opuppet/module-postgresql
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
module-postgresql/manifests/server/grant.pp

253 lines
9 KiB
ObjectPascal
Raw Normal View History

Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
# Define for granting permissions to roles. See README.md for more details.
define postgresql::server::grant (
$role,
$db,
(MODULES-661) Remote DB support Adds connection-settings (for remote DB support) when creating DB resources. Connection-settings allows a hash of options that can be used when connecting the a remote DB (such as PGHOST, PGPORT, PGPASSWORD PGSSLKEY) and a special option DBVERSION indicating the version of the remote database. Including - Puppet updates - Documentation updates - RSpec unit test updates - RSpec acceptance test updates - Some test coverage for connection-settings - Working acceptance test... Basic vagrant setup: * Two boxes, server and client * Runs puppet code to on server to setup a postgres server that allows all connections and md5 connections, creates db puppet to look at * Runs puppet code on client to make a server that a psql command can be run against puppet db on other server * Does some fancy stuff to get the fact of the IP from the first server to connect to - Backwards compatible, with deprecation warnings around old parameters
2015-03-05 01:34:52 +01:00
$privilege = undef,
$object_type = 'database',
$object_name = undef,
$psql_db = $postgresql::server::default_database,
$psql_user = $postgresql::server::user,
$port = $postgresql::server::port,
$onlyif_exists = false,
$connect_settings = $postgresql::server::default_connect_settings,
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
) {
$group = $postgresql::server::group
$psql_path = $postgresql::server::psql_path
Rework defaults for `$object_name` in `postgresql::server::grant` You don't have access to parameters within the parameter list.
2015-03-07 00:49:07 +01:00
if ! $object_name {
$_object_name = $db
} else {
$_object_name = $object_name
}
Add onlyif parameter to postgresql_psql to only run command if onlyif returns true Add option to only attempt table grant if table already exists Make this slightly more generic
2014-11-05 22:39:15 +01:00
validate_bool($onlyif_exists)
(MODULES-661) Remote DB support Adds connection-settings (for remote DB support) when creating DB resources. Connection-settings allows a hash of options that can be used when connecting the a remote DB (such as PGHOST, PGPORT, PGPASSWORD PGSSLKEY) and a special option DBVERSION indicating the version of the remote database. Including - Puppet updates - Documentation updates - RSpec unit test updates - RSpec acceptance test updates - Some test coverage for connection-settings - Working acceptance test... Basic vagrant setup: * Two boxes, server and client * Runs puppet code to on server to setup a postgres server that allows all connections and md5 connections, creates db puppet to look at * Runs puppet code on client to make a server that a psql command can be run against puppet db on other server * Does some fancy stuff to get the fact of the IP from the first server to connect to - Backwards compatible, with deprecation warnings around old parameters
2015-03-05 01:34:52 +01:00
#
# Port, order of precedence: $port parameter, $connect_settings[PGPORT], $postgresql::server::port
#
if $port != undef {
$port_override = $port
} elsif $connect_settings != undef and has_key( $connect_settings, 'PGPORT') {
$port_override = undef
} else {
$port_override = $postgresql::server::port
}
Add onlyif parameter to postgresql_psql to only run command if onlyif returns true Add option to only attempt table grant if table already exists Make this slightly more generic
2014-11-05 22:39:15 +01:00
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
## Munge the input values
$_object_type = upcase($object_type)
$_privilege = upcase($privilege)
## Validate that the object type is known
validate_string($_object_type,
#'COLUMN',
'DATABASE',
#'FOREIGN SERVER',
#'FOREIGN DATA WRAPPER',
#'FUNCTION',
#'PROCEDURAL LANGUAGE',
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
'SCHEMA',
Support granting permission on sequences. add spec test for sequence grant and document postgresql::server::grant.
2015-05-08 16:33:26 +02:00
'SEQUENCE',
'ALL SEQUENCES IN SCHEMA',
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
'TABLE',
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
'ALL TABLES IN SCHEMA',
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
#'TABLESPACE',
#'VIEW',
)
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
# You can use ALL TABLES IN SCHEMA by passing schema_name to object_name
Support granting permission on sequences. add spec test for sequence grant and document postgresql::server::grant.
