2013-02-10 01:36:12 +01:00
|
|
|
# This resource manages an individual rule that applies to the file defined in
|
2013-08-27 22:43:47 +02:00
|
|
|
# $target. See README.md for more details.
|
|
|
|
define postgresql::server::pg_hba_rule(
|
2013-02-10 01:36:12 +01:00
|
|
|
$type,
|
|
|
|
$database,
|
|
|
|
$user,
|
|
|
|
$auth_method,
|
2013-08-27 22:43:47 +02:00
|
|
|
$address = undef,
|
2013-02-10 01:36:12 +01:00
|
|
|
$description = 'none',
|
|
|
|
$auth_option = undef,
|
2013-08-27 22:43:47 +02:00
|
|
|
$order = '150',
|
|
|
|
|
|
|
|
# Needed for testing primarily, support for multiple files is not really
|
|
|
|
# working.
|
|
|
|
$target = $postgresql::server::pg_hba_conf_path
|
2013-02-10 01:36:12 +01:00
|
|
|
) {
|
|
|
|
|
2013-02-25 19:28:45 +01:00
|
|
|
validate_re($type, '^(local|host|hostssl|hostnossl)$',
|
2013-02-10 01:36:12 +01:00
|
|
|
"The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")
|
|
|
|
|
|
|
|
if($type =~ /^host/ and $address == undef) {
|
|
|
|
fail('You must specify an address property when type is host based')
|
|
|
|
}
|
|
|
|
|
2013-09-22 22:35:18 +02:00
|
|
|
$allowed_auth_methods = $postgresql::server::version ? {
|
|
|
|
'9.3' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
|
|
|
'9.2' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
|
|
|
'9.1' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
|
|
|
'9.0' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
|
|
|
|
'8.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
|
|
|
|
'8.3' => ['trust', 'reject', 'md5', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
|
|
|
|
'8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
|
|
|
|
'8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
|
|
|
|
default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
|
|
|
|
}
|
|
|
|
|
|
|
|
$auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
|
|
|
|
validate_re($auth_method, $auth_method_regex,
|
|
|
|
join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')]))
|
|
|
|
|
2013-02-10 01:36:12 +01:00
|
|
|
# Create a rule fragment
|
|
|
|
$fragname = "pg_hba_rule_${name}"
|
|
|
|
concat::fragment { $fragname:
|
2013-02-15 11:23:18 +01:00
|
|
|
target => $target,
|
2013-02-10 01:36:12 +01:00
|
|
|
content => template('postgresql/pg_hba_rule.conf'),
|
2013-02-15 11:23:18 +01:00
|
|
|
order => $order,
|
|
|
|
owner => $::id,
|
|
|
|
mode => '0600',
|
2013-02-10 01:36:12 +01:00
|
|
|
}
|
|
|
|
}
|