1175ea20d6
This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succinct resource.

This commit also improves security in the following ways:

* Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables.
* Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely.
30 lines
806 B
Puppet
class { 'postgresql::server':
  config_hash => {
    'ip_mask_allow_all_users' => '0.0.0.0/0',
    'listen_addresses' => '*',
    'manage_redhat_firewall' => true,

    #'ip_mask_deny_postgres_user' => '0.0.0.0/32',
    #'postgres_password' => 'puppet',
  },
}

postgresql::db { 'test1':
  user => 'test1',
  password => 'test1',
  grant => 'all',
}

postgresql::db { 'test2':
  user => 'test2',
  password => postgresql_password('test2', 'test2'),
  grant => 'all',
}

postgresql::db { 'test3':
  user => 'test3',
  # The password here is a copy/paste of the output of the 'postgresql_password'
  # function from this module, with a u/p of 'test3', 'test3'.
  password => 'md5e12234d4575a12bfd61d61294f32b086',
  grant => 'all',
}
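The pg_hba.conf fall-through described in the commit message can be reproduced with a small first-match evaluator. This is an added example, not code from the module: the two rule sets, the client address 203.0.113.7 and the function names are constructed for illustration, and the sketch models only `host` records whose database and user fields are a literal name or `all`.

```python
import ipaddress

# Constructed rule sets; these are not the module's actual pg_hba.conf template.
ALLOW_BASED = """
host all postgres 127.0.0.1/32 md5   # intended: postgres only from loopback
host all all      0.0.0.0/0    md5   # every user, from anywhere
"""

REJECT_BASED = """
host all postgres 127.0.0.1/32 md5
host all postgres 0.0.0.0/0    reject  # explicit stop for remote postgres logins
host all all      0.0.0.0/0    md5
"""


def parse_hba(text):
    """Parse 'host' records of the form: TYPE DATABASE USER ADDRESS METHOD."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        kind, database, user, address, method = line.split()[:5]
        if kind != "host":
            continue  # this sketch only models TCP/IP 'host' records
        rules.append((database, user, ipaddress.ip_network(address), method))
    return rules


def decide(rules, user, database, client_ip):
    """Return the method of the first matching record, as PostgreSQL does."""
    ip = ipaddress.ip_address(client_ip)
    for rule_db, rule_user, network, method in rules:
        if rule_db not in ("all", database):
            continue
        if rule_user not in ("all", user):
            continue
        if ip.version != network.version or ip not in network:
            continue
        return method  # first match wins; later records are never consulted
    return "reject"    # no record matched: the connection is refused


if __name__ == "__main__":
    for name, text in (("allow-based", ALLOW_BASED), ("reject-based", REJECT_BASED)):
        outcome = decide(parse_hba(text), "postgres", "test1", "203.0.113.7")
        print(f"{name}: remote postgres login -> {outcome}")
```

A result of `md5` means the connection proceeds to password authentication, so under the allow-based rules a remote postgres login is stopped only by the password, while the reject-based rules refuse it before authentication.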