Merge branch 'master' into cprice-puppet-feature/master/port-psql-to-ruby

Conflicts: manifests/database.pp manifests/database_grant.pp manifests/psql.pp manifests/role.pp
2012-11-30 15:49:07 -08:00 · 2012-11-30 15:49:07 -08:00 · 76fcf269d8
commit 76fcf269d8
parent 2a922f104a 338ae56b8c
22 changed files with 122 additions and 91 deletions
--- a/2
+++ b/2
@ -7,5 +7,5 @@ summary 'PostgreSQL defined resource types'
 license 'Apache'
 project_page 'https://github.com/puppetlabs/puppet-postgresql/issues'

-dependency 'puppetlabs/stdlib', '2.x'
+dependency 'puppetlabs/stdlib', '3.x'
 dependency 'puppetlabs/firewall', '>= 0.0.4'
--- a/README.md
+++ b/README.md
@ -15,8 +15,8 @@ This module provides the following defined resource types for managing postgres:
 * `postgresql::initdb`
 * `postgresql::db`
 * `postgresql::role`
- * `postgresql::user` (just for clarity; users are roles in postgres)
- * `postgresql::grant`
+ * `postgresql::database_user` (just for clarity; users are roles in postgres)
+ * `postgresql::database_grant`

 And the fallback, analogous to exec resources, only for SQL statements:

@ -39,6 +39,7 @@ class { 'postgresql::server':
        'ip_mask_deny_postgres_user' => '0.0.0.0/32',
        'ip_mask_allow_all_users'    => '0.0.0.0/0',
        'listen_addresses'           => '*',
+        'ipv4acls'                   => ['hostssl all johndoe 192.168.0.0/24 cert'],
        'manage_redhat_firewall'     => true,
        'postgres_password'          => 'TPSrep0rt!',
    },
@ -48,11 +49,11 @@ class { 'postgresql::server':
 Manage users / roles and permissions:

 ```Puppet
-postgresql::user{'marmot':
+postgresql::database_user{'marmot':
    password => 'foo',
 }

-postgresql::grant{'grant select to marmot':
+postgresql::database_grant{'grant select to marmot':
   grantee   => 'marmot',
   on_object => 'my_table',
   perm      => 'select',
--- a/manifests/config.pp
+++ b/manifests/config.pp
@ -9,6 +9,10 @@
 #                                       defaults to '127.0.0.1/32', meaning only allow connections from localhost
 #   [*listen_addresses*]             - what IP address(es) to listen on; comma-separated list of addresses; defaults to
 #                                       'localhost', '*' = all
+#   [*ipv4acls*]                     - list of strings for access control for connection method, users, databases, IPv4
+#                                       addresses; see postgresql documentation about pg_hba.conf for information
+#   [*ipv6acls*]                     - list of strings for access control for connection method, users, databases, IPv6
+#                                       addresses; see postgresql documentation about pg_hba.conf for information
 #   [*pg_hba_conf_path*]             - path to pg_hba.conf file
 #   [*postgresql_conf_path*]         - path to postgresql.conf file
 #   [*manage_redhat_firewall*]       - boolean indicating whether or not the module should open a port in the firewall on
