opuppet/module-postgresql
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
module-postgresql/manifests/database.pp
Chris Price 1175ea20d6 Add postgresql::db convenience type, improve security 
This commit adds a postgresql::db type for convenience;
it mirrors the 'db' type from the mysql module, which
allows you to create a database instance and user plus
grant privileges to that user all in one succint
resource.

This commit also improves security in the following ways:

* Revoke "CONNECT" privilege from the 'public' role for
  newly created databases; without this, any database
  created via this module will allow connections from
  any database user, and will allow them to do things
  like create tables.

* Change to a 'reject'-based policy for dealing with
  remote connections by the postgres user in pg_hba.conf.
  Prior to this commit, if you tried to restrict access
  to the postgres user by IP, the rule would simply not
  match for disallowed IPs; then it would fall through
  to the rule for "all" users, which could still match
  and thus allow the postgres user to connect remotely.
2012-06-09 09:23:11 -07:00

45 lines
1.6 KiB
Puppet
Raw Blame History

# puppet-postgresql
# For all details and documentation:
# http://github.com/inkling/puppet-postgresql
#
# Copyright 2012- Inkling Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# TODO: in order to match up more closely with the mysql module, this probably
# needs to be moved over to ruby, and add support for ensurable.
define postgresql::database(
$dbname = $title,
$charset = 'UTF8')
{
require postgresql::params
$createdb_command = "${postgresql::params::createdb_path} --template=template0 --encoding '$charset' --locale=C '$dbname'"
exec { $createdb_command :
unless => "${postgresql::params::psql_path} --command=\"SELECT datname FROM pg_database WHERE datname=\'$dbname\' \" --pset=tuples_only | grep -q $dbname",
user => 'postgres',
}
# This will prevent users from connecting to the database unless they've been
# granted privileges.
postgresql::psql {"REVOKE CONNECT ON DATABASE $dbname FROM public":
db => 'postgres',
user => 'postgres',
unless => 'SELECT 1 where 1 = 0',
refreshonly => true,
subscribe => Exec[$createdb_command],
}
}
Reference in a new issue View git blame Copy permalink