module-postgresql/manifests/server/passwd.pp

# PRIVATE CLASS: do not call directly
class postgresql::server::passwd {
  $ensure            = $postgresql::server::ensure
  $postgres_password = $postgresql::server::postgres_password
  $user              = $postgresql::server::user
  $group             = $postgresql::server::group

  if($ensure == 'present' or $ensure == true) {
    if ($postgres_password != undef) {
      # NOTE: this password-setting logic relies on the pg_hba.conf being
      #  configured to allow the postgres system user to connect via psql
      #  without specifying a password ('ident' or 'trust' security). This is
      #  the default for pg_hba.conf.
      $escaped = postgresql_escape($postgres_password)
      $env = "env PGPASSWORD='${postgres_password}'"
      exec { 'set_postgres_postgrespw':
        # This command works w/no password because we run it as postgres system
        # user
        command     => "psql -c 'ALTER ROLE \"${user}\" PASSWORD ${escaped}'",
        user        => $user,
        group       => $group,
        logoutput   => true,
        cwd         => '/tmp',
        # With this command we're passing -h to force TCP authentication, which
        # does require a password.  We specify the password via the PGPASSWORD
        # environment variable. If the password is correct (current), this
        # command will exit with an exit code of 0, which will prevent the main
        # command from running.
        unless      => "${env} psql -h localhost -c 'select 1' > /dev/null",
        path        => '/usr/bin:/usr/local/bin:/bin',
      }
    }
  }
}
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh> 2013-08-27 22:43:47 +02:00			`# PRIVATE CLASS: do not call directly`
			`class postgresql::server::passwd {`
			`$ensure = $postgresql::server::ensure`
			`$postgres_password = $postgresql::server::postgres_password`
			`$user = $postgresql::server::user`
			`$group = $postgresql::server::group`

			`if($ensure == 'present' or $ensure == true) {`
			`if ($postgres_password != undef) {`
			`# NOTE: this password-setting logic relies on the pg_hba.conf being`
			`# configured to allow the postgres system user to connect via psql`
			`# without specifying a password ('ident' or 'trust' security). This is`
			`# the default for pg_hba.conf.`
			`$escaped = postgresql_escape($postgres_password)`
			`$env = "env PGPASSWORD='${postgres_password}'"`
			`exec { 'set_postgres_postgrespw':`
			`# This command works w/no password because we run it as postgres system`
			`# user`
			`command => "psql -c 'ALTER ROLE \"${user}\" PASSWORD ${escaped}'",`
			`user => $user,`
			`group => $group,`
			`logoutput => true,`
			`cwd => '/tmp',`
			`# With this command we're passing -h to force TCP authentication, which`
			`# does require a password. We specify the password via the PGPASSWORD`
			`# environment variable. If the password is correct (current), this`
			`# command will exit with an exit code of 0, which will prevent the main`
			`# command from running.`
			`unless => "${env} psql -h localhost -c 'select 1' > /dev/null",`
			`path => '/usr/bin:/usr/local/bin:/bin',`
			`}`
			`}`
			`}`
			`}`