module-postgresql/manifests/database_grant.pp

# puppet-postgresql
# For all details and documentation:
# http://github.com/inkling/puppet-postgresql
#
# Copyright 2012- Inkling Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# TODO: in mysql module, the grant resource name might look like this: 'user@host/dbname';
#  I think that the API for the resource type should split these up, because it's
#  easier / safer to recombine them for mysql than it is to parse them for other
#  databases.  Also, in the mysql module, the hostname portion of that string
#  affects the user's ability to connect from remote hosts.  In postgres this is
#  managed via pg_hba.conf; not sure if we want to try to reconcile that difference
#  in the modules or not.

define postgresql::database_grant(
    # TODO: mysql supports an array of privileges here.  We should do that if we
    #  port this to ruby.
    $privilege,
    $db,
    $role,
    $psql_db = 'postgres',
    $psql_user='postgres',
) {

  # TODO: FIXME: only works on databases, due to using has_database_privilege

  # TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,
  #  we need a way to test for it--and has_database_privilege does not recognize
  #  'ALL' as a valid privelege name.  So we probably need to hard-code a mapping
  #  between 'ALL' and the list of actual privileges that it entails, and loop
  #  over them to check them.  That sort of thing will probably need to wait until
  #  we port this over to ruby, so, for now, we're just going to assume that if
  #  they have "CREATE" privileges on a database, then they have "ALL".  (I told
  #  you that it was terrible!)
  $unless_privilege = $privilege ? {
    'ALL'   => 'CREATE',
    default => $privilege,
  }

  postgresql::psql {"GRANT $privilege ON database $db TO $role":
    db      => $psql_db,
    user    => $psql_user,
    unless  => "SELECT 1 WHERE has_database_privilege('$role', '$db', '$unless_privilege')",
  }
}
Bring database, database_user, and database_grant into alignment with mysql module Renamed a few files and made some tweaks to try to get database_grant, database_user, and database types into a state where they work very similarly to the ones in the mysql module. Also introduced a "postgresql_password" function that can be used to generate an md5 password hash for a postgres user. 2012-06-09 07:30:27 +02:00			`# puppet-postgresql`
			`# For all details and documentation:`
			`# http://github.com/inkling/puppet-postgresql`
			`#`
			`# Copyright 2012- Inkling Systems, Inc.`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`# TODO: in mysql module, the grant resource name might look like this: 'user@host/dbname';`
			`# I think that the API for the resource type should split these up, because it's`
			`# easier / safer to recombine them for mysql than it is to parse them for other`
			`# databases. Also, in the mysql module, the hostname portion of that string`
			`# affects the user's ability to connect from remote hosts. In postgres this is`
			`# managed via pg_hba.conf; not sure if we want to try to reconcile that difference`
			`# in the modules or not.`

			`define postgresql::database_grant(`
			`# TODO: mysql supports an array of privileges here. We should do that if we`
			`# port this to ruby.`
			`$privilege,`
			`$db,`
			`$role,`
			`$psql_db = 'postgres',`
			`$psql_user='postgres',`
			`) {`

			`# TODO: FIXME: only works on databases, due to using has_database_privilege`

			`# TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,`
			`# we need a way to test for it--and has_database_privilege does not recognize`
			`# 'ALL' as a valid privelege name. So we probably need to hard-code a mapping`
			`# between 'ALL' and the list of actual privileges that it entails, and loop`
			`# over them to check them. That sort of thing will probably need to wait until`
			`# we port this over to ruby, so, for now, we're just going to assume that if`
			`# they have "CREATE" privileges on a database, then they have "ALL". (I told`
			`# you that it was terrible!)`
			`$unless_privilege = $privilege ? {`
			`'ALL' => 'CREATE',`
			`default => $privilege,`
			`}`

			`postgresql::psql {"GRANT $privilege ON database $db TO $role":`
			`db => $psql_db,`
			`user => $psql_user,`
			`unless => "SELECT 1 WHERE has_database_privilege('$role', '$db', '$unless_privilege')",`
			`}`
			`}`