module-postgresql/manifests/db.pp

# Define: postgresql::db
#
# This module creates database instances, a user, and grants that user
# privileges to the database.
#
# Since it requires class postgresql::server, we assume to run all commands as the
# postgresql user against the local postgresql server.
#
# TODO: support an array of privileges for "grant"; currently only supports a single
#  privilege, which is pretty useless unless that privilege is "ALL"
#
# Parameters:
#   [*title*]       - postgresql database name.
#   [*user*]        - username to create and grant access.
#   [*password*]    - user's password.  may be md5-encoded, in the format returned by the "postgresql_password"
#                            function in this module
#   [*charset*]     - database charset. defaults to 'utf8'
#   [*grant*]       - privilege to grant user. defaults to 'all'.
#   [*tablespace*]  - database tablespace. default to use the template database's tablespace.
#   [*locale*]      - locale for database. defaults to 'undef' (effectively 'C').
#
# Actions:
#
# Requires:
#
#   class postgresql::server
#
# Sample Usage:
#
#  postgresql::db { 'mydb':
#    user     => 'my_user',
#    password => 'password',
#    grant    => 'all'
#  }
#
define postgresql::db (
  $user,
  $password,
  $charset     = $postgresql::params::charset,
  $locale      = $postgresql::params::locale,
  $grant       = 'ALL',
  $tablespace = undef
) {
  include postgresql::params

  postgresql::database { $name:
    # TODO: ensure is not yet supported
    #ensure     => present,
    charset     => $charset,
    tablespace  => $tablespace,
    #provider   => 'postgresql',
    require     => Class['postgresql::server'],
    locale      => $locale,
  }

  if ! defined(Postgresql::Database_user[$user]) {
    postgresql::database_user { $user:
      # TODO: ensure is not yet supported
      #ensure         => present,
      password_hash   => $password,
      #provider       => 'postgresql',
      require         => Postgresql::Database[$name],
    }
  }

  postgresql::database_grant { "GRANT ${user} - ${grant} - ${name}":
    privilege       => $grant,
    db              => $name,
    role            => $user,
    #provider       => 'postgresql',
    require         => [Postgresql::Database[$name], Postgresql::Database_user[$user]],
  }

