diff --git a/README.md b/README.md index 817db6e..fc44cf1 100644 --- a/README.md +++ b/README.md @@ -429,6 +429,9 @@ This will set the default database locale for all databases created with this mo ####`manage_firewall` This value defaults to `false`. Many distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you'd like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. Check the documentation for `puppetlabs/firewall` to ensure the rest of the global setup is applied, to ensure things like persistence and global rules are set correctly. +####`manage_pg_hba_conf` +This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file. + ###Class: postgresql::client diff --git a/manifests/globals.pp b/manifests/globals.pp index 72329da..103cc8d 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -38,6 +38,7 @@ class postgresql::globals ( $locale = undef, $manage_firewall = undef, + $manage_pg_hba_conf = undef, $firewall_supported = undef, $manage_package_repo = undef diff --git a/manifests/params.pp b/manifests/params.pp index b7b9859..51725ad 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -13,6 +13,7 @@ class postgresql::params inherits postgresql::globals { $locale = $locale $service_provider = $service_provider $manage_firewall = $manage_firewall + $manage_pg_hba_conf = pick($manage_pg_hba_conf, true) # Amazon Linux's OS Family is 'Linux', operating system 'Amazon'. case $::osfamily { diff --git a/manifests/server.pp b/manifests/server.pp index d7584c3..7b5c43b 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -40,6 +40,7 @@ class postgresql::server ( $locale = $postgresql::params::locale, $manage_firewall = $postgresql::params::manage_firewall, + $manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf, $firewall_supported = $postgresql::params::firewall_supported ) inherits postgresql::params { $pg = 'postgresql::server' diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 00417c1..75d74f4 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -12,6 +12,7 @@ class postgresql::server::config { $user = $postgresql::server::user $group = $postgresql::server::group $version = $postgresql::server::version + $manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf File { owner => $user, @@ -19,72 +20,75 @@ class postgresql::server::config { } if ($ensure == 'present' or $ensure == true) { - # Prepare the main pg_hba file - include concat::setup - concat { $pg_hba_conf_path: - owner => 0, - group => $group, - mode => '0640', - warn => true, - notify => Class['postgresql::server::reload'], - } - if $pg_hba_conf_defaults { - Postgresql::Server::Pg_hba_rule { - database => 'all', - user => 'all', + if ($manage_pg_hba_conf == true) { + # Prepare the main pg_hba file + include concat::setup + concat { $pg_hba_conf_path: + owner => 0, + group => $group, + mode => '0640', + warn => true, + notify => Class['postgresql::server::reload'], } - # Lets setup the base rules - $local_auth_option = $version ? { - '8.1' => 'sameuser', - default => undef, - } - postgresql::server::pg_hba_rule { 'local access as postgres user': - type => 'local', - user => $user, - auth_method => 'ident', - auth_option => $local_auth_option, - order => '001', - } - postgresql::server::pg_hba_rule { 'local access to database with same name': - type => 'local', - auth_method => 'ident', - auth_option => $local_auth_option, - order => '002', - } - postgresql::server::pg_hba_rule { 'deny access to postgresql user': - type => 'host', - user => $user, - address => $ip_mask_deny_postgres_user, - auth_method => 'reject', - order => '003', - } + if $pg_hba_conf_defaults { + Postgresql::Server::Pg_hba_rule { + database => 'all', + user => 'all', + } - # ipv4acls are passed as an array of rule strings, here we transform them - # into a resources hash, and pass the result to create_resources - $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls, + # Lets setup the base rules + $local_auth_option = $version ? { + '8.1' => 'sameuser', + default => undef, + } + postgresql::server::pg_hba_rule { 'local access as postgres user': + type => 'local', + user => $user, + auth_method => 'ident', + auth_option => $local_auth_option, + order => '001', + } + postgresql::server::pg_hba_rule { 'local access to database with same name': + type => 'local', + auth_method => 'ident', + auth_option => $local_auth_option, + order => '002', + } + postgresql::server::pg_hba_rule { 'deny access to postgresql user': + type => 'host', + user => $user, + address => $ip_mask_deny_postgres_user, + auth_method => 'reject', + order => '003', + } + + # ipv4acls are passed as an array of rule strings, here we transform + # them into a resources hash, and pass the result to create_resources + $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls, 'ipv4acls', 10) - create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources) + create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources) - postgresql::server::pg_hba_rule { 'allow access to all users': - type => 'host', - address => $ip_mask_allow_all_users, - auth_method => 'md5', - order => '100', - } - postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost': - type => 'host', - address => '::1/128', - auth_method => 'md5', - order => '101', - } + postgresql::server::pg_hba_rule { 'allow access to all users': + type => 'host', + address => $ip_mask_allow_all_users, + auth_method => 'md5', + order => '100', + } + postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost': + type => 'host', + address => '::1/128', + auth_method => 'md5', + order => '101', + } - # ipv6acls are passed as an array of rule strings, here we transform them - # into a resources hash, and pass the result to create_resources - $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls, + # ipv6acls are passed as an array of rule strings, here we transform + # them into a resources hash, and pass the result to create_resources + $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls, 'ipv6acls', 102) - create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources) + create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources) + } } # We must set a "listen_addresses" line in the postgresql.conf if we diff --git a/manifests/server/pg_hba_rule.pp b/manifests/server/pg_hba_rule.pp index cb45c73..fb20c75 100644 --- a/manifests/server/pg_hba_rule.pp +++ b/manifests/server/pg_hba_rule.pp @@ -15,36 +15,40 @@ define postgresql::server::pg_hba_rule( $target = $postgresql::server::pg_hba_conf_path ) { - validate_re($type, '^(local|host|hostssl|hostnossl)$', + if $postgresql::server::manage_pga_conf == false { + fail('postgresql::server::manage_pga_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests') + } else { + validate_re($type, '^(local|host|hostssl|hostnossl)$', "The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl") - if($type =~ /^host/ and $address == undef) { - fail('You must specify an address property when type is host based') - } + if($type =~ /^host/ and $address == undef) { + fail('You must specify an address property when type is host based') + } - $allowed_auth_methods = $postgresql::server::version ? { - '9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], - '9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], - '9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], - '9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'], - '8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'], - '8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'], - '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'], - '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'], - default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt'] - } + $allowed_auth_methods = $postgresql::server::version ? { + '9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], + '9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], + '9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'], + '9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'], + '8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'], + '8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'], + '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'], + '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'], + default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt'] + } - $auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$']) - validate_re($auth_method, $auth_method_regex, + $auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$']) + validate_re($auth_method, $auth_method_regex, join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')])) - # Create a rule fragment - $fragname = "pg_hba_rule_${name}" - concat::fragment { $fragname: - target => $target, - content => template('postgresql/pg_hba_rule.conf'), - order => $order, - owner => $::id, - mode => '0600', + # Create a rule fragment + $fragname = "pg_hba_rule_${name}" + concat::fragment { $fragname: + target => $target, + content => template('postgresql/pg_hba_rule.conf'), + order => $order, + owner => $::id, + mode => '0600', + } } } diff --git a/spec/system/server/pg_hba_rule_spec.rb b/spec/system/server/pg_hba_rule_spec.rb index f33a0b2..ec739cd 100644 --- a/spec/system/server/pg_hba_rule_spec.rb +++ b/spec/system/server/pg_hba_rule_spec.rb @@ -64,4 +64,22 @@ describe 'postgresql::server::pg_hba_rule:' do r.exit_code.should == 2 end end + + it 'should fail catalogue if postgresql::server::manage_pga_conf is disabled' do + pp = <<-EOS.unindent + class { 'postgresql::server': + manage_pg_hba_conf => false, + } + postgresql::server::pg_hba_rule { 'foo': + type => "local", + database => "test1", + user => "test1", + auth_method => reject, + order => '001', + } + EOS + puppet_apply(pp) do |r| + r.exit_code.should == 1 + end + end end diff --git a/spec/system/server_spec.rb b/spec/system/server_spec.rb index 5f6bb81..a1d4883 100644 --- a/spec/system/server_spec.rb +++ b/spec/system/server_spec.rb @@ -191,3 +191,27 @@ describe 'server with firewall:' do end end end + +describe 'server without pg_hba.conf:' do + after :all do + puppet_apply("class { 'postgresql::server': ensure => absent }") do |r| + r.exit_code.should_not == 1 + end + end + + context 'test installing postgresql without pg_hba.conf management on' do + it 'perform installation and make sure it is idempotent' do + pp = <<-EOS.unindent + class { "postgresql::server": + manage_pg_hba_conf => false, + } + EOS + + puppet_apply(pp) do |r| + r.exit_code.should == 2 + r.refresh + r.exit_code.should == 0 + end + end + end +end