Add a parameter to (un)manage pg_hba.conf
This commit is contained in:
parent
3877a01224
commit
6f614b0b37
8 changed files with 139 additions and 83 deletions
@ -429,6 +429,9 @@ This will set the default database locale for all databases created with this mo
####`manage_firewall`
####`manage_firewall`
This value defaults to `false`. Many distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you'd like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. Check the documentation for `puppetlabs/firewall` to ensure the rest of the global setup is applied, to ensure things like persistence and global rules are set correctly.
This value defaults to `false`. Many distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you'd like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. Check the documentation for `puppetlabs/firewall` to ensure the rest of the global setup is applied, to ensure things like persistence and global rules are set correctly.
####`manage_pg_hba_conf`
This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
###Class: postgresql::client
###Class: postgresql::client
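--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -38,6 +38,7 @@ class postgresql::globals (
 $locale = undef,
 
 $manage_firewall = undef,
+$manage_pg_hba_conf = undef,
 $firewall_supported = undef,
 
 $manage_package_repo = undef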
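--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -13,6 +13,7 @@ class postgresql::params inherits postgresql::globals {
 $locale = $locale
 $service_provider = $service_provider
 $manage_firewall = $manage_firewall
+$manage_pg_hba_conf = pick($manage_pg_hba_conf, true)
 
 # Amazon Linux's OS Family is 'Linux', operating system 'Amazon'.
 case $::osfamily {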
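--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -40,6 +40,7 @@ class postgresql::server (
 $locale = $postgresql::params::locale,
 
 $manage_firewall = $postgresql::params::manage_firewall,
+$manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf,
 $firewall_supported = $postgresql::params::firewall_supported
 ) inherits postgresql::params {
 $pg = 'postgresql::server'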
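Review bot: The new `$manage_pg_hba_conf` parameter is accepted without a type check, while the code that consumes it compares it with `== true` (postgresql::server::config) and `== false` (postgresql::server::pg_hba_rule), so a value that is not a real boolean — for instance the string 'false' arriving from Hiera or an ENC — may be coerced in a way that silently skips, or silently keeps, management of the file that decides who may connect, depending on the parser's string/boolean comparison rules. This module already relies on stdlib (`pick`, `validate_re`), so adding `validate_bool($manage_pg_hba_conf)` to the class body turns a mistyped value into a compile error instead of a quiet change in which access rules get written. The class body continues outside the hunk.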
@ -12,6 +12,7 @@ class postgresql::server::config {
$user = $postgresql::server::user
$user = $postgresql::server::user
$group = $postgresql::server::group
$group = $postgresql::server::group
$version = $postgresql::server::version
$version = $postgresql::server::version
$manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf
File {
File {
owner => $user,
owner => $user,
@ -19,72 +20,75 @@ class postgresql::server::config {
}
}
if ($ensure == 'present' or $ensure == true) {
if ($ensure == 'present' or $ensure == true) {
# Prepare the main pg_hba file
include concat::setup
concat { $pg_hba_conf_path:
owner => 0,
group => $group,
mode => '0640',
warn => true,
notify => Class['postgresql::server::reload'],
}
if $pg_hba_conf_defaults {
if ($manage_pg_hba_conf == true) {
Postgresql::Server::Pg_hba_rule {
# Prepare the main pg_hba file
database => 'all',
include concat::setup
user => 'all',
concat { $pg_hba_conf_path:
owner => 0,
group => $group,
mode => '0640',
warn => true,
notify => Class['postgresql::server::reload'],
}
}
# Lets setup the base rules
if $pg_hba_conf_defaults {
$local_auth_option = $version ? {
Postgresql::Server::Pg_hba_rule {
'8.1' => 'sameuser',
database => 'all',
default => undef,
user => 'all',
}
}
postgresql::server::pg_hba_rule { 'local access as postgres user':
type => 'local',
user => $user,
auth_method => 'ident',
auth_option => $local_auth_option,
order => '001',
}
postgresql::server::pg_hba_rule { 'local access to database with same name':
type => 'local',
auth_method => 'ident',
auth_option => $local_auth_option,
order => '002',
}
postgresql::server::pg_hba_rule { 'deny access to postgresql user':
type => 'host',
user => $user,
address => $ip_mask_deny_postgres_user,
auth_method => 'reject',
order => '003',
}
# ipv4acls are passed as an array of rule strings, here we transform them
# Lets setup the base rules
# into a resources hash, and pass the result to create_resources
$local_auth_option = $version ? {
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
'8.1' => 'sameuser',
default => undef,
}
postgresql::server::pg_hba_rule { 'local access as postgres user':
type => 'local',
user => $user,
auth_method => 'ident',
auth_option => $local_auth_option,
order => '001',
}
postgresql::server::pg_hba_rule { 'local access to database with same name':
type => 'local',
auth_method => 'ident',
auth_option => $local_auth_option,
order => '002',
}
postgresql::server::pg_hba_rule { 'deny access to postgresql user':
type => 'host',
user => $user,
address => $ip_mask_deny_postgres_user,
auth_method => 'reject',
order => '003',
}
# ipv4acls are passed as an array of rule strings, here we transform
# them into a resources hash, and pass the result to create_resources
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
'ipv4acls', 10)
'ipv4acls', 10)
create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
postgresql::server::pg_hba_rule { 'allow access to all users':
postgresql::server::pg_hba_rule { 'allow access to all users':
type => 'host',
type => 'host',
address => $ip_mask_allow_all_users,
address => $ip_mask_allow_all_users,
auth_method => 'md5',
auth_method => 'md5',
order => '100',
order => '100',
}
}
postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
type => 'host',
type => 'host',
address => '::1/128',
address => '::1/128',
auth_method => 'md5',
auth_method => 'md5',
order => '101',
order => '101',
}
}
# ipv6acls are passed as an array of rule strings, here we transform them
# ipv6acls are passed as an array of rule strings, here we transform
# into a resources hash, and pass the result to create_resources
# them into a resources hash, and pass the result to create_resources
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
'ipv6acls', 102)
'ipv6acls', 102)
create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
}
}
}
# We must set a "listen_addresses" line in the postgresql.conf if we
# We must set a "listen_addresses" line in the postgresql.conf if we
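Review bot: Everything now nested under `if ($manage_pg_hba_conf == true)` — the `concat` resource with its `0640` mode, the `reject` rule for the postgres user, the `ip_mask_*` rules and both `create_resources` calls for `$ipv4acls`/`$ipv6acls` — is skipped when the parameter is false, so those parameters are still accepted by postgresql::server but silently have no effect, and the module stops enforcing its own access rules and file mode without saying so anywhere. A why-comment above the `if`, such as `# pg_hba.conf is unmanaged: none of the pg_hba/acl parameters below are applied; the operator owns the file's rules and mode`, states that trade-off where the reader meets it, and a `warning()` when any of those parameters is set while management is off would make the misconfiguration visible at apply time. The enclosing class postgresql::server::config starts and ends outside the hunk.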
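--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -15,36 +15,40 @@ define postgresql::server::pg_hba_rule(
 $target = $postgresql::server::pg_hba_conf_path
 ) {
 
-validate_re($type, '^(local|host|hostssl|hostnossl)$',
+if $postgresql::server::manage_pga_conf == false {
+fail('postgresql::server::manage_pga_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
+} else {
+validate_re($type, '^(local|host|hostssl|hostnossl)$',
 "The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")
 
 if($type =~ /^host/ and $address == undef) {
 fail('You must specify an address property when type is host based')
 }
 
 $allowed_auth_methods = $postgresql::server::version ? {
 '9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
 '9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
 '9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
 '9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
 '8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
 '8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
 '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
 '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
 default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
 }
 
 $auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'])
 validate_re($auth_method, $auth_method_regex,
 join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')]))
 
 # Create a rule fragment
 $fragname = "pg_hba_rule_${name}"
 concat::fragment { $fragname:
 target => $target,
 content => template('postgresql/pg_hba_rule.conf'),
 order => $order,
 owner => $::id,
 mode => '0600',
+}
 }
 }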
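Review bot: The new guard reads `$postgresql::server::manage_pga_conf`, but the parameter this commit adds to postgresql::server is `manage_pg_hba_conf`, so the comparison is made against a variable that class never declares and the `fail()` cannot be driven by the operator's setting (how an undeclared variable compares with `false` depends on the parser version, but it is not the documented switch either way); the fail message on the next line repeats the same misspelling. Change the guard to `if $postgresql::server::manage_pg_hba_conf == false {` and make the message name `postgresql::server::manage_pg_hba_conf`; the acceptance example `it 'should fail catalogue if postgresql::server::manage_pga_conf is disabled'` carries the same misspelling in its description. The `define` header with the parameter list starts outside the hunk.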
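--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -64,4 +64,22 @@ describe 'postgresql::server::pg_hba_rule:' do
 r.exit_code.should == 2
 end
 end
+
+it 'should fail catalogue if postgresql::server::manage_pga_conf is disabled' do
+pp = <<-EOS.unindent
+class { 'postgresql::server':
+manage_pg_hba_conf => false,
+}
+postgresql::server::pg_hba_rule { 'foo':
+type => "local",
+database => "test1",
+user => "test1",
+auth_method => reject,
+order => '001',
+}
+EOS
+puppet_apply(pp) do |r|
+r.exit_code.should == 1
+end
+end
 end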
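Review bot: The new example asserts only `r.exit_code.should == 1`, so it passes for any catalogue failure, not specifically the `fail()` that pg_hba_rule.pp is meant to raise when management is off — a `concat::fragment` whose `concat` target was never declared, which is presumably what happens if that guard does not fire, would end the run with the same exit code. If the result object exposes the run's output, add a check on the message text, e.g. `r.stderr.should =~ /so this resource is now unused and redundant/`, so the example pins the intended behaviour rather than just the failure. The enclosing `describe` starts outside the hunk.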
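--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -191,3 +191,27 @@ describe 'server with firewall:' do
 end
 end
 end
+
+describe 'server without pg_hba.conf:' do
+after :all do
+puppet_apply("class { 'postgresql::server': ensure => absent }") do |r|
+r.exit_code.should_not == 1
+end
+end
+
+context 'test installing postgresql without pg_hba.conf management on' do
+it 'perform installation and make sure it is idempotent' do
+pp = <<-EOS.unindent
+class { "postgresql::server":
+manage_pg_hba_conf => false,
+}
+EOS
+
+puppet_apply(pp) do |r|
+r.exit_code.should == 2
+r.refresh
+r.exit_code.should == 0
+end
+end
+end
+end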
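Review bot: The new context checks only that the run converges (exit code 2, then 0 on refresh), not that pg_hba.conf was left alone, which is the property `manage_pg_hba_conf => false` exists to provide; a build that still declared the `concat` resource and rewrote the file would pass this example unchanged. Seeding the file with a marker line after the first `puppet_apply(pp)`, applying again and asserting the marker survives would make the example test the unmanaged behaviour; the on-disk path is `$postgresql::server::pg_hba_conf_path` in the manifests, whose value is not shown on this page. The `after :all` cleanup applies `ensure => absent`, so the check has to sit inside the `it` block before that runs.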