@ -33,6 +37,8 @@ class postgresql::config(
  $ip_mask_deny_postgres_user   = $postgresql::params::ip_mask_deny_postgres_user,
  $ip_mask_allow_all_users      = $postgresql::params::ip_mask_allow_all_users,
  $listen_addresses             = $postgresql::params::listen_addresses,
+  $ipv4acls                     = $postgresql::params::ipv4acls,
+  $ipv6acls                     = $postgresql::params::ipv6acls,
  $pg_hba_conf_path             = $postgresql::params::pg_hba_conf_path,
  $postgresql_conf_path         = $postgresql::params::postgresql_conf_path,
  $manage_redhat_firewall       = $postgresql::params::manage_redhat_firewall
@ -42,16 +48,18 @@ class postgresql::config(
    #  to the "beforeservice" and "afterservice" classes, and ensure
    #  the proper ordering.

-    class { "postgresql::config::beforeservice":
+    class { 'postgresql::config::beforeservice':
      ip_mask_deny_postgres_user    => $ip_mask_deny_postgres_user,
      ip_mask_allow_all_users       => $ip_mask_allow_all_users,
      listen_addresses              => $listen_addresses,
+      ipv4acls                      => $ipv4acls,
+      ipv6acls                      => $ipv6acls,
      pg_hba_conf_path              => $pg_hba_conf_path,
      postgresql_conf_path          => $postgresql_conf_path,
      manage_redhat_firewall        => $manage_redhat_firewall,
    }

-    class { "postgresql::config::afterservice":
+    class { 'postgresql::config::afterservice':
      postgres_password        => $postgres_password,
    }

--- a/manifests/config/afterservice.pp
+++ b/manifests/config/afterservice.pp
@ -28,7 +28,7 @@ class postgresql::config::afterservice(
    #  for pg_hba.conf.
    exec { 'set_postgres_postgrespw':
        # This command works w/no password because we run it as postgres system user
-        command     => "psql -c \"ALTER ROLE postgres PASSWORD '$postgres_password'\"",
+        command     => "psql -c \"ALTER ROLE postgres PASSWORD '${postgres_password}'\"",
        user        => $postgresql::params::user,
        group       => $postgresql::params::group,
        logoutput   => true,
@ -37,8 +37,8 @@ class postgresql::config::afterservice(
        #  a password.  We specify the password via the PGPASSWORD environment variable.  If
        #  the password is correct (current), this command will exit with an exit code of 0,
        #  which will prevent the main command from running.
-        unless      => "env PGPASSWORD=\"$postgres_password\" psql -h localhost -c 'select 1' > /dev/null",
-        path        => '/usr/bin:/usr/local/bin',
+        unless      => "env PGPASSWORD=\"${postgres_password}\" psql -h localhost -c 'select 1' > /dev/null",
+        path        => '/usr/bin:/usr/local/bin:/bin',
    }
  }
 }
--- a/manifests/config/beforeservice.pp
+++ b/manifests/config/beforeservice.pp
@ -8,6 +8,10 @@
 #                                       defaults to '127.0.0.1/32', meaning only allow connections from localhost
 #   [*listen_addresses*]        - what IP address(es) to listen on; comma-separated list of addresses; defaults to
 #                                    'localhost', '*' = all
+#   [*ipv4acls*]                - list of strings for access control for connection method, users, databases, IPv4
+#                                    addresses; see postgresql documentation about pg_hba.conf for information
+#   [*ipv6acls*]                - list of strings for access control for connection method, users, databases, IPv6
+#                                    addresses; see postgresql documentation about pg_hba.conf for information
