Commit graph

2 commits

Author SHA1 Message Date
Chris Price
1175ea20d6 Add postgresql::db convenience type, improve security
This commit adds a postgresql::db type for convenience;
it mirrors the 'db' type from the mysql module, which
allows you to create a database instance and user plus
grant privileges to that user all in one succint
resource.

This commit also improves security in the following ways:

* Revoke "CONNECT" privilege from the 'public' role for
  newly created databases; without this, any database
  created via this module will allow connections from
  any database user, and will allow them to do things
  like create tables.

* Change to a 'reject'-based policy for dealing with
  remote connections by the postgres user in pg_hba.conf.
  Prior to this commit, if you tried to restrict access
  to the postgres user by IP, the rule would simply not
  match for disallowed IPs; then it would fall through
  to the rule for "all" users, which could still match
  and thus allow the postgres user to connect remotely.
2012-06-09 09:23:11 -07:00
Chris Price
ba802475ff Improve configuration for initial postgres install
This commit adds some configuration management for
postgres, to allow users to get a more complete
setup from their initial install.  Prior to this
commit, we were basically only ensuring that the
package was installed and the service was running.

Now, we support limited configuration for the
pg_hba.conf file to enable md5 authentication for
remote hosts, and for the postgresql.conf file
to specify the listener addresses where TCP
connections should be accepted.  Without these
two changes the initial postgres configuration
doesn't allow *any* connections from outside of the
local host.

This commit also adds an option for opening up the
postgres port in the firewall on redhat-based systems,
and an option to allow setting the password for the
'postgres' database user.

As of this commit, this module now has dependencies
on puppetlabs-stdlib (version > 2.3.4, which includes
the new 'match' parameter for the 'file_line' resource
type), and on puppetlabs-firewall.
2012-06-08 14:00:24 -07:00