opuppet/module-postgresql
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge branch 'master' into cprice-puppet-feature/master/port-psql-to-ruby

Browse source 
Conflicts:
	manifests/database.pp
	manifests/database_grant.pp
	manifests/psql.pp
	manifests/role.pp
This commit is contained in:
Chris Price 2012-11-30 15:49:07 -08:00
commit 76fcf269d8
22 changed files with 122 additions and 91 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Modulefile
View file

@ -7,5 +7,5 @@ summary 'PostgreSQL defined resource types'
license 'Apache'
project_page 'https://github.com/puppetlabs/puppet-postgresql/issues'
dependency 'puppetlabs/stdlib', '2.x'
dependency 'puppetlabs/stdlib', '3.x'
dependency 'puppetlabs/firewall', '>= 0.0.4'

9
README.md
View file

@ -15,8 +15,8 @@ This module provides the following defined resource types for managing postgres:
* `postgresql::initdb`
* `postgresql::db`
* `postgresql::role`
* `postgresql::user` (just for clarity; users are roles in postgres)
* `postgresql::grant`
* `postgresql::database_user` (just for clarity; users are roles in postgres)
* `postgresql::database_grant`
And the fallback, analogous to exec resources, only for SQL statements:
@ -39,6 +39,7 @@ class { 'postgresql::server':
'ip_mask_deny_postgres_user' => '0.0.0.0/32',
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'ipv4acls' => ['hostssl all johndoe 192.168.0.0/24 cert'],
'manage_redhat_firewall' => true,
'postgres_password' => 'TPSrep0rt!',
},
@ -48,11 +49,11 @@ class { 'postgresql::server':
Manage users / roles and permissions:
```Puppet
postgresql::user{'marmot':
postgresql::database_user{'marmot':
password => 'foo',
}
postgresql::grant{'grant select to marmot':
postgresql::database_grant{'grant select to marmot':
grantee => 'marmot',
on_object => 'my_table',
perm => 'select',

12
manifests/config.pp
View file

@ -9,6 +9,10 @@
# defaults to '127.0.0.1/32', meaning only allow connections from localhost
# [*listen_addresses*] - what IP address(es) to listen on; comma-separated list of addresses; defaults to
# 'localhost', '*' = all
# [*ipv4acls*] - list of strings for access control for connection method, users, databases, IPv4
# addresses; see postgresql documentation about pg_hba.conf for information
# [*ipv6acls*] - list of strings for access control for connection method, users, databases, IPv6
# addresses; see postgresql documentation about pg_hba.conf for information
# [*pg_hba_conf_path*] - path to pg_hba.conf file
# [*postgresql_conf_path*] - path to postgresql.conf file
# [*manage_redhat_firewall*] - boolean indicating whether or not the module should open a port in the firewall on
@ -33,6 +37,8 @@ class postgresql::config(
$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,
$listen_addresses = $postgresql::params::listen_addresses,
$ipv4acls = $postgresql::params::ipv4acls,
$ipv6acls = $postgresql::params::ipv6acls,
$pg_hba_conf_path = $postgresql::params::pg_hba_conf_path,
$postgresql_conf_path = $postgresql::params::postgresql_conf_path,
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall
@ -42,16 +48,18 @@ class postgresql::config(
# to the "beforeservice" and "afterservice" classes, and ensure
# the proper ordering.
class { "postgresql::config::beforeservice":
class { 'postgresql::config::beforeservice':
ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user,
ip_mask_allow_all_users => $ip_mask_allow_all_users,
listen_addresses => $listen_addresses,
ipv4acls => $ipv4acls,
ipv6acls => $ipv6acls,
pg_hba_conf_path => $pg_hba_conf_path,
postgresql_conf_path => $postgresql_conf_path,
manage_redhat_firewall => $manage_redhat_firewall,
}
class { "postgresql::config::afterservice":
class { 'postgresql::config::afterservice':
postgres_password => $postgres_password,
}

6
manifests/config/afterservice.pp
View file

@ -28,7 +28,7 @@ class postgresql::config::afterservice(
# for pg_hba.conf.
exec { 'set_postgres_postgrespw':
