Add a parameter to (un)manage pg_hba.conf

This commit is contained in:
Mickaël Canévet 2013-10-02 14:43:21 +02:00
parent 3877a01224
commit 6f614b0b37
8 changed files with 139 additions and 83 deletions

View file

@ -429,6 +429,9 @@ This will set the default database locale for all databases created with this mo
####`manage_firewall`
This value defaults to `false`. Many distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you'd like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. Check the documentation for `puppetlabs/firewall` to ensure the rest of the global setup is applied, to ensure things like persistence and global rules are set correctly.
####`manage_pg_hba_conf`
This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
###Class: postgresql::client

View file

@ -38,6 +38,7 @@ class postgresql::globals (
$locale = undef,
$manage_firewall = undef,
$manage_pg_hba_conf = undef,
$firewall_supported = undef,
$manage_package_repo = undef

View file

@ -13,6 +13,7 @@ class postgresql::params inherits postgresql::globals {
$locale = $locale
$service_provider = $service_provider
$manage_firewall = $manage_firewall
$manage_pg_hba_conf = pick($manage_pg_hba_conf, true)
# Amazon Linux's OS Family is 'Linux', operating system 'Amazon'.
case $::osfamily {

View file

@ -40,6 +40,7 @@ class postgresql::server (
$locale = $postgresql::params::locale,
$manage_firewall = $postgresql::params::manage_firewall,
$manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf,
$firewall_supported = $postgresql::params::firewall_supported
) inherits postgresql::params {
$pg = 'postgresql::server'

View file

@ -12,6 +12,7 @@ class postgresql::server::config {
$user = $postgresql::server::user
$group = $postgresql::server::group
$version = $postgresql::server::version
$manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf
File {
owner => $user,
@ -19,72 +20,75 @@ class postgresql::server::config {
}
if ($ensure == 'present' or $ensure == true) {
# Prepare the main pg_hba file
include concat::setup
concat { $pg_hba_conf_path:
owner => 0,
group => $group,
mode => '0640',
warn => true,
notify => Class['postgresql::server::reload'],
}
if $pg_hba_conf_defaults {
Postgresql::Server::Pg_hba_rule {
database => 'all',
user => 'all',
if ($manage_pg_hba_conf == true) {
# Prepare the main pg_hba file
include concat::setup
concat { $pg_hba_conf_path:
owner => 0,
group => $group,
mode => '0640',
warn => true,
notify => Class['postgresql::server::reload'],
}
# Lets setup the base rules
$local_auth_option = $version ? {
'8.1' => 'sameuser',
default => undef,
}
postgresql::server::pg_hba_rule { 'local access as postgres user':
type => 'local',
user => $user,
auth_method => 'ident',
auth_option => $local_auth_option,
order => '001',
}
postgresql::server::pg_hba_rule { 'local access to database with same name':
type => 'local',
auth_method => 'ident',
auth_option => $local_auth_option,
order => '002',
}
postgresql::server::pg_hba_rule { 'deny access to postgresql user':
type => 'host',
user => $user,
address => $ip_mask_deny_postgres_user,
auth_method => 'reject',
order => '003',
}
if $pg_hba_conf_defaults {
Postgresql::Server::Pg_hba_rule {
database => 'all',
user => 'all',
}
# ipv4acls are passed as an array of rule strings, here we transform them
# into a resources hash, and pass the result to create_resources
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
# Lets setup the base rules
$local_auth_option = $version ? {
'8.1' => 'sameuser',
default => undef,
}
postgresql::server::pg_hba_rule { 'local access as postgres user':
type => 'local',
user => $user,
auth_method => 'ident',
auth_option => $local_auth_option,
order => '001',
}
postgresql::server::pg_hba_rule { 'local access to database with same name':
type => 'local',
auth_method => 'ident',
auth_option => $local_auth_option,
order => '002',
}
postgresql::server::pg_hba_rule { 'deny access to postgresql user':
type => 'host',
user => $user,
address => $ip_mask_deny_postgres_user,
auth_method => 'reject',
order => '003',
}
# ipv4acls are passed as an array of rule strings, here we transform
# them into a resources hash, and pass the result to create_resources
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
'ipv4acls', 10)
create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
postgresql::server::pg_hba_rule { 'allow access to all users':
type => 'host',
address => $ip_mask_allow_all_users,
auth_method => 'md5',
order => '100',
}
postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
type => 'host',
address => '::1/128',
auth_method => 'md5',
order => '101',
}
postgresql::server::pg_hba_rule { 'allow access to all users':
type => 'host',
address => $ip_mask_allow_all_users,
auth_method => 'md5',
order => '100',
}
postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
type => 'host',
address => '::1/128',
auth_method => 'md5',
order => '101',
}
# ipv6acls are passed as an array of rule strings, here we transform them
# into a resources hash, and pass the result to create_resources
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
# ipv6acls are passed as an array of rule strings, here we transform
# them into a resources hash, and pass the result to create_resources
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
'ipv6acls', 102)
create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
}
}
# We must set a "listen_addresses" line in the postgresql.conf if we

