From 6e48c471362e055c39adbe3de44e48779043592f Mon Sep 17 00:00:00 2001 From: Dmitriy Kalinin Date: Thu, 22 Aug 2019 15:01:01 +0300 Subject: [PATCH] Able to set user role attributes while creating; Change user privileges module to postgresql_privs --- README.md | 20 +++++++++++++++++--- tasks/users.yml | 1 + tasks/users_privileges.yml | 21 +++++++++++---------- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 5a96dc21..ab3887c7 100644 --- a/README.md +++ b/README.md @@ -101,9 +101,9 @@ postgresql_database_schemas: # List of user privileges to be applied (optional) postgresql_user_privileges: - name: baz # user name - db: foobar # database - priv: "ALL" # privilege string format: example: INSERT,UPDATE/table:SELECT/anothertable:ALL - role_attr_flags: "CREATEDB" # role attribute flags + schema: foobar # schema + objs: ALL_IN_SCHEMA # objects to be applied for + privs: "SELECT" # privileges ``` There's a lot more knobs and bolts to set, which you can find in the [defaults/main.yml](./defaults/main.yml) @@ -112,6 +112,20 @@ There's a lot more knobs and bolts to set, which you can find in the [defaults/m #### Fork additions - Add pg_stat_statements variables, if pg_stat_statement in preload libraries; +- Add role_attr_flags to postgresql_users for create users with some attrs e.g. SUPERUSER; +- Add postgresql_all_databases_schema variable to create one schema in all databases from postgresql_databases; +- Updating user privileges now using postgresql_privs ansible module. Example: +```yaml +postgresql_user_privileges: + - name: readonly_user + type: schema + objs: dbo + privs: "USAGE" + - name: readonly_user + schema: dbo + objs: ALL_IN_SCHEMA + privs: "SELECT" +``` #### Testing diff --git a/tasks/users.yml b/tasks/users.yml index 12e2c9f2..c241371d 100644 --- a/tasks/users.yml +++ b/tasks/users.yml 
@@ -13,6 +13,7 @@ port: "{{postgresql_port}}" state: present login_user: "{{postgresql_admin_user}}" + role_attr_flags: "{{ item.role_attr_flags | default(omit )}}" no_log: true become: yes become_user: "{{postgresql_admin_user}}" diff --git a/tasks/users_privileges.yml b/tasks/users_privileges.yml index 94aaea24..36049044 100644 --- a/tasks/users_privileges.yml +++ b/tasks/users_privileges.yml @@ -1,16 +1,17 @@ # file: postgresql/tasks/users_privileges.yml - name: PostgreSQL | Update the user privileges - postgresql_user: - name: "{{item.name}}" - db: "{{item.db | default(omit)}}" - port: "{{postgresql_port}}" - priv: "{{item.priv | default(omit)}}" + postgresql_privs: + database: "{{item[0].name}}" state: present + type: "{{item[1].type | default(omit)}}" + objs: "{{item[1].objs | default(omit)}}" + schema: "{{item[1].schema | default(omit)}}" + roles: "{{item[1].name}}" + privs: "{{item[1].privs}}" + port: "{{postgresql_port}}" login_host: "{{item.host | default(omit)}}" login_user: "{{postgresql_admin_user}}" - role_attr_flags: "{{item.role_attr_flags | default(omit)}}" - become: yes - become_user: "{{postgresql_admin_user}}" - with_items: "{{postgresql_user_privileges}}" - when: postgresql_users|length > 0 + with_nested: + - "{{ postgresql_databases }}" + - "{{ postgresql_user_privileges }}"
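Review bot: The added `role_attr_flags: "{{ item.role_attr_flags | default(omit )}}"` has a stray space before the closing parenthesis, unlike the other `default(omit)` expressions in this file; Jinja accepts it, but it reads as a typo and should be `role_attr_flags: "{{ item.role_attr_flags | default(omit) }}"`. Because this value is passed through from the inventory unchanged and can carry SUPERUSER or CREATEROLE (the README in this same patch names SUPERUSER as the example), a short comment above the line would help future readers, e.g. `# role attributes (SUPERUSER, CREATEDB, ...) come straight from the postgresql_users entry; review entries that set this`. The postgresql_user task this line belongs to starts before the hunk.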
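Review bot: `login_host: "{{item.host | default(omit)}}"` is kept as a context line, but under the new `with_nested` loop `item` is a two-element list, so `item.host` is always undefined and `default(omit)` silently drops the host on every iteration; it should read `login_host: "{{item[1].host | default(omit)}}"` (assuming the host still belongs to the privilege entry, as it did with `with_items`). The removed `become: yes` / `become_user: "{{postgresql_admin_user}}"` lines are not replaced, while tasks/users.yml in this same patch still runs under them; if the admin login depends on local peer authentication this task now connects as the Ansible user, so either restore the two lines or record why they are no longer needed. The nested loop also applies every postgresql_user_privileges entry to every database in postgresql_databases, which appears intended since the per-entry `db` key was dropped, but deserves a comment above `with_nested:` such as `# each privilege entry is granted in every database listed in postgresql_databases`.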