# This command works w/no password because we run it as postgres system user
command => "psql -c \"ALTER ROLE postgres PASSWORD '$postgres_password'\"",
command => "psql -c \"ALTER ROLE postgres PASSWORD '${postgres_password}'\"",
user => $postgresql::params::user,
group => $postgresql::params::group,
logoutput => true,
@ -37,8 +37,8 @@ class postgresql::config::afterservice(
# a password. We specify the password via the PGPASSWORD environment variable. If
# the password is correct (current), this command will exit with an exit code of 0,
# which will prevent the main command from running.
unless => "env PGPASSWORD=\"$postgres_password\" psql -h localhost -c 'select 1' > /dev/null",
path => '/usr/bin:/usr/local/bin',
unless => "env PGPASSWORD=\"${postgres_password}\" psql -h localhost -c 'select 1' > /dev/null",
path => '/usr/bin:/usr/local/bin:/bin',
}
}
}

20
manifests/config/beforeservice.pp
View file

@ -8,6 +8,10 @@
# defaults to '127.0.0.1/32', meaning only allow connections from localhost
# [*listen_addresses*] - what IP address(es) to listen on; comma-separated list of addresses; defaults to
# 'localhost', '*' = all
# [*ipv4acls*] - list of strings for access control for connection method, users, databases, IPv4
# addresses; see postgresql documentation about pg_hba.conf for information
# [*ipv6acls*] - list of strings for access control for connection method, users, databases, IPv6
# addresses; see postgresql documentation about pg_hba.conf for information
# [*pg_hba_conf_path*] - path to pg_hba.conf file
# [*postgresql_conf_path*] - path to postgresql.conf file
# [*manage_redhat_firewall*] - boolean indicating whether or not the module should open a port in the firewall on
@ -33,6 +37,8 @@ class postgresql::config::beforeservice(
$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,
$listen_addresses = $postgresql::params::listen_addresses,
$ipv4acls = $postgresql::params::ipv4acls,
$ipv6acls = $postgresql::params::ipv6acls,
$pg_hba_conf_path = $postgresql::params::pg_hba_conf_path,
$postgresql_conf_path = $postgresql::params::postgresql_conf_path,
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall
@ -49,8 +55,8 @@ class postgresql::config::beforeservice(
file { 'pg_hba.conf':
ensure => file,
path => $pg_hba_conf_path,
content => template("postgresql/pg_hba.conf.erb"),
notify => Service['postgresqld'],
content => template('postgresql/pg_hba.conf.erb'),
notify => Exec['reload_postgresql'],
}
# We must set a "listen_addresses" line in the postgresql.conf if we
@ -67,18 +73,18 @@ class postgresql::config::beforeservice(
# an out-of-the-box firewall configuration that seems trickier to manage
# TODO: get rid of hard-coded port
if ($manage_redhat_firewall and $firewall_supported) {
exec { "postgresql-persist-firewall":
command => $persist_firewall_command,
exec { 'postgresql-persist-firewall':
command => $persist_firewall_command,
refreshonly => true,
}
Firewall {
notify => Exec["postgresql-persist-firewall"]
notify => Exec['postgresql-persist-firewall']
}
firewall { '5432 accept - postgres':
port => '5432',
proto => 'tcp',
port => '5432',
proto => 'tcp',
action => 'accept',
}
}

8
manifests/database.pp
View file

@ -20,16 +20,16 @@
# needs to be moved over to ruby, and add support for ensurable.
define postgresql::database(
$dbname = $title,
$dbname = $title,
$charset = 'UTF8')
{
require postgresql::params
if ($::postgres_default_version != "8.1") {
$locale_option = "--locale=C"
if ($::postgres_default_version != '8.1') {
$locale_option = '--locale=C'
}
$createdb_command = "${postgresql::params::createdb_path} --template=template0 --encoding '$charset' $locale_option '$dbname'"
$createdb_command = "${postgresql::params::createdb_path} --template=template0 --encoding '${charset}' ${locale_option} '${dbname}'"
postgresql_psql { "Check for existence of db '$dbname'":
command => "SELECT 1",

4
manifests/database_grant.pp
View file

@ -30,8 +30,8 @@ define postgresql::database_grant(
$privilege,
$db,
$role,
$psql_db = 'postgres',
$psql_user='postgres'
$psql_db = 'postgres',
$psql_user ='postgres'
) {
# TODO: FIXME: only works on databases, due to using has_database_privilege

12
manifests/database_user.pp
View file

@ -38,14 +38,14 @@
#
define postgresql::database_user(
$user=$title,
$password_hash,
$db = 'postgres',
$createdb=false,
$superuser=false,
$createrole=false
$createdb = false,
$createrole = false,
$db = 'postgres',
$superuser = false,
$user = $title
) {
postgresql::role {$user:
postgresql::role { $user:
db => $db,
password_hash => $password_hash,
login => true,

16
manifests/db.pp
View file

@ -46,12 +46,14 @@ define postgresql::db (
require => Class['postgresql::server'],
}
postgresql::database_user { "${user}":
# TODO: ensure is not yet supported
#ensure => present,
password_hash => $password,
#provider => 'postgresql',
require => Postgresql::Database[$name],
if ! defined(Postgresql::Database_user[$user]) {
postgresql::database_user { $user:
# TODO: ensure is not yet supported
#ensure => present,
password_hash => $password,
#provider => 'postgresql',
require => Postgresql::Database[$name],
}
}
postgresql::database_grant { "GRANT ${user} - ${grant} - ${name}":
@ -59,7 +61,7 @@ define postgresql::db (
db => $name,
role => $user,
#provider => 'postgresql',
require => Postgresql::Database_user["${user}"],
require => Postgresql::Database_user[$user],
}
}

2
manifests/devel.pp
View file

@ -20,7 +20,7 @@ class postgresql::devel(
require postgresql
package { 'postgresql_devel':
name => $package_name,
ensure => $package_ensure,
name => $package_name,
}
}

2
manifests/init.pp
View file

@ -17,8 +17,8 @@ class postgresql (
) inherits postgresql::params {
package { 'postgresql_client':
name => $package_name,
ensure => $package_ensure,
name => $package_name,
}
}

17
manifests/initdb.pp
View file

