diff --git a/README.md b/README.md index 7fe59cb..ab6adf3 100644 --- a/README.md +++ b/README.md 
@@ -1,2163 +1,2193 @@ # postgresql #### Table of Contents 1. [Module Description - What does the module do?](#module-description) 2. [Setup - The basics of getting started with postgresql module](#setup) * [What postgresql affects](#what-postgresql-affects) * [Getting started with postgresql](#getting-started-with-postgresql) 3. [Usage - Configuration options and additional functionality](#usage) * [Configure a server](#configure-a-server) * [Create a database](#create-a-database) * [Manage users, roles, and permissions](#manage-users-roles-and-permissions) * [Manage ownership of DB objects](#manage-ownership-of-db-objects) * [Override defaults](#override-defaults) * [Create an access rule for pg_hba.conf](#create-an-access-rule-for-pg_hbaconf) * [Create user name maps for pg_ident.conf](#create-user-name-maps-for-pg_identconf) * [Validate connectivity](#validate-connectivity) 4. [Reference - An under-the-hood peek at what the module is doing and how](#reference) * [Classes](#classes) * [Defined Types](#defined-types) * [Types](#types) * [Functions](#functions) * [Tasks](#tasks) 5. [Limitations - OS compatibility, etc.](#limitations) 6. [Development - Guide for contributing to the module](#development) * [Contributors - List of module contributors](#contributors) 7. [Tests](#tests) 8. [Contributors - List of module contributors](#contributors) ## Module description The postgresql module allows you to manage PostgreSQL databases with Puppet. PostgreSQL is a high-performance, free, open-source relational database server. The postgresql module allows you to manage packages, services, databases, users, and common security settings in PostgreSQL. ## Setup ### What postgresql affects * Package, service, and configuration files for PostgreSQL * Listened-to ports * IP and mask (optional) ### Getting started with postgresql To configure a basic default PostgreSQL server, declare the `postgresql::server` class. 
```puppet class { 'postgresql::server': } ``` ## Usage ### Configure a server For default settings, declare the `postgresql::server` class as above. To customize PostgreSQL server settings, specify [the parameters](#postgresqlserver) you want to change: ```puppet class { 'postgresql::server': ip_mask_deny_postgres_user => '0.0.0.0/32', ip_mask_allow_all_users => '0.0.0.0/0', ipv4acls => ['hostssl all johndoe 192.168.0.0/24 cert'], postgres_password => 'TPSrep0rt!', } ``` After configuration, test your settings from the command line: ```shell psql -h localhost -U postgres psql -h my.postgres.server -U ``` If you get an error message from these commands, your permission settings restrict access from the location you're trying to connect from. Depending on whether you want to allow connections from that location, you might need to adjust your permissions. For more details about server configuration parameters, consult [the PostgreSQL Runtime Configuration documentation](http://www.postgresql.org/docs/current/static/runtime-config.html). ### Create a database You can set up a variety of PostgreSQL databases with the `postgresql::server::db` defined type. 
For instance, to set up a database for PuppetDB: ```puppet class { 'postgresql::server': } postgresql::server::db { 'mydatabasename': user => 'mydatabaseuser', password => postgresql_password('mydatabaseuser', 'mypassword'), } ``` ### Manage users, roles, and permissions To manage users, roles, and permissions: ```puppet class { 'postgresql::server': } postgresql::server::role { 'marmot': password_hash => postgresql_password('marmot', 'mypasswd'), } postgresql::server::database_grant { 'test1': privilege => 'ALL', db => 'test1', role => 'marmot', } postgresql::server::table_grant { 'my_table of test2': privilege => 'ALL', table => 'my_table', db => 'test2', role => 'marmot', } ``` This example grants **all** privileges on the `test1` database and on the `my_table` table of the `test2` database to the specified user or group. After the values are added into the PuppetDB config file, this database would be ready for use. ### Manage ownership of DB objects To change the ownership of all objects within a database using `REASSIGN OWNED`: ```puppet postgresql::server::reassign_owned_by { 'new owner is meerkat': db => 'test_db', old_role => 'marmot', new_role => 'meerkat', } ``` This would run the PostgreSQL statement `REASSIGN OWNED` to update to ownership of all tables, sequences, functions and views currently owned by the role `marmot` to be owned by the role `meerkat` instead. This applies to objects within the nominated database, `test_db` only. For PostgreSQL >= 9.3, the ownership of the database is also updated. ### Override defaults The `postgresql::globals` class allows you to configure the main settings for this module globally, so that other classes and defined resources can use them. By itself, it does nothing. 
For example, to overwrite the default `locale` and `encoding` for all classes, use the following: ```puppet class { 'postgresql::globals': encoding => 'UTF-8', locale => 'en_US.UTF-8', } class { 'postgresql::server': } ``` To use a specific version of the PostgreSQL package: ```puppet class { 'postgresql::globals': manage_package_repo => true, version => '9.2', } class { 'postgresql::server': } ``` ### Manage remote users, roles, and permissions Remote SQL objects are managed using the same Puppet resources as local SQL objects, along with a [`connect_settings`](#connect_settings) hash. This provides control over how Puppet connects to the remote PostgreSQL instances and which version is used for generating SQL commands. The `connect_settings` hash can contain environment variables to control PostgreSQL client connections, such as `PGHOST`, `PGPORT`, `PGPASSWORD`, and `PGSSLKEY`. See [the PostgreSQL Environment Variables documentation](http://www.postgresql.org/docs/9.4/static/libpq-envars.html) for a complete list of variables. Additionally, you can specify the target database version with the special value of `DBVERSION`. If the `connect_settings` hash is omitted or empty, then Puppet connects to the local PostgreSQL instance. You can provide a `connect_settings` hash for each of the Puppet resources, or you can set a default `connect_settings` hash in `postgresql::globals`. Configuring `connect_settings` per resource allows SQL objects to be created on multiple databases by multiple users. 
```puppet $connection_settings_super2 = { 'PGUSER' => 'super2', 'PGPASSWORD' => 'foobar2', 'PGHOST' => '127.0.0.1', 'PGPORT' => '5432', 'PGDATABASE' => 'postgres', } include postgresql::server # Connect with no special settings, i.e domain sockets, user postgres postgresql::server::role { 'super2': password_hash => 'foobar2', superuser => true, connect_settings => {}, } # Now using this new user connect via TCP postgresql::server::database { 'db1': connect_settings => $connection_settings_super2, require => Postgresql::Server::Role['super2'], } ``` ### Create an access rule for pg_hba.conf To create an access rule for `pg_hba.conf`: ```puppet postgresql::server::pg_hba_rule { 'allow application network to access app database': description => 'Open up PostgreSQL for access from 200.1.2.0/24', type => 'host', database => 'app', user => 'app', address => '200.1.2.0/24', auth_method => 'md5', } ``` This would create a ruleset in `pg_hba.conf` similar to: ``` # Rule Name: allow application network to access app database # Description: Open up PostgreSQL for access from 200.1.2.0/24 # Order: 150 host app app 200.1.2.0/24 md5 ``` By default, `pg_hba_rule` requires that you include `postgresql::server`. However, you can override that behavior by setting target and postgresql_version when declaring your rule. 
That might look like the following: ```puppet postgresql::server::pg_hba_rule { 'allow application network to access app database': description => 'Open up postgresql for access from 200.1.2.0/24', type => 'host', database => 'app', user => 'app', address => '200.1.2.0/24', auth_method => 'md5', target => '/path/to/pg_hba.conf', postgresql_version => '9.4', } ``` ### Create user name maps for pg_ident.conf To create a user name map for the pg_ident.conf: ```puppet postgresql::server::pg_ident_rule { 'Map the SSL certificate of the backup server as a replication user': map_name => 'sslrepli', system_username => 'repli1.example.com', database_username => 'replication', } ``` This would create a user name map in `pg_ident.conf` similar to: ``` #Rule Name: Map the SSL certificate of the backup server as a replication user #Description: none #Order: 150 sslrepli repli1.example.com replication ``` ### Create recovery configuration To create the recovery configuration file (`recovery.conf`): ```puppet postgresql::server::recovery { 'Create a recovery.conf file with the following defined parameters': restore_command => 'cp /mnt/server/archivedir/%f %p', archive_cleanup_command => undef, recovery_end_command => undef, recovery_target_name => 'daily backup 2015-01-26', recovery_target_time => '2015-02-08 22:39:00 EST', recovery_target_xid => undef, recovery_target_inclusive => true, recovery_target => 'immediate', recovery_target_timeline => 'latest', pause_at_recovery_target => true, standby_mode => 'on', primary_conninfo => 'host=localhost port=5432', primary_slot_name => undef, trigger_file => undef, recovery_min_apply_delay => 0, } ``` The above creates this `recovery.conf` config file: ``` restore_command = 'cp /mnt/server/archivedir/%f %p' recovery_target_name = 'daily backup 2015-01-26' recovery_target_time = '2015-02-08 22:39:00 EST' recovery_target_inclusive = true recovery_target = 'immediate' recovery_target_timeline = 'latest' pause_at_recovery_target = true 
standby_mode = 'on' primary_conninfo = 'host=localhost port=5432' recovery_min_apply_delay = 0 ``` Only the specified parameters are recognized in the template. The `recovery.conf` is only be created if at least one parameter is set **and** [manage_recovery_conf](#manage_recovery_conf) is set to true. ### Validate connectivity To validate client connections to a remote PostgreSQL database before starting dependent tasks, use the `postgresql_conn_validator` resource. You can use this on any node where the PostgreSQL client package is installed. It is often chained to other tasks such as starting an application server or performing a database migration. Example usage: ```puppet postgresql_conn_validator { 'validate my postgres connection': host => 'my.postgres.host', db_username => 'mydbuser', db_password => 'mydbpassword', db_name => 'mydbname', }-> exec { 'rake db:migrate': cwd => '/opt/myrubyapp', } ``` ## Reference The postgresql module comes with many options for configuring the server. While you are unlikely to use all of the settings below, they provide a decent amount of control over your security settings. 
**Classes:** * [postgresql::client](#postgresqlclient) * [postgresql::globals](#postgresqlglobals) * [postgresql::lib::devel](#postgresqllibdevel) * [postgresql::lib::java](#postgresqllibjava) * [postgresql::lib::perl](#postgresqllibperl) * [postgresql::lib::python](#postgresqllibpython) * [postgresql::server](#postgresqlserver) * [postgresql::server::plperl](#postgresqlserverplperl) * [postgresql::server::contrib](#postgresqlservercontrib) * [postgresql::server::postgis](#postgresqlserverpostgis) **Defined Types:** * [postgresql::server::config_entry](#postgresqlserverconfig_entry) * [postgresql::server::database](#postgresqlserverdatabase) * [postgresql::server::database_grant](#postgresqlserverdatabase_grant) * [postgresql::server::db](#postgresqlserverdb) * [postgresql::server::extension](#postgresqlserverextension) * [postgresql::server::grant](#postgresqlservergrant) * [postgresql::server::grant_role](#postgresqlservergrant_role) * [postgresql::server::pg_hba_rule](#postgresqlserverpg_hba_rule) * [postgresql::server::pg_ident_rule](#postgresqlserverpg_ident_rule) * [postgresql::server::reassign_owned_by](#postgresqlserverreassign_owned_by) * [postgresql::server::recovery](#postgresqlserverrecovery) * [postgresql::server::role](#postgresqlserverrole) * [postgresql::server::schema](#postgresqlserverschema) * [postgresql::server::table_grant](#postgresqlservertable_grant) * [postgresql::server::tablespace](#postgresqlservertablespace) **Types:** * [postgresql_psql](#custom-resource-postgresql_psql) * [postgresql_replication_slot](#custom-resource-postgresql_replication_slot) * [postgresql_conf](#custom-resource-postgresql_conf) * [postgresql_conn_validator](#custom-resource-postgresql_conn_validator) **Functions:** * [postgresql_password](#function-postgresql_password) * [postgresql_acls_to_resources_hash](#function-postgresql_acls_to_resources_hashacl_array-id-order_offset) **Tasks:** * [`sql`](#tasks) ### Classes #### postgresql::client Installs PostgreSQL 
client package. Set the following parameters if you have a custom version you would like to install. **Note:** Make sure to add any necessary yum or apt repositories if specifying a custom version. ##### `package_ensure` Whether the PostgreSQL client package resource should be present. Valid values: `present`, `absent`. Default value: `present`. ##### `package_name` Sets the name of the PostgreSQL client package. Default value: `file`. #### postgresql::lib::docs Installs PostgreSQL documentation package. Set the following parameters if you have a custom version you would like to install. **Note:** Make sure to add any necessary yum or apt repositories if specifying a custom version. ##### `package_name` Specifies the name of the PostgreSQL docs package. ##### `package_ensure` Whether the PostgreSQL docs package resource should be present. Valid values: `present`, `absent`. Default value: `present`. #### postgresql::globals **Note:** Most server-specific defaults should be overridden in the `postgresql::server` class. This class should be used only if you are using a non-standard OS, or if you are changing elements that can only be changed here, such as `version` or `manage_package_repo`. ##### `bindir` Overrides the default PostgreSQL binaries directory for the target platform. Default value: OS dependent. ##### `client_package_name` Overrides the default PostgreSQL client package name. Default value: OS dependent. ##### `confdir` Overrides the default PostgreSQL configuration directory for the target platform. Default value: OS dependent. ##### `contrib_package_name` Overrides the default PostgreSQL contrib package name. Default value: OS dependent. ##### `createdb_path` **Deprecated.** Path to the `createdb` command. Default value: `${bindir}/createdb`. ##### `datadir` Overrides the default PostgreSQL data directory for the target platform. Default value: OS dependent. 
**Note:** Changing the `datadir` after installation causes the server to come to a full stop before making the change. For Red Hat systems, the data directory must be labeled appropriately for SELinux. On Ubuntu, you must explicitly set `needs_initdb = true` to allow Puppet to initialize the database in the new `datadir` (`needs_initdb` defaults to true on other systems). **Warning:** If `datadir` is changed from the default, Puppet does not manage purging of the original data directory, which causes it to fail if the data directory is changed back to the original. ##### `data_checksums` Optional. Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent. Valid values: `true` or `false`. Default: `initdb`'s default (`false`). **Warning:** This option is used during initialization by `initdb`, and cannot be changed later. If set, checksums are calculated for all objects, in all databases. ##### `default_database` Specifies the name of the default database to connect with. Default value: `postgres` (for most systems). ##### `devel_package_name` Overrides the default PostgreSQL devel package name. Default value: OS dependent. ##### `docs_package_name` Optional. Overrides the default PostgreSQL docs package name. Default value: OS dependent. ##### `encoding` Sets the default encoding for all databases created with this module. On certain operating systems, this is also used during the `template1` initialization, so it becomes a default outside of the module as well. Default value: dependent on the operating system's default encoding. ##### `group` Overrides the default postgres user group to be used for related files in the file system. Default value: `postgres`. ##### `initdb_path` Path to the `initdb` command. ##### `java_package_name` Overrides the default PostgreSQL Java package name. Default value: OS dependent. ##### `locale` Sets the default database locale for all databases created with this module. 
On certain operating systems, this is also used during the `template1` initialization, so it becomes a default outside of the module as well. Default value: `undef`, which is effectively `"C"`. **Warning:** On Debian, you'll need to ensure that the `locales-all` package is installed for full functionality of PostgreSQL. ##### `timezone` Sets the default timezone of the postgresql server. The postgresql built-in default is taking the systems timezone information. ##### `logdir` Overrides the default PostgreSQL log directory. Default value: `initdb`'s default path. ##### `manage_package_repo` Sets up official PostgreSQL repositories on your host if set to `true`. Default value: `false`. ##### `module_workdir` Specifies working directory under which the `psql` command should be executed. May need to specify if `/tmp` is on volume mounted with `noexec` option. Default value: `/tmp`. ##### `needs_initdb` Explicitly calls the `initdb` operation after the server package is installed and before the PostgreSQL service is started. Default value: OS dependent. ##### `perl_package_name` Overrides the default PostgreSQL Perl package name. Default value: OS dependent. ##### `pg_hba_conf_defaults` Disables the defaults supplied with the module for `pg_hba.conf` if set to `false`. This is useful if you want to override the defaults. Be sure that your changes align with the rest of the module, as some access is required to perform some operations, such as basic `psql` operations. Default value: the globals value set in `postgresql::globals::manage_pg_hba_conf` which defaults to `true`. ##### `pg_hba_conf_path` Specifies the path to your `pg_hba.conf` file. Default value: `${confdir}/pg_hba.conf`. ##### `pg_ident_conf_path` Specifies the path to your `pg_ident.conf` file. Default value: `${confdir}/pg_ident.conf`. ##### `plperl_package_name` Overrides the default PostgreSQL PL/Perl package name. Default value: OS dependent. 
##### `plpython_package_name` Overrides the default PostgreSQL PL/Python package name. Default value: OS dependent. ##### `postgis_version` Defines the version of PostGIS to install, if you install PostGIS. Default value: the lowest available with the version of PostgreSQL to be installed. ##### `postgresql_conf_path` Sets the path to your `postgresql.conf` file. Default value: `${confdir}/postgresql.conf`. ##### `psql_path` Sets the path to the `psql` command. ##### `python_package_name` Overrides the default PostgreSQL Python package name. Default value: OS dependent. ##### `recovery_conf_path` Path to your `recovery.conf` file. ##### `repo_proxy` Sets the proxy option for the official PostgreSQL yum-repositories only. This is useful if your server is behind a corporate firewall and needs to use proxy servers for outside connectivity. Debian is currently not supported. ##### `repo_baseurl` Sets the baseurl for the PostgreSQL repository. Useful if you host your own mirror of the repository. Default value: the official PostgreSQL repository. ##### `server_package_name` Overrides the default PostgreSQL server package name. Default value: OS dependent. ##### `service_name` Overrides the default PostgreSQL service name. Default value: OS dependent. ##### `service_provider` Overrides the default PostgreSQL service provider. Default value: OS dependent. ##### `service_status` Overrides the default status check command for your PostgreSQL service. Default value: OS dependent. ##### `user` Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system. Default value: `postgres`. ##### `version` The version of PostgreSQL to install and manage. Default value: OS system default. ##### `xlogdir` Overrides the default PostgreSQL xlog directory. Default value: initdb's default path. 
#### postgresql::lib::devel Installs the packages containing the development libraries for PostgreSQL and symlinks `pg_config` into `/usr/bin` (if not in `/usr/bin` or `/usr/local/bin`). ##### `link_pg_config` If the bin directory used by the PostgreSQL page is not `/usr/bin` or `/usr/local/bin`, symlinks `pg_config` from the package's bin directory into `usr/bin` (not applicable to Debian systems). Set to `false` to disable this behavior. Valid values: `true`, `false`. Default value: `true`. ##### `package_ensure` Overrides the `ensure` parameter during package installation. Default value: `present`. ##### `package_name` Overrides the default package name for the distribution you are installing to. Default value: `postgresql-devel` or `postgresql-devel` depending on your OS. #### postgresql::lib::java Installs PostgreSQL bindings for Java (JDBC). Set the following parameters if you have a custom version you would like to install. **Note:** Make sure to add any necessary yum or apt repositories if specifying a custom version. ##### `package_ensure` Specifies whether the package is present. Valid values: `present`, `absent`. Default value: `present`. ##### `package_name` Specifies the name of the PostgreSQL java package. #### postgresql::lib::perl Installs the PostgreSQL Perl libraries. ##### `package_ensure` Specifies whether the package is present. Valid values: `present`, `absent`. Default value: `present`. ##### `package_name` Specifies the name of the PostgreSQL perl package to install. #### postgresql::server::plpython Installs the PL/Python procedural language for PostgreSQL. ##### `package_name` Specifies the name of the postgresql PL/Python package. ##### `package_ensure` Specifies whether the package is present. Valid values: `present`, `absent`. Default value: `present`. #### postgresql::lib::python Installs PostgreSQL Python libraries. ##### `package_ensure` Specifies whether the package is present. Valid values: `present`, `absent`. 
Default value: `present`. ##### `package_name` The name of the PostgreSQL Python package. #### postgresql::server ##### `createdb_path` **Deprecated.** Specifies the path to the `createdb` command. Default value: `${bindir}/createdb`. ##### `data_checksums` Optional. Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent. Valid values: `true` or `false`. Default value: `initdb`'s default (`false`). **Warning:** This option is used during initialization by `initdb`, and cannot be changed later. If set, checksums are calculated for all objects, in all databases. ##### `default_database` Specifies the name of the default database to connect with. On most systems this is `postgres`. ##### `default_connect_settings` Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined types, such as `postgresql::server::role`. ##### `encoding` Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the `template1` initialization, so it becomes a default outside of the module as well. Default value: `undef`. ##### `group` Overrides the default postgres user group to be used for related files in the file system. Default value: OS dependent. ##### `initdb_path` Specifies the path to the `initdb` command. Default value: `${bindir}/initdb`. ##### `ipv4acls` Lists strings for access control for connection method, users, databases, IPv4 addresses. See [the PostgreSQL HBA documentation](http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) for information. ##### `ipv6acls` Lists strings for access control for connection method, users, databases, IPv6 addresses. See [the PostgreSQL HBA documentation](http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) for information. ##### `ip_mask_allow_all_users` Overrides PostgreSQL defaults for remote connections. 
By default, PostgreSQL does not allow database user accounts to connect via TCP from remote machines. If you'd like to allow this, you can override this setting. Set to `0.0.0.0/0` to allow database users to connect from any remote machine, or `192.168.0.0/1` to allow connections from any machine on your local `192.168` subnet. Default value: `127.0.0.1/32`. ##### `ip_mask_deny_postgres_user` Specifies the IP mask from which remote connections should be denied for the postgres superuser. Default value: `0.0.0.0/0`, which denies any remote connection. ##### `locale` Sets the default database locale for all databases created with this module. On certain operating systems this is used during the `template1` initialization as well, so it becomes a default outside of the module. Default value: `undef`, which is effectively `"C"`. **Warning:** On Debian, you'll need to ensure that the `locales-all` package is installed for full functionality of PostgreSQL. ##### `manage_pg_hba_conf` Whether to manage the `pg_hba.conf`. If set to `true`, Puppet overwrites this file. If set to `false`, Puppet does not modify the file. Valid values: `true`, `false`. Default value: `true` ##### `manage_pg_ident_conf` Overwrites the pg_ident.conf file. If set to `true`, Puppet overwrites the file. If set to `false`, Puppet does not modify the file. Valid values: `true`, `false`. Default value: `true`. ##### `manage_recovery_conf` Specifies whether or not manage the `recovery.conf`. If set to `true`, Puppet overwrites this file. Valid values: `true`, `false`. Default value: `false`. ##### `needs_initdb` Explicitly calls the `initdb` operation after server package is installed, and before the PostgreSQL service is started. Default value: OS dependent. ##### `package_ensure` Passes a value through to the `package` resource when creating the server instance. Default value: `undef`. ##### `package_name` Specifies the name of the package to use for installing the PostgreSQL server. 
Default value: OS dependent. ##### `pg_hba_conf_defaults` If `false`, disables the defaults supplied with the module for `pg_hba.conf`. This is useful if you disagree with the defaults and wish to override them yourself. Be sure that your changes of course align with the rest of the module, as some access is required to perform basic `psql` operations for example. ##### `pg_hba_conf_path` Specifies the path to your `pg_hba.conf` file. ##### `pg_ident_conf_path` Specifies the path to your `pg_ident.conf` file. Default value: `${confdir}/pg_ident.conf`. ##### `plperl_package_name` Sets the default package name for the PL/Perl extension. Default value: OS dependent. ##### `plpython_package_name` Sets the default package name for the PL/Python extension. Default value: OS dependent. ##### `port` Specifies the port for the PostgreSQL server to listen on. **Note:** The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change. Default value: 5432 ##### `postgres_password` Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account. Default value: `undef`. ##### `postgresql_conf_path` Specifies the path to your `postgresql.conf` file. Default value: `${confdir}/postgresql.conf`. ##### `psql_path` Specifies the path to the `psql` command. Default value: OS dependent. ##### `service_manage` Defines whether or not Puppet should manage the service. Default value: `true`. ##### `service_name` Overrides the default PostgreSQL service name. Default value: OS dependent. ##### `service_provider` Overrides the default PostgreSQL service provider. Default value: `undef`. ##### `service_reload` Overrides the default reload command for your PostgreSQL service. Default value: OS dependent. 
##### `service_restart_on_change` Overrides the default behavior to restart your PostgreSQL service when a config entry has been changed that requires a service restart to become active. Default value: `true`. ##### `service_status` Overrides the default status check command for your PostgreSQL service. Default value: OS dependent. ##### `user` Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system. Default value: `postgres`. #### postgresql::server::contrib Installs the PostgreSQL contrib package. ##### `package_ensure` Sets the ensure parameter passed on to PostgreSQL contrib package resource. ##### `package_name` The name of the PostgreSQL contrib package. #### postgresql::server::plperl Installs the PL/Perl procedural language for postgresql. ##### `package_ensure` The ensure parameter passed on to PostgreSQL PL/Perl package resource. ##### `package_name` The name of the PostgreSQL PL/Perl package. #### postgresql::server::postgis Installs the PostgreSQL postgis packages. ### Defined Types #### postgresql::server::config_entry Modifies your `postgresql.conf` configuration file. Each resource maps to a line inside the file, for example: ```puppet postgresql::server::config_entry { 'check_function_bodies': value => 'off', } ``` ##### `ensure` Removes an entry when set to `absent`. Valid values: `present`, `absent`. Default value: `present`. ##### `value` Defines the value for the setting. #### postgresql::server::db Creates a local database, user, and assigns necessary permissions. ##### `comment` Defines a comment to be stored about the database using the PostgreSQL COMMENT command. ##### `connect_settings` Specifies a hash of environment variables used when connecting to a remote server. Default value: local PostgreSQL instance. ##### `dbname` Sets the name of the database to be created. Default value: the namevar. ##### `encoding` Overrides the character set during creation of the database. 
Default value: the default defined during installation. ##### `grant` Specifies the permissions to grant during creation. Default value: `ALL`. ##### `istemplate` Specifies that the database is a template, if set to `true`. Default value: `false`. ##### `locale` Overrides the locale during creation of the database. Default value: the default defined during installation. ##### `owner` Sets a user as the owner of the database. Default value: `$user` variable set in `postgresql::server` or `postgresql::globals`. ##### `password` Required. Sets the password for the created user. ##### `tablespace` Defines the name of the tablespace to allocate the created database to. Default value: PostgreSQL default. ##### `template` Specifies the name of the template database from which to build this database. Default value: `template0`. ##### `user` Required. User to create and assign access to the database upon creation. #### postgresql::server::database Creates a database with no users and no permissions. ##### `dbname` Sets the name of the database. Default value: the namevar. ##### `encoding` Overrides the character set during creation of the database. Default value: the default defined during installation. ##### `istemplate` Defines the database as a template if set to `true`. Default value: `false`. ##### `locale` Overrides the locale during creation of the database. Default value: the default defined during installation. ##### `owner` Sets name of the database owner. Default value: the `$user` variable set in `postgresql::server` or `postgresql::globals`. ##### `tablespace` Sets tablespace for where to create this database. Default value: the default defined during installation. ##### `template` Specifies the name of the template database from which to build this database. Default value: `template0`. #### postgresql::server::database_grant Manages grant-based access privileges for users, wrapping the `postgresql::server::database_grant` for database specific permissions. 
Consult [the PostgreSQL documentation for `GRANT`](http://www.postgresql.org/docs/current/static/sql-grant.html) for more information. +##### `ensure` + +Specifies whether to grant or revoke the privilege. Default is to grant the privilege. + +Valid values: 'present', 'absent'. +* 'present' to grant the privilege +* 'absent' to revoke the privilege + +Default value: 'present'. + #### `connect_settings` Specifies a hash of environment variables used when connecting to a remote server. Default value: local PostgreSQL instance. ##### `db` Specifies the database to which you are granting access. ##### `privilege` Specifies comma-separated list of privileges to grant. Valid values: `ALL`, `CREATE`, `CONNECT`, `TEMPORARY`, `TEMP`. ##### `psql_db` Defines the database to execute the grant against. **Warning:** This should not ordinarily be changed from the default. Default value: `postgres`. ##### `psql_user` Specifies the OS user for running `psql`. Default value: the default user for the module, usually `postgres`. ##### `role` Specifies the role or user whom you are granting access to. #### postgresql::server::extension Manages a PostgreSQL extension. ##### `database` Specifies the database on which to activate the extension. ##### `schema` Specifies the schema on which to activate the extension. ##### `ensure` Specifies whether to activate or deactivate the extension. Valid values: `present` or `absent`. ##### `extension` Specifies the extension to activate. If left blank, uses the name of the resource. ##### `version` Specifies the version of the extension which the database uses. When an extension package is updated, this does not automatically change the effective version in each database. This needs be updated using the PostgreSQL-specific SQL `ALTER EXTENSION...` `version` may be set to `latest`, in which case the SQL `ALTER EXTENSION "extension" UPDATE` is applied to this database (only). 
`version` may be set to a specific version, in which case the extension is updated using `ALTER EXTENSION "extension" UPDATE TO 'version'` For example, if extension is set to `postgis` and version is set to `2.3.3`, this will only apply the SQL `ALTER EXTENSION "postgis" UPDATE TO '2.3.3'` to the database. `version` may be omitted, in which case no `ALTER EXTENSION...` SQL is applied, and the version will be left unchanged. ##### `package_name` Specifies a package to install prior to activating the extension. ##### `package_ensure` Overrides default package deletion behavior. By default, the package specified with `package_name` is installed when the extension is activated and removed when the extension is deactivated. To override this behavior, set the `ensure` value for the package. #### postgresql::server::grant Manages grant-based access privileges for roles. See [PostgreSQL documentation for `grant`](http://www.postgresql.org/docs/current/static/sql-grant.html) for more information. +##### `ensure` + +Specifies whether to grant or revoke the privilege. Default is to grant the privilege. + +Valid values: 'present', 'absent'. +* 'present' to grant the privilege +* 'absent' to revoke the privilege + +Default value: 'present'. + ##### `db` Specifies the database to which you are granting access. ##### `object_type` Specifies the type of object to which you are granting privileges. Valid values: 'DATABASE', 'SCHEMA', 'SEQUENCE', 'ALL SEQUENCES IN SCHEMA', 'TABLE' or 'ALL TABLES IN SCHEMA'. ##### `object_name` Specifies name of `object_type` to which to grant access, can be either a string or a two element array. When it is an array then the first element must be the `object_type` and the second actual `object_name`. ##### `port` Port to use when connecting. Default value: `undef`, which generally defaults to port 5432 depending on your PostgreSQL packaging. ##### `privilege` Specifies the privilege to grant. 
Valid values: `ALL`, `ALL PRIVILEGES` or `object_type` dependent string. ##### `psql_db` Specifies the database to execute the grant against. **Warning:** This should not ordinarily be changed from the default. Default value: `postgres`. ##### `psql_user` Sets the OS user to run `psql`. Default value: the default user for the module, usually `postgres`. ##### `role` Specifies the role or user whom you are granting access to. #### postgresql::server::grant_role Allows you to assign a role to a (group) role. See [PostgreSQL documentation for `Role Membership`](http://www.postgresql.org/docs/current/static/role-membership.html) for more information. ##### `group` Specifies the group role to which you are assigning a role. ##### `role` Specifies the role you want to assign to a group. If left blank, uses the name of the resource. ##### `ensure` Specifies whether to grant or revoke the membership. Valid values: `present` or `absent`. Default value: `present`. ##### `port` Port to use when connecting. Default value: `undef`, which generally defaults to port 5432 depending on your PostgreSQL packaging. ##### `psql_db` Specifies the database to execute the grant against. **Warning:** This should not ordinarily be changed from the default. Default value: `postgres`. ##### `psql_user` Sets the OS user to run `psql`. Default value: the default user for the module, usually `postgres`. ##### `connect_settings` Specifies a hash of environment variables used when connecting to a remote server. Default value: local PostgreSQL instance. #### postgresql::server::pg_hba_rule Allows you to create an access rule for `pg_hba.conf`. For more details see [the usage example](#create-an-access-rule-for-pghba.conf) and [the PostgreSQL HBA documentation](http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html). ##### `address` Sets a CIDR based address for this rule matching when the type is not `local`. 
##### `auth_method` Provides the method that is used for authentication for the connection that this rule matches. ##### `auth_option` For certain `auth_method` settings there are extra options that can be passed. ##### `database` Sets a comma-separated list of databases that this rule matches. ##### `description` Defines a longer description for this rule, if required. This description is placed in the comments above the rule in `pg_hba.conf`. Default value: `none`. Specifies a way to uniquely identify this resource, but functionally does nothing. ##### `order` Sets an order for placing the rule in `pg_hba.conf`. Default value: 150. #### `postgresql_version` Manages `pg_hba.conf` without managing the entire PostgreSQL instance. Default value: the version set in `postgresql::server`. ##### `target` Provides the target for the rule, and is generally an internal only property. **Warning:** Use with caution. ##### `type` Sets the type of rule. Valid values: `local`, `host`, `hostssl` or `hostnossl`. ##### `user` Sets a comma-separated list of users that this rule matches. #### postgresql::server::pg_ident_rule Allows you to create user name maps for `pg_ident.conf`. For more details see [the usage example](#create-user-name-maps-for-pgidentconf) above and [the PostgreSQL User Name Maps documentation](http://www.postgresql.org/docs/current/static/auth-username-maps.html). ##### `database_username` Specifies the user name of the database user. The `system_username` is mapped to this user name. ##### `description` Sets a longer description for this rule if required. This description is placed in the comments above the rule in `pg_ident.conf`. Default value: `none`. ##### `map_name` Sets the name of the user map that is used to refer to this mapping in `pg_hba.conf`. ##### `order` Defines an order for placing the mapping in `pg_ident.conf`. Default value: 150. ##### `system_username` Specifies the operating system user name (the user name used to connect to the database). 
##### `target` Provides the target for the rule and is generally an internal only property. **Warning:** Use with caution. #### postgresql::server::reassign_owned_by Runs the PostgreSQL command `REASSIGN OWNED` on a database, to transfer the ownership of existing objects between database roles ##### `db` Specifies the database to which the `REASSIGN OWNED` will be applied. ##### `old_role` Specifies the role or user who is the current owner of the objects in the specified db. ##### `new_role` Specifies the role or user who will be the new owner of these objects. ##### `psql_user` Specifies the OS user for running `psql`. Default value: the default user for the module, usually `postgres`. ##### `port` Port to use when connecting. Default value: `undef`, which generally defaults to port 5432 depending on your PostgreSQL packaging. ##### `connect_settings` Specifies a hash of environment variables used when connecting to a remote server. Default value: local PostgreSQL instance. #### postgresql::server::recovery Allows you to create the content for `recovery.conf`. For more details see [the usage example](#create-recovery-configuration) and [the PostgreSQL Recovery Configuration documentation](http://www.postgresql.org/docs/current/static/recovery-config.html). Every parameter value is a string set in the template except `recovery_target_inclusive`, `pause_at_recovery_target`, `standby_mode` and `recovery_min_apply_delay`. A detailed description of all listed parameters can be found in [the PostgreSQL documentation](http://www.postgresql.org/docs/current/static/recovery-config.html). 
The parameters are grouped into these three sections: ##### [Archive Recovery Parameters](http://www.postgresql.org/docs/current/static/archive-recovery-settings.html) * `restore_command` * `archive_cleanup_command` * `recovery_end_command` ##### [Recovery Target Settings](http://www.postgresql.org/docs/current/static/recovery-target-settings.html) * `recovery_target_name` * `recovery_target_time` * `recovery_target_xid` * `recovery_target_inclusive` * `recovery_target` * `recovery_target_timeline` * `pause_at_recovery_target` ##### [Standby Server Settings](http://www.postgresql.org/docs/current/static/standby-settings.html) * `standby_mode`: Can be specified with the string (`on`/`off`), or by using a `Boolean` value (`true`/`false`). * `primary_conninfo` * `primary_slot_name` * `trigger_file` * `recovery_min_apply_delay` ##### `target` Provides the target for the rule, and is generally an internal only property. **Warning:** Use with caution. #### postgresql::server::role Creates or drops a role or user in PostgreSQL. ##### `ensure` Specify whether to create or drop the role. Specifying 'present' creates the role. Specifying 'absent' drops the role. Default value: 'present'. ##### `connection_limit` Specifies how many concurrent connections the role can make. Default value: `-1`, meaning no limit. ##### `connect_settings` Specifies a hash of environment variables used when connecting to a remote server. Default value: local PostgreSQL instance. ##### `createdb` Specifies whether to grant the ability to create new databases with this role. Default value: `false`. ##### `createrole` Specifies whether to grant the ability to create new roles with this role. Default value: `false`. ##### `inherit` Specifies whether to grant inherit capability for the new role. Default value: `true`. ##### `login` Specifies whether to grant login capability for the new role. Default value: `true`. ##### `password_hash` Sets the hash to use during password creation. 
If the password is not already pre-encrypted in a format that PostgreSQL supports, use the `postgresql_password` function to provide an MD5 hash here, for example: ##### `update_password` If set to true, updates the password on changes. Set this to false to not modify the role's password after creation. ```puppet postgresql::server::role { 'myusername': password_hash => postgresql_password('myusername', 'mypassword'), } ``` ##### `replication` Provides provides replication capabilities for this role if set to `true`. Default value: `false`. ##### `superuser` Specifies whether to grant super user capability for the new role. Default value: `false`. ##### `username` Defines the username of the role to create. Default value: the namevar. #### postgresql::server::schema Creates a schema. ##### `connect_settings` Specifies a hash of environment variables used when connecting to a remote server. Default value: local PostgreSQL instance. ##### `db` Required. Sets the name of the database in which to create this schema. ##### `owner` Sets the default owner of the schema. ##### `schema` Sets the name of the schema. Default value: the namevar. #### postgresql::server::table_grant Manages grant-based access privileges for users. Consult [the PostgreSQL documentation for `GRANT`](http://www.postgresql.org/docs/current/static/sql-grant.html) for more information. +##### `ensure` + +Specifies whether to grant or revoke the privilege. Default is to grant the privilege. + +Valid values: 'present', 'absent'. +* 'present' to grant the privilege +* 'absent' to revoke the privilege + +Default value: 'present'. + ##### `connect_settings` Specifies a hash of environment variables used when connecting to a remote server. Default value: local PostgreSQL instance. ##### `db` Specifies which database the table is in. ##### `privilege` Specifies comma-separated list of privileges to grant. Valid values: `ALL`, `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `TRUNCATE`, `REFERENCES`, `TRIGGER`. 
##### `psql_db` Specifies the database to execute the grant against. **Warning:** This should not ordinarily be changed from the default. Default value: `postgres`. ##### `psql_user` Specifies the OS user for running `psql`. Default value: the default user for the module, usually `postgres`. ##### `role` Specifies the role or user to whom you are granting access. ##### `table` Specifies the table to which you are granting access. #### postgresql::server::tablespace Creates a tablespace. If necessary, also creates the location and assigns the same permissions as the PostgreSQL server. ##### `connect_settings` Specifies a hash of environment variables used when connecting to a remote server. Default value: local PostgreSQL instance. ##### `location` Specifies the path to locate this tablespace. ##### `owner` Specifies the default owner of the tablespace. ##### `spcname` Specifies the name of the tablespace. Default value: the namevar. ### Types #### postgresql_psql Enables Puppet to run `psql` statements. ##### `command` Required. Specifies the SQL command to execute via `psql`. ##### `cwd` Specifies the working directory under which the `psql` command should be executed. Default value: `/tmp`. ##### `db` Specifies the name of the database to execute the SQL command against. ##### `environment` Specifies any additional environment variables you want to set for a SQL command. Multiple environment variables should be specified as an array. ##### `name` Sets an arbitrary tag for your own reference; the name of the message. This is the namevar. ##### `onlyif` Sets an optional SQL command to execute prior to the main command. This is generally intended to be used for idempotency, to check for the existence of an object in the database to determine whether or not the main SQL command needs to be executed at all. ##### `port` Specifies the port of the database server to execute the SQL command against. 
##### `psql_group` Specifies the system user group account under which the `psql` command should be executed. Default value: `postgres`. ##### `psql_path` Specifies the path to `psql` executable. Default value: `psql`. ##### `psql_user` Specifies the system user account under which the `psql` command should be executed. Default value: `postgres`. ##### `refreshonly` Specifies whether to execute the SQL only if there is a notify or subscribe event. Valid values: `true`, `false`. Default value: `false`. ##### `search_path` Defines the schema search path to use when executing the SQL command. ##### `unless` The inverse of `onlyif`. #### postgresql_conf Allows Puppet to manage `postgresql.conf` parameters. ##### `name` Specifies the PostgreSQL parameter name to manage. This is the namevar. ##### `target` Specifies the path to `postgresql.conf`. Default value: `/etc/postgresql.conf`. ##### `value` Specifies the value to set for this parameter. #### postgresql_replication_slot Allows you to create and destroy replication slots to register warm standby replication on a PostgreSQL master server. ##### `name` Specifies the name of the slot to create. Must be a valid replication slot name. This is the namevar. ##### `ensure` Required. Specifies the action to create or destroy named slot. Valid values: `present`, `absent`. Default value: `present`. #### postgresql_conn_validator Validate the connection to a local or remote PostgreSQL database using this type. ##### `connect_settings` Specifies a hash of environment variables used when connecting to a remote server. This is an alternative to providing individual parameters (`host`, etc). If provided, the individual parameters take precedence. Default value: `{}` ##### `db_name` Specifies the name of the database you wish to test. Default value: `''` ##### `db_password` Specifies the password to connect with. Can be left blank if `.pgpass` is being used, otherwise not recommended. 
Default value: `''` ##### `db_username` Specifies the username to connect with. Default value: `''` When using a Unix socket and ident auth, this is the user you are running as. ##### `command` This is the command run against the target database to verify connectivity. Default value: `SELECT 1` ##### `host` Sets the hostname of the database you wish to test. Default value: `''`, which generally uses the designated local Unix socket. **Warning:** If the host is remote you must provide a username. ##### `port` Defines the port to use when connecting. Default value: `''` ##### `run_as` Specifies the user to run the `psql` command as. This is important when trying to connect to a database locally using Unix sockets and `ident` authentication. Not needed for remote testing. ##### `sleep` Sets the number of seconds to sleep for before trying again after a failure. ##### `tries` Sets the number of attempts after failure before giving up and failing the resource. ### Functions #### postgresql_password Generates a PostgreSQL encrypted password, use `postgresql_password`. Call it from the command line and then copy and paste the encrypted password into your manifest: ```shell puppet apply --execute 'notify { 'test': message => postgresql_password('username', 'password') }' ``` Alternatively, you can call this from your production manifests, but the manifests will then contain a clear text version of your passwords. #### postgresql_acls_to_resources_hash(acl_array, id, order_offset) This internal function converts a list of `pg_hba.conf` based ACLs (passed in as an array of strings) to a format compatible with the `postgresql::pg_hba_rule` resource. **Warning:** This function should only be used internally by the module. ### Tasks The postgresql module has an example task that allows a user to execute arbitrary SQL against a database. 
Please refer to to [the PE documentation](https://puppet.com/docs/pe/2017.3/orchestrator/running_tasks.html) or [the Bolt documentation](https://puppet.com/docs/bolt/latest/bolt.html) on how to execute a task. ## Limitations Works with versions of PostgreSQL from 8.1 through 9.5. Currently, the postgresql module is tested on the following operating systems: * Debian 6.x, 7.x, 8.x. * CentOS 5.x, 6.x, and 7.x. * Ubuntu 10.04 and 12.04, 14.04. Other systems might be compatible, but are not being actively tested. ### Apt module support While this module supports both 1.x and 2.x versions of the puppetlabs-apt module, it does not support puppetlabs-apt 2.0.0 or 2.0.1. ### PostGIS support PostGIS is currently considered an unsupported feature, as it doesn't work on all platforms correctly. ### All versions of RHEL/CentOS If you have SELinux enabled you must add any custom ports you use to the `postgresql_port_t` context. You can do this as follows: ```shell semanage port -a -t postgresql_port_t -p tcp $customport ``` ## Development Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can't access the huge number of platforms and myriad hardware, software, and deployment configurations that Puppet is intended to serve. We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things. For more information, see our [module contribution guide](https://docs.puppetlabs.com/forge/contributing.html). ### Tests There are two types of tests distributed with this module. Unit tests with `rspec-puppet` and system tests using `rspec-system`. 
For unit testing, make sure you have: * rake * bundler Install the necessary gems: ```shell bundle install --path=vendor ``` And then run the unit tests: ```shell bundle exec rake spec ``` The unit tests are run in Travis-CI as well. If you want to see the results of your own tests, register the service hook through Travis-CI via the accounts section for your GitHub clone of this project. To run the system tests, make sure you also have: * Vagrant > 1.2.x * VirtualBox > 4.2.10 Then run the tests using: ```shell bundle exec rspec spec/acceptance ``` To run the tests on different operating systems, see the sets available in `.nodeset.yml` and run the specific set with the following syntax: ```shell RSPEC_SET=debian-607-x64 bundle exec rspec spec/acceptance ``` ### Contributors View the full list of contributors on [GitHub](https://github.com/puppetlabs/puppetlabs-postgresql/graphs/contributors). diff --git a/manifests/server/database_grant.pp b/manifests/server/database_grant.pp index 6c29b57..34a6953 100644 --- a/manifests/server/database_grant.pp +++ b/manifests/server/database_grant.pp @@ -1,20 +1,22 @@ # Manage a database grant. See README.md for more details. define postgresql::server::database_grant( $privilege, $db, $role, + $ensure = undef, $psql_db = undef, $psql_user = undef, $connect_settings = undef, ) { postgresql::server::grant { "database:${name}": + ensure => $ensure, role => $role, db => $db, privilege => $privilege, object_type => 'DATABASE', object_name => $db, psql_db => $psql_db, psql_user => $psql_user, connect_settings => $connect_settings, } } diff --git a/manifests/server/grant.pp b/manifests/server/grant.pp index 5f9c081..4817326 100644 --- a/manifests/server/grant.pp +++ b/manifests/server/grant.pp 
@@ -1,347 +1,426 @@ # Define for granting permissions to roles. See README.md for more details. define postgresql::server::grant ( String $role, String $db, Optional[String] $privilege = undef, Pattern[#/(?i:^COLUMN$)/, /(?i:^ALL SEQUENCES IN SCHEMA$)/, /(?i:^ALL TABLES IN SCHEMA$)/, /(?i:^DATABASE$)/, #/(?i:^FOREIGN DATA WRAPPER$)/, #/(?i:^FOREIGN SERVER$)/, #/(?i:^FUNCTION$)/, /(?i:^LANGUAGE$)/, #/(?i:^PROCEDURAL LANGUAGE$)/, /(?i:^TABLE$)/, #/(?i:^TABLESPACE$)/, /(?i:^SCHEMA$)/, /(?i:^SEQUENCE$)/ #/(?i:^VIEW$)/ ] $object_type = 'database', Optional[Variant[ Array[String,2,2], String[1]] ] $object_name = undef, String $psql_db = $postgresql::server::default_database, String $psql_user = $postgresql::server::user, Integer $port = $postgresql::server::port, Boolean $onlyif_exists = false, Hash $connect_settings = $postgresql::server::default_connect_settings, + Enum['present', + 'absent' + ] $ensure = 'present', ) { + case $ensure { + default: { + # default is 'present' + $sql_command = 'GRANT %s ON %s "%s" TO "%s"' + $unless_is = true + } + 'absent': { + $sql_command = 'REVOKE %s ON %s "%s" FROM "%s"' + $unless_is = false + } + } + $group = $postgresql::server::group $psql_path = $postgresql::server::psql_path if ! 
$object_name { $_object_name = $db } else { $_object_name = $object_name } # # Port, order of precedence: $port parameter, $connect_settings[PGPORT], $postgresql::server::port # if $port != undef { $port_override = $port } elsif $connect_settings != undef and has_key( $connect_settings, 'PGPORT') { $port_override = undef } else { $port_override = $postgresql::server::port } ## Munge the input values $_object_type = upcase($object_type) $_privilege = upcase($privilege) # You can use ALL TABLES IN SCHEMA by passing schema_name to object_name # You can use ALL SEQUENCES IN SCHEMA by passing schema_name to object_name ## Validate that the object type's privilege is acceptable # TODO: this is a terrible hack; if they pass "ALL" as the desired privilege, # we need a way to test for it--and has_database_privilege does not # recognize 'ALL' as a valid privilege name. So we probably need to # hard-code a mapping between 'ALL' and the list of actual privileges that # it entails, and loop over them to check them. That sort of thing will # probably need to wait until we port this over to ruby, so, for now, we're # just going to assume that if they have "CREATE" privileges on a database, # then they have "ALL". (I told you that it was terrible!) case $_object_type { 'DATABASE': { $unless_privilege = $_privilege ? { 'ALL' => 'CREATE', 'ALL PRIVILEGES' => 'CREATE', Pattern[ /^$/, /^CONNECT$/, /^CREATE$/, /^TEMP$/, /^TEMPORARY$/ ] => $_privilege, default => fail('Illegal value for $privilege parameter'), } $unless_function = 'has_database_privilege' $on_db = $psql_db - $onlyif_function = undef + $onlyif_function = $ensure ? { + default => undef, + 'absent' => 'role_exists', + } } 'SCHEMA': { $unless_privilege = $_privilege ? 
{ 'ALL' => 'CREATE', 'ALL PRIVILEGES' => 'CREATE', Pattern[ /^$/, /^CREATE$/, /^USAGE$/ ] => $_privilege, default => fail('Illegal value for $privilege parameter'), } $unless_function = 'has_schema_privilege' $on_db = $db $onlyif_function = undef } 'SEQUENCE': { $unless_privilege = $_privilege ? { 'ALL' => 'USAGE', Pattern[ /^$/, /^ALL PRIVILEGES$/, /^SELECT$/, /^UPDATE$/, /^USAGE$/ ] => $_privilege, default => fail('Illegal value for $privilege parameter'), } $unless_function = 'has_sequence_privilege' $on_db = $db $onlyif_function = undef } 'ALL SEQUENCES IN SCHEMA': { case $_privilege { Pattern[ /^$/, /^ALL$/, /^ALL PRIVILEGES$/, /^SELECT$/, /^UPDATE$/, /^USAGE$/ ]: { } default: { fail('Illegal value for $privilege parameter') } } $unless_function = 'custom' $on_db = $db $onlyif_function = undef $schema = $object_name $custom_privilege = $_privilege ? { 'ALL' => 'USAGE', 'ALL PRIVILEGES' => 'USAGE', default => $_privilege, } # This checks if there is a difference between the sequences in the # specified schema and the sequences for which the role has the specified # privilege. It uses the EXCEPT clause which computes the set of rows # that are in the result of the first SELECT statement but not in the # result of the second one. It then counts the number of rows from this # operation. If this number is zero then the role has the specified # privilege for all sequences in the schema and the whole query returns a # single row, which satisfies the `unless` parameter of Postgresql_psql. # If this number is not zero then there is at least one sequence for which # the role does not have the specified privilege, making it necessary to # execute the GRANT statement. 
- $custom_unless = "SELECT 1 FROM ( - SELECT sequence_name - FROM information_schema.sequences - WHERE sequence_schema='${schema}' - EXCEPT DISTINCT - SELECT object_name as sequence_name - FROM ( - SELECT object_schema, - object_name, - grantee, - CASE privs_split - WHEN 'r' THEN 'SELECT' - WHEN 'w' THEN 'UPDATE' - WHEN 'U' THEN 'USAGE' - END AS privilege_type - FROM ( - SELECT DISTINCT - object_schema, - object_name, - (regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[1] AS grantee, - regexp_split_to_table((regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[2],E'\\s*') AS privs_split - FROM ( - SELECT n.nspname as object_schema, - c.relname as object_name, - regexp_split_to_table(array_to_string(c.relacl,','),',') AS privs - FROM pg_catalog.pg_class c - LEFT JOIN pg_catalog.pg_namespace n ON c.relnamespace = n.oid - WHERE c.relkind = 'S' - AND n.nspname NOT IN ( 'pg_catalog', 'information_schema' ) - ) P1 - ) P2 - ) P3 - WHERE grantee='${role}' - AND object_schema='${schema}' - AND privilege_type='${custom_privilege}' - ) P - HAVING count(P.sequence_name) = 0" + if $ensure == 'present' { + $custom_unless = "SELECT 1 WHERE NOT EXISTS ( + SELECT sequence_name + FROM information_schema.sequences + WHERE sequence_schema='${schema}' + EXCEPT DISTINCT + SELECT object_name as sequence_name + FROM ( + SELECT object_schema, + object_name, + grantee, + CASE privs_split + WHEN 'r' THEN 'SELECT' + WHEN 'w' THEN 'UPDATE' + WHEN 'U' THEN 'USAGE' + END AS privilege_type + FROM ( + SELECT DISTINCT + object_schema, + object_name, + (regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[1] AS grantee, + regexp_split_to_table((regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[2],E'\\s*') AS privs_split + FROM ( + SELECT n.nspname as object_schema, + c.relname as object_name, + regexp_split_to_table(array_to_string(c.relacl,','),',') AS privs + FROM pg_catalog.pg_class c + LEFT JOIN pg_catalog.pg_namespace n ON c.relnamespace = n.oid + WHERE 
c.relkind = 'S' + AND n.nspname NOT IN ( 'pg_catalog', 'information_schema' ) + ) P1 + ) P2 + ) P3 + WHERE grantee='${role}' + AND object_schema='${schema}' + AND privilege_type='${custom_privilege}' + )" + } else { + # ensure == absent + $custom_unless = "SELECT 1 WHERE NOT EXISTS ( + SELECT object_name as sequence_name + FROM ( + SELECT object_schema, + object_name, + grantee, + CASE privs_split + WHEN 'r' THEN 'SELECT' + WHEN 'w' THEN 'UPDATE' + WHEN 'U' THEN 'USAGE' + END AS privilege_type + FROM ( + SELECT DISTINCT + object_schema, + object_name, + (regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[1] AS grantee, + regexp_split_to_table((regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[2],E'\\s*') AS privs_split + FROM ( + SELECT n.nspname as object_schema, + c.relname as object_name, + regexp_split_to_table(array_to_string(c.relacl,','),',') AS privs + FROM pg_catalog.pg_class c + LEFT JOIN pg_catalog.pg_namespace n ON c.relnamespace = n.oid + WHERE c.relkind = 'S' + AND n.nspname NOT IN ( 'pg_catalog', 'information_schema' ) + ) P1 + ) P2 + ) P3 + WHERE grantee='${role}' + AND object_schema='${schema}' + AND privilege_type='${custom_privilege}' + )" + } } 'TABLE': { $unless_privilege = $_privilege ? { 'ALL' => 'INSERT', Pattern[ /^$/, /^ALL$/, /^ALL PRIVILEGES$/, /^DELETE$/, /^REFERENCES$/, /^SELECT$/, /^TRIGGER$/, /^TRUNCATE$/, /^UPDATE$/ ] => $_privilege, default => fail('Illegal value for $privilege parameter'), } $unless_function = 'has_table_privilege' $on_db = $db $onlyif_function = $onlyif_exists ? 
{ true => 'table_exists', default => undef, } } 'ALL TABLES IN SCHEMA': { case $_privilege { Pattern[ /^$/, /^ALL$/, /^ALL PRIVILEGES$/, /^DELETE$/, /^INSERT$/, /^REFERENCES$/, /^SELECT$/, /^TRIGGER$/, /^TRUNCATE$/, /^UPDATE$/ ]: { } default: { fail('Illegal value for $privilege parameter') } } $unless_function = 'custom' $on_db = $db $onlyif_function = undef $schema = $object_name # Again there seems to be no easy way in plain SQL to check if ALL - # PRIVILEGES are granted on a table. By convention we use INSERT - # here to represent ALL PRIVILEGES (truly terrible). - $custom_privilege = $_privilege ? { - 'ALL' => 'INSERT', - 'ALL PRIVILEGES' => 'INSERT', - default => $_privilege, + # PRIVILEGES are granted on a table. + # There are currently 7 possible priviliges: + # ('SELECT','UPDATE','INSERT','DELETE','TRIGGER','REFERENCES','TRUNCATE') + # This list is consistant from Postgresql 8.0 + # + # There are 4 cases to cover, each with it's own distinct unless clause: + # grant ALL + # grant SELECT (or INSERT or DELETE ...) + # revoke ALL + # revoke SELECT (or INSERT or DELETE ...) 
+ + if $ensure == 'present' { + if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' { + # GRANT ALL + $custom_unless = "SELECT 1 WHERE NOT EXISTS + ( SELECT 1 FROM pg_catalog.pg_tables AS t, + (VALUES ('SELECT'), ('UPDATE'), ('INSERT'), ('DELETE'), ('TRIGGER'), ('REFERENCES'), ('TRUNCATE')) AS p(privilege_type) + WHERE t.schemaname = '${schema}' + AND NOT EXISTS ( + SELECT 1 FROM information_schema.role_table_grants AS g + WHERE g.grantee = '${role}' + AND g.table_schema = '${schema}' + AND g.privilege_type = p.privilege_type + ) + )" + + } else { + # GRANT $_privilege + $custom_unless = "SELECT 1 WHERE NOT EXISTS + ( SELECT 1 FROM pg_catalog.pg_tables AS t + WHERE t.schemaname = '${schema}' + AND NOT EXISTS ( + SELECT 1 FROM information_schema.role_table_grants AS g + WHERE g.grantee = '${role}' + AND g.table_schema = '${schema}' + AND g.privilege_type = '${_privilege}' + ) + )" + } + } else { + if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' { + # REVOKE ALL + $custom_unless = "SELECT 1 WHERE NOT EXISTS + ( SELECT table_name FROM information_schema.role_table_grants + WHERE grantee = '${role}' AND table_schema ='${schema}' + )" + } else { + # REVOKE $_privilege + $custom_unless = "SELECT 1 WHERE NOT EXISTS + ( SELECT table_name FROM information_schema.role_table_grants + WHERE grantee = '${role}' AND table_schema ='${schema}' + AND privilege_type = '${_privilege}' + )" + } } - # This checks if there is a difference between the tables in the - # specified schema and the tables for which the role has the specified - # privilege. It uses the EXCEPT clause which computes the set of rows - # that are in the result of the first SELECT statement but not in the - # result of the second one. It then counts the number of rows from this - # operation. If this number is zero then the role has the specified - # privilege for all tables in the schema and the whole query returns a - # single row, which satisfies the `unless` parameter of Postgresql_psql. 
- # If this number is not zero then there is at least one table for which - # the role does not have the specified privilege, making it necessary to - # execute the GRANT statement. - $custom_unless = "SELECT 1 FROM ( - SELECT table_name - FROM information_schema.tables - WHERE table_schema='${schema}' - EXCEPT DISTINCT - SELECT table_name - FROM information_schema.role_table_grants - WHERE grantee='${role}' - AND table_schema='${schema}' - AND privilege_type='${custom_privilege}' - ) P - HAVING count(P.table_name) = 0" } 'LANGUAGE': { $unless_privilege = $_privilege ? { 'ALL' => 'USAGE', 'ALL PRIVILEGES' => 'USAGE', Pattern[ /^$/, /^CREATE$/, /^USAGE$/ ] => $_privilege, default => fail('Illegal value for $privilege parameter'), } $unless_function = 'has_language_privilege' $on_db = $db $onlyif_function = $onlyif_exists ? { true => 'language_exists', default => undef, } } default: { fail("Missing privilege validation for object type ${_object_type}") } } # This is used to give grant to "schemaname"."tablename" # If you need such grant, use: # postgresql::grant { 'table:foo': # role => 'joe', # ... # object_type => 'TABLE', # object_name => [$schema, $table], # } case $_object_name { Array: { $_togrant_object = join($_object_name, '"."') # Never put double quotes into has_*_privilege function $_granted_object = join($_object_name, '.') } default: { $_granted_object = $_object_name $_togrant_object = $_object_name } } $_unless = $unless_function ? { false => undef, 'custom' => $custom_unless, default => "SELECT 1 WHERE ${unless_function}('${role}', - '${_granted_object}', '${unless_privilege}')", + '${_granted_object}', '${unless_privilege}') = ${unless_is}", } $_onlyif = $onlyif_function ? 
{ 'table_exists' => "SELECT true FROM pg_tables WHERE tablename = '${_togrant_object}'", 'language_exists' => "SELECT true from pg_language WHERE lanname = '${_togrant_object}'", + 'role_exists' => "SELECT 1 FROM pg_roles WHERE rolname = '${role}'", default => undef, } - $grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${_togrant_object}\" TO - \"${role}\"" + $grant_cmd = sprintf($sql_command, $_privilege, $_object_type, $_togrant_object, $role) + postgresql_psql { "grant:${name}": command => $grant_cmd, db => $on_db, port => $port_override, connect_settings => $connect_settings, psql_user => $psql_user, psql_group => $group, psql_path => $psql_path, unless => $_unless, onlyif => $_onlyif, require => Class['postgresql::server'] } if($role != undef and defined(Postgresql::Server::Role[$role])) { Postgresql::Server::Role[$role]->Postgresql_psql["grant:${name}"] } if($db != undef and defined(Postgresql::Server::Database[$db])) { Postgresql::Server::Database[$db]->Postgresql_psql["grant:${name}"] } } diff --git a/manifests/server/table_grant.pp b/manifests/server/table_grant.pp index 452f13d..dd70aeb 100644 --- a/manifests/server/table_grant.pp +++ b/manifests/server/table_grant.pp @@ -1,26 +1,28 @@ # This resource wraps the grant resource to manage table grants specifically. # See README.md for more details. define postgresql::server::table_grant( $privilege, $table, $db, $role, + $ensure = undef, $port = undef, $psql_db = undef, $psql_user = undef, $connect_settings = undef, $onlyif_exists = false, ) { postgresql::server::grant { "table:${name}": + ensure => $ensure, role => $role, db => $db, port => $port, privilege => $privilege, object_type => 'TABLE', object_name => $table, psql_db => $psql_db, psql_user => $psql_user, onlyif_exists => $onlyif_exists, connect_settings => $connect_settings, } -} \ No newline at end of file +} diff --git a/spec/acceptance/server/grant_spec.rb b/spec/acceptance/server/grant_spec.rb index 0046b0f..e4a3231 100644 
--- a/spec/acceptance/server/grant_spec.rb +++ b/spec/acceptance/server/grant_spec.rb 
@@ -1,305 +1,520 @@ require 'spec_helper_acceptance' describe 'postgresql::server::grant:', unless: UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do let(:db) { 'grant_priv_test' } let(:owner) { 'psql_grant_priv_owner' } let(:user) { 'psql_grant_priv_tester' } let(:password) { 'psql_grant_role_pw' } let(:pp_install) { "class {'postgresql::server': }" } let(:pp_setup) do <<-MANIFEST.unindent $db = #{db} $owner = #{owner} $user = #{user} $password = #{password} class { 'postgresql::server': } postgresql::server::role { $owner: password_hash => postgresql_password($owner, $password), } # Since we are not testing pg_hba or any of that, make a local user for ident auth user { $owner: ensure => present, } postgresql::server::database { $db: owner => $owner, require => Postgresql::Server::Role[$owner], } # Create a user to grant privileges to postgresql::server::role { $user: db => $db, require => Postgresql::Server::Database[$db], } # Make a local user for ident auth user { $user: ensure => present, } # Grant them connect to the database postgresql::server::database_grant { "allow connect for ${user}": privilege => 'CONNECT', db => $db, role => $user, } MANIFEST end context 'LANGUAGE' do describe 'GRANT * ON LANGUAGE' do # testing grants on language requires a superuser let(:superuser) { 'postgres' } let(:pp_lang) do pp_setup + <<-MANIFEST.unindent postgresql_psql { 'make sure plpgsql exists': command => 'CREATE LANGUAGE plpgsql', db => $db, psql_user => '#{superuser}', unless => "SELECT 1 from pg_language where lanname = 'plpgsql'", require => Postgresql::Server::Database[$db], } postgresql::server::grant { 'grant usage on plpgsql': psql_user => '#{superuser}', privilege => 'USAGE', object_type => 'LANGUAGE', object_name => 'plpgsql', role => $user, db => $db, require => [ Postgresql_psql['make sure plpgsql exists'], Postgresql::Server::Role[$user], ] } MANIFEST end let(:pp_onlyif) do pp_setup + <<-MANIFEST.unindent postgresql::server::grant { 'grant usage on BSql': 
psql_user => '#{superuser}', privilege => 'USAGE', object_type => 'LANGUAGE', object_name => 'bsql', role => $user, db => $db, onlyif_exists => true, } MANIFEST end it 'is expected to run idempotently' do apply_manifest(pp_install) # postgres version result = shell('psql --version') version = result.stdout.match(%r{\s(\d\.\d)})[1] if version >= '8.4.0' apply_manifest(pp_lang, catch_failures: true) apply_manifest(pp_lang, catch_changes: true) end end it 'is expected to GRANT USAGE ON LANGUAGE plpgsql to ROLE' do result = shell('psql --version') version = result.stdout.match(%r{\s(\d\.\d)})[1] if version >= '8.4.0' ## Check that the privilege was granted to the user psql("-d #{db} --command=\"SELECT 1 WHERE has_language_privilege('#{user}', 'plpgsql', 'USAGE')\"", superuser) do |r| expect(r.stdout).to match(%r{\(1 row\)}) expect(r.stderr).to eq('') end end end # test onlyif_exists function it 'is expected to not GRANT USAGE ON (dummy)LANGUAGE BSql to ROLE' do apply_manifest(pp_install) # postgres version result = shell('psql --version') version = result.stdout.match(%r{\s(\d\.\d)})[1] if version >= '8.4.0' apply_manifest(pp_onlyif, catch_failures: true) apply_manifest(pp_onlyif, catch_changes: true) end end end end + ### SEQUENCE grants context 'sequence' do let(:pp_one) do pp_setup + <<-MANIFEST.unindent postgresql_psql { 'create test sequence': command => 'CREATE SEQUENCE test_seq', db => $db, psql_user => $owner, unless => "SELECT 1 FROM information_schema.sequences WHERE sequence_name = 'test_seq'", require => Postgresql::Server::Database[$db], } postgresql::server::grant { 'grant usage on test_seq': privilege => 'USAGE', object_type => 'SEQUENCE', object_name => 'test_seq', db => $db, role => $user, require => [ Postgresql_psql['create test sequence'], Postgresql::Server::Role[$user], ] } MANIFEST end let(:pp_two) do pp_setup + <<-MANIFEST.unindent postgresql_psql { 'create test sequence': command => 'CREATE SEQUENCE test_seq', db => $db, psql_user => $owner, 
unless => "SELECT 1 FROM information_schema.sequences WHERE sequence_name = 'test_seq'", require => Postgresql::Server::Database[$db], } postgresql::server::grant { 'grant update on test_seq': privilege => 'UPDATE', object_type => 'SEQUENCE', object_name => 'test_seq', db => $db, role => $user, require => [ Postgresql_psql['create test sequence'], Postgresql::Server::Role[$user], ] } MANIFEST end let(:result) do shell('psql --version') end let(:version) do result.stdout.match(%r{\s(\d\.\d)})[1] end before(:each) do apply_manifest(pp_install, catch_failures: true) end it 'grants usage on a sequence to a user' do begin if version >= '9.0' apply_manifest(pp_one, catch_failures: true) apply_manifest(pp_one, catch_changes: true) ## Check that the privilege was granted to the user psql("-d #{db} --command=\"SELECT 1 WHERE has_sequence_privilege('#{user}', 'test_seq', 'USAGE')\"", user) do |r| expect(r.stdout).to match(%r{\(1 row\)}) expect(r.stderr).to eq('') end end end end it 'grants update on a sequence to a user' do begin if version >= '9.0' apply_manifest(pp_two, catch_failures: true) apply_manifest(pp_two, catch_changes: true) ## Check that the privilege was granted to the user psql("-d #{db} --command=\"SELECT 1 WHERE has_sequence_privilege('#{user}', 'test_seq', 'UPDATE')\"", user) do |r| expect(r.stdout).to match(%r{\(1 row\)}) expect(r.stderr).to eq('') end end end end end context 'all sequences' do let(:pp_one) do pp_setup + <<-MANIFEST.unindent postgresql_psql { 'create test sequences': command => 'CREATE SEQUENCE test_seq2; CREATE SEQUENCE test_seq3;', db => $db, psql_user => $owner, unless => "SELECT 1 FROM information_schema.sequences WHERE sequence_name = 'test_seq2'", require => Postgresql::Server::Database[$db], } postgresql::server::grant { 'grant usage on all sequences': privilege => 'USAGE', object_type => 'ALL SEQUENCES IN SCHEMA', object_name => 'public', db => $db, role => $user, require => [ Postgresql_psql['create test sequences'], 
Postgresql::Server::Role[$user], ] } MANIFEST end let(:pp_two) do pp_setup + <<-MANIFEST.unindent postgresql_psql { 'create test sequences': command => 'CREATE SEQUENCE test_seq2; CREATE SEQUENCE test_seq3;', db => $db, psql_user => $owner, unless => "SELECT 1 FROM information_schema.sequences WHERE sequence_name = 'test_seq2'", require => Postgresql::Server::Database[$db], } postgresql::server::grant { 'grant usage on all sequences': privilege => 'UPDATE', object_type => 'ALL SEQUENCES IN SCHEMA', object_name => 'public', db => $db, role => $user, require => [ Postgresql_psql['create test sequences'], Postgresql::Server::Role[$user], ] } MANIFEST end let(:result) do shell('psql --version') end let(:version) do result.stdout.match(%r{\s(\d\.\d)})[1] end before(:each) do apply_manifest(pp_install, catch_failures: true) end it 'grants usage on all sequences to a user' do begin if version >= '9.0' apply_manifest(pp_one, catch_failures: true) apply_manifest(pp_one, catch_changes: true) ## Check that the privileges were granted to the user, this check is not available on version < 9.0 psql("-d #{db} --command=\"SELECT 1 WHERE has_sequence_privilege('#{user}', 'test_seq2', 'USAGE') AND has_sequence_privilege('#{user}', 'test_seq3', 'USAGE')\"", user) do |r| expect(r.stdout).to match(%r{\(1 row\)}) expect(r.stderr).to eq('') end end end end it 'grants update on all sequences to a user' do begin if version >= '9.0' apply_manifest(pp_two, catch_failures: true) apply_manifest(pp_two, catch_changes: true) ## Check that the privileges were granted to the user psql("-d #{db} --command=\"SELECT 1 WHERE has_sequence_privilege('#{user}', 'test_seq2', 'UPDATE') AND has_sequence_privilege('#{user}', 'test_seq3', 'UPDATE')\"", user) do |r| expect(r.stdout).to match(%r{\(1 row\)}) expect(r.stderr).to eq('') end end end end end + ### TABLE grants + context 'table' do + describe 'GRANT ... 
ON TABLE' do + let(:pp_create_table) do + pp_setup + <<-EOS.unindent + postgresql_psql { 'create test table': + command => 'CREATE TABLE test_tbl (col1 integer)', + db => $db, + psql_user => $owner, + unless => "SELECT table_name FROM information_schema.tables WHERE table_name = 'test_tbl'", + require => Postgresql::Server::Database[$db], + } + EOS + end + + it 'grant select on a table to a user' do + begin + pp = pp_create_table + <<-EOS.unindent + + postgresql::server::grant { 'grant select on test_tbl': + privilege => 'SELECT', + object_type => 'TABLE', + object_name => 'test_tbl', + db => $db, + role => $user, + require => [ Postgresql_psql['create test table'], + Postgresql::Server::Role[$user], ] + } + EOS + + pp_revoke = pp_create_table + <<-EOS.unindent + + postgresql::server::grant { 'revoke select on test_tbl': + ensure => absent, + privilege => 'SELECT', + object_type => 'TABLE', + object_name => 'test_tbl', + db => $db, + role => $user, + require => [ Postgresql_psql['create test table'], + Postgresql::Server::Role[$user], ] + } + EOS + + apply_manifest(pp_install, catch_failures: true) + + # postgres version + result = shell('psql --version') + version = result.stdout.match(%r{\s(\d\.\d)})[1] + + if version >= '9.0' + apply_manifest(pp, catch_failures: true) + apply_manifest(pp, catch_changes: true) + + ## Check that the privilege was granted to the user + psql("-d #{db} --tuples-only --command=\"SELECT * FROM has_table_privilege('#{user}', 'test_tbl', 'SELECT')\"", user) do |r| + expect(r.stdout).to match(%r{t}) + expect(r.stderr).to eq('') + end + + apply_manifest(pp_revoke, catch_failures: true) + apply_manifest(pp_revoke, catch_changes: true) + + ## Check that the privilege was revoked from the user + psql("-d #{db} --tuples-only --command=\"SELECT * FROM has_table_privilege('#{user}', 'test_tbl', 'SELECT')\"", user) do |r| + expect(r.stdout).to match(%r{f}) + expect(r.stderr).to eq('') + end + end + end + end + + it 'grant update on all tables to 
a user' do + begin + pp = pp_create_table + <<-EOS.unindent + + postgresql::server::grant { 'grant update on all tables': + privilege => 'UPDATE', + object_type => 'ALL TABLES IN SCHEMA', + object_name => 'public', + db => $db, + role => $user, + require => [ Postgresql_psql['create test table'], + Postgresql::Server::Role[$user], ] + } + EOS + + pp_revoke = pp_create_table + <<-EOS.unindent + + postgresql::server::grant { 'revoke update on all tables': + ensure => absent, + privilege => 'UPDATE', + object_type => 'ALL TABLES IN SCHEMA', + object_name => 'public', + db => $db, + role => $user, + require => [ Postgresql_psql['create test table'], + Postgresql::Server::Role[$user], ] + } + EOS + + apply_manifest(pp_install, catch_failures: true) + + # postgres version + result = shell('psql --version') + version = result.stdout.match(%r{\s(\d\.\d)})[1] + + if version >= '9.0' + apply_manifest(pp, catch_failures: true) + apply_manifest(pp, catch_changes: true) + + ## Check that all privileges were granted to the user + psql("-d #{db} --command=\"SELECT table_name,privilege_type FROM information_schema.role_table_grants + WHERE grantee = '#{user}' AND table_schema = 'public'\"", user) do |r| + expect(r.stdout).to match(%r{test_tbl[ |]*UPDATE\s*\(1 row\)}) + expect(r.stderr).to eq('') + end + + apply_manifest(pp_revoke, catch_failures: true) + apply_manifest(pp_revoke, catch_changes: true) + + ## Check that all privileges were revoked from the user + psql("-d #{db} --command=\"SELECT table_name,privilege_type FROM information_schema.role_table_grants + WHERE grantee = '#{user}' AND table_schema = 'public'\"", user) do |r| + expect(r.stdout).to match(%r{\(0 rows\)}) + expect(r.stderr).to eq('') + end + end + end + end + + it 'grant all on all tables to a user' do + begin + pp = pp_create_table + <<-EOS.unindent + + postgresql::server::grant { 'grant all on all tables': + privilege => 'ALL', + object_type => 'ALL TABLES IN SCHEMA', + object_name => 'public', + db => $db, 
+ role => $user, + require => [ Postgresql_psql['create test table'], + Postgresql::Server::Role[$user], ] + } + EOS + + pp_revoke = pp_create_table + <<-EOS.unindent + + postgresql::server::grant { 'revoke all on all tables': + ensure => absent, + privilege => 'ALL', + object_type => 'ALL TABLES IN SCHEMA', + object_name => 'public', + db => $db, + role => $user, + require => [ Postgresql_psql['create test table'], + Postgresql::Server::Role[$user], ] + } + EOS + + apply_manifest(pp_install, catch_failures: true) + + # postgres version + result = shell('psql --version') + version = result.stdout.match(%r{\s(\d\.\d)})[1] + + if version >= '9.0' + apply_manifest(pp, catch_failures: true) + apply_manifest(pp, catch_changes: true) + + ## Check that all privileges were granted to the user + psql("-d #{db} --tuples-only --command=\"SELECT table_name,count(privilege_type) FROM information_schema.role_table_grants + WHERE grantee = '#{user}' AND table_schema = 'public' + AND privilege_type IN ('SELECT','UPDATE','INSERT','DELETE','TRIGGER','REFERENCES','TRUNCATE') + GROUP BY table_name\"", user) do |r| + expect(r.stdout).to match(%r{test_tbl[ |]*7$}) + expect(r.stderr).to eq('') + end + + apply_manifest(pp_revoke, catch_failures: true) + apply_manifest(pp_revoke, catch_changes: true) + + ## Check that all privileges were revoked from the user + psql("-d #{db} --command=\"SELECT table_name FROM information_schema.role_table_grants + WHERE grantee = '#{user}' AND table_schema = 'public'\"", user) do |r| + expect(r.stdout).to match(%r{\(0 rows\)}) + expect(r.stderr).to eq('') + end + end + end + end + end + end + context 'database' do + describe 'REVOKE ... ON DATABASE...' 
do + it 'do not fail on revoke connect from non-existant user' do + begin + apply_manifest(pp_setup, catch_failures: true) + pp = pp_setup + <<-EOS.unindent + postgresql::server::grant { 'revoke connect on db from norole': + ensure => absent, + privilege => 'CONNECT', + object_type => 'DATABASE', + db => '#{db}', + role => '#{user}_does_not_exist', + } + EOS + apply_manifest(pp, catch_changes: true) + apply_manifest(pp, catch_failures: true) + end + end + end + end + ##################### end diff --git a/spec/unit/defines/server/grant_spec.rb b/spec/unit/defines/server/grant_spec.rb index c221dc8..6b38458 100644 --- a/spec/unit/defines/server/grant_spec.rb +++ b/spec/unit/defines/server/grant_spec.rb 
@@ -1,264 +1,264 @@ require 'spec_helper' describe 'postgresql::server::grant', type: :define do let :facts do { osfamily: 'Debian', operatingsystem: 'Debian', operatingsystemrelease: '6.0', kernel: 'Linux', concat_basedir: tmpfilename('contrib'), id: 'root', path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', } end let :title do 'test' end context 'plain' do let :params do { db: 'test', role: 'test', } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__grant('test') } end context 'sequence' do let :params do { db: 'test', role: 'test', privilege: 'usage', object_type: 'sequence', } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__grant('test') } it { is_expected.to contain_postgresql_psql('grant:test').with( 'command' => %r{GRANT USAGE ON SEQUENCE "test" TO\s* "test"}m, 'unless' => %r{SELECT 1 WHERE has_sequence_privilege\('test',\s* 'test', 'USAGE'\)}m, ) } end context 'SeQuEnCe case insensitive object_type match' do let :params do { db: 'test', role: 'test', privilege: 'usage', object_type: 'SeQuEnCe', } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__grant('test') } it { is_expected.to contain_postgresql_psql('grant:test').with( 'command' => %r{GRANT USAGE ON SEQUENCE "test" TO\s* "test"}m, 'unless' => %r{SELECT 1 WHERE has_sequence_privilege\('test',\s* 'test', 'USAGE'\)}m, ) } end context 'all sequences' do let :params do { db: 'test', role: 'test', privilege: 'usage', object_type: 'all sequences in schema', object_name: 'public', } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__grant('test') } it { is_expected.to contain_postgresql_psql('grant:test').with( 'command' => %r{GRANT USAGE ON ALL SEQUENCES IN SCHEMA "public" TO\s* "test"}m, - 'unless' => %r{SELECT 1 FROM \(\s*SELECT sequence_name\s* FROM 
information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .*grantee='test'\s* AND object_schema='public'\s* AND privilege_type='USAGE'\s*\) P\s* HAVING count\(P\.sequence_name\) = 0}m, # rubocop:disable Metrics/LineLength + 'unless' => %r{SELECT 1 WHERE NOT EXISTS \(\s*SELECT sequence_name\s* FROM information_schema\.sequences\s* WHERE sequence_schema='public'\s* EXCEPT DISTINCT\s* SELECT object_name as sequence_name\s* FROM .* WHERE .*grantee='test'\s* AND object_schema='public'\s* AND privilege_type='USAGE'\s*\)}m, # rubocop:disable Metrics/LineLength ) } end context 'with specific db connection settings - default port' do let :params do { db: 'test', role: 'test', connect_settings: { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1' }, } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__grant('test') } it { is_expected.to contain_postgresql_psql('grant:test').with_connect_settings('PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1').with_port(5432) } end context 'with specific db connection settings - including port' do let :params do { db: 'test', role: 'test', connect_settings: { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGPORT' => '1234' }, } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__grant('test') } it { is_expected.to contain_postgresql_psql('grant:test').with_connect_settings('PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGPORT' => '1234') } end context 'with specific db connection settings - port overriden by explicit parameter' do let :params do { db: 'test', role: 'test', connect_settings: { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGPORT' => '1234' }, port: 5678, } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__grant('test') } it { 
is_expected.to contain_postgresql_psql('grant:test').with_connect_settings('PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGPORT' => '1234').with_port('5678') } end context 'with specific schema name' do let :params do { db: 'test', role: 'test', privilege: 'all', object_name: %w[myschema mytable], object_type: 'table', } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to contain_postgresql__server__grant('test') } it { is_expected.to contain_postgresql_psql('grant:test').with( 'command' => %r{GRANT ALL ON TABLE "myschema"."mytable" TO\s* "test"}m, 'unless' => %r{SELECT 1 WHERE has_table_privilege\('test',\s*'myschema.mytable', 'INSERT'\)}m, ) } end context 'invalid object_type' do let :params do { db: 'test', role: 'test', privilege: 'usage', object_type: 'invalid', } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to compile.and_raise_error(%r{parameter 'object_type' expects a match for Pattern}) } end context 'invalid object_name - wrong type' do let :params do { db: 'test', role: 'test', privilege: 'all', object_name: 1, object_type: 'table', } end let :pre_condition do "class {'postgresql::server':}" end it { is_expected.to compile.and_raise_error(%r{parameter 'object_name' expects a value of type (Array|Undef, Array,) or String, got Integer}) } end context 'invalid object_name - insufficent array elements' do let :params do { db: 'test', role: 'test', privilege: 'all', object_name: ['oops'], object_type: 'table', } end let :pre_condition do "class {'postgresql::server':}" end if Puppet::Util::Package.versioncmp(Puppet.version, '5.2.0') >= 0 it { is_expected.to compile.and_raise_error(%r{parameter 'object_name' variant 1 expects size to be 2, got 1}) } else it { is_expected.to compile.and_raise_error(%r{parameter 'object_name' variant 0 expects size to be 2, got 1}) } end end context 'invalid object_name - too many array elements' do let :params do { db: 'test', role: 'test', privilege: 
'all', object_name: %w[myschema mytable oops], object_type: 'table', } end let :pre_condition do "class {'postgresql::server':}" end if Puppet::Util::Package.versioncmp(Puppet.version, '5.2.0') >= 0 it { is_expected.to compile.and_raise_error(%r{parameter 'object_name' variant 1 expects size to be 2, got 3}) } else it { is_expected.to compile.and_raise_error(%r{parameter 'object_name' variant 0 expects size to be 2, got 3}) } end end end
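Review bot: in the manifests/server/grant.pp hunk (the `ALL TABLES IN SCHEMA` branch), all four new `$custom_unless` queries read `information_schema.role_table_grants`, which only lists grants whose grantor or grantee is an enabled role of the querying session; a superuser sees everything, but if `psql_user` is a non-superuser that is neither the table owner nor `$role`, the unless query never sees the grant and the GRANT/REVOKE is re-issued on every run (not idempotent). Either document that constraint next to the queries or check `has_table_privilege` per table instead. Two smaller points: the two GRANT checks enumerate `pg_catalog.pg_tables` (tables only) while `GRANT ... ON ALL TABLES IN SCHEMA` also applies to views, so a view lacking the privilege is not detected (harmless for convergence, but worth a comment); and `${unless_is}` in the `$_unless` default branch and `$sql_command` in `$grant_cmd` are not assigned anywhere in this hunk, so please confirm both are set on every `$ensure` path, since an unset `$unless_is` interpolates as an empty string and leaves the query ending in `= `, a SQL syntax error at apply time. The new comment block also has typos: `priviliges`, `consistant`, and `it's own` (should be `its own`).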
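Review bot: in the manifests/server/table_grant.pp hunk, `$ensure = undef` is passed straight through to `postgresql::server::grant`, so the effective default and accepted values (`present`/`absent`, as used with `ensure => absent` in the acceptance spec) come from the wrapped define; the header comment still only says "See README.md for more details", so make sure the README entry for `postgresql::server::table_grant` documents the new parameter. The missing-trailing-newline fix is fine.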
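Review bot: in the spec/acceptance/server/grant_spec.rb hunk, each of the three new TABLE examples re-runs `shell('psql --version')`, parses it with `%r{\s(\d\.\d)}` and compares `version >= '9.0'` as strings; that regex does not match a two-digit major such as `10.3` (no whitespace precedes `0.3`), so `match(...)[1]` raises on nil there, and the string comparison is not a numeric version comparison. Reuse the `let(:result)` / `let(:version)` helpers already defined in the sequence contexts and compare with `Gem::Version` (or `versioncmp`) instead. Also, the `begin ... end` wrappers with no `rescue`/`ensure` are no-ops and can be dropped; in the `REVOKE ... ON DATABASE` example the call order `apply_manifest(pp, catch_changes: true)` before `apply_manifest(pp, catch_failures: true)` is reversed from the convention used everywhere else in this file (failures first, then changes for idempotence), and "non-existant" in that example's description should be "non-existent".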
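Review bot: the spec/unit/defines/server/grant_spec.rb hunk only updates the `all sequences` unless regex, so none of the new grant.pp behaviour is pinned at the unit level. Add contexts for `ensure: 'absent'` (asserting `command` is a REVOKE built from `$sql_command`), for `object_type: 'all tables in schema'` with `privilege: 'all'` and with a single privilege (asserting the new `SELECT 1 WHERE NOT EXISTS ( SELECT 1 FROM pg_catalog.pg_tables` unless text for both ensure values), and for the `role_exists` onlyif; otherwise a regression in those branches only surfaces in acceptance runs gated on `version >= '9.0'`. Note also that the `with specific schema name` context still expects `has_table_privilege('test', 'myschema.mytable', 'INSERT')` for `privilege: 'all'`, the same INSERT-stands-for-ALL convention this patch removes from the ALL TABLES branch; the single-TABLE branch deserves the same treatment in a follow-up.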