Vh ddlmZmZmZeZdZdZdZddl Z ddl Z ddl Z ddl Z ddl mZddlmZmZddlmZmZmZdd lmZdd lmZdd lmZdd lmZmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*ddl+m,Z,e!re"e,dkrddl-Z.ne!rddl.Z. ddlm/Z/dZ0dZ2ddiZ3dZ4e5e6de6dZ7e5ddddddd !Z8gZ9gZ:Gd"d#e;Z<Gd$d%e;Z=d&Z>d'Z?d(Z@d)ZAd*ZBd+ZCd,ZDd-ZEd.ZFdGd/ZGd0ZHd1ZId2ZJd3ZKd4ZLd5ZMd6ZNd7ZOd8ZPd9ZQd:ZRd;ZSd<ZTd=ZUd>ZVd?ZWd@ZXdAZYdBZZdCZ[dDZ\dEZ]e^dFk(re]yy#e1$rdZ0YwxYw)H)absolute_importdivisionprint_functionaw) --- module: postgresql_user short_description: Create, alter, or remove a user (role) from a PostgreSQL server instance description: - Creates, alters, or removes a user (role) from a PostgreSQL server instance ("cluster" in PostgreSQL terminology) and, optionally, grants the user access to an existing database or tables. - A user is a role with login privilege. - You can also use it to grant or revoke user's privileges in a particular database. - You cannot remove a user while it still has any privileges granted to it in any database. - Set I(fail_on_user) to C(false) to make the module ignore failures when trying to remove a user. In this case, the module reports if changes happened as usual and separately reports whether the user has been removed or not. - B(WARNING) The I(priv) option has been B(deprecated) and will be removed in community.postgresql 4.0.0. Please use the M(community.postgresql.postgresql_privs) module instead. options: name: description: - Name of the user (role) to add or remove. type: str required: true aliases: - user password: description: - Set the user's password, before 1.4 this was required. - Password can be passed unhashed or hashed (MD5-hashed). - An unhashed password is automatically hashed when saved into the database if I(encrypted) is set, otherwise it is saved in plain text format. - When passing an MD5-hashed password, you must generate it with the format C('str["md5"] + md5[ password + username ]'), resulting in a total of 35 characters. An easy way to do this is C(echo "md5`echo -n 'verysecretpasswordJOE' | md5sum | awk '{print $1}'`"). - Note that if the provided password string is already in MD5-hashed format, then it is used as-is, regardless of I(encrypted) option. type: str login_db: description: - Name of database to connect to and where user's permissions are granted. - The V(db) alias is deprecated and will be removed in version 5.0.0. type: str default: '' aliases: - db fail_on_user: description: - If C(true), fails when the user (role) cannot be removed. Otherwise just log and continue. default: true type: bool aliases: - fail_on_role priv: description: - This option has been B(deprecated) and will be removed in community.postgresql 4.0.0. Please use the M(community.postgresql.postgresql_privs) module to GRANT/REVOKE permissions instead. - "Slash-separated PostgreSQL privileges string: C(priv1/priv2), where you can define the user's privileges for the database ( allowed options - 'CREATE', 'CONNECT', 'TEMPORARY', 'TEMP', 'ALL'. For example C(CONNECT) ) or for table ( allowed options - 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL'. For example C(table:SELECT) ). Mixed example of this string: C(CONNECT/CREATE/table1:SELECT/table2:INSERT)." - When I(priv) contains