Add a parameter to (un)manage pg_hba.conf
This commit is contained in:
parent
3877a01224
commit
6f614b0b37
8 changed files with 139 additions and 83 deletions
@ -429,6 +429,9 @@ This will set the default database locale for all databases created with this mo
|
|||
####`manage_firewall`
|
||||
This value defaults to `false`. Many distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you'd like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. Check the documentation for `puppetlabs/firewall` to ensure the rest of the global setup is applied, to ensure things like persistence and global rules are set correctly.
|
||||
|
||||
####`manage_pg_hba_conf`
|
||||
This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
|
||||
|
||||
|
||||
###Class: postgresql::client
|
||||
|
||||
|
@ -38,6 +38,7 @@ class postgresql::globals (
|
|||
$locale = undef,
|
||||
|
||||
$manage_firewall = undef,
|
||||
$manage_pg_hba_conf = undef,
|
||||
$firewall_supported = undef,
|
||||
|
||||
$manage_package_repo = undef
|
||||
|
@ -13,6 +13,7 @@ class postgresql::params inherits postgresql::globals {
|
|||
$locale = $locale
|
||||
$service_provider = $service_provider
|
||||
$manage_firewall = $manage_firewall
|
||||
$manage_pg_hba_conf = pick($manage_pg_hba_conf, true)
|
||||
|
||||
# Amazon Linux's OS Family is 'Linux', operating system 'Amazon'.
|
||||
case $::osfamily {
|
||||
|
@ -40,6 +40,7 @@ class postgresql::server (
|
|||
$locale = $postgresql::params::locale,
|
||||
|
||||
$manage_firewall = $postgresql::params::manage_firewall,
|
||||
$manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf,
|
||||
$firewall_supported = $postgresql::params::firewall_supported
|
||||
) inherits postgresql::params {
|
||||
$pg = 'postgresql::server'
|
||||
|
@ -12,6 +12,7 @@ class postgresql::server::config {
|
|||
$user = $postgresql::server::user
|
||||
$group = $postgresql::server::group
|
||||
$version = $postgresql::server::version
|
||||
$manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf
|
||||
|
||||
File {
|
||||
owner => $user,
|
||||
|
@ -19,72 +20,75 @@ class postgresql::server::config {
|
|||
}
|
||||
|
||||
if ($ensure == 'present' or $ensure == true) {
|
||||
# Prepare the main pg_hba file
|
||||
include concat::setup
|
||||
concat { $pg_hba_conf_path:
|
||||
owner => 0,
|
||||
group => $group,
|
||||
mode => '0640',
|
||||
warn => true,
|
||||
notify => Class['postgresql::server::reload'],
|
||||
}
|
||||
|
||||
if $pg_hba_conf_defaults {
|
||||
Postgresql::Server::Pg_hba_rule {
|
||||
database => 'all',
|
||||
user => 'all',
|
||||
if ($manage_pg_hba_conf == true) {
|
||||
# Prepare the main pg_hba file
|
||||
include concat::setup
|
||||
concat { $pg_hba_conf_path:
|
||||
owner => 0,
|
||||
group => $group,
|
||||
mode => '0640',
|
||||
warn => true,
|
||||
notify => Class['postgresql::server::reload'],
|
||||
}
|
||||
|
||||
# Lets setup the base rules
|
||||
$local_auth_option = $version ? {
|
||||
'8.1' => 'sameuser',
|
||||
default => undef,
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'local access as postgres user':
|
||||
type => 'local',
|
||||
user => $user,
|
||||
auth_method => 'ident',
|
||||
auth_option => $local_auth_option,
|
||||
order => '001',
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'local access to database with same name':
|
||||
type => 'local',
|
||||
auth_method => 'ident',
|
||||
auth_option => $local_auth_option,
|
||||
order => '002',
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'deny access to postgresql user':
|
||||
type => 'host',
|
||||
user => $user,
|
||||
address => $ip_mask_deny_postgres_user,
|
||||
auth_method => 'reject',
|
||||
order => '003',
|
||||
}
|
||||
if $pg_hba_conf_defaults {
|
||||
Postgresql::Server::Pg_hba_rule {
|
||||
database => 'all',
|
||||
user => 'all',
|
||||
}
|
||||
|
||||
# ipv4acls are passed as an array of rule strings, here we transform them
|
||||
# into a resources hash, and pass the result to create_resources
|
||||
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
|
||||
# Lets setup the base rules
|
||||
$local_auth_option = $version ? {
|
||||
'8.1' => 'sameuser',
|
||||
default => undef,
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'local access as postgres user':
|
||||
type => 'local',
|
||||
user => $user,
|
||||
auth_method => 'ident',
|
||||
auth_option => $local_auth_option,
|
||||
order => '001',
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'local access to database with same name':
|
||||
type => 'local',
|
||||
auth_method => 'ident',
|
||||
auth_option => $local_auth_option,
|
||||
order => '002',
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'deny access to postgresql user':
|
||||
type => 'host',
|
||||
user => $user,
|
||||
address => $ip_mask_deny_postgres_user,
|
||||
auth_method => 'reject',
|
||||
order => '003',
|
||||
}
|
||||
|
||||
# ipv4acls are passed as an array of rule strings, here we transform
|
||||
# them into a resources hash, and pass the result to create_resources
|
||||
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
|
||||
'ipv4acls', 10)
|
||||
create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
|
||||
create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
|
||||
|
||||
postgresql::server::pg_hba_rule { 'allow access to all users':
|
||||
type => 'host',
|
||||
address => $ip_mask_allow_all_users,
|
||||
auth_method => 'md5',
|
||||
order => '100',
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
|
||||
type => 'host',
|
||||
address => '::1/128',
|
||||
auth_method => 'md5',
|
||||
order => '101',
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'allow access to all users':
|
||||
type => 'host',
|
||||
address => $ip_mask_allow_all_users,
|
||||
auth_method => 'md5',
|
||||
order => '100',
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
|
||||
type => 'host',
|
||||
address => '::1/128',
|
||||
auth_method => 'md5',
|
||||
order => '101',
|
||||
}
|
||||
|
||||
# ipv6acls are passed as an array of rule strings, here we transform them
|
||||
# into a resources hash, and pass the result to create_resources
|
||||
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
|
||||
# ipv6acls are passed as an array of rule strings, here we transform
|
||||
# them into a resources hash, and pass the result to create_resources
|
||||
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
|
||||
'ipv6acls', 102)
|
||||
create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
|
||||
create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
|
||||
}
|
||||
}
|
||||
|
||||
# We must set a "listen_addresses" line in the postgresql.conf if we
|
||||
|
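Review bot: When `manage_pg_hba_conf` is false, the new `if ($manage_pg_hba_conf == true)` branch silently discards `$ipv4acls`, `$ipv6acls`, `$ip_mask_allow_all_users` and `$ip_mask_deny_postgres_user`, so an operator who sets ACLs but disables management gets no rule applied and no signal that the module's default `reject`/`md5` rules are absent as well. Add an explicit check ahead of the conditional, e.g. `if $manage_pg_hba_conf != true and (!empty($ipv4acls) or !empty($ipv6acls)) { warning('pg_hba.conf management is disabled; ipv4acls/ipv6acls are ignored') }`, or at least state in the class header that these parameters are no-ops when management is off. The comparison is against the boolean literal `true`; the value is plumbed from `postgresql::globals` and, if it arrives from hiera as the string 'true', would presumably not match and leave the file unmanaged, so a `validate_bool($manage_pg_hba_conf)` alongside the module's existing `validate_re` usage would turn that into a compile error. The `listen_addresses` handling that follows this hunk (see the trailing comment) still runs regardless, so the server may be reachable over the network with whatever pg_hba.conf the distribution shipped; the enclosing class `postgresql::server::config` continues past the hunk.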
@ -15,36 +15,40 @@ define postgresql::server::pg_hba_rule(
|
|||
$target = $postgresql::server::pg_hba_conf_path
|
||||
) {
|
||||
|
||||
validate_re($type, '^(local|host|hostssl|hostnossl)$',
|
||||
if $postgresql::server::manage_pga_conf == false {
|
||||
fail('postgresql::server::manage_pga_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
|
||||
} else {
|
||||
validate_re($type, '^(local|host|hostssl|hostnossl)$',
|
||||
"The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")
|
||||
|
||||
if($type =~ /^host/ and $address == undef) {
|
||||
fail('You must specify an address property when type is host based')
|
||||
}
|
||||
if($type =~ /^host/ and $address == undef) {
|
||||
fail('You must specify an address property when type is host based')
|
||||
}
|
||||
|
||||
$allowed_auth_methods = $postgresql::server::version ? {
|
||||
'9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
|
||||
'8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
|
||||
'8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
|
||||
'8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
|
||||
default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
|
||||
}
|
||||
$allowed_auth_methods = $postgresql::server::version ? {
|
||||
'9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
|
||||
'8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
|
||||
'8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
|
||||
'8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
|
||||
'8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
|
||||
default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
|
||||
}
|
||||
|
||||
$auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
|
||||
validate_re($auth_method, $auth_method_regex,
|
||||
$auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
|
||||
validate_re($auth_method, $auth_method_regex,
|
||||
join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')]))
|
||||
|
||||
# Create a rule fragment
|
||||
$fragname = "pg_hba_rule_${name}"
|
||||
concat::fragment { $fragname:
|
||||
target => $target,
|
||||
content => template('postgresql/pg_hba_rule.conf'),
|
||||
order => $order,
|
||||
owner => $::id,
|
||||
mode => '0600',
|
||||
# Create a rule fragment
|
||||
$fragname = "pg_hba_rule_${name}"
|
||||
concat::fragment { $fragname:
|
||||
target => $target,
|
||||
content => template('postgresql/pg_hba_rule.conf'),
|
||||
order => $order,
|
||||
owner => $::id,
|
||||
mode => '0600',
|
||||
}
|
||||
}
|
||||
}
|
||||
|
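Review bot: The new guard at the top of the define reads `$postgresql::server::manage_pga_conf`, but the parameter added to `postgresql::server` in this same commit is `manage_pg_hba_conf`, so the comparison is against a variable that is never set and whether the `fail` fires is independent of the operator's actual setting; a rule declared while management is disabled is then not rejected as intended, and an operator can believe a `reject` rule is enforced when nothing is written to pg_hba.conf. Change the condition to `if $postgresql::server::manage_pg_hba_conf == false {` and the message to `fail('postgresql::server::manage_pg_hba_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')`. The acceptance test added in this commit repeats the misspelling in its description and only checks the exit code, so it does not catch the mismatch. The define's parameter list begins before this hunk.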
@ -64,4 +64,22 @@ describe 'postgresql::server::pg_hba_rule:' do
|
|||
r.exit_code.should == 2
|
||||
end
|
||||
end
|
||||
|
||||
it 'should fail catalogue if postgresql::server::manage_pga_conf is disabled' do
|
||||
pp = <<-EOS.unindent
|
||||
class { 'postgresql::server':
|
||||
manage_pg_hba_conf => false,
|
||||
}
|
||||
postgresql::server::pg_hba_rule { 'foo':
|
||||
type => "local",
|
||||
database => "test1",
|
||||
user => "test1",
|
||||
auth_method => reject,
|
||||
order => '001',
|
||||
}
|
||||
EOS
|
||||
puppet_apply(pp) do |r|
|
||||
r.exit_code.should == 1
|
||||
end
|
||||
end
|
||||
end
|
||||
|
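Review bot: The new example asserts only `r.exit_code.should == 1`, so any catalogue failure — including one caused by an unrelated error in the define — satisfies it, and its description names `manage_pga_conf` while the manifest it applies sets `manage_pg_hba_conf`. Pin the failure to the intended guard by also matching the message, e.g. `r.stderr.should =~ /has been disabled, so this resource is now unused/`, and rename the example to `'should fail catalogue if postgresql::server::manage_pg_hba_conf is disabled'`. The enclosing `describe` block begins before this hunk.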
@ -191,3 +191,27 @@ describe 'server with firewall:' do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'server without pg_hba.conf:' do
|
||||
after :all do
|
||||
puppet_apply("class { 'postgresql::server': ensure => absent }") do |r|
|
||||
r.exit_code.should_not == 1
|
||||
end
|
||||
end
|
||||
|
||||
context 'test installing postgresql without pg_hba.conf management on' do
|
||||
it 'perform installation and make sure it is idempotent' do
|
||||
pp = <<-EOS.unindent
|
||||
class { "postgresql::server":
|
||||
manage_pg_hba_conf => false,
|
||||
}
|
||||
EOS
|
||||
|
||||
puppet_apply(pp) do |r|
|
||||
r.exit_code.should == 2
|
||||
r.refresh
|
||||
r.exit_code.should == 0
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
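Review bot: The new 'server without pg_hba.conf' example proves only that the run is idempotent, not that pg_hba.conf was actually left alone, which is the property `manage_pg_hba_conf => false` promises. Since the managed file is produced by `concat` with `warn => true` (config.pp in this commit), a check that the on-disk file lacks the warning header concat prepends — for instance, if the rspec-system `shell` helper is available here, `shell("grep -c 'managed by Puppet' #{pg_hba_path}") { |r| r.exit_code.should == 1 }` — would distinguish "unmanaged" from "managed with identical content". The path of pg_hba.conf differs per distro, so derive it from the module's `pg_hba_conf_path` rather than hard-coding it.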