创建业务用户
如何在用户集群中新建或修改业务用户?
剧本概览
创建业务用户:可以在现有集群中创建新的用户或修改现有用户:pgsql-createuser.yml
日常管理
# 在 pg-test 集群创建名为 test 的用户
./pgsql-createuser.yml -l pg-test -e pg_user=test
请注意,pg_user 指定的用户,必须已经存在于集群pg_users的定义中,否则会报错。这意味着用户必须先定义用户,再创建用户。
剧本说明
#!/usr/bin/env ansible-playbook
---
#==============================================================#
# File : pgsql-createuser.yml
# Ctime : 2021-02-27
# Mtime : 2021-02-27
# Desc : create user on running cluster
# Path : pgsql-createuser.yml
# Deps : templates/pg-user.sql
# Copyright (C) 2018-2021 Ruohang Feng
#==============================================================#
#=============================================================================#
# How to create user ?
# 1. define user in your configuration file! <cluster>.vars.pg_usesrs
# 2. execute this playbook with pg_user set to your new user.name
# 3. run playbook on target cluster
# It essentially does:
# 1. create sql file in /pg/tmp/pg-user-{{ user.name }}.sql
# 2. create user on primary instance with that sql
# 3. if {{ user.pgbouncer }}, add to all cluster members and reload
#=============================================================================#
- name: Create user in cluster
become: yes
hosts: all
gather_facts: no
vars:
##################################################################################
# IMPORTANT: Change this or use cli-arg to specify target user in inventory #
##################################################################################
pg_user: test
tasks:
#------------------------------------------------------------------------------
# pre-flight check: validate pg_user and user definition
# ------------------------------------------------------------------------------
- name: Preflight
block:
- name: Check parameter pg_user
connection: local
assert:
that:
- pg_user is defined
- pg_user != ''
- pg_user != 'postgres'
fail_msg: variable 'pg_user' should be specified to create target user
- name: Fetch user definition
connection: local
set_fact:
pg_user_definition={{ pg_users | json_query(pg_user_definition_query) }}
vars:
pg_user_definition_query: "[?name=='{{ pg_user }}'] | [0]"
# print user definition
- debug:
msg: "{{ pg_user_definition }}"
- name: Check user definition
assert:
that:
- pg_user_definition is defined
- pg_user_definition != None
- pg_user_definition != ''
- pg_user_definition != {}
fail_msg: user definition for {{ pg_user }} should exists in pg_users
#------------------------------------------------------------------------------
# Create user on cluster primary and add pgbouncer entry to cluster members
#------------------------------------------------------------------------------
# create user according to user definition
- include_tasks: roles/postgres/tasks/createuser.yml
vars:
user: "{{ pg_user_definition }}"
#------------------------------------------------------------------------------
# Pgbouncer Reload (entire cluster)
#------------------------------------------------------------------------------
- name: Reload pgbouncer to add user
when: pg_user_definition.pgbouncer is defined and pg_user_definition.pgbouncer|bool
tags: pgbouncer_reload
systemd: name=pgbouncer state=reloaded enabled=yes daemon_reload=yes
...
使用样例
./pgsql-createuser.yml -l pg-test -e pg_user=test
执行结果
$ ./pgsql-createuser.yml -l pg-test -e pg_user=test
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
PLAY [Create user in cluster] *****************************************************************************************************************************************************
TASK [Check parameter pg_user] ****************************************************************************************************************************************************
ok: [10.10.10.11] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [10.10.10.12] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [10.10.10.13] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [Fetch user definition] ******************************************************************************************************************************************************
ok: [10.10.10.11]
ok: [10.10.10.12]
ok: [10.10.10.13]
TASK [debug] **********************************************************************************************************************************************************************
ok: [10.10.10.11] => {
"msg": {
"comment": "default test user for production usage",
"name": "test",
"password": "test",
"pgbouncer": true,
"roles": [
"dbrole_readwrite"
]
}
}
ok: [10.10.10.12] => {
"msg": {
"comment": "default test user for production usage",
"name": "test",
"password": "test",
"pgbouncer": true,
"roles": [
"dbrole_readwrite"
]
}
}
ok: [10.10.10.13] => {
"msg": {
"comment": "default test user for production usage",
"name": "test",
"password": "test",
"pgbouncer": true,
"roles": [
"dbrole_readwrite"
]
}
}
TASK [Check user definition] ******************************************************************************************************************************************************
ok: [10.10.10.11] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [10.10.10.12] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [10.10.10.13] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [include_tasks] **************************************************************************************************************************************************************
included: /Volumes/Data/pigsty/roles/postgres/tasks/createuser.yml for 10.10.10.11, 10.10.10.12, 10.10.10.13
TASK [Render user test creation sql] **********************************************************************************************************************************************
skipping: [10.10.10.12]
skipping: [10.10.10.13]
changed: [10.10.10.11]
TASK [Execute user test creation sql on primary] **********************************************************************************************************************************
skipping: [10.10.10.12]
skipping: [10.10.10.13]
changed: [10.10.10.11]
TASK [Add user to pgbouncer] ******************************************************************************************************************************************************
changed: [10.10.10.11]
changed: [10.10.10.13]
changed: [10.10.10.12]
TASK [Reload pgbouncer to add user] ***********************************************************************************************************************************************
changed: [10.10.10.11]
changed: [10.10.10.12]
changed: [10.10.10.13]
PLAY RECAP ************************************************************************************************************************************************************************
10.10.10.11 : ok=9 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
10.10.10.12 : ok=7 changed=2 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
10.10.10.13 : ok=7 changed=2 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
任务详情
默认任务如下:
playbook: ./pgsql-createuser.yml
play #1 (all): Create user in cluster TAGS: []
tasks:
Check parameter pg_user TAGS: []
Fetch user definition TAGS: []
debug TAGS: []
Check user definition TAGS: []
include_tasks TAGS: []
Reload pgbouncer to add user TAGS: [pgbouncer_reload]
最后修改 2021-03-25: update docs (3f322bf)