tables, the module uses the schema C(public) by default. If you need to specify a different schema, use the C(schema_name.table_name) notation, for example, C(pg_catalog.pg_stat_database:SELECT). type: str role_attr_flags: description: - "PostgreSQL user attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER." - Note that '[NO]CREATEUSER' is deprecated. - To create a simple role for using it like a group, use C(NOLOGIN) flag. - See the full list of supported flags in documentation for your PostgreSQL version. type: str default: '' session_role: description: - Switch to session role after connecting. - The specified session role must be a role that the current login_user is a member of. - Permissions checking for SQL commands is carried out as though the session role were the one that had logged in originally. type: str state: description: - The user (role) state. type: str default: present choices: [ absent, present ] encrypted: description: - Whether the password is stored hashed in the database. - You can specify an unhashed password, and PostgreSQL ensures the stored password is hashed when I(encrypted=true) is set. If you specify a hashed password, the module uses it as-is, regardless of the setting of I(encrypted). - "Note: Postgresql 10 and newer does not support unhashed passwords." - Previous to Ansible 2.6, this was C(false) by default. default: true type: bool expires: description: - The date at which the user's password is to expire. - If set to C('infinity'), user's password never expires. - Note that this value must be a valid SQL date and time type. type: str no_password_changes: description: - If C(true), does not inspect the database for password changes. If the user already exists, skips all password related checks. Useful when C(pg_authid) is not accessible (such as in AWS RDS). Otherwise, makes password changes as necessary. default: false type: bool conn_limit: description: - Specifies the user (role) connection limit. type: int ssl_mode: description: - Determines how an SSL session is negotiated with the server. - See U(https://www.postgresql.org/docs/current/static/libpq-ssl.html) for more information on the modes. - Default of C(prefer) matches libpq default. type: str default: prefer choices: [ allow, disable, prefer, require, verify-ca, verify-full ] ca_cert: description: - Specifies the name of a file containing SSL certificate authority (CA) certificate(s). - If the file exists, verifies that the server's certificate is signed by one of these authorities. type: str aliases: [ ssl_rootcert ] comment: description: - Adds a comment on the user (equivalent to the C(COMMENT ON ROLE) statement). - To reset the comment, pass an empty string. type: str version_added: '0.2.0' trust_input: description: - If C(false), checks whether values of options I(name), I(password), I(privs), I(expires), I(role_attr_flags), I(comment), I(session_role) are potentially dangerous. - It makes sense to use C(false) only when SQL injections through the options are possible. type: bool default: true version_added: '0.2.0' configuration: description: - Role-specific configuration parameters that would otherwise be set by C(ALTER ROLE user SET variable