2015-05-08 16:33:26 +02:00
# You can use ALL SEQUENCES IN SCHEMA by passing schema_name to object_name
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
## Validate that the object type's privilege is acceptable
Fix granting all privileges on a table
2013-11-12 16:20:52 +01:00
# TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,
# we need a way to test for it--and has_database_privilege does not
# recognize 'ALL' as a valid privilege name. So we probably need to
# hard-code a mapping between 'ALL' and the list of actual privileges that
# it entails, and loop over them to check them. That sort of thing will
# probably need to wait until we port this over to ruby, so, for now, we're
# just going to assume that if they have "CREATE" privileges on a database,
# then they have "ALL". (I told you that it was terrible!)
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
case $_object_type {
'DATABASE': {
Fix granting all privileges on a table
2013-11-12 16:20:52 +01:00
$unless_privilege = $_privilege ? {
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
'ALL' => 'CREATE',
'ALL PRIVILEGES' => 'CREATE',
default => $_privilege,
Fix granting all privileges on a table
2013-11-12 16:20:52 +01:00
}
validate_string($unless_privilege,'CREATE','CONNECT','TEMPORARY','TEMP',
'ALL','ALL PRIVILEGES')
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
$unless_function = 'has_database_privilege'
$on_db = $psql_db
Add onlyif parameter to postgresql_psql to only run command if onlyif returns true Add option to only attempt table grant if table already exists Make this slightly more generic
2014-11-05 22:39:15 +01:00
$onlyif_function = undef
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
}
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
'SCHEMA': {
$unless_privilege = $_privilege ? {
'ALL' => 'CREATE',
'ALL PRIVILEGES' => 'CREATE',
default => $_privilege,
}
validate_string($_privilege, 'CREATE', 'USAGE', 'ALL', 'ALL PRIVILEGES')
$unless_function = 'has_schema_privilege'
$on_db = $db
Add onlyif parameter to postgresql_psql to only run command if onlyif returns true Add option to only attempt table grant if table already exists Make this slightly more generic
2014-11-05 22:39:15 +01:00
$onlyif_function = undef
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
}
Support granting permission on sequences. add spec test for sequence grant and document postgresql::server::grant.
2015-05-08 16:33:26 +02:00
'SEQUENCE': {
$unless_privilege = $_privilege ? {
'ALL' => 'USAGE',
default => $_privilege,
}
validate_string($unless_privilege,'USAGE','ALL','ALL PRIVILEGES')
$unless_function = 'has_sequence_privilege'
$on_db = $db
Add missing onlyif_function to sequence grant code
2016-02-15 13:11:26 +01:00
$onlyif_function = undef
Support granting permission on sequences. add spec test for sequence grant and document postgresql::server::grant.
2015-05-08 16:33:26 +02:00
}
'ALL SEQUENCES IN SCHEMA': {
validate_string($_privilege,'USAGE','ALL','ALL PRIVILEGES')
$unless_function = 'custom'
$on_db = $db
Add missing onlyif_function to sequence grant code
2016-02-15 13:11:26 +01:00
$onlyif_function = undef
Support granting permission on sequences. add spec test for sequence grant and document postgresql::server::grant.
