Merge pull request #261 from mcanevet/manage_pg_hba_conf

Add a parameter to (un)manage pg_hba.conf
2013-10-16 06:06:00 -07:00 · 2013-10-16 06:06:00 -07:00 · 42c1b77043
commit 42c1b77043
parent 3877a01224 6f614b0b37
8 changed files with 139 additions and 83 deletions
--- a/README.md
+++ b/README.md
@ -429,6 +429,9 @@ This will set the default database locale for all databases created with this mo
 ####`manage_firewall`
 This value defaults to `false`. Many distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you'd like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. Check the documentation for `puppetlabs/firewall` to ensure the rest of the global setup is applied, to ensure things like persistence and global rules are set correctly.

+####`manage_pg_hba_conf`
+This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
+

 ###Class: postgresql::client

--- a/manifests/globals.pp
+++ b/manifests/globals.pp
@ -38,6 +38,7 @@ class postgresql::globals (
  $locale               = undef,

  $manage_firewall      = undef,
+  $manage_pg_hba_conf   = undef,
  $firewall_supported   = undef,

  $manage_package_repo  = undef
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -13,6 +13,7 @@ class postgresql::params inherits postgresql::globals {
  $locale                     = $locale
  $service_provider           = $service_provider
  $manage_firewall            = $manage_firewall
+  $manage_pg_hba_conf         = pick($manage_pg_hba_conf, true)

  # Amazon Linux's OS Family is 'Linux', operating system 'Amazon'.
  case $::osfamily {
--- a/manifests/server.pp
+++ b/manifests/server.pp
@ -40,6 +40,7 @@ class postgresql::server (
  $locale                     = $postgresql::params::locale,

  $manage_firewall            = $postgresql::params::manage_firewall,
+  $manage_pg_hba_conf         = $postgresql::params::manage_pg_hba_conf,
  $firewall_supported         = $postgresql::params::firewall_supported
 ) inherits postgresql::params {
  $pg = 'postgresql::server'
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@ -12,6 +12,7 @@ class postgresql::server::config {
  $user                       = $postgresql::server::user
  $group                      = $postgresql::server::group
  $version                    = $postgresql::server::version
+  $manage_pg_hba_conf         = $postgresql::server::manage_pg_hba_conf

  File {
    owner => $user,
@ -19,72 +20,75 @@ class postgresql::server::config {
  }

  if ($ensure == 'present' or $ensure == true) {
-    # Prepare the main pg_hba file
-    include concat::setup
-    concat { $pg_hba_conf_path:
-      owner  => 0,
-      group  => $group,
-      mode   => '0640',
-      warn   => true,
-      notify => Class['postgresql::server::reload'],
-    }

-    if $pg_hba_conf_defaults {
-      Postgresql::Server::Pg_hba_rule {
-        database => 'all',
-        user => 'all',
+    if ($manage_pg_hba_conf == true) {
+      # Prepare the main pg_hba file
+      include concat::setup
+      concat { $pg_hba_conf_path:
+        owner  => 0,
+        group  => $group,
+        mode   => '0640',
+        warn   => true,
+        notify => Class['postgresql::server::reload'],
      }

-      # Lets setup the base rules
-      $local_auth_option = $version ? {
-        '8.1'   => 'sameuser',
-        default => undef,
-      }
-      postgresql::server::pg_hba_rule { 'local access as postgres user':
-        type        => 'local',
-        user        => $user,
-        auth_method => 'ident',
-        auth_option => $local_auth_option,
-        order       => '001',
-      }
-      postgresql::server::pg_hba_rule { 'local access to database with same name':
-        type        => 'local',
-        auth_method => 'ident',
-        auth_option => $local_auth_option,
-        order       => '002',
-      }
-      postgresql::server::pg_hba_rule { 'deny access to postgresql user':
-        type        => 'host',
-        user        => $user,
-        address     => $ip_mask_deny_postgres_user,
-        auth_method => 'reject',
-        order       => '003',
-      }
+      if $pg_hba_conf_defaults {
+        Postgresql::Server::Pg_hba_rule {
+          database => 'all',
+          user => 'all',
+        }

-      # ipv4acls are passed as an array of rule strings, here we transform them
-      # into a resources hash, and pass the result to create_resources
-      $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
+        # Lets setup the base rules
+        $local_auth_option = $version ? {
+          '8.1'   => 'sameuser',
+          default => undef,
+        }
+        postgresql::server::pg_hba_rule { 'local access as postgres user':
+          type        => 'local',
+          user        => $user,
+          auth_method => 'ident',
+          auth_option => $local_auth_option,
+          order       => '001',
+        }
+        postgresql::server::pg_hba_rule { 'local access to database with same name':
+          type        => 'local',
+          auth_method => 'ident',
+          auth_option => $local_auth_option,
+          order       => '002',
+        }
+        postgresql::server::pg_hba_rule { 'deny access to postgresql user':
+          type        => 'host',
+          user        => $user,
+          address     => $ip_mask_deny_postgres_user,
+          auth_method => 'reject',
+          order       => '003',
+        }
+
+        # ipv4acls are passed as an array of rule strings, here we transform
+        # them into a resources hash, and pass the result to create_resources
+        $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
        'ipv4acls', 10)
-      create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
+        create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)