TO value;). - Takes a dict where the key is the name of the configuration parameter. If the key includes special characters like C(.) and C(-), it needs to be quoted to ensure the YAML is valid. - Sets or updates any parameter in the list that is not present or has the wrong value in the database. - Removes any parameter from the user that is not listed here. - Parameters that are present in the database but are not included in this list will only be reset, if O(reset_unspecified_configuration=true). - Inputs to O(user) as well as keys and values in this parameter are quoted by the module. If you require the user to contain a C("), you need to double it, otherwise the module will fail. C(") and C(') are not allowed in configuration keys and any C(') in the value of a configuration will be escaped by this module. Additionally, parameters and values are checked if O(trust_input) is C(false). type: dict default: {} version_added: '3.5.0' reset_unspecified_configuration: description: - If set to C(true), the user's default configuration parameters will be reset in case they are not included in O(configuration), otherwise existing parameters will not be modified if not included in O(configuration). type: bool default: false version_added: '3.5.0' quote_configuration_values: description: - Automatically quote the values of configuration variables added via I(configuration). The default is C(true) and setting this to C(false) leaves these options open to SQL-injections and makes the user responsible for properly quoting values. - This is required to be C(false) to modify settings like C(search_path), that need to be unquoted. - If this is C(false) you will also need to make sure that strings are properly quoted. For example C("'16MB'") for C(work_mem). - Set this only to C(false) if you know what you are doing! type: bool default: true version_added: '3.11.0' notes: - The module creates a user (role) with login privilege by default. Use C(NOLOGIN) I(role_attr_flags) to change this behaviour. - If you specify C(PUBLIC) as the user (role), then the privilege changes apply to all users (roles). You may not specify password or role_attr_flags when the C(PUBLIC) user is specified. - SCRAM-SHA-256-hashed passwords (SASL Authentication) require PostgreSQL version 10 or newer. On the previous versions the whole hashed string is used as a password. - 'Working with SCRAM-SHA-256-hashed passwords, be sure you use the I(environment:) variable C(PGOPTIONS: "-c password_encryption=scram-sha-256") when it is not default for your PostgreSQL version (see the provided example).' - On some systems (such as AWS RDS), C(pg_authid) is not accessible, thus, the module cannot compare the current and desired C(password). In this case, the module assumes that the passwords are different and changes it reporting that the state has been changed. To skip all password related checks for existing users, use I(no_password_changes=true). - On some systems (such as AWS RDS), C(SUPERUSER) is unavailable. This means the C(SUPERUSER) and C(NOSUPERUSER) I(role_attr_flags) should not be specified to preserve idempotency and avoid InsufficientPrivilege errors. attributes: check_mode: support: full