View file

@ -15,36 +15,40 @@ define postgresql::server::pg_hba_rule(
$target = $postgresql::server::pg_hba_conf_path
) {
validate_re($type, '^(local|host|hostssl|hostnossl)$',
if $postgresql::server::manage_pga_conf == false {
fail('postgresql::server::manage_pga_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
} else {
validate_re($type, '^(local|host|hostssl|hostnossl)$',
"The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")
if($type =~ /^host/ and $address == undef) {
fail('You must specify an address property when type is host based')
}
if($type =~ /^host/ and $address == undef) {
fail('You must specify an address property when type is host based')
}
$allowed_auth_methods = $postgresql::server::version ? {
'9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
'9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
'9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
'9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
'8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
'8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
'8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
'8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
}
$allowed_auth_methods = $postgresql::server::version ? {
'9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
'9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
'9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
'9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
'8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
'8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
'8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
'8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
}
$auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
validate_re($auth_method, $auth_method_regex,
$auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
validate_re($auth_method, $auth_method_regex,
join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')]))
# Create a rule fragment
$fragname = "pg_hba_rule_${name}"
concat::fragment { $fragname:
target => $target,
content => template('postgresql/pg_hba_rule.conf'),
order => $order,
owner => $::id,
mode => '0600',
# Create a rule fragment
$fragname = "pg_hba_rule_${name}"
concat::fragment { $fragname:
target => $target,
content => template('postgresql/pg_hba_rule.conf'),
order => $order,
owner => $::id,
mode => '0600',
}
}
}

View file

@ -64,4 +64,22 @@ describe 'postgresql::server::pg_hba_rule:' do
r.exit_code.should == 2
end
end
it 'should fail catalogue if postgresql::server::manage_pga_conf is disabled' do
pp = <<-EOS.unindent
class { 'postgresql::server':
manage_pg_hba_conf => false,
}
postgresql::server::pg_hba_rule { 'foo':
type => "local",
database => "test1",
user => "test1",
auth_method => reject,
order => '001',
}
EOS
puppet_apply(pp) do |r|
r.exit_code.should == 1
end
end
end

View file

@ -191,3 +191,27 @@ describe 'server with firewall:' do
end
end
end
describe 'server without pg_hba.conf:' do
after :all do
puppet_apply("class { 'postgresql::server': ensure => absent }") do |r|
r.exit_code.should_not == 1
end
end
context 'test installing postgresql without pg_hba.conf management on' do
it 'perform installation and make sure it is idempotent' do
pp = <<-EOS.unindent
class { "postgresql::server":
manage_pg_hba_conf => false,
}
EOS
puppet_apply(pp) do |r|
r.exit_code.should == 2
r.refresh
r.exit_code.should == 0
end
end
end
end