The change introduced in b781849882 added
a complex operation that was not handled correctly for all operating
systems. This fix includes the following corrections:
- Change the systemd config and reload systemd for datadir changes in
RHEL 7, and move configuration for this into
postgresql::server::config since it is managing both the PGDATA and
PGPORT variables
- Make sure Debian systems stop the service before changing the datadir
- Recreate cert links after running initdb in Debian and early ubuntu
- Change the port in the port spec to avoid selinux issues
- Turn off selinux in pgdata spec to avoid selinux issues
- Correct syntax for describing presence of a directory in pgdata spec
- Move the pgdata spec to the end of the tests so that puppet doesn't
have to manager purging and recreating the original datadir
- Update README to describe all caveats of using this parameter
This patch provides a more advanced way of managing pg_hba rules, by providing a
defined resource to manage a pg_hba file, and a defined resource for managing
rules within such a file (pg_hba_rule).
These new resources are wrappers around ripinaar-concat, and utilise file
assemblies instead of a template to compose the pg_hba.conf file.
I've provided a function that interprets the old ip4|6acl arrays and converts
them to this new format for backwards compatibility as well.
I slightly reformatted our documentation to allow for better documentation of
defined resources in 'Usage' as well, and provided examples of how to use this
new resource.
This hopefully should go a long way to solving the PR's related to lack of full
functionality for pg_hba.conf.
Signed-off-by: Ken Barber <ken@bob.sh>
Moved the ip mask for allowing remote access for other users to the end of the IPv4 section
so that it doesn't block access to the DB via local loopback for other forms of authentication (such as LDAP).
This commit fixes up the `postgres_default_version` fact so that
it doesn't use apt/yum (slow), and instead just has a hard-coded
list of default postgres versions for various OS versions. We
will need to add new OS versions to this fact over time, but that
seems preferable to the previous implementation which was causing
slower puppet runs on all nodes (regardless of whether they were
actually using postgres or not).
This commit adds a postgresql::db type for convenience;
it mirrors the 'db' type from the mysql module, which
allows you to create a database instance and user plus
grant privileges to that user all in one succint
resource.
This commit also improves security in the following ways:
* Revoke "CONNECT" privilege from the 'public' role for
newly created databases; without this, any database
created via this module will allow connections from
any database user, and will allow them to do things
like create tables.
* Change to a 'reject'-based policy for dealing with
remote connections by the postgres user in pg_hba.conf.
Prior to this commit, if you tried to restrict access
to the postgres user by IP, the rule would simply not
match for disallowed IPs; then it would fall through
to the rule for "all" users, which could still match
and thus allow the postgres user to connect remotely.
This commit adds some configuration management for
postgres, to allow users to get a more complete
setup from their initial install. Prior to this
commit, we were basically only ensuring that the
package was installed and the service was running.
Now, we support limited configuration for the
pg_hba.conf file to enable md5 authentication for
remote hosts, and for the postgresql.conf file
to specify the listener addresses where TCP
connections should be accepted. Without these
two changes the initial postgres configuration
doesn't allow *any* connections from outside of the
local host.
This commit also adds an option for opening up the
postgres port in the firewall on redhat-based systems,
and an option to allow setting the password for the
'postgres' database user.
As of this commit, this module now has dependencies
on puppetlabs-stdlib (version > 2.3.4, which includes
the new 'match' parameter for the 'file_line' resource
type), and on puppetlabs-firewall.
