2013-08-27 22:43:47 +02:00
|
|
|
# Define for granting permissions to roles. See README.md for more details.
|
|
|
|
|
define postgresql::server::grant (
|
|
|
|
|
$role,
|
|
|
|
|
$db,
|
|
|
|
|
$privilege = undef,
|
|
|
|
|
$object_type = 'database',
|
|
|
|
|
$object_name = $db,
|
2014-03-07 16:50:03 +01:00
|
|
|
$psql_db = $postgresql::server::default_database,
|
2014-04-17 21:09:07 +02:00
|
|
|
$psql_user = $postgresql::server::user,
|
|
|
|
|
$port = $postgresql::server::port
|
2013-08-27 22:43:47 +02:00
|
|
|
) {
|
|
|
|
|
$group = $postgresql::server::group
|
|
|
|
|
$psql_path = $postgresql::server::psql_path
|
|
|
|
|
|
|
|
|
|
## Munge the input values
|
|
|
|
|
$_object_type = upcase($object_type)
|
|
|
|
|
$_privilege = upcase($privilege)
|
|
|
|
|
|
|
|
|
|
## Validate that the object type is known
|
|
|
|
|
validate_string($_object_type,
|
|
|
|
|
#'COLUMN',
|
|
|
|
|
'DATABASE',
|
|
|
|
|
#'FOREIGN SERVER',
|
|
|
|
|
#'FOREIGN DATA WRAPPER',
|
|
|
|
|
#'FUNCTION',
|
|
|
|
|
#'PROCEDURAL LANGUAGE',
|
2014-04-16 18:26:04 +02:00
|
|
|
'SCHEMA',
|
2013-08-27 22:43:47 +02:00
|
|
|
#'SEQUENCE',
|
|
|
|
|
'TABLE',
|
2014-04-16 18:26:04 +02:00
|
|
|
'ALL TABLES IN SCHEMA',
|
2013-08-27 22:43:47 +02:00
|
|
|
#'TABLESPACE',
|
|
|
|
|
#'VIEW',
|
|
|
|
|
)
|
2014-04-16 18:26:04 +02:00
|
|
|
# You can use ALL TABLES IN SCHEMA by passing schema_name to object_name
|
2013-08-27 22:43:47 +02:00
|
|
|
|
|
|
|
|
## Validate that the object type's privilege is acceptable
|
2013-11-12 16:20:52 +01:00
|
|
|
# TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,
|
|
|
|
|
# we need a way to test for it--and has_database_privilege does not
|
|
|
|
|
# recognize 'ALL' as a valid privilege name. So we probably need to
|
|
|
|
|
# hard-code a mapping between 'ALL' and the list of actual privileges that
|
|
|
|
|
# it entails, and loop over them to check them. That sort of thing will
|
|
|
|
|
# probably need to wait until we port this over to ruby, so, for now, we're
|
|
|
|
|
# just going to assume that if they have "CREATE" privileges on a database,
|
|
|
|
|
# then they have "ALL". (I told you that it was terrible!)
|
2013-08-27 22:43:47 +02:00
|
|
|
case $_object_type {
|
|
|
|
|
'DATABASE': {
|
2013-11-12 16:20:52 +01:00
|
|
|
$unless_privilege = $_privilege ? {
|
2014-04-16 18:26:04 +02:00
|
|
|
'ALL' => 'CREATE',
|
|
|
|
|
'ALL PRIVILEGES' => 'CREATE',
|
|
|
|
|
default => $_privilege,
|
2013-11-12 16:20:52 +01:00
|
|
|
}
|
|
|
|
|
validate_string($unless_privilege,'CREATE','CONNECT','TEMPORARY','TEMP',
|
|
|
|
|
'ALL','ALL PRIVILEGES')
|
2013-08-27 22:43:47 +02:00
|
|
|
$unless_function = 'has_database_privilege'
|
|
|
|
|
$on_db = $psql_db
|
|
|
|
|
}
|
2014-04-16 18:26:04 +02:00
|
|
|
'SCHEMA': {
|
|
|
|
|
$unless_privilege = $_privilege ? {
|
|
|
|
|
'ALL' => 'CREATE',
|
|
|
|
|
'ALL PRIVILEGES' => 'CREATE',
|
|
|
|
|
default => $_privilege,
|
|
|
|
|
}
|
|
|
|
|
validate_string($_privilege, 'CREATE', 'USAGE', 'ALL', 'ALL PRIVILEGES')
|
|
|
|