 #   [*pg_hba_conf_path*]        - path to pg_hba.conf file
 #   [*postgresql_conf_path*]    - path to postgresql.conf file
 #   [*manage_redhat_firewall*]  - boolean indicating whether or not the module should open a port in the firewall on
@ -33,6 +37,8 @@ class postgresql::config::beforeservice(
  $ip_mask_deny_postgres_user   = $postgresql::params::ip_mask_deny_postgres_user,
  $ip_mask_allow_all_users      = $postgresql::params::ip_mask_allow_all_users,
  $listen_addresses             = $postgresql::params::listen_addresses,
+  $ipv4acls                     = $postgresql::params::ipv4acls,
+  $ipv6acls                     = $postgresql::params::ipv6acls,
  $pg_hba_conf_path             = $postgresql::params::pg_hba_conf_path,
  $postgresql_conf_path         = $postgresql::params::postgresql_conf_path,
  $manage_redhat_firewall       = $postgresql::params::manage_redhat_firewall
@ -49,8 +55,8 @@ class postgresql::config::beforeservice(
  file { 'pg_hba.conf':
    ensure      => file,
    path        => $pg_hba_conf_path,
-    content     => template("postgresql/pg_hba.conf.erb"),
-    notify      => Service['postgresqld'],
+    content     => template('postgresql/pg_hba.conf.erb'),
+    notify      => Exec['reload_postgresql'],
  }

  # We must set a "listen_addresses" line in the postgresql.conf if we
@ -67,13 +73,13 @@ class postgresql::config::beforeservice(
  #        an out-of-the-box firewall configuration that seems trickier to manage
  # TODO: get rid of hard-coded port
  if ($manage_redhat_firewall and $firewall_supported) {
-      exec { "postgresql-persist-firewall":
+      exec { 'postgresql-persist-firewall':
        command     => $persist_firewall_command,
        refreshonly => true,
      }

      Firewall {
-        notify => Exec["postgresql-persist-firewall"]
+        notify => Exec['postgresql-persist-firewall']
      }

      firewall { '5432 accept - postgres':
--- a/manifests/database.pp
+++ b/manifests/database.pp
@ -25,11 +25,11 @@ define postgresql::database(
 {
  require postgresql::params

-  if ($::postgres_default_version != "8.1") {
-    $locale_option = "--locale=C"
+  if ($::postgres_default_version != '8.1') {
+    $locale_option = '--locale=C'
  }

-  $createdb_command = "${postgresql::params::createdb_path} --template=template0 --encoding '$charset' $locale_option '$dbname'"
+  $createdb_command = "${postgresql::params::createdb_path} --template=template0 --encoding '${charset}' ${locale_option} '${dbname}'"

  postgresql_psql { "Check for existence of db '$dbname'":
    command => "SELECT 1",
--- a/manifests/database_user.pp
+++ b/manifests/database_user.pp
@ -38,12 +38,12 @@
 #

 define postgresql::database_user(
-    $user=$title,
    $password_hash,
-    $db = 'postgres',
    $createdb   = false,
+    $createrole = false,
+    $db         = 'postgres',
    $superuser  = false,
-    $createrole=false
+    $user       = $title
 ) {
  postgresql::role { $user:
    db              => $db,
--- a/manifests/db.pp
+++ b/manifests/db.pp
@ -46,20 +46,22 @@ define postgresql::db (
    require     => Class['postgresql::server'],
  }

-  postgresql::database_user { "${user}":
+  if ! defined(Postgresql::Database_user[$user]) {
+    postgresql::database_user { $user:
      # TODO: ensure is not yet supported
      #ensure         => present,
      password_hash   => $password,
      #provider       => 'postgresql',
      require         => Postgresql::Database[$name],
    }
+  }

  postgresql::database_grant { "GRANT ${user} - ${grant} - ${name}":
    privilege       => $grant,
    db              => $name,
    role            => $user,
    #provider       => 'postgresql',
-    require         => Postgresql::Database_user["${user}"],
+    require         => Postgresql::Database_user[$user],
  }

 }
--- a/manifests/devel.pp
+++ b/manifests/devel.pp
@ -20,7 +20,7 @@ class postgresql::devel(