@ -17,17 +17,18 @@
# limitations under the License.
class postgresql::initdb(
$datadir = $postgresql::params::datadir,
$datadir = $postgresql::params::datadir,
$encoding = 'UTF8',
$group = 'postgres',
$initdb_path = $postgresql::params::initdb_path,
$user = 'postgres',
$group = 'postgres',
$encoding = 'UTF8',
$options=''
$options = '',
$user = 'postgres'
) inherits postgresql::params {
exec {"${initdb_path} --encoding '$encoding' --pgdata '$datadir'":
exec { "${initdb_path} --encoding '${encoding}' --pgdata '${datadir}'":
creates => "${datadir}/PG_VERSION",
user => "$user",
group => "$group",
user => $user,
group => $group,
require => Package["$postgresql::params::server_package_name"],
}
}

6
manifests/params.pp
View file

@ -16,6 +16,8 @@ class postgresql::params {
$ip_mask_deny_postgres_user = '0.0.0.0/0'
$ip_mask_allow_all_users = '127.0.0.1/32'
$listen_addresses = 'localhost'
$ipv4acls = []
$ipv6acls = []
# TODO: figure out a way to make this not platform-specific
$manage_redhat_firewall = false
@ -55,14 +57,14 @@ class postgresql::params {
'Debian': {
case $::operatingsystem {
'Debian': {
$service_name = "postgresql"
$service_name = 'postgresql'
}
'Ubuntu': {
case $::lsbmajdistrelease {
# thanks, ubuntu
'10': { $service_name = "postgresql-${::postgres_default_version}" }
default: { $service_name = "postgresql" }
default: { $service_name = 'postgresql' }
}
}
}

20
manifests/psql.pp
View file

@ -17,11 +17,11 @@
# limitations under the License.
define postgresql::psql(
$command = $title,
$unless,
$db,
$user = 'postgres',
$refreshonly = false
$unless,
$command = $title,
$refreshonly = false,
$user = 'postgres'
) {
require postgresql::params
@ -30,13 +30,13 @@ define postgresql::psql(
# things but not nested escaping. Need a lexer, preferably a ruby SQL parser
# to catch errors at catalog time. Possibly https://github.com/omghax/sql ?
if ($::postgres_default_version != "8.1") {
$no_password_option = "--no-password"
if ($::postgres_default_version != '8.1') {
$no_password_option = '--no-password'
}
$psql = "${postgresql::params::psql_path} $no_password_option --tuples-only --quiet --dbname $db"
$quoted_command = regsubst($command, '"', '\\"')
$quoted_unless = regsubst($unless, '"', '\\"')
$psql = "${postgresql::params::psql_path} ${no_password_option} --tuples-only --quiet --dbname ${db}"
$quoted_command = regsubst($command, '"', '\\"', 'G')
$quoted_unless = regsubst($unless, '"', '\\"', 'G')
$final_cmd = "/bin/echo \"$quoted_command\" | $psql |egrep -v -q '^$'"
@ -48,7 +48,7 @@ define postgresql::psql(
cwd => '/tmp',
user => $user,
returns => 1,
unless => "/bin/echo \"$quoted_unless\" | $psql | egrep -v -q '^$'",
unless => "/bin/echo \"${quoted_unless}\" | ${psql} | egrep -v -q '^$'",
refreshonly => $refreshonly,
}
}

12
manifests/role.pp
View file