2015-05-08 16:33:26 +02:00
$schema = $object_name
$custom_privilege = $_privilege ? {
'ALL' => 'USAGE',
'ALL PRIVILEGES' => 'USAGE',
default => $_privilege,
}
# This checks if there is a difference between the sequences in the
# specified schema and the sequences for which the role has the specified
# privilege. It uses the EXCEPT clause which computes the set of rows
# that are in the result of the first SELECT statement but not in the
# result of the second one. It then counts the number of rows from this
# operation. If this number is zero then the role has the specified
# privilege for all sequences in the schema and the whole query returns a
# single row, which satisfies the `unless` parameter of Postgresql_psql.
# If this number is not zero then there is at least one sequence for which
# the role does not have the specified privilege, making it necessary to
# execute the GRANT statement.
$custom_unless = "SELECT 1 FROM (
SELECT sequence_name
FROM information_schema.sequences
WHERE sequence_schema='${schema}'
EXCEPT DISTINCT
SELECT object_name as sequence_name
FROM information_schema.role_usage_grants
WHERE object_type='SEQUENCE'
AND grantee='${role}'
AND object_schema='${schema}'
AND privilege_type='${custom_privilege}'
) P
HAVING count(P.sequence_name) = 0"
}
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
'TABLE': {
Fix granting all privileges on a table
2013-11-12 16:20:52 +01:00
$unless_privilege = $_privilege ? {
'ALL' => 'INSERT',
default => $_privilege,
}
Add missing privileges
2013-11-15 15:20:15 +01:00
validate_string($unless_privilege,'SELECT','INSERT','UPDATE','DELETE',
'TRUNCATE','REFERENCES','TRIGGER','ALL','ALL PRIVILEGES')
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
$unless_function = 'has_table_privilege'
$on_db = $db
Add onlyif parameter to postgresql_psql to only run command if onlyif returns true Add option to only attempt table grant if table already exists Make this slightly more generic
2014-11-05 22:39:15 +01:00
$onlyif_function = $onlyif_exists ? {
true => 'table_exists',
default => undef,
}
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
}
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
'ALL TABLES IN SCHEMA': {
Make granting on ALL TABLES IN SCHEMA idempotent Define a proper SELECT statement to feed into Postgresql_psql's `unless` parameter that checks if there are any tables in the specified schema for which the specified role *does not* have the specified privilege. Only then allow the GRANT statement to be executed. For details see comments. Note that this, too, suffers from the problem that there is no feasible way to check if a role has ALL PRIVILEGES on a table in plain SQL. By terrible convention the INSERT privilege represents ALL PRIVILEGES here.
2015-02-18 00:47:40 +01:00
validate_string($_privilege,'SELECT','INSERT','UPDATE','DELETE',
'TRUNCATE','REFERENCES','TRIGGER','ALL','ALL PRIVILEGES')
$unless_function = 'custom'
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
$on_db = $db
Add onlyif parameter to postgresql_psql to only run command if onlyif returns true Add option to only attempt table grant if table already exists Make this slightly more generic
2014-11-05 22:39:15 +01:00
$onlyif_function = undef
Make granting on ALL TABLES IN SCHEMA idempotent Define a proper SELECT statement to feed into Postgresql_psql's `unless` parameter that checks if there are any tables in the specified schema for which the specified role *does not* have the specified privilege. Only then allow the GRANT statement to be executed. For details see comments. Note that this, too, suffers from the problem that there is no feasible way to check if a role has ALL PRIVILEGES on a table in plain SQL. By terrible convention the INSERT privilege represents ALL PRIVILEGES here.
2015-02-18 00:47:40 +01:00
$schema = $object_name
# Again there seems to be no easy way in plain SQL to check if ALL
# PRIVILEGES are granted on a table. By convention we use INSERT
# here to represent ALL PRIVILEGES (truly terrible).
$custom_privilege = $_privilege ? {
'ALL' => 'INSERT',
'ALL PRIVILEGES' => 'INSERT',
default => $_privilege,
}
# This checks if there is a difference between the tables in the
# specified schema and the tables for which the role has the specified
# privilege. It uses the EXCEPT clause which computes the set of rows
# that are in the result of the first SELECT statement but not in the
# result of the second one. It then counts the number of rows from this
# operation. If this number is zero then the role has the specified
# privilege for all tables in the schema and the whole query returns a
# single row, which satisfies the `unless` parameter of Postgresql_psql.
# If this number is not zero then there is at least one table for which
# the role does not have the specified privilege, making it necessary to
# execute the GRANT statement.
$custom_unless = "SELECT 1 FROM (
SELECT table_name
FROM information_schema.tables
WHERE table_schema='${schema}'
EXCEPT DISTINCT
SELECT table_name
FROM information_schema.role_table_grants
WHERE grantee='${role}'
AND table_schema='${schema}'
AND privilege_type='${custom_privilege}'
) P
HAVING count(P.table_name) = 0"
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
}
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
default: {
fail("Missing privilege validation for object type ${_object_type}")
}
}
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
# This is used to give grant to "schemaname"."tablename"
# If you need such grant, use:
# postgresql::grant { 'table:foo':
# role => 'joe',
Fix invalid byte sequence in US-ASCII error
2015-01-09 13:31:37 +01:00
# ...
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
# object_type => 'TABLE',
# object_name => [$schema, $table],
# }
Rework defaults for `$object_name` in `postgresql::server::grant` You don't have access to parameters within the parameter list.