  require postgresql

  package { 'postgresql_devel':
-    name   => $package_name,
    ensure => $package_ensure,
+    name   => $package_name,
  }
 }
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -17,8 +17,8 @@ class postgresql (
 ) inherits postgresql::params {

  package { 'postgresql_client':
-    name    => $package_name,
    ensure  => $package_ensure,
+    name    => $package_name,
  }

 }
--- a/manifests/initdb.pp
+++ b/manifests/initdb.pp
@ -18,16 +18,17 @@

 class postgresql::initdb(
  $datadir     = $postgresql::params::datadir,
-  $initdb_path = $postgresql::params::initdb_path,
-  $user = 'postgres',
-  $group = 'postgres',
  $encoding    = 'UTF8',
-  $options=''
+  $group       = 'postgres',
+  $initdb_path = $postgresql::params::initdb_path,
+  $options     = '',
+  $user        = 'postgres'
 ) inherits postgresql::params {

-  exec {"${initdb_path} --encoding '$encoding' --pgdata '$datadir'":
+  exec { "${initdb_path} --encoding '${encoding}' --pgdata '${datadir}'":
    creates => "${datadir}/PG_VERSION",
-    user    => "$user",
-    group   => "$group",
+    user    => $user,
+    group   => $group,
+    require => Package["$postgresql::params::server_package_name"],
  }
 }
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -16,6 +16,8 @@ class postgresql::params {
  $ip_mask_deny_postgres_user   = '0.0.0.0/0'
  $ip_mask_allow_all_users      = '127.0.0.1/32'
  $listen_addresses             = 'localhost'
+  $ipv4acls                     = []
+  $ipv6acls                     = []
  # TODO: figure out a way to make this not platform-specific
  $manage_redhat_firewall       = false

@ -55,14 +57,14 @@ class postgresql::params {
    'Debian': {
      case $::operatingsystem {
        'Debian': {
-            $service_name       = "postgresql"
+            $service_name       = 'postgresql'
        }

        'Ubuntu': {
            case $::lsbmajdistrelease {
                # thanks, ubuntu
                '10':       { $service_name = "postgresql-${::postgres_default_version}" }
-                default:    { $service_name = "postgresql" }
+                default:    { $service_name = 'postgresql' }
            }
        }
      }
--- a/manifests/psql.pp
+++ b/manifests/psql.pp
@ -17,11 +17,11 @@
 # limitations under the License.

 define postgresql::psql(
-    $command = $title,
-    $unless,
    $db,
-    $user = 'postgres',
-    $refreshonly = false
+    $unless,
+    $command     = $title,
+    $refreshonly = false,
+    $user        = 'postgres'
 ) {

  require postgresql::params
@ -30,13 +30,13 @@ define postgresql::psql(
  # things but not nested escaping.  Need a lexer, preferably a ruby SQL parser
  # to catch errors at catalog time.  Possibly https://github.com/omghax/sql ?

-  if ($::postgres_default_version != "8.1") {
-    $no_password_option = "--no-password"
+  if ($::postgres_default_version != '8.1') {
+    $no_password_option = '--no-password'
  }

-  $psql = "${postgresql::params::psql_path} $no_password_option --tuples-only --quiet --dbname $db"
-  $quoted_command = regsubst($command, '"', '\\"')
-  $quoted_unless  = regsubst($unless,  '"', '\\"')
+  $psql = "${postgresql::params::psql_path} ${no_password_option} --tuples-only --quiet --dbname ${db}"
+  $quoted_command = regsubst($command, '"', '\\"', 'G')
+  $quoted_unless  = regsubst($unless,  '"', '\\"', 'G')

  $final_cmd = "/bin/echo \"$quoted_command\" | $psql |egrep -v -q '^$'"

@ -48,7 +48,7 @@ define postgresql::psql(
    cwd         => '/tmp',
    user        => $user,
    returns     => 1,
-    unless      => "/bin/echo \"$quoted_unless\" | $psql | egrep -v -q '^$'",
+    unless      => "/bin/echo \"${quoted_unless}\" | ${psql} | egrep -v -q '^$'",
