a37eaa053b
The code to grant permissions on databases and their objects has been abstracted to `postgresql::grant` and is used by both `postgresql::database_grant` and `postgresql::table_grant`
# Resource postgresql::grant
#
# TODO: in mysql module, the grant resource name might look like this: 'user@host/dbname';
# I think that the API for the resource type should split these up, because it's
# easier / safer to recombine them for mysql than it is to parse them for other
# databases. Also, in the mysql module, the hostname portion of that string
# affects the user's ability to connect from remote hosts. In postgres this is
# managed via pg_hba.conf; not sure if we want to try to reconcile that difference
# in the modules or not.
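define postgresql::grant (
  $role,
  $db,
  # TODO: mysql supports an array of privileges here. We should do that if we
  # port this to ruby.
  $privilege = undef,
  $object_type = 'database',
  $object_name = $db,
  $psql_db = $postgresql::params::user,
  $psql_user = $postgresql::params::user
) {

  ## Munge the input values
  $_object_type = upcase($object_type)
  $_privilege = upcase($privilege)

  ## Reject names that would break out of the quoting used in the SQL below.
  ## $role and $object_name are spliced into the GRANT statement as quoted
  ## identifiers and into the `unless` query as string literals; a quote
  ## character in either would produce invalid SQL or change the statement's
  ## meaning. Such names already fail with an obscure psql error today, so
  ## rejecting them here only makes the failure explicit at compile time.
  validate_re($role, '\A[^\'"]+\z',
    "postgresql::grant: role '${role}' must not be empty or contain quote characters")
  validate_re($object_name, '\A[^\'"]+\z',
    "postgresql::grant: object name '${object_name}' must not be empty or contain quote characters")

  ## Validate that the object type is known.
  ## NOTE: stdlib's validate_string() only checks that each argument *is* a
  ## string -- it does not check membership in a list -- so the value has to be
  ## matched against an explicit pattern instead.
  ## Object types postgres supports but this define does not yet handle:
  ## COLUMN, FOREIGN SERVER, FOREIGN DATA WRAPPER, FUNCTION, PROCEDURAL
  ## LANGUAGE, SCHEMA, SEQUENCE, TABLESPACE, VIEW.
  validate_re($_object_type, '\A(DATABASE|TABLE)\z',
    "postgresql::grant: unsupported object type '${object_type}' (expected DATABASE or TABLE)")

  ## Validate that the object type's privilege is acceptable, and pick the
  ## postgres access-privilege inquiry function used by the `unless` check.
  ## Each inquiry function only recognises the privilege names of its own
  ## object type (has_table_privilege does not accept 'CREATE', for instance),
  ## so the stand-in used for 'ALL' (see below) is chosen per object type too.
  case $_object_type {
    'DATABASE': {
      validate_re($_privilege, '\A(CREATE|CONNECT|TEMPORARY|TEMP|ALL|ALL PRIVILEGES)\z',
        "postgresql::grant: invalid privilege '${privilege}' for object type DATABASE")
      $unless_function = 'has_database_privilege'
      $on_db = $psql_db
      $all_stand_in = 'CREATE'
    }
    'TABLE': {
      validate_re($_privilege, '\A(SELECT|INSERT|UPDATE|DELETE|TRUNCATE|REFERENCES|TRIGGER|ALL|ALL PRIVILEGES)\z',
        "postgresql::grant: invalid privilege '${privilege}' for object type TABLE")
      $unless_function = 'has_table_privilege'
      $on_db = $db
      $all_stand_in = 'INSERT'
    }
    default: {
      fail("Missing privilege validation for object type ${_object_type}")
    }
  }

  # TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,
  # we need a way to test for it--and the has_*_privilege functions do not
  # recognize 'ALL' as a valid privilege name. So we probably need to hard-code
  # a mapping between 'ALL' and the list of actual privileges that it entails,
  # and loop over them to check them. That sort of thing will probably need to
  # wait until we port this over to ruby, so, for now, we're just going to
  # assume that if they have one representative privilege on the object
  # (CREATE for a database, INSERT for a table), then they have "ALL".
  # (I told you that it was terrible!)
  $unless_privilege = $_privilege ? {
    'ALL'            => $all_stand_in,
    'ALL PRIVILEGES' => $all_stand_in,
    default          => $_privilege,
  }

  postgresql_psql { "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\"":
    db         => $on_db,
    psql_user  => $psql_user,
    psql_group => $postgresql::params::group,
    psql_path  => $postgresql::params::psql_path,
    unless     => "SELECT 1 WHERE ${unless_function}('${role}', '${object_name}', '${unless_privilege}')",
  }
}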