use runuser instead of become to check postgres perms

[evgeni]

fapolicyd doesn't like when we try to execute Python as postgres

[ekohl]

https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#become-directives says there's become_method which points to https://docs.ansible.com/ansible/latest/plugins/become.html#become-plugins. That in turn tells me to list plugins:

$ ansible-doc -t become -l
ansible.builtin.runas Run As user                                                                    
ansible.builtin.su    Substitute User                                                                
ansible.builtin.sudo  Substitute User DO  

I had a bit of hope that there was a runuser method but there's not. At this point I'm starting to think that writing real Python is going to be easier than Ansible.

[evgeni]

A runuser become method would not have helped. It's the whole become mechanism that breaks it for us.

become in Ansible works like this:

• somehow become (heh) the user that was requested
• write out the (generated) python code to disk
• execute the python code (still as that user)
• report the result back to the controller

Now the problem is that fapolicyd detects the python code (correctly) as python code, but the default policy is "don't let users run random python code".

But the policy does allow root to run random Python code.
So as long as we don't use become_user: someone_not_root, our code gets written and executed as root (and only then, inside python does shell out to runuser to switch to someone_not_root), which is fine as far as fapolicyd is concerned.