seealso: - module: community.postgresql.postgresql_privs - module: community.postgresql.postgresql_membership - module: community.postgresql.postgresql_owner - name: PostgreSQL database roles description: Complete reference of the PostgreSQL database roles documentation. link: https://www.postgresql.org/docs/current/user-manag.html - name: PostgreSQL SASL Authentication description: Complete reference of the PostgreSQL SASL Authentication. link: https://www.postgresql.org/docs/current/sasl-authentication.html author: - Ansible Core Team extends_documentation_fragment: - community.postgresql.postgres ak # This example uses the 'priv' argument which is deprecated. # You should use the 'postgresql_privs' module instead. - name: Connect to acme database, create django user, and grant access to database and products table community.postgresql.postgresql_user: login_db: acme name: django password: ceec4eif7ya priv: "CONNECT/products:ALL" expires: "Jan 31 2020" - name: Add a comment on django user community.postgresql.postgresql_user: login_db: acme name: django comment: This is a test user # Connect to default database, create rails user, set its password (MD5- or SHA256-hashed), # and grant privilege to create other databases and demote rails from super user status if user exists # the hash from the corresponding pg_authid entry. - name: Create rails user, set MD5-hashed password, grant privs community.postgresql.postgresql_user: name: rails password: md59543f1d82624df2b31672ec0f7050460 # password: SCRAM-SHA-256$4096:zFuajwIVdli9mK=NJkcv1Q++$JC4gWIrEHmF6sqRbEiZw5FFW45HUPrpVzNdoM72o730+;fqA4vLN3mCZGbhcbQyvNYY7anCrUTsem1eCh/4YA94= role_attr_flags: CREATEDB,NOSUPERUSER # When using sha256-hashed password: # environment: # PGOPTIONS: "-c password_encryption=scram-sha-256" # This example uses the 'priv' argument which is deprecated. # You should use the 'postgresql_privs' module instead. - name: Connect to acme database and remove test user privileges from there community.postgresql.postgresql_user: login_db: acme name: test priv: "ALL/products:ALL" state: absent fail_on_user: false # This example uses the 'priv' argument which is deprecated. # You should use the 'postgresql_privs' module instead. - name: Connect to test database, remove test user from cluster community.postgresql.postgresql_user: login_db: test name: test priv: ALL state: absent # This example uses the 'priv' argument which is deprecated. # You should use the 'postgresql_privs' module instead. - name: Connect to acme database and set user's password with no expire date community.postgresql.postgresql_user: login_db: acme name: django password: mysupersecretword priv: "CONNECT/products:ALL" expires: infinity # Example privileges string format # INSERT,UPDATE/table:SELECT/anothertable:ALL - name: Connect to test database and remove an existing user's password community.postgresql.postgresql_user: login_db: test user: test password: "" # Create user with a cleartext password if it does not exist or update its password. # The password will be encrypted with SCRAM algorithm (available since PostgreSQL 10) - name: Create appclient user with SCRAM-hashed password community.postgresql.postgresql_user: name: appclient password: "secret123" environment: PGOPTIONS: "-c password_encryption=scram-sha-256" # This example uses the 'priv' argument which is deprecated. # You should use the 'postgresql_privs' module instead. - name: Create a user, grant SELECT on pg_catalog.pg_stat_database community.postgresql.postgresql_user: name: monitoring priv: 'pg_catalog.pg_stat_database:SELECT' # Create a user and set a default-configuration that is active when they start a session - name: Create a user with config-parameter community.postgresql.postgresql_user: name: appclient password: "secret123" configuration: work_mem: "16MB" # Make sure user has only specified default configuration parameters - name: Clear all configuration that is not explicitly defined for user community.postgresql.postgresql_user: name: appclient password: "secret123" configuration: work_mem: "16MB" reset_unspecified_configuration: true - name: Set search_path for user community.postgresql.postgresql_user: name: postgres_exporter quote_configuration_values: false configuration: search_path: postgres_exporter, pg_catalog, public z queries: description: List of executed queries. returned: success type: list sample: ['CREATE USER "alice"', 'GRANT CONNECT ON DATABASE "acme" TO "alice"'] N) b64decode)md5sha256)to_bytes to_nativeto_text) AnsibleModule) iteritems)saslprep) SQLParseError check_inputpg_quote_identifier) HAS_PSYCOPGPSYCOPG_VERSION connect_to_dbensure_required_libs get_commentget_conn_paramsget_server_versionpg_cursor_argspostgres_common_argument_spec set_comment) LooseVersionz3.0) pbkdf2_hmacTF) SUPERUSER CREATEROLECREATEDBINHERITLOGIN REPLICATION BYPASSRLSiazP^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+\/=]+)\$([A-Za-z0-9+\/=]+):([A-Za-z0-9+\/=]+)$)SELECTINSERTUPDATEDELETETRUNCATE REFERENCESTRIGGERALL)CREATECONNECT TEMPORARYTEMPr,tabledatabaserolsuper rolcreaterole rolcreatedb rolinherit rolcanloginrolreplication rolbypassrls)rrr r!r"r#r$c eZdZy)InvalidFlagsErrorN__name__ __module__ __qualname__x/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/postgresql/plugins/modules/postgresql_user.pyr<r<rBr<c eZdZy)InvalidPrivsErrorNr=rArBrCrFrFrDrBrFcX|dk(ryd}|j|d|i|jdkDS)NPUBLICTz3SELECT rolname FROM pg_roles WHERE rolname=%(user)suserr)executerowcount)cursorrIquerys rC user_existsrNs3 x AE NN564.) ??Q rBct||}ddt||izg} |,|dk7r'| jdd|iz| jd|| jd|| jd d |iz| j|d j| } tj| |j | |y ) z"Create a new database user (role).passwordexpireszCREATE USER %(user)srIWITH %(crypt)scryptPASSWORD %(password)sVALID UNTIL %(expires)sCONNECTION LIMIT %(conn_limit)s conn_limit T)dict_pg_quote_userappendjoinexecuted_queriesrJ) rLrIrQrole_attr_flags encryptedrRrYmodulequery_password_datarMs rCuser_addrds'B #nT62 34 5EB %)(<<= ,- ./ 6, 9SST LL! HHUOEE" NN5-. rBcJ|jd|jdS)NzSHOW password_encryptionpassword_encryption)rJfetchone)rLs rCget_passwd_encryptionrhs" NN-. ?? 