# puppet-postgresql
# For all details and documentation:
# http://github.com/inkling/puppet-postgresql
#
# Copyright 2012- Inkling Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# TODO: in mysql module, the grant resource name might look like this: 'user@host/dbname';
# I think that the API for the resource type should split these up, because it's
# easier / safer to recombine them for mysql than it is to parse them for other
# databases. Also, in the mysql module, the hostname portion of that string
# affects the user's ability to connect from remote hosts. In postgres this is
# managed via pg_hba.conf; not sure if we want to try to reconcile that difference
# in the modules or not.

# == Define: postgresql::database_grant
#
# Grants one privilege on a database to a role by declaring a postgresql_psql
# resource whose title is the GRANT statement. The statement is skipped when
# the `unless` query (built on has_database_privilege) already returns a row.
#
# === Parameters
#
# [*privilege*] Privilege name placed verbatim into the GRANT statement.
#               'ALL' is checked as 'CREATE' in the guard query (see below).
# [*db*]        Name of the database the privilege is granted on.
# [*role*]      Role that receives the privilege.
# [*psql_db*]   Passed to postgresql_psql as `db`; defaults to 'postgres'.
# [*psql_user*] Passed to postgresql_psql as `psql_user`; defaults to
#               'postgres'.
#
# === Security notes
#
# $privilege, $db and $role are interpolated without any quoting or escaping:
# unquoted into the GRANT statement, and inside single-quoted SQL literals in
# the guard query. A value containing a quote or other SQL syntax changes the
# statement that is executed, by default as the 'postgres' user. Pass only
# values that are fixed in trusted manifests or validated upstream; do not
# feed this define from facts or other externally supplied data unchecked.
define postgresql::database_grant(
  # TODO: mysql supports an array of privileges here. We should do that if we
  # port this to ruby.
  $privilege,
  $db,
  $role,
  $psql_db   = 'postgres',
  $psql_user = 'postgres'
) {

  include postgresql::params

  # TODO: FIXME: database-level grants only, because the guard query relies on
  # has_database_privilege.

  # TODO: known hack. has_database_privilege does not accept 'ALL' as a
  # privilege name, so there is no direct way to test for it. A proper fix is
  # a hard-coded mapping from 'ALL' to the privileges it entails, checked one
  # by one; that will probably wait until this is ported to ruby. Until then a
  # role that already holds CREATE on the database is treated as holding ALL.
  # Consequence: such a role is not granted whatever else ALL would add, and
  # the catalog still reports the resource as in sync.
  $unless_privilege = $privilege ? {
    'ALL'   => 'CREATE',
    default => $privilege,
  }

  # The title doubles as the SQL to run; `unless` makes the grant idempotent.
  # NOTE(review): both strings are built by plain interpolation -- see the
  # security notes in the header before passing non-literal values.
  postgresql_psql { "GRANT ${privilege} ON database ${db} TO ${role}":
    db        => $psql_db,
    psql_user => $psql_user,
    unless    => "SELECT 1 WHERE has_database_privilege('${role}', '${db}', '${unless_privilege}')",
    cwd       => $postgresql::params::datadir,
  }
}