For Ubuntu-based systems, install the postgresql, libpq-dev, and python-psycopg2 packages on the remote host before using this module.
- The ca_cert parameter requires at least Postgres version 8.4 and psycopg2 version 2.4.3.
See Also¶
See also
- postgresql_user – Add or remove a user (role) from a PostgreSQL server instance
- The official documentation on the postgresql_user module.
- postgresql_privs – Grant or revoke privileges on PostgreSQL database objects
- The official documentation on the postgresql_privs module.
- postgresql_owner – Change an owner of PostgreSQL database object
- The official documentation on the postgresql_owner module.
- PostgreSQL role membership reference
- Complete reference of the PostgreSQL role membership documentation.
- PostgreSQL role attributes reference
- Complete reference of the PostgreSQL role attributes documentation.
Examples¶
- name: Grant role read_only to alice and bob
  postgresql_membership:
    group: read_only
    target_roles:
    - alice
    - bob
    state: present
# you can also use target_roles: alice,bob,etc to pass the role list
- name: Revoke role read_only and exec_func from bob. Ignore if roles don't exist
  postgresql_membership:
    groups:
    - read_only
    - exec_func
    target_role: bob
    fail_on_role: no
    state: absent
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Status¶
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors¶
- Andrew Klychkov (@Andersson007)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
