opuppet/module-postgresql
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Create the pg_ident_rule defined type

Browse source 
This allows us to declare user map as easilly as pg_hba entries.
This commit is contained in:
txaj 2014-07-24 15:04:02 -05:00 committed by txaj
parent 3ed43705cf
commit e2b0bdd26f
8 changed files with 141 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
README.md
View file

@ -240,6 +240,7 @@ Resources:
* [postgresql::server::database](#resource-postgresqlserverdatabase) * [postgresql::server::database](#resource-postgresqlserverdatabase)
* [postgresql::server::database_grant](#resource-postgresqlserverdatabasegrant) * [postgresql::server::database_grant](#resource-postgresqlserverdatabasegrant)
* [postgresql::server::pg_hba_rule](#resource-postgresqlserverpghbarule) * [postgresql::server::pg_hba_rule](#resource-postgresqlserverpghbarule)
* [postgresql::server::pg_ident_rule](#resource-postgresqlserverpgidentrule)
* [postgresql::server::role](#resource-postgresqlserverrole) * [postgresql::server::role](#resource-postgresqlserverrole)
* [postgresql::server::table_grant](#resource-postgresqlservertablegrant) * [postgresql::server::table_grant](#resource-postgresqlservertablegrant)
* [postgresql::server::tablespace](#resource-postgresqlservertablespace) * [postgresql::server::tablespace](#resource-postgresqlservertablespace)
@ -326,6 +327,9 @@ Path to the `psql` command.
####`pg_hba_conf_path` ####`pg_hba_conf_path`
Path to your `pg\_hba.conf` file. Path to your `pg\_hba.conf` file.
####`pg_ident_conf_path`
Path to your `pg\_ident.conf` file.
####`postgresql_conf_path` ####`postgresql_conf_path`
Path to your `postgresql.conf` file. Path to your `postgresql.conf` file.
@ -434,6 +438,9 @@ Path to the `psql` command.
####`pg_hba_conf_path` ####`pg_hba_conf_path`
Path to your `pg\_hba.conf` file. Path to your `pg\_hba.conf` file.
####`pg_ident_conf_path`
Path to your `pg\_ident.conf` file.
####`postgresql_conf_path` ####`postgresql_conf_path`
Path to your `postgresql.conf` file. Path to your `postgresql.conf` file.
@ -468,6 +475,8 @@ This value defaults to `false`. Many distros ship with a fairly restrictive fire
####`manage_pg_hba_conf` ####`manage_pg_hba_conf`
This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file. This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
####`manage_pg_ident_conf`
This value defaults to `true`. Whether or not manage the pg_ident.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
###Class: postgresql::client ###Class: postgresql::client
@ -667,6 +676,24 @@ This would create a ruleset in `pg_hba.conf` similar to:
# Order: 150 # Order: 150
host app app 200.1.2.0/24 md5 host app app 200.1.2.0/24 md5
###Resource: postgresql::server::pg\_ident\_rule
This defined type allows you to create user name maps for `pg_ident.conf`. For more details see the [PostgreSQL documentation](http://www.postgresql.org/docs/9.4/static/auth-username-maps.html).
For example:
postgresql::server::pg_ident_rule{ 'Map the SSL certificate of the backup server as a replication user':
map_name => 'sslrepli',
system_username => 'repli1.example.com',
database_username => 'replication',
}
This would create a user name map in `pg_ident.conf` similar to:
# Rule Name: Map the SSL certificate of the backup server as a replication user
# Description: none
# Order: 150
sslrepli repli1.example.com replication
####`namevar` ####`namevar`
A unique identifier or short description for this rule. The namevar doesn't provide any functional usage, but it is stored in the comments of the produced `pg_hba.conf` so the originating resource can be identified. A unique identifier or short description for this rule. The namevar doesn't provide any functional usage, but it is stored in the comments of the produced `pg_hba.conf` so the originating resource can be identified.

