Merge branch 'manage_pg_hba_conf'

* manage_pg_hba_conf: Add support for optional management of pg_hba.conf
2013-07-08 13:31:02 +01:00 · 2013-07-08 13:31:02 +01:00 · 2e0455ffdf
commit 2e0455ffdf
parent 238c06383d 1f736fcfc0
4 changed files with 90 additions and 78 deletions
--- a/README.md
+++ b/README.md
@ -61,6 +61,7 @@ For a more customized, less restrictive configuration:
        'listen_addresses'           => '*',
        'ipv4acls'                   => ['hostssl all johndoe 192.168.0.0/24 cert'],
        'manage_redhat_firewall'     => true,
+        'manage_pg_hba_conf'         => false,
        'postgres_password'          => 'TPSrep0rt!',
      },
    }
@ -217,6 +218,9 @@ This value defaults to `localhost`, meaning the postgres server will only accept
 ####`manage_redhat_firewall`
 This value defaults to `false`. Many RedHat-based distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you’d like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. *[This parameter is likely to change in future versions.  Possible changes include support for non-RedHat systems and finer-grained control over the firewall rule (currently, it simply opens up the postgres port to all TCP connections).]*

+####`manage_pg_hba_conf`
+This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
+
 ####`ip_mask_allow_all_users`
 This value defaults to `127.0.0.1/32`. By default, Postgres does not allow any database user accounts to connect via TCP from remote machines. If you’d like to allow them to, you can override this setting. You might set it to `0.0.0.0/0` to allow database users to connect from any remote machine, or `192.168.0.0/16` to allow connections from any machine on your local 192.168 subnet.

--- a/manifests/config.pp
+++ b/manifests/config.pp
@ -19,6 +19,7 @@
 #                                       redhat-based systems; this parameter is likely to change in future versions.  Possible
 #                                       changes include support for non-RedHat systems and finer-grained control over the
 #                                       firewall rule (currently, it simply opens up the postgres port to all TCP connections).
+#   [*manage_pg_hba_conf*]      - boolean indicating whether or not the module manages pg_hba.conf file.
 #
 #
 # Actions:
@ -33,15 +34,16 @@
 #   }
 #
 class postgresql::config(
-  $postgres_password            = undef,
-  $ip_mask_deny_postgres_user   = $postgresql::params::ip_mask_deny_postgres_user,
-  $ip_mask_allow_all_users      = $postgresql::params::ip_mask_allow_all_users,
-  $listen_addresses             = $postgresql::params::listen_addresses,
-  $ipv4acls                     = $postgresql::params::ipv4acls,
-  $ipv6acls                     = $postgresql::params::ipv6acls,
-  $pg_hba_conf_path             = $postgresql::params::pg_hba_conf_path,
-  $postgresql_conf_path         = $postgresql::params::postgresql_conf_path,
-  $manage_redhat_firewall       = $postgresql::params::manage_redhat_firewall
+  $postgres_password          = undef,
+  $ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
+  $ip_mask_allow_all_users    = $postgresql::params::ip_mask_allow_all_users,
+  $listen_addresses           = $postgresql::params::listen_addresses,
+  $ipv4acls                   = $postgresql::params::ipv4acls,
+  $ipv6acls                   = $postgresql::params::ipv6acls,
+  $pg_hba_conf_path           = $postgresql::params::pg_hba_conf_path,
+  $postgresql_conf_path       = $postgresql::params::postgresql_conf_path,
+  $manage_redhat_firewall     = $postgresql::params::manage_redhat_firewall,
+  $manage_pg_hba_conf         = $postgresql::params::manage_pg_hba_conf
 ) inherits postgresql::params {

  # Basically, all this class needs to handle is passing parameters on
@ -49,14 +51,15 @@ class postgresql::config(
  #  the proper ordering.

  class { 'postgresql::config::beforeservice':
-    ip_mask_deny_postgres_user    => $ip_mask_deny_postgres_user,
-    ip_mask_allow_all_users       => $ip_mask_allow_all_users,
-    listen_addresses              => $listen_addresses,
-    ipv4acls                      => $ipv4acls,
-    ipv6acls                      => $ipv6acls,
-    pg_hba_conf_path              => $pg_hba_conf_path,
-    postgresql_conf_path          => $postgresql_conf_path,
-    manage_redhat_firewall        => $manage_redhat_firewall,
+    ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user,
+    ip_mask_allow_all_users    => $ip_mask_allow_all_users,
+    listen_addresses           => $listen_addresses,
+    ipv4acls                   => $ipv4acls,
+    ipv6acls                   => $ipv6acls,
+    pg_hba_conf_path           => $pg_hba_conf_path,
+    postgresql_conf_path       => $postgresql_conf_path,
+    manage_redhat_firewall     => $manage_redhat_firewall,
+    manage_pg_hba_conf         => $manage_pg_hba_conf,
  }