|
$unless_function = 'has_schema_privilege'
|
|
|
|
|
$on_db = $db
|
|
|
|
|
}
|
2013-08-27 22:43:47 +02:00
|
|
|
'TABLE': {
|
2013-11-12 16:20:52 +01:00
|
|
|
$unless_privilege = $_privilege ? {
|
|
|
|
|
'ALL' => 'INSERT',
|
|
|
|
|
default => $_privilege,
|
|
|
|
|
}
|
2013-11-15 15:20:15 +01:00
|
|
|
validate_string($unless_privilege,'SELECT','INSERT','UPDATE','DELETE',
|
|
|
|
|
'TRUNCATE','REFERENCES','TRIGGER','ALL','ALL PRIVILEGES')
|
2013-08-27 22:43:47 +02:00
|
|
|
$unless_function = 'has_table_privilege'
|
|
|
|
|
$on_db = $db
|
|
|
|
|
}
|
2014-04-16 18:26:04 +02:00
|
|
|
'ALL TABLES IN SCHEMA': {
|
|
|
|
|
validate_string($_privilege, 'SELECT', 'INSERT', 'UPDATE', 'REFERENCES',
|
|
|
|
|
'ALL', 'ALL PRIVILEGES')
|
|
|
|
|
$unless_function = false # There is no way to test it simply
|
|
|
|
|
$on_db = $db
|
|
|
|
|
}
|
2013-08-27 22:43:47 +02:00
|
|
|
default: {
|
|
|
|
|
fail("Missing privilege validation for object type ${_object_type}")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-04-16 18:26:04 +02:00
|
|
|
# This is used to give grant to "schemaname"."tablename"
|
|
|
|
|
# If you need such grant, use:
|
|
|
|
|
# postgresql::grant { 'table:foo':
|
|
|
|
|
# role => 'joe',
|
2015-01-09 13:31:37 +01:00
|
|
|
# ...
|
2014-04-16 18:26:04 +02:00
|
|
|
# object_type => 'TABLE',
|
|
|
|
|
# object_name => [$schema, $table],
|
|
|
|
|
# }
|
|
|
|
|
if is_array($object_name) {
|
|
|
|
|
$_togrant_object = join($object_name, '"."')
|
|
|
|
|
# Never put double quotes into has_*_privilege function
|
|
|
|
|
$_granted_object = join($object_name, '.')
|
|
|
|
|
} else {
|
|
|
|
|
$_granted_object = $object_name
|
|
|
|
|
$_togrant_object = $object_name
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$_unless = $unless_function ? {
|
|
|
|
|
false => undef,
|
|
|
|
|
default => "SELECT 1 WHERE ${unless_function}('${role}',
|
|
|
|
|
'${_granted_object}', '${unless_privilege}')",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${_togrant_object}\" TO
|
|
|
|
|
\"${role}\""
|
2014-04-16 18:06:43 +02:00
|
|
|
postgresql_psql { "grant:${name}":
|
|
|
|
|
command => $grant_cmd,
|
2013-08-27 22:43:47 +02:00
|
|
|
db => $on_db,
|
2014-04-17 21:09:07 +02:00
|
|
|
port => $port,
|
2013-08-27 22:43:47 +02:00
|
|
|
psql_user => $psql_user,
|
|
|
|
|
psql_group => $group,
|
|
|
|
|
psql_path => $psql_path,
|
2014-04-16 18:26:04 +02:00
|
|
|
unless => $_unless,
|
2013-08-27 22:43:47 +02:00
|
|
|
require => Class['postgresql::server']
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if($role != undef and defined(Postgresql::Server::Role[$role])) {
|
2014-04-16 18:06:43 +02:00
|
|
|
Postgresql::Server::Role[$role]->Postgresql_psql["grant:${name}"]
|
2013-08-27 22:43:47 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if($db != undef and defined(Postgresql::Server::Database[$db])) {
|
2014-04-16 18:06:43 +02:00
|
|
|
Postgresql::Server::Database[$db]->Postgresql_psql["grant:${name}"]
|
2013-08-27 22:43:47 +02:00
|
|
|
}
|
|
|
|
|
}
|
