Add support for optional management of pg_hba.conf

This patch adds support for disabling management of pg_hba.conf by the module,
through the parameter `manage_pg_hba_conf`.
Mickaël Canévet 2013-07-03 16:11:54 +02:00 committed by Ken Barber
parent 238c06383d
commit 1f736fcfc0
4 changed files with 90 additions and 78 deletions


@ -61,6 +61,7 @@ For a more customized, less restrictive configuration:
'listen_addresses' => '*',
'ipv4acls' => ['hostssl all johndoe 192.168.0.0/24 cert'],
'manage_redhat_firewall' => true,
'manage_pg_hba_conf' => false,
'postgres_password' => 'TPSrep0rt!',
},
}
@ -217,6 +218,9 @@ This value defaults to `localhost`, meaning the postgres server will only accept
####`manage_redhat_firewall`
This value defaults to `false`. Many RedHat-based distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If youd like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. *[This parameter is likely to change in future versions. Possible changes include support for non-RedHat systems and finer-grained control over the firewall rule (currently, it simply opens up the postgres port to all TCP connections).]*
####`manage_pg_hba_conf`
This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
####`ip_mask_allow_all_users`
This value defaults to `127.0.0.1/32`. By default, Postgres does not allow any database user accounts to connect via TCP from remote machines. If youd like to allow them to, you can override this setting. You might set it to `0.0.0.0/0` to allow database users to connect from any remote machine, or `192.168.0.0/16` to allow connections from any machine on your local 192.168 subnet.


@ -19,6 +19,7 @@
# redhat-based systems; this parameter is likely to change in future versions. Possible
# changes include support for non-RedHat systems and finer-grained control over the
# firewall rule (currently, it simply opens up the postgres port to all TCP connections).
# [*manage_pg_hba_conf*] - boolean indicating whether or not the module manages pg_hba.conf file.
#
#
# Actions:
@ -33,15 +34,16 @@
# }
#
class postgresql::config(
$postgres_password = undef,
$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,
$listen_addresses = $postgresql::params::listen_addresses,
$ipv4acls = $postgresql::params::ipv4acls,
$ipv6acls = $postgresql::params::ipv6acls,
$pg_hba_conf_path = $postgresql::params::pg_hba_conf_path,
$postgresql_conf_path = $postgresql::params::postgresql_conf_path,
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall
$postgres_password = undef,
$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,
$listen_addresses = $postgresql::params::listen_addresses,
$ipv4acls = $postgresql::params::ipv4acls,
$ipv6acls = $postgresql::params::ipv6acls,
$pg_hba_conf_path = $postgresql::params::pg_hba_conf_path,
$postgresql_conf_path = $postgresql::params::postgresql_conf_path,
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall,
$manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf
) inherits postgresql::params {
# Basically, all this class needs to handle is passing parameters on
@ -49,14 +51,15 @@ class postgresql::config(
# the proper ordering.
class { 'postgresql::config::beforeservice':
ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user,
ip_mask_allow_all_users => $ip_mask_allow_all_users,
listen_addresses => $listen_addresses,
ipv4acls => $ipv4acls,
ipv6acls => $ipv6acls,
pg_hba_conf_path => $pg_hba_conf_path,
postgresql_conf_path => $postgresql_conf_path,
manage_redhat_firewall => $manage_redhat_firewall,
ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user,
ip_mask_allow_all_users => $ip_mask_allow_all_users,
listen_addresses => $listen_addresses,
ipv4acls => $ipv4acls,
ipv6acls => $ipv6acls,
pg_hba_conf_path => $pg_hba_conf_path,
postgresql_conf_path => $postgresql_conf_path,
manage_redhat_firewall => $manage_redhat_firewall,
manage_pg_hba_conf => $manage_pg_hba_conf,
}
class { 'postgresql::config::afterservice':
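Review bot: The new parameter comment in the first hunk of this file (`[*manage_pg_hba_conf*] - boolean indicating whether or not the module manages pg_hba.conf file.`) does not say what happens to the other access-control parameters when it is false, and the same wording is used in the beforeservice.pp header hunk. Since the whole pg_hba rule set is gated on this flag, `ip_mask_deny_postgres_user`, `ip_mask_allow_all_users`, `ipv4acls` and `ipv6acls` silently become no-ops, and whatever pg_hba.conf already exists on the host (including the packaged default) stays in force unchecked. I would extend the comment in both files to `# [*manage_pg_hba_conf*] - boolean indicating whether or not the module manages pg_hba.conf file. When false the file is left untouched and ip_mask_deny_postgres_user, ip_mask_allow_all_users, ipv4acls and ipv6acls have no effect.` The README entry at the top of the page would benefit from the same sentence, since an operator reading only the README would not expect those parameters to be ignored.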


@ -18,6 +18,7 @@
# redhat-based systems; this parameter is likely to change in future versions. Possible
# changes include support for non-RedHat systems and finer-grained control over the
# firewall rule (currently, it simply opens up the postgres port to all TCP connections).
# [*manage_pg_hba_conf*] - boolean indicating whether or not the module manages pg_hba.conf file.
#
# Actions:
#
@ -36,12 +37,13 @@
class postgresql::config::beforeservice(
$pg_hba_conf_path,
$postgresql_conf_path,
$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,
$listen_addresses = $postgresql::params::listen_addresses,
$ipv4acls = $postgresql::params::ipv4acls,
$ipv6acls = $postgresql::params::ipv6acls,
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall
$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,
$listen_addresses = $postgresql::params::listen_addresses,
$ipv4acls = $postgresql::params::ipv4acls,
$ipv6acls = $postgresql::params::ipv6acls,
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall,
$manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf
) inherits postgresql::params {
@ -50,66 +52,68 @@ class postgresql::config::beforeservice(
group => $postgresql::params::group,
}
# Create the main pg_hba resource
postgresql::pg_hba { 'main':
notify => Exec['reload_postgresql'],
}
if $manage_pg_hba_conf {
# Create the main pg_hba resource
postgresql::pg_hba { 'main':
notify => Exec['reload_postgresql'],
}
Postgresql::Pg_hba_rule {
database => 'all',
user => 'all',
}
Postgresql::Pg_hba_rule {
database => 'all',
user => 'all',
}
# Lets setup the base rules
postgresql::pg_hba_rule { 'local access as postgres user':
type => 'local',
user => $postgresql::params::user,
auth_method => 'ident',
auth_option => $postgresql::params::version ? {
'8.1' => 'sameuser',
default => undef,
},
order => '001',
}
postgresql::pg_hba_rule { 'local access to database with same name':
type => 'local',
auth_method => 'ident',
auth_option => $postgresql::params::version ? {
'8.1' => 'sameuser',
default => undef,
},
order => '002',
}
postgresql::pg_hba_rule { 'deny access to postgresql user':
type => 'host',
user => $postgresql::params::user,
address => $ip_mask_deny_postgres_user,
auth_method => 'reject',
order => '003',
}
# Lets setup the base rules
postgresql::pg_hba_rule { 'local access as postgres user':
type => 'local',
user => $postgresql::params::user,
auth_method => 'ident',
auth_option => $postgresql::params::version ? {
'8.1' => 'sameuser',
default => undef,
},
order => '001',
}
postgresql::pg_hba_rule { 'local access to database with same name':
type => 'local',
auth_method => 'ident',
auth_option => $postgresql::params::version ? {
'8.1' => 'sameuser',
default => undef,
},
order => '002',
}
postgresql::pg_hba_rule { 'deny access to postgresql user':
type => 'host',
user => $postgresql::params::user,
address => $ip_mask_deny_postgres_user,
auth_method => 'reject',
order => '003',
}
# ipv4acls are passed as an array of rule strings, here we transform them into
# a resources hash, and pass the result to create_resources
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls, 'ipv4acls', 10)
create_resources('postgresql::pg_hba_rule', $ipv4acl_resources)
# ipv4acls are passed as an array of rule strings, here we transform them into
# a resources hash, and pass the result to create_resources
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls, 'ipv4acls', 10)
create_resources('postgresql::pg_hba_rule', $ipv4acl_resources)
postgresql::pg_hba_rule { 'allow access to all users':
type => 'host',
address => $ip_mask_allow_all_users,
auth_method => 'md5',
order => '100',
}
postgresql::pg_hba_rule { 'allow access to ipv6 localhost':
type => 'host',
address => '::1/128',
auth_method => 'md5',
order => '101',
}
postgresql::pg_hba_rule { 'allow access to all users':
type => 'host',
address => $ip_mask_allow_all_users,
auth_method => 'md5',
order => '100',
}
postgresql::pg_hba_rule { 'allow access to ipv6 localhost':
type => 'host',
address => '::1/128',
auth_method => 'md5',
order => '101',
}
# ipv6acls are passed as an array of rule strings, here we transform them into
# a resources hash, and pass the result to create_resources
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls, 'ipv6acls', 102)
create_resources('postgresql::pg_hba_rule', $ipv6acl_resources)
# ipv6acls are passed as an array of rule strings, here we transform them into
# a resources hash, and pass the result to create_resources
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls, 'ipv6acls', 102)
create_resources('postgresql::pg_hba_rule', $ipv6acl_resources)
}
# We must set a "listen_addresses" line in the postgresql.conf if we
# want to allow any connections from remote hosts.
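Review bot: `if $manage_pg_hba_conf {` in the last hunk is the only check on the new parameter, and it never verifies that the value is a real boolean; in Puppet of this era the string `'false'` (as commonly arrives from an ENC or Hiera) is truthy, so a user who intends to disable management would still have the module overwrite pg_hba.conf, while a user passing the string `'true'` gets the same — the failure is silent either way. If the module already depends on puppetlabs-stdlib (I cannot confirm from this page), add `validate_bool($manage_pg_hba_conf)` right after the `inherits postgresql::params {` line, next to any existing parameter validation; the same applies to the `$manage_pg_hba_conf` parameter added to postgresql::config above. Independently, when the flag is false the deny rule for the postgres user and the explicit allow rules are no longer written, so it is worth a short comment at the top of the `if` block noting that the on-disk file — possibly the packaged default — is then the effective access policy and the ACL parameters are ignored. The class body begins before this hunk and continues after it.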


@ -53,6 +53,7 @@ class postgresql::params(
$listen_addresses = 'localhost'
$ipv4acls = []
$ipv6acls = []
$manage_pg_hba_conf = true
# TODO: figure out a way to make this not platform-specific
$manage_redhat_firewall = false