2
manifests/globals.pp
View file

@ -20,6 +20,7 @@ class postgresql::globals (
$createdb_path = undef, $createdb_path = undef,
$psql_path = undef, $psql_path = undef,
$pg_hba_conf_path = undef, $pg_hba_conf_path = undef,
$pg_ident_conf_path = undef,
$postgresql_conf_path = undef, $postgresql_conf_path = undef,
$pg_hba_conf_defaults = undef, $pg_hba_conf_defaults = undef,
@ -42,6 +43,7 @@ class postgresql::globals (
$manage_firewall = undef, $manage_firewall = undef,
$manage_pg_hba_conf = undef, $manage_pg_hba_conf = undef,
$manage_pg_ident_conf = undef,
$firewall_supported = undef, $firewall_supported = undef,
$manage_package_repo = undef $manage_package_repo = undef

2
manifests/params.pp
View file

@ -15,6 +15,7 @@ class postgresql::params inherits postgresql::globals {
$service_provider = $service_provider $service_provider = $service_provider
$manage_firewall = $manage_firewall $manage_firewall = $manage_firewall
$manage_pg_hba_conf = pick($manage_pg_hba_conf, true) $manage_pg_hba_conf = pick($manage_pg_hba_conf, true)
$manage_pg_ident_conf = pick($manage_pg_ident_conf, true)
$package_ensure = 'present' $package_ensure = 'present'
# Amazon Linux's OS Family is 'Linux', operating system 'Amazon'. # Amazon Linux's OS Family is 'Linux', operating system 'Amazon'.
@ -198,6 +199,7 @@ class postgresql::params inherits postgresql::globals {
$createdb_path = pick($createdb_path, "${bindir}/createdb") $createdb_path = pick($createdb_path, "${bindir}/createdb")
$pg_hba_conf_path = pick($pg_hba_conf_path, "${confdir}/pg_hba.conf") $pg_hba_conf_path = pick($pg_hba_conf_path, "${confdir}/pg_hba.conf")
$pg_hba_conf_defaults = pick($pg_hba_conf_defaults, true) $pg_hba_conf_defaults = pick($pg_hba_conf_defaults, true)
$pg_ident_conf_path = pick($pg_ident_conf_path, "${confdir}/pg_ident.conf")
$postgresql_conf_path = pick($postgresql_conf_path, "${confdir}/postgresql.conf") $postgresql_conf_path = pick($postgresql_conf_path, "${confdir}/postgresql.conf")
$default_database = pick($default_database, 'postgres') $default_database = pick($default_database, 'postgres')
} }

2
manifests/server.pp
View file

@ -26,6 +26,7 @@ class postgresql::server (
$createdb_path = $postgresql::params::createdb_path, $createdb_path = $postgresql::params::createdb_path,
$psql_path = $postgresql::params::psql_path, $psql_path = $postgresql::params::psql_path,
$pg_hba_conf_path = $postgresql::params::pg_hba_conf_path, $pg_hba_conf_path = $postgresql::params::pg_hba_conf_path,
$pg_ident_conf_path = $postgresql::params::pg_ident_conf_path,
$postgresql_conf_path = $postgresql::params::postgresql_conf_path, $postgresql_conf_path = $postgresql::params::postgresql_conf_path,
$datadir = $postgresql::params::datadir, $datadir = $postgresql::params::datadir,
@ -43,6 +44,7 @@ class postgresql::server (
$manage_firewall = $postgresql::params::manage_firewall, $manage_firewall = $postgresql::params::manage_firewall,
$manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf, $manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf,
$manage_pg_ident_conf = $postgresql::params::manage_pg_ident_conf,
$firewall_supported = $postgresql::params::firewall_supported, $firewall_supported = $postgresql::params::firewall_supported,
#Deprecated #Deprecated

