module-postgresql/manifests/role.pp

# puppet-postgresql
# For all details and documentation:
# http://github.com/inkling/puppet-postgresql
#
# Copyright 2012- Inkling Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

define postgresql::role(
    $password_hash    = false,
    $createdb         = false,
    $createrole       = false,
    $db               = 'postgres',
    $login            = false,
    $superuser        = false,
    $replication      = false,
    $connection_limit = '-1',
    $username         = $title
) {
  include postgresql::params

  $login_sql       = $login       ? { true => 'LOGIN'       , default => 'NOLOGIN' }
  $createrole_sql  = $createrole  ? { true => 'CREATEROLE'  , default => 'NOCREATEROLE' }
  $createdb_sql    = $createdb    ? { true => 'CREATEDB'    , default => 'NOCREATEDB' }
  $superuser_sql   = $superuser   ? { true => 'SUPERUSER'   , default => 'NOSUPERUSER' }
  $replication_sql = $replication ? { true => 'REPLICATION' , default => '' }
  if ($password_hash != false) {
    $password_sql = "ENCRYPTED PASSWORD '${password_hash}'"
  } else {
    $password_sql = ""
  }

  Postgresql_psql {
    db         => $db,
    psql_user  => $postgresql::params::user,
    psql_group => $postgresql::params::group,
    psql_path  => $postgresql::params::psql_path,
    require    => Postgresql_psql["CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"],
  }

  postgresql_psql {"CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}":
    unless  => "SELECT rolname FROM pg_roles WHERE rolname='${username}'",
    require => undef,
  }

  postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolsuper=${superuser}",
  }

  postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcreatedb=${createdb}",
  }

  postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcreaterole=${createrole}",
  }

  postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcanlogin=${login}",
  }

  if(versioncmp($postgresql::params::version, '9.1') >= 0) {
    postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}":
      unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolreplication=${replication}",
    }
  }

  postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}":
    unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolconnlimit=${connection_limit}",
  }

  if $password_hash {
    postgresql_psql {"ALTER ROLE \"${username}\" ${password_sql}":
      unless => "SELECT usename FROM pg_shadow WHERE usename='${username}' and passwd='${password_hash}'",
    }
  }
}
Initial commit 2012-04-20 00:37:18 +02:00			`# puppet-postgresql`
			`# For all details and documentation:`
			`# http://github.com/inkling/puppet-postgresql`
			`#`
			`# Copyright 2012- Inkling Systems, Inc.`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

Bring database, database_user, and database_grant into alignment with mysql module Renamed a few files and made some tweaks to try to get database_grant, database_user, and database types into a state where they work very similarly to the ones in the mysql module. Also introduced a "postgresql_password" function that can be used to generate an md5 password hash for a postgres user. 2012-06-09 07:30:27 +02:00			`define postgresql::role(`
Adding the ability to create users without a password. 2013-03-16 18:32:27 +01:00			`$password_hash = false,`
Allow to set connection limit for new role 2013-02-28 00:43:24 +01:00			`$createdb = false,`
			`$createrole = false,`
			`$db = 'postgres',`
			`$login = false,`
			`$superuser = false,`
			`$replication = false,`
Change connection_limit default to string, Puppet 2.6 can't parse negative ints 2013-03-21 11:50:16 +01:00			`$connection_limit = '-1',`
Allow to set connection limit for new role 2013-02-28 00:43:24 +01:00			`$username = $title`
Bring database, database_user, and database_grant into alignment with mysql module Renamed a few files and made some tweaks to try to get database_grant, database_user, and database types into a state where they work very similarly to the ones in the mysql module. Also introduced a "postgresql_password" function that can be used to generate an md5 password hash for a postgres user. 2012-06-09 07:30:27 +02:00			`) {`
add optional cwd to the postgres_psql command When the psql command runs from a directory it does not have permission to access, it outputs an error. This error trips up the unless SQL command, causing the other SQL commands to run even if not needed. Rather than ignore stderr (which might hide something else), or use an arbitrary directory like /tmp, this code sets the cwd to the data directory, which will exist and be owned by the postgres user. If someone uses the postgres_psql type and customises the psql_user parameter, they should also set an appropriate cwd. 2012-12-14 13:02:18 +01:00			`include postgresql::params`
Initial commit 2012-04-20 00:37:18 +02:00
Add support for the REPLICATION flag when creating roles 2013-02-20 17:52:41 +01:00			`$login_sql = $login ? { true => 'LOGIN' , default => 'NOLOGIN' }`
			`$createrole_sql = $createrole ? { true => 'CREATEROLE' , default => 'NOCREATEROLE' }`
			`$createdb_sql = $createdb ? { true => 'CREATEDB' , default => 'NOCREATEDB' }`
			`$superuser_sql = $superuser ? { true => 'SUPERUSER' , default => 'NOSUPERUSER' }`
			`$replication_sql = $replication ? { true => 'REPLICATION' , default => '' }`
Adding the ability to create users without a password. 2013-03-16 18:32:27 +01:00			`if ($password_hash != false) {`
			`$password_sql = "ENCRYPTED PASSWORD '${password_hash}'"`
			`} else {`
			`$password_sql = ""`
			`}`
Initial commit 2012-04-20 00:37:18 +02:00
Alter superuser, createdb, createrole, login, replication status and the connection limit of a role that already exists Previously we only created a new user, any updates to the defined resource would not update the role. This patch adds extra logic to modify a role whenever a parameter is changed. System tests have also been added to support this. 2013-06-28 15:19:50 +02:00			`Postgresql_psql {`
			`db => $db,`
			`psql_user => $postgresql::params::user,`
			`psql_group => $postgresql::params::group,`
			`psql_path => $postgresql::params::psql_path,`
			`require => Postgresql_psql["CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"],`
			`}`

Adding the ability to create users without a password. 2013-03-16 18:32:27 +01:00			`postgresql_psql {"CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}":`
Alter superuser, createdb, createrole, login, replication status and the connection limit of a role that already exists Previously we only created a new user, any updates to the defined resource would not update the role. This patch adds extra logic to modify a role whenever a parameter is changed. System tests have also been added to support this. 2013-06-28 15:19:50 +02:00			`unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}'",`
			`require => undef,`
			`}`

			`postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}":`
			`unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolsuper=${superuser}",`
			`}`

			`postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}":`
			`unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcreatedb=${createdb}",`
			`}`

			`postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}":`
			`unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcreaterole=${createrole}",`
			`}`

			`postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}":`
			`unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcanlogin=${login}",`
			`}`

			`if(versioncmp($postgresql::params::version, '9.1') >= 0) {`
			`postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}":`
			`unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolreplication=${replication}",`
			`}`
			`}`

			`postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}":`
			`unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolconnlimit=${connection_limit}",`
			`}`

			`if $password_hash {`
			`postgresql_psql {"ALTER ROLE \"${username}\" ${password_sql}":`
			`unless => "SELECT usename FROM pg_shadow WHERE usename='${username}' and passwd='${password_hash}'",`
			`}`
Initial commit 2012-04-20 00:37:18 +02:00			`}`
			`}`