opuppet/module-postgresql
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
module-postgresql/manifests/psql.pp
Chris Price 1175ea20d6 Add postgresql::db convenience type, improve security 
This commit adds a postgresql::db type for convenience;
it mirrors the 'db' type from the mysql module, which
allows you to create a database instance and user plus
grant privileges to that user all in one succint
resource.

This commit also improves security in the following ways:

* Revoke "CONNECT" privilege from the 'public' role for
  newly created databases; without this, any database
  created via this module will allow connections from
  any database user, and will allow them to do things
  like create tables.

* Change to a 'reject'-based policy for dealing with
  remote connections by the postgres user in pg_hba.conf.
  Prior to this commit, if you tried to restrict access
  to the postgres user by IP, the rule would simply not
  match for disallowed IPs; then it would fall through
  to the rule for "all" users, which could still match
  and thus allow the postgres user to connect remotely.
2012-06-09 09:23:11 -07:00

45 lines
1.5 KiB
Puppet
Raw Blame History

# puppet-postgresql
# For all details and documentation:
# http://github.com/inkling/puppet-postgresql
#
# Copyright 2012- Inkling Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
define postgresql::psql(
$command = $title,
$unless,
$db,
$user = 'postgres',
$refreshonly = false
) {
require postgresql::params
# TODO: FIXME: shellquote does not work, and this regex works for trivial things but not nested escaping.
# Need a lexer, preferably a ruby SQL parser to catch errors at catalog time
# Possibly https://github.com/omghax/sql ?
$psql = "${postgresql::params::psql_path} --no-password --tuples-only --quiet --dbname $db"
$quoted_command = regsubst($command, '"', '\\"')
$quoted_unless = regsubst($unless, '"', '\\"')
exec {"/bin/echo \"$quoted_command\" | $psql |egrep -v -q '^$'":
cwd => '/tmp',
user => $user,
returns => 1,
unless => "/bin/echo \"$quoted_$unless\" | $psql | egrep -v -q '^$'",
refreshonly => $refreshonly,
}
}
Reference in a new issue View git blame Copy permalink