ba802475ff
This commit adds some configuration management for postgres, to allow users to get a more complete setup from their initial install. Prior to this commit, we were basically only ensuring that the package was installed and the service was running. Now, we support limited configuration for the pg_hba.conf file to enable md5 authentication for remote hosts, and for the postgresql.conf file to specify the listener addresses where TCP connections should be accepted. Without these two changes the initial postgres configuration doesn't allow *any* connections from outside of the local host. This commit also adds an option for opening up the postgres port in the firewall on redhat-based systems, and an option to allow setting the password for the 'postgres' database user. As of this commit, this module now has dependencies on puppetlabs-stdlib (version > 2.3.4, which includes the new 'match' parameter for the 'file_line' resource type), and on puppetlabs-firewall.
88 lines
3.8 KiB
Text
88 lines
3.8 KiB
Text
# PostgreSQL Client Authentication Configuration File
|
|
# ===================================================
|
|
#
|
|
# Refer to the "Client Authentication" section in the
|
|
# PostgreSQL documentation for a complete description
|
|
# of this file. A short synopsis follows.
|
|
#
|
|
# This file controls: which hosts are allowed to connect, how clients
|
|
# are authenticated, which PostgreSQL user names they can use, which
|
|
# databases they can access. Records take one of these forms:
|
|
#
|
|
# local DATABASE USER METHOD [OPTIONS]
|
|
# host DATABASE USER CIDR-ADDRESS METHOD [OPTIONS]
|
|
# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTIONS]
|
|
# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTIONS]
|
|
#
|
|
# (The uppercase items must be replaced by actual values.)
|
|
#
|
|
# The first field is the connection type: "local" is a Unix-domain socket,
|
|
# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
|
|
# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
|
|
#
|
|
# DATABASE can be "all", "sameuser", "samerole", a database name, or
|
|
# a comma-separated list thereof.
|
|
#
|
|
# USER can be "all", a user name, a group name prefixed with "+", or
|
|
# a comma-separated list thereof. In both the DATABASE and USER fields
|
|
# you can also write a file name prefixed with "@" to include names from
|
|
# a separate file.
|
|
#
|
|
# CIDR-ADDRESS specifies the set of hosts the record matches.
|
|
# It is made up of an IP address and a CIDR mask that is an integer
|
|
# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
|
|
# the number of significant bits in the mask. Alternatively, you can write
|
|
# an IP address and netmask in separate columns to specify the set of hosts.
|
|
#
|
|
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", "krb5",
|
|
# "ident", "pam", "ldap" or "cert". Note that "password" sends passwords
|
|
# in clear text; "md5" is preferred since it sends encrypted passwords.
|
|
#
|
|
# OPTIONS are a set of options for the authentication in the format
|
|
# NAME=VALUE. The available options depend on the different authentication
|
|
# methods - refer to the "Client Authentication" section in the documentation
|
|
# for a list of which options are available for which authentication methods.
|
|
#
|
|
# Database and user names containing spaces, commas, quotes and other special
|
|
# characters must be quoted. Quoting one of the keywords "all", "sameuser" or
|
|
# "samerole" makes the name lose its special character, and just match a
|
|
# database or username with that name.
|
|
#
|
|
# This file is read on server startup and when the postmaster receives
|
|
# a SIGHUP signal. If you edit the file on a running system, you have
|
|
# to SIGHUP the postmaster for the changes to take effect. You can use
|
|
# "pg_ctl reload" to do that.
|
|
|
|
# Put your actual configuration here
|
|
# ----------------------------------
|
|
#
|
|
# If you want to allow non-local connections, you need to add more
|
|
# "host" records. In that case you will also need to make PostgreSQL listen
|
|
# on a non-local interface via the listen_addresses configuration parameter,
|
|
# or via the -i or -h command line switches.
|
|
#
|
|
|
|
|
|
|
|
|
|
# DO NOT DISABLE!
|
|
# If you change this first entry you will need to make sure that the
|
|
# database
|
|
# super user can access the database using some other method.
|
|
# Noninteractive
|
|
# access to all databases is required during automatic maintenance
|
|
# (custom daily cronjobs, replication, and similar tasks).
|
|
#
|
|
# Database administrative login by UNIX sockets
|
|
local all postgres ident
|
|
|
|
# TYPE DATABASE USER CIDR-ADDRESS METHOD
|
|
|
|
# "local" is for Unix domain socket connections only
|
|
local all all ident
|
|
# IPv4 local connections:
|
|
host all postgres <%= @ip_mask_postgres_user + "\t" %> md5
|
|
host all all <%= @ip_mask_all_users + "\t" %> md5
|
|
# IPv6 local connections:
|
|
host all all ::1/128 md5
|
|
|