-      postgresql::server::pg_hba_rule { 'allow access to all users':
-        type        => 'host',
-        address     => $ip_mask_allow_all_users,
-        auth_method => 'md5',
-        order       => '100',
-      }
-      postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
-        type        => 'host',
-        address     => '::1/128',
-        auth_method => 'md5',
-        order       => '101',
-      }
+        postgresql::server::pg_hba_rule { 'allow access to all users':
+          type        => 'host',
+          address     => $ip_mask_allow_all_users,
+          auth_method => 'md5',
+          order       => '100',
+        }
+        postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
+          type        => 'host',
+          address     => '::1/128',
+          auth_method => 'md5',
+          order       => '101',
+        }

-      # ipv6acls are passed as an array of rule strings, here we transform them
-      # into a resources hash, and pass the result to create_resources
-      $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
+        # ipv6acls are passed as an array of rule strings, here we transform
+        # them into a resources hash, and pass the result to create_resources
+        $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
        'ipv6acls', 102)
-      create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
+        create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
+      }
    }

    # We must set a "listen_addresses" line in the postgresql.conf if we
--- a/manifests/server/pg_hba_rule.pp
+++ b/manifests/server/pg_hba_rule.pp
@ -15,36 +15,40 @@ define postgresql::server::pg_hba_rule(
  $target      = $postgresql::server::pg_hba_conf_path
 ) {

-  validate_re($type, '^(local|host|hostssl|hostnossl)$',
+  if $postgresql::server::manage_pga_conf == false {
+      fail('postgresql::server::manage_pga_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
+  } else {
+    validate_re($type, '^(local|host|hostssl|hostnossl)$',
    "The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")

-  if($type =~ /^host/ and $address == undef) {
-    fail('You must specify an address property when type is host based')
-  }
+    if($type =~ /^host/ and $address == undef) {
+      fail('You must specify an address property when type is host based')
+    }

-  $allowed_auth_methods = $postgresql::server::version ? {
-    '9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
-    '9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
-    '9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
-    '9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
-    '8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
-    '8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
-    '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
-    '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
-    default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
-  }
+    $allowed_auth_methods = $postgresql::server::version ? {
+      '9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
+      '9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
+      '9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
+      '9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
+      '8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
+      '8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
+      '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
+      '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
+      default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
+    }

-  $auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
-  validate_re($auth_method, $auth_method_regex,
+    $auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
+    validate_re($auth_method, $auth_method_regex,
    join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')]))

-  # Create a rule fragment
-  $fragname = "pg_hba_rule_${name}"
-  concat::fragment { $fragname:
-    target  => $target,
-    content => template('postgresql/pg_hba_rule.conf'),
-    order   => $order,
-    owner   => $::id,
-    mode    => '0600',
+    # Create a rule fragment
+    $fragname = "pg_hba_rule_${name}"
+    concat::fragment { $fragname:
+      target  => $target,
+      content => template('postgresql/pg_hba_rule.conf'),
+      order   => $order,
+      owner   => $::id,
+      mode    => '0600',
+    }
  }
 }
--- a/spec/system/server/pg_hba_rule_spec.rb
+++ b/spec/system/server/pg_hba_rule_spec.rb
@ -64,4 +64,22 @@ describe 'postgresql::server::pg_hba_rule:' do
      r.exit_code.should == 2
    end
  end
+
+  it 'should fail catalogue if postgresql::server::manage_pga_conf is disabled' do
+    pp = <<-EOS.unindent
+      class { 'postgresql::server':
+        manage_pg_hba_conf => false,
+      }
+      postgresql::server::pg_hba_rule { 'foo':
+        type        => "local",
+        database    => "test1",
+        user        => "test1",
+        auth_method => reject,
+        order       => '001',
+      }
+    EOS
+    puppet_apply(pp) do |r|
+      r.exit_code.should == 1
+    end
+  end
 end
--- a/spec/system/server_spec.rb
+++ b/spec/system/server_spec.rb
@ -191,3 +191,27 @@ describe 'server with firewall:' do
    end
  end
 end
+
+describe 'server without pg_hba.conf:' do
+  after :all do
+    puppet_apply("class { 'postgresql::server': ensure => absent }") do |r|
+      r.exit_code.should_not == 1
+    end
+  end
+
+  context 'test installing postgresql without pg_hba.conf management on' do
+    it 'perform installation and make sure it is idempotent' do
+      pp = <<-EOS.unindent
+        class { "postgresql::server":
+          manage_pg_hba_conf => false,
+        }
+      EOS
+
+      puppet_apply(pp) do |r|
+        r.exit_code.should == 2
+        r.refresh
+        r.exit_code.should == 0
+      end
+    end
+  end
+end