1175ea20d6
This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succinct resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely.
# Define: postgresql::db
|
|
#
|
|
# This module creates database instances, a user, and grants that user
|
|
# privileges to the database.
|
|
#
|
|
# Since it requires class postgresql::server, we assume to run all commands as the
|
|
# postgresql user against the local postgresql server.
|
|
#
|
|
# TODO: support an array of privileges for "grant"; currently only supports a single
|
|
# privilege, which is pretty useless unless that privilege is "ALL"
|
|
#
|
|
# Parameters:
|
|
# [*title*] - postgresql database name.
|
|
# [*user*] - username to create and grant access.
|
|
# [*password*] - user's password. may be md5-encoded, in the format returned by the "postgresql_password"
|
|
# function in this module
|
|
# [*charset*] - database charset.
|
|
# [*grant*] - privilege to grant user.
|
|
#
|
|
# Actions:
|
|
#
|
|
# Requires:
|
|
#
|
|
# class postgresql::server
|
|
#
|
|
# Sample Usage:
|
|
#
|
|
# postgresql::db { 'mydb':
|
|
# user => 'my_user',
|
|
# password => 'password',
|
|
# grant => 'all'
|
|
# }
|
|
#
|
|
define postgresql::db (
|
|
$user,
|
|
$password,
|
|
$charset = 'utf8',
|
|
$grant = 'ALL'
|
|
) {
|
|
|
|
postgresql::database { $name:
|
|
# TODO: ensure is not yet supported
|
|
#ensure => present,
|
|
charset => $charset,
|
|
#provider => 'postgresql',
|
|
require => Class['postgresql::server'],
|
|
}
|
|
|
|
postgresql::database_user { "${user}":
|
|
# TODO: ensure is not yet supported
|
|
#ensure => present,
|
|
password_hash => $password,
|
|
#provider => 'postgresql',
|
|
require => Postgresql::Database[$name],
|
|
}
|
|
|
|
postgresql::database_grant { "GRANT ${user} - ${grant} - ${name}":
|
|
privilege => $grant,
|
|
db => $name,
|
|
role => $user,
|
|
#provider => 'postgresql',
|
|
require => Postgresql::Database_user["${user}"],
|
|
}
|
|
|
|
}
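Review bot: The database_user resource on the `postgresql::database_user { "${user}":` line is titled by the bare username, so two postgresql::db resources that share a $user will fail catalog compilation with a duplicate declaration; the header comment should say so, e.g. `# Note: each user may be declared by only one postgresql::db resource (the database_user title is the username).` Relatedly, $password is handed straight through as password_hash while the Sample Usage shows a plaintext 'password' and the header only says it "may be md5-encoded"; unless database_user hashes plaintext itself (not visible here), the [*password*] doc should state that the value is expected to be the output of the postgresql_password function so a plaintext value is not stored as-is. As a point of style, `"${user}"` in that title and in `Postgresql::Database_user["${user}"]` quotes a bare variable; `$user` and `Postgresql::Database_user[$user]` are the conventional forms.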
|