    refreshonly => $refreshonly,
  }
 }
--- a/manifests/role.pp
+++ b/manifests/role.pp
@ -17,13 +17,13 @@
 # limitations under the License.

 define postgresql::role(
-    $username=$title,
    $password_hash,
+    $createdb   = false,
+    $createrole = false,
    $db         = 'postgres',
    $login      = false,
-    $createrole=false,
-    $createdb=false,
-    $superuser=false
+    $superuser  = false,
+    $username   = $title
 ) {

  $login_sql      = $login      ? { true => 'LOGIN'     , default => 'NOLOGIN' }
--- a/manifests/server.pp
+++ b/manifests/server.pp
@ -22,8 +22,8 @@ class postgresql::server (
 ) inherits postgresql::params {

  package { 'postgresql-server':
-    name   => $package_name,
    ensure => $package_ensure,
+    name   => $package_name,
  }

  $config_class = {}
@ -41,13 +41,17 @@ class postgresql::server (
  }

  service { 'postgresqld':
-    name     => $service_name,
    ensure   => running,
+    name     => $service_name,
    enable   => true,
    require  => Package['postgresql-server'],
    provider => $service_provider,
    status   => $service_status,
  }

-
+  exec { 'reload_postgresql':
+    path        => '/usr/bin:/usr/sbin:/bin:/sbin',
+    command     => "service ${postgresql::params::service_name} reload",
+    refreshonly => true,
+  }
 }
--- a/manifests/validate_db_connection.pp
+++ b/manifests/validate_db_connection.pp
@ -46,11 +46,11 @@

 define postgresql::validate_db_connection(
    $database_host,
-    $database_port = 5432,
-    $database_username,
-    $database_password,
    $database_name,
-    $client_package_name = ""
+    $database_password,
+    $database_username,
+    $client_package_name = '',
+    $database_port       = 5432
 ) {
    include postgresql::params

@ -65,18 +65,18 @@ define postgresql::validate_db_connection(
    # Make sure the postgres client package is installed; we need it for
    # `psql`.
    package { 'postgresql-client':
-        name   => $package_name,
        ensure => present,
+        name   => $package_name,
    }

    # TODO: port to ruby
-    $psql = "${postgresql::params::psql_path} --tuples-only --quiet -h $database_host -U $database_username -p $database_port --dbname $database_name"
+    $psql = "${postgresql::params::psql_path} --tuples-only --quiet -h ${database_host} -U ${database_username} -p ${database_port} --dbname ${database_name}"

-    $exec_name = "validate postgres connection for $database_host/$database_name"
+    $exec_name = "validate postgres connection for ${database_host}/${database_name}"
    exec { $exec_name:
-      command     => "/bin/echo \"SELECT 1\" | $psql",
+      command     => "/bin/echo \"SELECT 1\" | ${psql}",
      cwd         => '/tmp',
-      environment => "PGPASSWORD=$database_password",
+      environment => "PGPASSWORD=${database_password}",
      logoutput   => 'on_failure',
      require     => Package['postgresql-client'],
    }
--- a/templates/pg_hba.conf.erb
+++ b/templates/pg_hba.conf.erb
@ -83,6 +83,12 @@ local   all         all                               ident <%= "sameuser" if @p
 # IPv4 local connections:
 host    all         postgres    <%= @ip_mask_deny_postgres_user + "\t" %>      reject
 host    all         all         <%= @ip_mask_allow_all_users + "\t" %>      md5
+<% @ipv4acls.each do |acl|; parts = acl.split -%>
+<%= parts[0] + "\t" + parts[1] + "\t" + parts[2] + "\t\t" + parts[3] + "\t\t" + parts[4] + "\t" + parts.last(parts.length - 5).join(" ") %>
+<% end -%>
 # IPv6 local connections:
 host    all         all         ::1/128               md5
+<% @ipv6acls.each do |acl|; parts = acl.split -%>
+<%= parts[0] + "\t" + parts[1] + "\t" + parts[2] + "\t\t" + parts[3] + "\t\t" + parts[4] + "\t" + parts.last(parts.length - 5).join(" ") %>
+<% end -%>

--- a/tests/server.pp
+++ b/tests/server.pp
@ -3,6 +3,7 @@ class { 'postgresql::server':
        'ip_mask_deny_postgres_user' => '0.0.0.0/32',
        'ip_mask_allow_all_users'    => '0.0.0.0/0',
        'listen_addresses'           => '*',
+        'ipv4acls'                   => ['hostssl all johndoe 192.168.0.0/24 cert'],
        'manage_redhat_firewall'     => true,
        'postgres_password'          => 'postgres',
    },