2015-03-07 00:49:07 +01:00
if is_array($_object_name) {
$_togrant_object = join($_object_name, '"."')
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
# Never put double quotes into has_*_privilege function
Rework defaults for `$object_name` in `postgresql::server::grant` You don't have access to parameters within the parameter list.
2015-03-07 00:49:07 +01:00
$_granted_object = join($_object_name, '.')
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
} else {
Rework defaults for `$object_name` in `postgresql::server::grant` You don't have access to parameters within the parameter list.
2015-03-07 00:49:07 +01:00
$_granted_object = $_object_name
$_togrant_object = $_object_name
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
}
$_unless = $unless_function ? {
Make granting on ALL TABLES IN SCHEMA idempotent Define a proper SELECT statement to feed into Postgresql_psql's `unless` parameter that checks if there are any tables in the specified schema for which the specified role *does not* have the specified privilege. Only then allow the GRANT statement to be executed. For details see comments. Note that this, too, suffers from the problem that there is no feasible way to check if a role has ALL PRIVILEGES on a table in plain SQL. By terrible convention the INSERT privilege represents ALL PRIVILEGES here.
2015-02-18 00:47:40 +01:00
false => undef,
'custom' => $custom_unless,
default => "SELECT 1 WHERE ${unless_function}('${role}',
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
'${_granted_object}', '${unless_privilege}')",
}
Add onlyif parameter to postgresql_psql to only run command if onlyif returns true Add option to only attempt table grant if table already exists Make this slightly more generic
2014-11-05 22:39:15 +01:00
$_onlyif = $onlyif_function ? {
'table_exists' => "SELECT true FROM pg_tables WHERE tablename = '${_togrant_object}'",
default => undef,
}
Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA
2014-04-16 18:26:04 +02:00
$grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${_togrant_object}\" TO
\"${role}\""
Make module compatible with puppetDB
2014-04-16 18:06:43 +02:00
postgresql_psql { "grant:${name}":
(MODULES-661) Remote DB support Adds connection-settings (for remote DB support) when creating DB resources. Connection-settings allows a hash of options that can be used when connecting the a remote DB (such as PGHOST, PGPORT, PGPASSWORD PGSSLKEY) and a special option DBVERSION indicating the version of the remote database. Including - Puppet updates - Documentation updates - RSpec unit test updates - RSpec acceptance test updates - Some test coverage for connection-settings - Working acceptance test... Basic vagrant setup: * Two boxes, server and client * Runs puppet code to on server to setup a postgres server that allows all connections and md5 connections, creates db puppet to look at * Runs puppet code on client to make a server that a psql command can be run against puppet db on other server * Does some fancy stuff to get the fact of the IP from the first server to connect to - Backwards compatible, with deprecation warnings around old parameters
2015-03-05 01:34:52 +01:00
command => $grant_cmd,
db => $on_db,
port => $port_override,
connect_settings => $connect_settings,
psql_user => $psql_user,
psql_group => $group,
psql_path => $psql_path,
unless => $_unless,
onlyif => $_onlyif,
require => Class['postgresql::server']
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
}
if($role != undef and defined(Postgresql::Server::Role[$role])) {
Make module compatible with puppetDB
2014-04-16 18:06:43 +02:00
Postgresql::Server::Role[$role]->Postgresql_psql["grant:${name}"]
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
}
if($db != undef and defined(Postgresql::Server::Database[$db])) {
Make module compatible with puppetDB
2014-04-16 18:06:43 +02:00
Postgresql::Server::Database[$db]->Postgresql_psql["grant:${name}"]
Major rewrite to solve order dependencies and unclear public API This is a very very large change to the module. It started out as a fix to add postgresl::server::config_entry, and quickly became a rewrite to fix a lot of ordering issues inherent in the API. Since this changes the Public API it is considered a backwards compatible change. See the upgrading guide in README.md for more details as to what has been modified in this patch. Signed-off-by: Ken Barber <ken@bob.sh>
2013-08-27 22:43:47 +02:00
}
Add missing onlyif_function to sequence grant code
2016-02-15 13:11:26 +01:00
}
Reference in a new issue Copy permalink