1175ea20d6
This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succinct resource.

This commit also improves security in the following ways:

* Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables.
* Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely.
28 lines
983 B
Puppet
class { 'postgresql::server':
  config_hash => {
    'ip_mask_deny_postgres_user' => '0.0.0.0/32',
    'ip_mask_allow_all_users'    => '0.0.0.0/0',
    'listen_addresses'           => '*',
    'manage_redhat_firewall'     => true,
    'postgres_password'          => 'postgres',
  },
}

# TODO: in mysql module, the username includes, e.g., '@%' or '@localhost', which
# affects the user's ability to connect from remote hosts. In postgres this is
# managed via pg_hba.conf; not sure if we want to try to reconcile that difference
# in the modules or not.
postgresql::database_user{ 'redmine':
  # TODO: ensure is not yet supported
  #ensure => present,
  password_hash => postgresql_password('redmine', 'redmine'),
  require => Class['postgresql::server'],
}

postgresql::database_user{ 'dan':
  # TODO: ensure is not yet supported
  #ensure => present,
  password_hash => postgresql_password('dan', 'blah'),
  require => Class['postgresql::server'],
}
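The pg_hba.conf fall-through described in the commit message is easy to reproduce with a small model of PostgreSQL's first-match rule evaluation. The following is an added example written for this page; it is not code from the puppetlabs-postgresql module, and the two rule sets (`BEFORE`, `AFTER`) are constructed to stand in for the module's generated pg_hba.conf rather than copied from it. The matcher is deliberately a subset of the real format: only `local` and `host` record types, `all` or an exact name for database and user, CIDR addresses, and no authentication options. The `ip_mask_deny_postgres_user` / `ip_mask_allow_all_users` comments in the rule text refer to the manifest settings shown above and are annotations only.

```python
"""Model of pg_hba.conf first-match evaluation (added example, not module code).

PostgreSQL uses the first record whose type, database, user and client
address all match and never consults later records; a record that does
not match is simply skipped. An allow-only rule for the postgres user
therefore lets disallowed clients fall through to a permissive 'all'
rule, which is the gap the commit closes with an explicit 'reject'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HbaRule:
    """One pg_hba.conf record (subset: 'local' and 'host' types only)."""
    conn_type: str          # 'local' or 'host'
    database: str           # 'all' or a database name
    user: str               # 'all' or a role name
    address: Optional[str]  # CIDR for 'host' records, None for 'local'
    method: str             # e.g. 'md5', 'trust', 'reject'


def parse_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf-style lines; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            # local records have no address column
            rules.append(HbaRule(fields[0], fields[1], fields[2], None, fields[3]))
        else:
            ctype, db, user, addr, method = fields[:5]
            rules.append(HbaRule(ctype, db, user, addr, method))
    return rules


def _matches(rule: HbaRule, conn_type: str, database: str, user: str,
             client_ip: Optional[str]) -> bool:
    if rule.conn_type != conn_type:
        return False
    if rule.database != "all" and rule.database != database:
        return False
    if rule.user != "all" and rule.user != user:
        return False
    if rule.conn_type == "host":
        net = ipaddress.ip_network(rule.address, strict=False)
        if ipaddress.ip_address(client_ip) not in net:
            return False
    return True


def resolve(rules: List[HbaRule], conn_type: str, database: str, user: str,
            client_ip: Optional[str] = None) -> str:
    """Return the auth method of the first matching record.

    If no record matches, PostgreSQL refuses the connection; that outcome
    is reported here as 'reject' as well.
    """
    for rule in rules:
        if _matches(rule, conn_type, database, user, client_ip):
            return rule.method
    return "reject"


# Constructed "before" policy: the postgres record lists only the allowed
# network, so a client outside it fails to match that record and falls
# through to the permissive 'all' record.
BEFORE = """
local   all   all                      md5
host    all   postgres  10.0.0.0/8     md5     # intended: postgres only from the LAN
host    all   all       0.0.0.0/0      md5     # ip_mask_allow_all_users
"""

# Constructed "after" policy in the spirit of the commit: an explicit reject
# record for postgres precedes the 'all' record, so a remote postgres
# connection is decided there and never reaches the permissive rule.
AFTER = """
local   all   all                      md5
host    all   postgres  0.0.0.0/0      reject  # ip_mask_deny_postgres_user
host    all   all       0.0.0.0/0      md5     # ip_mask_allow_all_users
"""


def demo() -> dict:
    """Evaluate a few constructed connection attempts under both policies."""
    before, after = parse_hba(BEFORE), parse_hba(AFTER)
    return {
        "before_postgres_remote": resolve(before, "host", "redmine", "postgres", "203.0.113.5"),
        "after_postgres_remote": resolve(after, "host", "redmine", "postgres", "203.0.113.5"),
        "after_postgres_local": resolve(after, "local", "redmine", "postgres"),
        "after_app_user_remote": resolve(after, "host", "redmine", "redmine", "203.0.113.5"),
    }


if __name__ == "__main__":
    for name, method in demo().items():
        print(f"{name}: {method}")
```

Under `BEFORE`, a postgres login from 203.0.113.5 resolves to `md5` via the `all` record even though the administrator thought the LAN-only record restricted it; under `AFTER` the same attempt resolves to `reject`, while local postgres logins and remote logins by ordinary roles are unaffected. Note that the manifest above sets `ip_mask_deny_postgres_user` to `0.0.0.0/32`, a mask that matches only the address 0.0.0.0 and so rejects essentially nothing; that is the test manifest leaving remote postgres access open, whereas a `/0` mask, as in the `AFTER` rule set, rejects the superuser from everywhere.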