| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| --- |
| # Grant the specified users permissions to the specified database. |
| # dbName - name of the database |
| # dbHostname - hostname of the database |
| # dbAdminUser - admin user, which is able to grant permissions |
| # dbAdminPassword - password of the admin user, which is able to grant permissions |
| # admins - all users which should have admin access on this database afterwards |
| # readers - all users which should have read access on this database afterwards |
| # writers - all users which should have write access on this database afterwards |
| |
| - set_fact: |
| dbUser: "{{ dbAdminUser | default(db.credentials.admin.user) }}" |
| dbPassword: "{{ dbAdminPassword | default(db.credentials.admin.pass) }}" |
| dbHost: "{{ dbHostname | default(db.host) }}" |
| |
| # If a component uses admin credentials, the admin user will not be added to the list (as it already has all access rights). |
| - set_fact: |
| readerList: "{{ readers | default([]) | difference([dbUser]) }}" |
| writerList: "{{ writers | default([]) | difference([dbUser]) }}" |
| adminList: "{{ admins | default([]) | difference([dbUser]) }}" |
| |
| # http://docs.couchdb.org/en/2.0.0/api/database/security.html |
| - name: grant permissions for CouchDB |
| uri: |
| url: "{{ db.protocol }}://{{ dbHost }}:{{ db.port }}/{{ dbName }}/_security" |
| method: PUT |
| status_code: 200 |
| body_format: json |
| body: | |
| { |
| "admins": { |
| "names": [ "{{ adminList | join('", "') }}" ], |
| "roles": [] |
| }, |
| "members": { |
| "names": [ "{{ readerList | union(writerList) | join('", "') }}" ], |
| "roles": [] |
| } |
| } |
| user: "{{ dbUser }}" |
| password: "{{ dbPassword }}" |
| force_basic_auth: yes |
| when: db.provider == 'CouchDB' |
| |
| # https://cloud.ibm.com/docs/services/Cloudant/api/authorization.html#authorization |
| - name: grant permissions for Cloudant |
| uri: |
| url: "{{ db.protocol }}://{{ dbHost }}:{{ db.port }}/{{ dbName }}/_security" |
| method: PUT |
| status_code: 200 |
| body_format: json |
| body: | |
| { |
| "cloudant": { |
| {% for item in readerList | union(writerList) | union(adminList) %}"{{ item }}": [ {% if item in readerList %}"_reader"{% if item in writerList %}, "_writer"{% if item in adminList %}, "_admin"{% endif %}{% endif %}{% endif %} ], {% endfor %} |
| } |
| } |
| user: "{{ dbUser }}" |
| password: "{{ dbPassword }}" |
| force_basic_auth: yes |
| when: db.provider == 'Cloudant' |