@ -17,13 +17,13 @@
# limitations under the License.
define postgresql::role(
$username=$title,
$password_hash,
$db='postgres',
$login=false,
$createrole=false,
$createdb=false,
$superuser=false
$createdb = false,
$createrole = false,
$db = 'postgres',
$login = false,
$superuser = false,
$username = $title
) {
$login_sql = $login ? { true => 'LOGIN' , default => 'NOLOGIN' }

10
manifests/server.pp
View file

@ -22,8 +22,8 @@ class postgresql::server (
) inherits postgresql::params {
package { 'postgresql-server':
name => $package_name,
ensure => $package_ensure,
name => $package_name,
}
$config_class = {}
@ -41,13 +41,17 @@ class postgresql::server (
}
service { 'postgresqld':
name => $service_name,
ensure => running,
name => $service_name,
enable => true,
require => Package['postgresql-server'],
provider => $service_provider,
status => $service_status,
}
exec { 'reload_postgresql':
path => '/usr/bin:/usr/sbin:/bin:/sbin',
command => "service ${postgresql::params::service_name} reload",
refreshonly => true,
}
}

20
manifests/validate_db_connection.pp
View file

@ -46,11 +46,11 @@
define postgresql::validate_db_connection(
$database_host,
$database_port = 5432,
$database_username,
$database_password,
$database_name,
$client_package_name = ""
$database_password,
$database_username,
$client_package_name = '',
$database_port = 5432
) {
include postgresql::params
@ -65,18 +65,18 @@ define postgresql::validate_db_connection(
# Make sure the postgres client package is installed; we need it for
# `psql`.
package { 'postgresql-client':
name => $package_name,
ensure => present,
name => $package_name,
}
# TODO: port to ruby
$psql = "${postgresql::params::psql_path} --tuples-only --quiet -h $database_host -U $database_username -p $database_port --dbname $database_name"
$psql = "${postgresql::params::psql_path} --tuples-only --quiet -h ${database_host} -U ${database_username} -p ${database_port} --dbname ${database_name}"
$exec_name = "validate postgres connection for $database_host/$database_name"
exec {$exec_name:
command => "/bin/echo \"SELECT 1\" | $psql",
$exec_name = "validate postgres connection for ${database_host}/${database_name}"
exec { $exec_name:
command => "/bin/echo \"SELECT 1\" | ${psql}",
cwd => '/tmp',
environment => "PGPASSWORD=$database_password",
environment => "PGPASSWORD=${database_password}",
logoutput => 'on_failure',
require => Package['postgresql-client'],
}

6
templates/pg_hba.conf.erb
View file

@ -83,6 +83,12 @@ local all all ident <%= "sameuser" if @p
# IPv4 local connections:
host all postgres <%= @ip_mask_deny_postgres_user + "\t" %> reject
host all all <%= @ip_mask_allow_all_users + "\t" %> md5
<% @ipv4acls.each do |acl|; parts = acl.split -%>
<%= parts[0] + "\t" + parts[1] + "\t" + parts[2] + "\t\t" + parts[3] + "\t\t" + parts[4] + "\t" + parts.last(parts.length - 5).join(" ") %>
<% end -%>
# IPv6 local connections:
host all all ::1/128 md5
<% @ipv6acls.each do |acl|; parts = acl.split -%>
<%= parts[0] + "\t" + parts[1] + "\t" + parts[2] + "\t\t" + parts[3] + "\t\t" + parts[4] + "\t" + parts.last(parts.length - 5).join(" ") %>
<% end -%>

8
tests/postgresql_database.pp
View file

@ -1,10 +1,10 @@
class { 'postgresql::server':
config_hash => {
'ip_mask_deny_postgres_user' => '0.0.0.0/32',
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'manage_redhat_firewall' => true,
'postgres_password' => 'postgres',
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'manage_redhat_firewall' => true,
'postgres_password' => 'postgres',
},
}

4
tests/postgresql_db.pp
View file

@ -1,8 +1,8 @@
class { 'postgresql::server':
config_hash => {
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'manage_redhat_firewall' => true,
'listen_addresses' => '*',
'manage_redhat_firewall' => true,
#'ip_mask_deny_postgres_user' => '0.0.0.0/32',
#'postgres_password' => 'puppet',

8
tests/postgresql_user.pp
View file

@ -1,10 +1,10 @@
class { 'postgresql::server':
config_hash => {
'ip_mask_deny_postgres_user' => '0.0.0.0/32',
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'manage_redhat_firewall' => true,
'postgres_password' => 'postgres',
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'manage_redhat_firewall' => true,
'postgres_password' => 'postgres',
},
}

9
tests/server.pp
View file

@ -1,9 +1,10 @@
class { 'postgresql::server':
config_hash => {
'ip_mask_deny_postgres_user' => '0.0.0.0/32',
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'manage_redhat_firewall' => true,
'postgres_password' => 'postgres',
'ip_mask_allow_all_users' => '0.0.0.0/0',
'listen_addresses' => '*',
'ipv4acls' => ['hostssl all johndoe 192.168.0.0/24 cert'],
'manage_redhat_firewall' => true,
'postgres_password' => 'postgres',
},
}