1175ea20d6
This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely.
56 lines
1.5 KiB
Puppet
56 lines
1.5 KiB
Puppet
# puppet-postgresql
|
|
# For all details and documentation:
|
|
# http://github.com/inkling/puppet-postgresql
|
|
#
|
|
# Copyright 2012- Inkling Systems, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Define: mysql::db
|
|
#
|
|
# This type creates a postgres database user.
|
|
#
|
|
# Parameters:
|
|
# [*user*] - username to create.
|
|
# [*password_hash*] - user's password; this may be clear text, or an md5 hash as returned by the
|
|
# "postgresql_password" function in this module.
|
|
#
|
|
# Actions:
|
|
#
|
|
# Requires:
|
|
#
|
|
#
|
|
# Sample Usage:
|
|
#
|
|
# postgresql::database_user { 'frank':
|
|
# password_hash => postgresql_passowrd('password'),
|
|
# }
|
|
#
|
|
|
|
define postgresql::database_user(
|
|
$user=$title,
|
|
$password_hash,
|
|
$db = 'postgres',
|
|
$createdb=false,
|
|
$superuser=false,
|
|
$createrole=false
|
|
) {
|
|
postgresql::role {$user:
|
|
db => $db,
|
|
password_hash => $password_hash,
|
|
login => true,
|
|
createdb => $createdb,
|
|
superuser => $superuser,
|
|
createrole => $createrole,
|
|
}
|
|
}
|