opuppet/module-postgresql
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add a parameter to (un)manage pg_hba.conf

Browse source
This commit is contained in:
Mickaël Canévet 2013-10-02 14:43:21 +02:00
parent 3877a01224
commit 6f614b0b37
8 changed files with 139 additions and 83 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -429,6 +429,9 @@ This will set the default database locale for all databases created with this mo
####`manage_firewall` ####`manage_firewall`
This value defaults to `false`. Many distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you'd like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. Check the documentation for `puppetlabs/firewall` to ensure the rest of the global setup is applied, to ensure things like persistence and global rules are set correctly. This value defaults to `false`. Many distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you'd like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. Check the documentation for `puppetlabs/firewall` to ensure the rest of the global setup is applied, to ensure things like persistence and global rules are set correctly.
####`manage_pg_hba_conf`
This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
###Class: postgresql::client ###Class: postgresql::client

1
manifests/globals.pp
View file

@ -38,6 +38,7 @@ class postgresql::globals (
$locale = undef, $locale = undef,
$manage_firewall = undef, $manage_firewall = undef,
$manage_pg_hba_conf = undef,
$firewall_supported = undef, $firewall_supported = undef,
$manage_package_repo = undef $manage_package_repo = undef

1
manifests/params.pp
View file

@ -13,6 +13,7 @@ class postgresql::params inherits postgresql::globals {
$locale = $locale $locale = $locale
$service_provider = $service_provider $service_provider = $service_provider
$manage_firewall = $manage_firewall $manage_firewall = $manage_firewall
$manage_pg_hba_conf = pick($manage_pg_hba_conf, true)
# Amazon Linux's OS Family is 'Linux', operating system 'Amazon'. # Amazon Linux's OS Family is 'Linux', operating system 'Amazon'.
case $::osfamily { case $::osfamily {

1
manifests/server.pp
View file

@ -40,6 +40,7 @@ class postgresql::server (
$locale = $postgresql::params::locale, $locale = $postgresql::params::locale,
$manage_firewall = $postgresql::params::manage_firewall, $manage_firewall = $postgresql::params::manage_firewall,
$manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf,
$firewall_supported = $postgresql::params::firewall_supported $firewall_supported = $postgresql::params::firewall_supported
) inherits postgresql::params { ) inherits postgresql::params {
$pg = 'postgresql::server' $pg = 'postgresql::server'

12
manifests/server/config.pp
View file

@ -12,6 +12,7 @@ class postgresql::server::config {
$user = $postgresql::server::user $user = $postgresql::server::user
$group = $postgresql::server::group $group = $postgresql::server::group
$version = $postgresql::server::version $version = $postgresql::server::version
$manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf
File { File {
owner => $user, owner => $user,
@ -19,6 +20,8 @@ class postgresql::server::config {
} }
if ($ensure == 'present' or $ensure == true) { if ($ensure == 'present' or $ensure == true) {
if ($manage_pg_hba_conf == true) {
# Prepare the main pg_hba file # Prepare the main pg_hba file
include concat::setup include concat::setup
concat { $pg_hba_conf_path: concat { $pg_hba_conf_path:
@ -61,8 +64,8 @@ class postgresql::server::config {
order => '003', order => '003',
} }
# ipv4acls are passed as an array of rule strings, here we transform them # ipv4acls are passed as an array of rule strings, here we transform
# into a resources hash, and pass the result to create_resources # them into a resources hash, and pass the result to create_resources
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls, $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
'ipv4acls', 10) 'ipv4acls', 10)
create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources) create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
@ -80,12 +83,13 @@ class postgresql::server::config {
order => '101', order => '101',
} }
# ipv6acls are passed as an array of rule strings, here we transform them # ipv6acls are passed as an array of rule strings, here we transform
# into a resources hash, and pass the result to create_resources # them into a resources hash, and pass the result to create_resources
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls, $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
'ipv6acls', 102) 'ipv6acls', 102)
create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources) create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
} }
}
# We must set a "listen_addresses" line in the postgresql.conf if we # We must set a "listen_addresses" line in the postgresql.conf if we
# want to allow any connections from remote hosts. # want to allow any connections from remote hosts.

4
manifests/server/pg_hba_rule.pp
View file

@ -15,6 +15,9 @@ define postgresql::server::pg_hba_rule(
$target = $postgresql::server::pg_hba_conf_path $target = $postgresql::server::pg_hba_conf_path
) { ) {
if $postgresql::server::manage_pga_conf == false {
fail('postgresql::server::manage_pga_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
} else {
validate_re($type, '^(local|host|hostssl|hostnossl)$', validate_re($type, '^(local|host|hostssl|hostnossl)$',
"The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl") "The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")
@ -48,3 +51,4 @@ define postgresql::server::pg_hba_rule(
mode => '0600', mode => '0600',
} }
} }
}

18
spec/system/server/pg_hba_rule_spec.rb
View file

@ -64,4 +64,22 @@ describe 'postgresql::server::pg_hba_rule:' do
r.exit_code.should == 2 r.exit_code.should == 2
end end
end end
it 'should fail catalogue if postgresql::server::manage_pga_conf is disabled' do
pp = <<-EOS.unindent
class { 'postgresql::server':
manage_pg_hba_conf => false,
}
postgresql::server::pg_hba_rule { 'foo':
type => "local",
database => "test1",
user => "test1",
auth_method => reject,
order => '001',
}
EOS
puppet_apply(pp) do |r|
r.exit_code.should == 1
end
end
end end

24
spec/system/server_spec.rb
View file

@ -191,3 +191,27 @@ describe 'server with firewall:' do
end end
end end
end end
describe 'server without pg_hba.conf:' do
after :all do
puppet_apply("class { 'postgresql::server': ensure => absent }") do |r|
r.exit_code.should_not == 1
end
end
context 'test installing postgresql without pg_hba.conf management on' do
it 'perform installation and make sure it is idempotent' do
pp = <<-EOS.unindent
class { "postgresql::server":
manage_pg_hba_conf => false,
}
EOS
puppet_apply(pp) do |r|
r.exit_code.should == 2
r.refresh
r.exit_code.should == 0
end
end
end
end