2 33rBc|yd}||d}t|tr|jd}|dk(r|d}|Stjt |r ||k7rd}|S|t rtjt |rtjt |} t|jd}t|jd} t|jd} tjt|} td t| | |} tj| t } | j#d | j%| k7rd}|St)|s|d k(r ||k7rd}|S|d k(r]t+|}|dk(rFdj-t/t|t|zj1}||k7rd}|S|dk(rd}|S#t&$rd}Y|SwxYw)zCheck if we should change the user's password. Compare the proposed password with the existing one, comparing hashes if encrypted. If we can't access it assume yes. TF rolpasswordasciirSr) digestmods Server Key UNENCRYPTED ENCRYPTEDrzmd5{0}z scram-sha-256) isinstancebytesdecoderematchSCRAM_SHA256_REGEX pbkdf2_foundintgrouprrr rr hmacnewrupdatedigest Exceptionis_pg_passwd_md5rhformatr hexdigest)rLcurrent_role_attrsrIrQra pwchangingcurrent_passwordritsalt server_keynormalized_passwordsalted_passwordserver_key_verifierdefault_pw_encryptionhashed_passwords rCuser_should_we_change_passwordrs!J-m< & ./66w?  r>+! v sXX(( 3++! n e ) HH/1AB+-=>A "_ ,&qwwqz2 '/&7&78I&J#"-hAT8UW[]_"`&*hh&&Q##**=9&--/:=!%J6 'h '9 +E++! " !+ %$9&$A !$-"*//#hx6H8TX>6Y2Z2d2d2f"g"&66!%J '/9" 5 "" . 5 "sCG G-,G-cH|jdrt|dk(rdSdS)Nr#TF) startswithlen)rQs rCrr+s'&&u-#h-62I4TuTrBcd} d}|j|d|i|j}||S d}|j|d|i|j}|S#tj$r|j YRwxYw#tj$r3}|j |j d|d|Yd}~|Sd}~wwxYw)Nz.SELECT * FROM pg_authid where rolname=%(user)srIz-SELECT * FROM pg_roles where rolname=%(user)sz,Failed to get role details for current user : msg)rJrgpsycopgProgrammingErrorrollback fail_json) db_connectionrbrLrIrrMes rCget_role_attrsr1s !@uvtn-#__. %!!_?uvtn-#__. #  # #! !  # #_ UY[\]^^  _s(&A&B#A=<A=C(CCcd}|roi}|jdD]/}|jdrd||jddd<+d||<1|jD]\}}|t||k7sd}|S)NFrZNOrSrlT)splitrreplaceitemsPRIV_TO_AUTHID_COLUMN)r`rrole_attr_flags_changingrole_attr_flags_dictrrole_attr_namerole_attr_values rCneed_to_change_role_attr_flagsrOs %! &&s+ /A||D!?D$QYYtR%;<*.$Q'  / 0D/I/I/K 0 +NO!"7"GHO[+/( 0 $#rBcd}|:|jd|f|jd}||jdk7}|S)NFz$SELECT %s::timestamptz exp_timestamp exp_timestamp rolvaliduntil)rJrgget)rLrRrexpires_changingexpires_with_tzs rCneed_to_change_role_expirationrdsO=zJ //+O<+.@.D.D_.UU rBc|duxr||dk7S)N rolconnlimitrA)rYrs rCneed_to_change_conn_limitrqs d " Wz5G5W'WXrBc&d}|i} |j||tj|d}|S#tj$ru}|j j dk(rBd}|j|j jtj|cYd}~Stj|d}~wtj$rD}|j|j jtjYd}~|Sd}~wwxYw)NFT25006r exception) rJr_r]r InternalErrordiagsqlstatermessage_primary traceback format_excNotSupportedError)rbrL statementparamschangedrs rCexec_alter_userrusG ~Wy&) * N  + 66??g %G   !7!79CWCWCY  ZN''* *  $ $WQVV33y?S?S?UVV NWs.)3DAB6D!B66D 9D  Dc d} |jdit} |dk(r.||jdn|dk7r|jdny|s*| |dk7s||t||| |} t | | |||} t || } t | || }t|| }| s| s|s|syddt||izg}| rP|dk7r(|jd d |iz|jd n|jd |j|n|r|jd |z||jd||jdd|izt||}dj|}t|| ||} | S|r{|dk7rvt||| |} t || } | syddt||izg}|r|jd |zdj|}t|| |} t||| |}| |k7} | S)zPChange user password and/or attributes. Return True if changed, False otherwise.FrHz*cannot change the password for PUBLIC userrrSz1cannot change the role_attr_flags for PUBLIC userzALTER USER %(user)srIrTrUrVzWITH PASSWORD NULLzWITH %srWrXrYrPrZrA) rLrrrrrrrr\r]r[r^r)rrbrIrQr`rarRno_password_changesrYrrLrrrrconn_limit_changingalterrcrnew_role_attrss rC user_alterrseG !] ! ! 3N 3F x     !M  N  "   !T  U H$8Or|S)NFr1rT)r[rrrrr ) rLrIr revoke_funcs check_funcsrtype_name privileges differencess rCrevoke_privilegesr ls }5!;=L1 79KG )%, 7  D*-+e,VT4LK1~# U#FD$ C   NrBc|yttt}ttt}d}|D]<}t ||D])\}}||||||} | ds||||||d}+>|S)NFr1rmT)r[rrrrr ) rLrIr grant_funcsrrrrrr s rCgrant_privilegesr s }3 9;K1 79KG )%, 7  D*-+e,VT4LK1~" E"64zB   NrBctd|jdD}ttjtt |}ttj|d|D}|j |s,tddj|j|zdj|S)a Parse role attributes string for user creation. Format: attributes[,attributes,...] Where: attributes := CREATEDB,CREATEROLE,NOSUPERUSER,... [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEDB", "[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION", "[NO]BYPASSRLS" ] Note: "[NO]BYPASSRLS" role attribute introduced in 9.5 Note: "[NO]CREATEUSER" role attribute is deprecated. c3BK|]}|s|jywN)upper).0roles rC z#parse_role_attrs..sRtTdjjlRs,c3&K|] }d|z yw)zNO%sNrA)rflags rCrz#parse_role_attrs..s9`D&4-9`sz%Invalid role_attr_flags specified: %srZ) rr itertoolschainFLAGSget_valid_flags_by_versionissubsetr<r^r)r` srv_versionflags valid_flagss rCparse_role_attrsr s$ R/D/DS/IR REIOOE3Mk3Z[\KIOOK9`T_9`abK >>+ & G #)9)9+)F G!HI I 88E?rBct|}d|vr)|jt||jdd|vr"|j d|jd|S)Nr,r0r/)rr} VALID_PRIVSremover)rr new_privss rCrrs\E I U+,  k" rBc ||Siid}|jdD]}d|vr&d}|}td|jdD}n8d}|jdd\}}td |jdD}|jt|s6t d |d d j |j t|t||}||||<|S) a  Parse privilege string to determine permissions for database db. Format: privileges[/privileges/...] Where: privileges := DATABASE_PRIVILEGES[,DATABASE_PRIVILEGES,...] | TABLE_NAME:TABLE_PRIVILEGES[,TABLE_PRIVILEGES,...] )r3r2/:r3c3xK|]2}|jr |jj4ywrstriprrrs rCrzparse_privs..s/!I%&aggi"#!2!I8:rr2rlc3xK|]2}|jr |jj4ywrr)r+s rCrzparse_privs..s/!N%&1779"#!2!Nr,zInvalid privs specified for rrZ)rrrr"rFr^rr)rro_privstokenrrpriv_setrs rC parse_privsr1s } GS!( e ED !I*/++c*:!IIHE${{32 D* !N*4*:*:3*?!NNH  U!34#%*CHHX5H5HUZI[5\,]%_` `(%8't#(& NrBcftjDcgc] \}}||k\r|c}}Scc}}w)z Some role attributes were introduced after certain versions. We want to compile a list of valid flags against the current Postgres version. )FLAGS_BY_VERSIONr)rrversion_introduceds rCrrs;)9(>(>(@  $D$ , ,   s-c^t|d|}||nd}||k7rt||d||tyy)zAdd comment on user.rrSTF)rrr_)rLrIcomment check_modecurrent_comments rC add_commentr9s=!&&$7O)8)Do"O/!FGVT:?OPrBcg}|j}|jD].\}}||vr |||k(r||=||vs|s|j|0||dS)zlCompares two configurations and returns a list of values to reset as well as a dict of parameters to update.)resetr})copyrr])currentrreset_unspec_configr;r}keyvalues rCcompare_user_configurationsrAsj E \\^Fmmo U '>ews|3s  $7 LL f --rBc|# td|Dcic] }|d|d c}SiScc}w#t$r|jdYywxYw)zbParses configuration from a list of 'key=value' strings like returned from the database to a dict.Nc&|jddS)N=rl)r)ss rCz*parse_user_configuration..saggc1orBrrlzIExpecting a list of strings where each string has the format 'key=value'.r)map IndexErrorr)rbconfigsts rCparse_user_configurationrKsh a(+,Ew(OP1AaD!A$JP P  Q a   _  a as-(--A  A cd}|j|d|i|j}d}||jdd|izt||d} t | ||} | dD]<} d t ||| d z} t j| |j| d }>| d jD]V\} }|rd t ||| |dz} ndt ||| |dz} t j| |j| d }X |S#tj$r"}|jd||dzYd}~|Sd}~wwxYw)z9Updates the user's configuration parameters if necessary.z8SELECT rolconfig FROM pg_roles WHERE rolname = %(user)s;rIFNz&Can't find user %(user)s in 'pg_roles'r rolconfigr;z$ALTER ROLE %(user)s RESET "%(key)s";)rIr?Tr}z1ALTER ROLE %(user)s SET "%(key)s" TO '%(value)s';)rIr?r@z/ALTER ROLE %(user)s SET "%(key)s" TO %(value)s;zCUnable to update configuration for '%(user)s' due to: %(exception)s)rIr) rJrgrrKrAr\r_r]rrr)rLrbrI configurationr> quote_valuescurrent_config_querycurrent_configrcurrent_config_dictconfig_updatesitemrMr?r@rs rCuser_configurationrU%sU NN'&$8__&NGEQUVW26>+;VW01DmUhiN9#7+ D:nUY[aFbko=ppE  # #E * NN5 !G   )288: JCN"0v">sUZ[\K"0v">sUZ[\  # #E * NN5 !G  N  # #9^"&Q78 9 9 N9sB0DE%EEc|ddk7r|ddk7rtd|zdS|ddk(r|ddk7s|ddk7r|ddk(r|jdyt|dS)zgcorrectly escape users, pg_quote_identifiers will fail if the user contains a dot but is not pre-quotedrrz"%s"rzpThe value of the user-field can't contain a double-quote in the end if it doesn't start with one and vice-versa.N)rr)rIrbs rCr\r\Jsv Aw#~$r(c/"6D=&99 q'S.T"X_$q'S.T"XQT_H I #400rBc t}|jtdddgtdddtddddgtddd d tdd d gd d ddgtdddgtdd tddtdddtddtddtdtddtddtditddtddt|d}|jd}|jd}|jd}|jd}|jdd k(r!