Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSmQC-001SI0-PF for pgsql-general@arkaria.postgresql.org; Wed, 01 Jan 2025 00:17:13 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tSmQB-006Adw-8R for pgsql-general@arkaria.postgresql.org; Wed, 01 Jan 2025 00:17:10 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSmQA-006Adj-SL for pgsql-general@lists.postgresql.org; Wed, 01 Jan 2025 00:17:10 +0000 Received: from ageofdream.com ([2600:3c00::f03c:93ff:fe74:e1a]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tSmQ9-001Tpz-0C for pgsql-general@lists.postgresql.org; Wed, 01 Jan 2025 00:17:09 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ageofdream.com; s=ageofdream; t=1735690627; bh=BOT85gm0ml3xPyHLfH1BOhT0/pMAjTMhZH5VM1VmkaI=; h=Subject:From:To:Date:In-Reply-To:References:From; b=Fhq9OQFGbVTrnjEF3tWCrCUUzLTHwODQLJDM4qtVC6CKn4F6rYkeabslti7V/e28X YKeFSLNijOSeL9zFCL75JQknfUbGcUN16Fv89xMIAkFX/HBoYZkXJunCEP9CnMy9/p K32hyYnma6lnBpLjj6332xcb1fGlV+AdBgLKgaIMgx1DnCtdXzyZyg5E7Q5VH9SG2l vVMReqtQleoyeu0X3q5n3NxKq9ix/fryFaGDGgmcMLpOrAAgOZXVViJAKzzhYeuEkN wdJkM2y0TQ28T6VgbZE0VWQwe5HBAjWa0GmSLulaSv6VgpJZ2thSzmkdCts5lr7NTj d7DB1X2yKqt0A== Received: from [192.168.1.7] (unknown [72.255.194.227]) by ageofdream.com (Postfix) with ESMTPSA id A8246278D7 for ; Tue, 31 Dec 2024 19:17:07 -0500 (EST) Message-ID: <36cebb6894294c521aa92a8f1183d8e9dfb2e379.camel@ageofdream.com> Subject: Re: Initial Postgres admin account setup using Ansible? From: Nick To: pgsql-general@lists.postgresql.org Date: Tue, 31 Dec 2024 19:17:07 -0500 In-Reply-To: References: <75b177a0f2627519419009a2134fe050f3f623cb.camel@ageofdream.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.4-2 MIME-Version: 1.0 X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on ageofdream.com List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk >=20 > On Tue, Dec 31, 2024 at 10:32=E2=80=AFPM Nick wro= te: > >=20 > > I'm trying to create an Ansible playbook that sets up and manages > > Postgres on Debian 12. > >=20 > > I'm having issues with the default username/login structure, and > > could > > use some help. > >=20 > > I'm installing the `postgresql` package via apt, and Debian creates > > a > > `postgres` system account that has a locked password. > >=20 > > I can login to Postgres manually by first becoming root then > > running > > `sudo -u postgres psql` as root. But when the Ansible user (which > > has > > passwordless sudo) tries to run `sudo -u postgres psql`, I get: > >=20 > > "Sorry, user Ansible is not allowed to execute '/usr/bin/psql' as > > postgres on example.com." > >=20 > > This is likely because the postgres POSIX account has a locked > > password, so only root can become postgres. Other users with sudo > > permissions can't become a locked account. > >=20 > > So I **could** unlock the `postgres` POSIX account, but I > > understand > > that this account is locked for a reason. > >=20 > > The goal is to have Ansible manage the creation of databases and > > roles > > in the Postgres database. > >=20 > > So I need to create an account in Postgres that Ansible can use as > > the > > super user. I would like to do this in a way that doesn't require > > me to > > manually login to the server, become root, become postgres as root, > > then manually create an Ansible role. > >=20 > > What is the proper (secure) way to let the Ansible POSIX user > > manage > > postgres? It seems there should be a fully automated way to > > bootstrap > > an Ansible user for `postgres`. > >=20 >=20 I think I found a working solution: In `pg_hba.conf`, change: ``` local all postgres peer ``` to: ``` local all all peer map=3Dansible_map ``` In `pg_ident.conf`, add: ``` ansible_map ansible postgres ansible_map postgres postgres ``` Then in the playbook, don't become (stay as `ansible`): ``` - name: Ping PostgreSQL postgresql_ping: db: postgres login_unix_socket: "/var/run/postgresql" login_user: postgres become: false ``` This seems to work, but is it secure? If USER is `all` in `pg_hba.conf`, can any POSIX account login?