  class { 'postgresql::config::afterservice':
--- a/manifests/config/beforeservice.pp
+++ b/manifests/config/beforeservice.pp
@ -18,6 +18,7 @@
 #                                    redhat-based systems; this parameter is likely to change in future versions.  Possible
 #                                    changes include support for non-RedHat systems and finer-grained control over the
 #                                    firewall rule (currently, it simply opens up the postgres port to all TCP connections).
+#   [*manage_pg_hba_conf*]      - boolean indicating whether or not the module manages pg_hba.conf file.
 #
 # Actions:
 #
@ -36,12 +37,13 @@
 class postgresql::config::beforeservice(
  $pg_hba_conf_path,
  $postgresql_conf_path,
-  $ip_mask_deny_postgres_user   = $postgresql::params::ip_mask_deny_postgres_user,
-  $ip_mask_allow_all_users      = $postgresql::params::ip_mask_allow_all_users,
-  $listen_addresses             = $postgresql::params::listen_addresses,
-  $ipv4acls                     = $postgresql::params::ipv4acls,
-  $ipv6acls                     = $postgresql::params::ipv6acls,
-  $manage_redhat_firewall       = $postgresql::params::manage_redhat_firewall
+  $ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
+  $ip_mask_allow_all_users    = $postgresql::params::ip_mask_allow_all_users,
+  $listen_addresses           = $postgresql::params::listen_addresses,
+  $ipv4acls                   = $postgresql::params::ipv4acls,
+  $ipv6acls                   = $postgresql::params::ipv6acls,
+  $manage_redhat_firewall     = $postgresql::params::manage_redhat_firewall,
+  $manage_pg_hba_conf         = $postgresql::params::manage_pg_hba_conf
 ) inherits postgresql::params {


@ -50,66 +52,68 @@ class postgresql::config::beforeservice(
    group  => $postgresql::params::group,
  }

-  # Create the main pg_hba resource
-  postgresql::pg_hba { 'main':
-    notify => Exec['reload_postgresql'],
-  }
+  if $manage_pg_hba_conf {
+    # Create the main pg_hba resource
+    postgresql::pg_hba { 'main':
+      notify => Exec['reload_postgresql'],
+    }

-  Postgresql::Pg_hba_rule {
-    database => 'all',
-    user => 'all',
-  }
+    Postgresql::Pg_hba_rule {
+      database => 'all',
+      user => 'all',
+    }

-  # Lets setup the base rules
-  postgresql::pg_hba_rule { 'local access as postgres user':
-    type        => 'local',
-    user        => $postgresql::params::user,
-    auth_method => 'ident',
-    auth_option => $postgresql::params::version ? {
-      '8.1'   => 'sameuser',
-      default => undef,
-    },
-    order       => '001',
-  }
-  postgresql::pg_hba_rule { 'local access to database with same name':
-    type        => 'local',
-    auth_method => 'ident',
-    auth_option => $postgresql::params::version ? {
-      '8.1'   => 'sameuser',
-      default => undef,
-    },
-    order       => '002',
-  }
-  postgresql::pg_hba_rule { 'deny access to postgresql user':
-    type        => 'host',
-    user        => $postgresql::params::user,
-    address     => $ip_mask_deny_postgres_user,
-    auth_method => 'reject',
-    order       => '003',
-  }
+    # Lets setup the base rules
+    postgresql::pg_hba_rule { 'local access as postgres user':
+      type        => 'local',
+      user        => $postgresql::params::user,
+      auth_method => 'ident',
+      auth_option => $postgresql::params::version ? {
+        '8.1'   => 'sameuser',
+        default => undef,
+      },
+      order       => '001',
+    }
+    postgresql::pg_hba_rule { 'local access to database with same name':
+      type        => 'local',
+      auth_method => 'ident',
+      auth_option => $postgresql::params::version ? {
+        '8.1'   => 'sameuser',
+        default => undef,
+      },
+      order       => '002',
+    }
+    postgresql::pg_hba_rule { 'deny access to postgresql user':
+      type        => 'host',
+      user        => $postgresql::params::user,
+      address     => $ip_mask_deny_postgres_user,
+      auth_method => 'reject',
+      order       => '003',
+    }

-  # ipv4acls are passed as an array of rule strings, here we transform them into
-  # a resources hash, and pass the result to create_resources
-  $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls, 'ipv4acls', 10)
-  create_resources('postgresql::pg_hba_rule', $ipv4acl_resources)
+    # ipv4acls are passed as an array of rule strings, here we transform them into
+    # a resources hash, and pass the result to create_resources
+    $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls, 'ipv4acls', 10)
+    create_resources('postgresql::pg_hba_rule', $ipv4acl_resources)

-  postgresql::pg_hba_rule { 'allow access to all users':
-    type        => 'host',
-    address     => $ip_mask_allow_all_users,
-    auth_method => 'md5',
-    order       => '100',
-  }
-  postgresql::pg_hba_rule { 'allow access to ipv6 localhost':
-    type        => 'host',
-    address     => '::1/128',
-    auth_method => 'md5',
-    order       => '101',
-  }
+    postgresql::pg_hba_rule { 'allow access to all users':
+      type        => 'host',
+      address     => $ip_mask_allow_all_users,
+      auth_method => 'md5',
+      order       => '100',
+    }
+    postgresql::pg_hba_rule { 'allow access to ipv6 localhost':
+      type        => 'host',
+      address     => '::1/128',
+      auth_method => 'md5',
+      order       => '101',
+    }

-  # ipv6acls are passed as an array of rule strings, here we transform them into
-  # a resources hash, and pass the result to create_resources
-  $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls, 'ipv6acls', 102)
-  create_resources('postgresql::pg_hba_rule', $ipv6acl_resources)
+    # ipv6acls are passed as an array of rule strings, here we transform them into
+    # a resources hash, and pass the result to create_resources
+    $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls, 'ipv6acls', 102)
+    create_resources('postgresql::pg_hba_rule', $ipv6acl_resources)
+  }

  # We must set a "listen_addresses" line in the postgresql.conf if we
  #  want to allow any connections from remote hosts.
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -53,6 +53,7 @@ class postgresql::params(
  $listen_addresses             = 'localhost'
  $ipv4acls                     = []
  $ipv6acls                     = []
+  $manage_pg_hba_conf           = true
  # TODO: figure out a way to make this not platform-specific
  $manage_redhat_firewall       = false