|jd |j d!"t |jd |jd}|jd#}|jd$rd%}nd&}|jd'} |jd(} |jd)} |jd*} |jd+} |jd,}|jd-}|jd.}|jd/}|st||||| | | | | | t|t||jd0}t||\}}|jd>it}t|}|rF|jD]3\}}d1|vsd2|vr|j d3|jd2d4||<5 t!| |} t|6}d}d}|dk(rzt+||r t-||||| || || }n t1|||| || | |} t7|||xs|}|  t9||| |j:xs|}t?||||||xs|}n^t+||rR|j:rd}d|d9<n> tA|||}tC|||}|xs|}|r|sd:}|j |"||d9<|j:r|jEn|jG|jI|jI||d;<tJ|d<<tLr tL|d=<|jNd>i|y#t"$r9}|j t%|t'j(5Yd}~d}~wwxYw#t.$r9}|j t%|t'j(5Yd}~d}~wwxYw#t2j4$r<}|j d7t%|zt'j(5Yd}~d}~wt.$r9}|j t%|t'j(5Yd}~5d}~wwxYw#t.$r9}|j t%|t'j(5Yd}~hd}~wwxYw#t<$r<}|j d8t%|zt'j(5Yd}~d}~wwxYw#t.$r9}|j t%|t'j(5Yd}~d}~wwxYw)?NstrTr)typerequiredaliases)rZdefaultno_logpresentabsent)rZr]choicesz4.0.0zcommunity.postgreql)rZr]removed_in_versionremoved_from_collectionrSrzcommunity.postgresql)rversioncollection_name)rZr]r\deprecated_aliasesbool fail_on_role)rZr]r\)rZr]Fry)rZr[)rIrQstateprivlogin_db fail_on_userr`rarrRrY session_roler6 trust_inputrNreset_unspecified_configurationquote_configuration_values) argument_specsupports_check_moderIrQrirlrkrjz-privileges require a database to be specifiedrrrarqrprRrYr`r6rmrNrorprn)warn_db_defaultr'zBThe key of a configuration may not contain single or double quotesz''r)rIz5Unable to add user with given requirement due to : %sz!Unable to add comment on role: %s user_removedzUnable to remove userrqueries debug_inforA)(rr}r[r rrr1rrrrrLrrrrr r<r rrrNrrrdrrr r9r7rrUr rrcommitcloser_rw exit_json)rqrbrIrQrirlrrrarRrYr`r6rmrNr>rprn conn_paramsrdummyrLrr?r@rkwrrurs rCmainr~\sh13M utfX >5$t<y8Y:OP udw`u v5"tf"#9 R vtn=MN%4FD1 feEJ%.UD1u%%.fd33(,&%(H#'VT#B/2# F == D}}Z(H MM' "E==0L }}Z B&6==+@+LLM  f-v}}Z/H IE --(=> }}[! ! mmI&G|,Jmm$56OmmI&G==0LMM/2M --(IJ!'/K!L-- .K FD(E7#WlG] T !&&--OK(=M5 !] ! ! 3N 3F$]3K"'--/ :JCczTS[  !ef!&sD!9M#  : M*?KH 4BGL  vt $ U$]FD(%4iJ]_ik  U"64#2Iw TZ\ Q&vtU;FwG   C%fdGV=N=NOZSZ %VVT=J]%?ALDK  vt $  %)>"Y/eDG#.vtV#DL"1\ 1C$$$-%1>"   LLNByM$ByM%<FrO MYq\Y5I5I5KLLM! U  Yq\Y=Q=Q=S TT U ++ C  &35>q\&B+4+?+?+A!CC! U  Yq\Y=Q=Q=S TT U  Q   19M9M9O  P P Q  C  %H9UV<%W+4+?+?+A!CC C$%Y$$1AUAUAW$XXYs8 Q.&R3;S8V "W4X. R07.R++R03 S5<.S00S58V 1U V.VV W .WW  X1XX Y .YY__main__r)_ __future__rrrrZ __metaclass__ DOCUMENTATIONEXAMPLESRETURNr{rrurbase64rhashlibrransible.module_utils._textr r r ansible.module_utils.basicr ansible.module_utils.sixr =ansible_collections.community.postgresql.plugins.module_utilsrFansible_collections.community.postgresql.plugins.module_utils.databaserrrFansible_collections.community.postgresql.plugins.module_utils.postgresrrrrrrrrrrEansible_collections.community.postgresql.plugins.module_utils.versionrpsycopg2rrrx ImportErrorrr3rwr[rr"rr_rwrr<rFrNrdrhrrrrrrrrrrrrrrrrrr r r rr1rr9rArKrUr\r~r>rArBrCrsA@ Z xk Z   CC4.    ?\%%88$L S'h#wx%HJ zo&3\Q^)9^U     *4 TnU <$* Y6Qh "4$G/*4$  ,*> &R  .( "J 1$Up zF]LsE EE