13
manifests/server/config.pp
View file

@ -7,12 +7,14 @@ class postgresql::server::config {
$ipv4acls = $postgresql::server::ipv4acls $ipv4acls = $postgresql::server::ipv4acls
$ipv6acls = $postgresql::server::ipv6acls $ipv6acls = $postgresql::server::ipv6acls
$pg_hba_conf_path = $postgresql::server::pg_hba_conf_path $pg_hba_conf_path = $postgresql::server::pg_hba_conf_path
$pg_ident_conf_path = $postgresql::server::pg_ident_conf_path
$postgresql_conf_path = $postgresql::server::postgresql_conf_path $postgresql_conf_path = $postgresql::server::postgresql_conf_path
$pg_hba_conf_defaults = $postgresql::server::pg_hba_conf_defaults $pg_hba_conf_defaults = $postgresql::server::pg_hba_conf_defaults
$user = $postgresql::server::user $user = $postgresql::server::user
$group = $postgresql::server::group $group = $postgresql::server::group
$version = $postgresql::server::version $version = $postgresql::server::version
$manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf $manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf
$manage_pg_ident_conf = $postgresql::server::manage_pg_hba_conf
if ($manage_pg_hba_conf == true) { if ($manage_pg_hba_conf == true) {
# Prepare the main pg_hba file # Prepare the main pg_hba file
@ -107,4 +109,15 @@ class postgresql::server::config {
replace => false, replace => false,
} }
} }
if ($manage_pg_ident_conf == true) {
concat { $pg_ident_conf_path:
owner => $user,
group => $group,
force => true, # do not crash if there is no pg_ident_rules
mode => '0640',
warn => true,
notify => Class['postgresql::server::reload'],
}
}
} }

27
manifests/server/pg_ident_rule.pp Normal file
View file

@ -0,0 +1,27 @@
# This resource manages an individual rule that applies to the file defined in
# $target. See README.md for more details.
define postgresql::server::pg_ident_rule(
$map_name,
$system_username,
$database_username,
$description = 'none',
$order = '150',
# Needed for testing primarily, support for multiple files is not really
# working.
$target = $postgresql::server::pg_ident_conf_path
) {
if $postgresql::server::manage_pg_ident_conf == false {
fail('postgresql::server::manage_pg_ident_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
} else {
# Create a rule fragment
$fragname = "pg_ident_rule_${name}"
concat::fragment { $fragname:
target => $target,
content => template('postgresql/pg_ident_rule.conf'),
order => $order,
}
}
}

63
spec/unit/defines/server/pg_ident_rule_spec.rb Normal file
View file

@ -0,0 +1,63 @@
require 'spec_helper'
describe 'postgresql::server::pg_ident_rule', :type => :define do
let :facts do
{
:osfamily => 'Debian',
:operatingsystem => 'Debian',
:operatingsystemrelease => '6.0',
:kernel => 'Linux',
:concat_basedir => tmpfilename('pg_ident'),
:id => 'root',
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
end
let :title do
'test'
end
let :target do
tmpfilename('pg_ident_rule')
end
context 'test template 1' do
let :pre_condition do
<<-EOS
class { 'postgresql::server': }
EOS
end
let :params do
{
:map_name => 'thatsmymap',
:system_username => 'systemuser',
:database_username => 'dbuser',
}
end
it do
is_expected.to contain_concat__fragment('pg_ident_rule_test').with({
:content => /thatsmymap\s+systemuser\s+dbuser/
})
end
end
context 'not managing pg_ident' do
let :pre_condition do
<<-EOS
class { 'postgresql::globals':
manage_pg_ident_conf => false,
}
class { 'postgresql::server': }
EOS
end
let :params do
{
:map_name => 'thatsmymap',
:system_username => 'systemuser',
:database_username => 'dbuser',
}
end
it 'should fail because $manage_pg_ident_conf is false' do
expect {subject}.to raise_error(Puppet::Error,
/postgresql::server::manage_pg_ident_conf has been disabled/)
end
end
end

5
templates/pg_ident_rule.conf Normal file
View file

@ -0,0 +1,5 @@
# Rule Name: <%=@name%>
# Description: <%=@description%>
# Order: <%=@order%>
<%=@map_name%> <%=@system_username%> <%=@database_username%>