1175ea20d6
This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succinct resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely.
# Class: postgresql::config
#
# Thin wiring class: it declares no resources of its own, only hands its
# parameters to 'postgresql::config::beforeservice' and
# 'postgresql::config::afterservice' and pins their ordering around
# Service['postgresqld'].
#
# Parameters:
#
#   [*postgres_password*]          - password for the 'postgres' db user; passed to
#                                    postgresql::config::afterservice. NOTE(review): as with
#                                    any class parameter this value is part of the compiled
#                                    catalog, so source it from a secrets backend rather than
#                                    a literal in a manifest.
#   [*ip_mask_deny_postgres_user*] - ip mask for denying remote access for the postgres user;
#                                    defaults to '0.0.0.0/0', meaning that all TCP access for
#                                    the postgres user is denied.
#   [*ip_mask_allow_all_users*]    - ip mask for allowing remote access for other users (besides
#                                    postgres); defaults to '127.0.0.1/32', meaning only
#                                    connections from localhost are allowed.
#   [*listen_addresses*]           - what IP address(es) to listen on; comma-separated list of
#                                    addresses; defaults to 'localhost', '*' = all.
#   [*pg_hba_conf_path*]           - path to pg_hba.conf file.
#   [*postgresql_conf_path*]       - path to postgresql.conf file.
#   [*manage_redhat_firewall*]     - boolean indicating whether or not the module should open a
#                                    port in the firewall on redhat-based systems; this parameter
#                                    is likely to change in future versions. Possible changes
#                                    include support for non-RedHat systems and finer-grained
#                                    control over the firewall rule (currently, it simply opens
#                                    up the postgres port to all TCP connections).
#
# Actions:
#
# Requires:
#
# Usage:
#
#   class { 'postgresql::config':
#     postgres_password       => 'postgres',
#     ip_mask_allow_all_users => '0.0.0.0/0',
#   }
#
class postgresql::config(
  $postgres_password          = undef,
  $ip_mask_deny_postgres_user = $postgresql::params::ip_mask_postgres_user,
  $ip_mask_allow_all_users    = $postgresql::params::ip_mask_all_users,
  $listen_addresses           = $postgresql::params::listen_addresses,
  $pg_hba_conf_path           = $postgresql::params::pg_hba_conf_path,
  $postgresql_conf_path       = $postgresql::params::postgresql_conf_path,
  $manage_redhat_firewall     = $postgresql::params::manage_redhat_firewall,
) inherits postgresql::params {

  # Settings that must be on disk before the daemon is (re)started; judging by the
  # parameter names these cover pg_hba.conf, postgresql.conf and the firewall rule
  # (the helper class body is not visible here).
  class { 'postgresql::config::beforeservice':
    ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user,
    ip_mask_allow_all_users    => $ip_mask_allow_all_users,
    listen_addresses           => $listen_addresses,
    pg_hba_conf_path           => $pg_hba_conf_path,
    postgresql_conf_path       => $postgresql_conf_path,
    manage_redhat_firewall     => $manage_redhat_firewall,
  }

  # Applied once the service is up -- presumably because setting the
  # postgres password needs a running server.
  class { 'postgresql::config::afterservice':
    postgres_password => $postgres_password,
  }

  # Enforce: this class, then beforeservice, then the daemon, then afterservice.
  Class['postgresql::config'] ->
  Class['postgresql::config::beforeservice'] ->
  Service['postgresqld'] ->
  Class['postgresql::config::afterservice']

}