}
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`# Define: postgresql::db`
			`#`
			`# This module creates database instances, a user, and grants that user`
			`# privileges to the database.`
			`#`
			`# Since it requires class postgresql::server, we assume to run all commands as the`
			`# postgresql user against the local postgresql server.`
			`#`
			`# TODO: support an array of privileges for "grant"; currently only supports a single`
			`# privilege, which is pretty useless unless that privilege is "ALL"`
			`#`
			`# Parameters:`
			`# [title] - postgresql database name.`
			`# [user] - username to create and grant access.`
			`# [password] - user's password. may be md5-encoded, in the format returned by the "postgresql_password"`
			`# function in this module`
Update CHANGELOG, README, Modulefile for 2.0.0 release 2013-01-16 01:09:10 +01:00			`# [charset] - database charset. defaults to 'utf8'`
			`# [grant] - privilege to grant user. defaults to 'all'.`
Added support for tablespaces 2013-01-28 18:01:11 +01:00			`# [tablespace] - database tablespace. default to use the template database's tablespace.`
Add locale parameter support This adds the parameter 'locale' to the 'postgresql' class so we have a global default, and adds it two the defined resources 'postgresql::db' and 'postgresql::database'. This allows users to either: * Defined a global default for the cluster * Define a per-database default As a side-effect I had to make sure 'charset' was also exposed in a similar manner as some locales need a particular charset to work. Tests were added to test both the 'createdb' case and 'initdb' case for Redhat, and some refactoring was done to make the existing non_default test area use heredocs so my manifests and test code was kept close together. As apposed to entirely different files and places in the directory structure. I cleaned up the related execs a little bit, adding logoutput => on_failure where needed so we can debug failures. Beforehand execs just 'failed', but now we should be able to get better feedback from failed execs helping support. I also add intention comments in parts of the Puppet code that I touched where it made sense. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-02 02:54:33 +01:00			`# [locale] - locale for database. defaults to 'undef' (effectively 'C').`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`#`
			`# Actions:`
			`#`
			`# Requires:`
			`#`
			`# class postgresql::server`
			`#`
			`# Sample Usage:`
			`#`
			`# postgresql::db { 'mydb':`
			`# user => 'my_user',`
			`# password => 'password',`
			`# grant => 'all'`
			`# }`
			`#`
			`define postgresql::db (`
			`$user,`
			`$password,`
Add locale parameter support This adds the parameter 'locale' to the 'postgresql' class so we have a global default, and adds it two the defined resources 'postgresql::db' and 'postgresql::database'. This allows users to either: * Defined a global default for the cluster * Define a per-database default As a side-effect I had to make sure 'charset' was also exposed in a similar manner as some locales need a particular charset to work. Tests were added to test both the 'createdb' case and 'initdb' case for Redhat, and some refactoring was done to make the existing non_default test area use heredocs so my manifests and test code was kept close together. As apposed to entirely different files and places in the directory structure. I cleaned up the related execs a little bit, adding logoutput => on_failure where needed so we can debug failures. Beforehand execs just 'failed', but now we should be able to get better feedback from failed execs helping support. I also add intention comments in parts of the Puppet code that I touched where it made sense. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-02 02:54:33 +01:00			`$charset = $postgresql::params::charset,`
			`$locale = $postgresql::params::locale,`
Added support for tablespaces 2013-01-28 18:01:11 +01:00			`$grant = 'ALL',`
Add locale parameter support This adds the parameter 'locale' to the 'postgresql' class so we have a global default, and adds it two the defined resources 'postgresql::db' and 'postgresql::database'. This allows users to either: * Defined a global default for the cluster * Define a per-database default As a side-effect I had to make sure 'charset' was also exposed in a similar manner as some locales need a particular charset to work. Tests were added to test both the 'createdb' case and 'initdb' case for Redhat, and some refactoring was done to make the existing non_default test area use heredocs so my manifests and test code was kept close together. As apposed to entirely different files and places in the directory structure. I cleaned up the related execs a little bit, adding logoutput => on_failure where needed so we can debug failures. Beforehand execs just 'failed', but now we should be able to get better feedback from failed execs helping support. I also add intention comments in parts of the Puppet code that I touched where it made sense. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-02 02:54:33 +01:00			`$tablespace = undef`
			`) {`
			`include postgresql::params`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00
			`postgresql::database { $name:`
			`# TODO: ensure is not yet supported`
			`#ensure => present,`
			`charset => $charset,`
Added support for tablespaces 2013-01-28 18:01:11 +01:00			`tablespace => $tablespace,`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`#provider => 'postgresql',`
			`require => Class['postgresql::server'],`
Add locale parameter support This adds the parameter 'locale' to the 'postgresql' class so we have a global default, and adds it two the defined resources 'postgresql::db' and 'postgresql::database'. This allows users to either: * Defined a global default for the cluster * Define a per-database default As a side-effect I had to make sure 'charset' was also exposed in a similar manner as some locales need a particular charset to work. Tests were added to test both the 'createdb' case and 'initdb' case for Redhat, and some refactoring was done to make the existing non_default test area use heredocs so my manifests and test code was kept close together. As apposed to entirely different files and places in the directory structure. I cleaned up the related execs a little bit, adding logoutput => on_failure where needed so we can debug failures. Beforehand execs just 'failed', but now we should be able to get better feedback from failed execs helping support. I also add intention comments in parts of the Puppet code that I touched where it made sense. Signed-off-by: Ken Barber <ken@bob.sh> 2013-02-02 02:54:33 +01:00			`locale => $locale,`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`}`

Added check before adding postgresql::user This is to make sure there are no duplicate definitions when creating multiple databases owned by the same user. 2012-11-08 19:50:08 +01:00			`if ! defined(Postgresql::Database_user[$user]) {`
			`postgresql::database_user { $user:`
			`# TODO: ensure is not yet supported`
			`#ensure => present,`
			`password_hash => $password,`
			`#provider => 'postgresql',`
			`require => Postgresql::Database[$name],`
			`}`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`}`

			`postgresql::database_grant { "GRANT ${user} - ${grant} - ${name}":`
			`privilege => $grant,`
			`db => $name,`
			`role => $user,`
			`#provider => 'postgresql',`
Fix to 'require' for database_grant 2012-12-06 23:35:42 +01:00			`require => [Postgresql::Database[$name], Postgresql::Database_user[$user]],`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`}`

			`}`