Better ACL handling in the pg_hba.conf file

2025-04-16 01:30:25 +00:00 · 2016-09-06 12:34:17 +03:00 · 2016-09-06 12:34:17 +03:00 · 1ec55e0b96
commit 1ec55e0b96
parent 6d150e60db
5 changed files with 83 additions and 51 deletions
--- a/pillar.example
+++ b/pillar.example
@ -4,7 +4,7 @@ postgres:
  # Version to install from upstream repository
  version: '9.3'

-  # This is Debian/Ubuntu specific package names
+  # These are Debian/Ubuntu specific package names
  pkg: 'postgresql-9.3'
  pkg_client: 'postgresql-client-9.3'

@ -13,7 +13,28 @@ postgres:
    - postgresql-contrib
    - postgresql-plpython

-  pg_hba.conf: salt://postgres/pg_hba.conf
+  # Path to the `pg_hba.conf` file Jinja template on Salt Fileserver
+  pg_hba.conf: salt://postgres/templates/pg_hba.conf.j2
+
+  # This section covers ACL management in the `pg_hba.conf` file.
+  # acls list controls: which hosts are allowed to connect, how clients
+  # are authenticated, which PostgreSQL user names they can use, which
+  # databases they can access. Records take one of these forms:
+  #
+  #acls:
+  #  - ['local', 'DATABASE',  'USER',  'METHOD']
+  #  - ['host', 'DATABASE',  'USER',  'ADDRESS', 'METHOD']
+  #  - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+  #  - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+  #
+  # The uppercase items must be replaced by actual values.
+  # METHOD could be omitted, 'md5' will be appended by default.
+  acls:
+    - ['local', 'db1', 'localUser']
+    - ['host', 'db2', 'remoteUser', '123.123.0.0/24']
+
+  # PostgreSQL service name
+  service: postgresql

  users:
    localUser:
@ -43,12 +64,6 @@ postgres:
      inherit: True
      replication: False

-  # This section cover this ACL management of the pg_hba.conf file.
-  # <type>, <database>, <user>, [host], <method>
-  acls:
-    - ['local', 'db1', 'localUser']
-    - ['host', 'db2', 'remoteUser', '123.123.0.0/24']
-
  tablespaces:
    my_space:
      directory: /srv/my_tablespace
--- a/postgres/defaults.yaml
+++ b/postgres/defaults.yaml
@ -1,21 +1,29 @@
 postgres:
+  use_upstream_repo: False
  pkg: postgresql
  pkg_dev: postgresql-devel
  pkg_libpq_dev: postgresql-libs
  pkg_client: postgresql-client
+  pkgs_extra: []
  python: python-psycopg2
-  service: postgresql
+  user: postgres
+  group: postgres
  conf_dir: /var/lib/pgsql/data
-  use_upstream_repo: False
+  pg_hba.conf: salt://postgres/templates/pg_hba.conf.j2
+  acls:
+    # "local" is for Unix domain socket connections only
+    - ['local', 'all', 'all', 'peer']
+    # IPv4 local connections:
+    - ['host', 'all', 'all', '127.0.0.1/32', 'md5']
+    # IPv6 local connections:
+    - ['host', 'all', 'all', '::1/128', 'md5']
+  service: postgresql
  users: {}
-  acls: []
  databases: {}
  tablespaces: {}
  postgresconf_backup: True
  postgresconf: ""
-  pg_hba.conf: salt://postgres/pg_hba.conf
-  user: postgres
-  group: postgres
+
  # if prepare_cluster is over-ridden in any of:
  # - osmap.yaml
  # - oscodenamemap.yaml
--- a/postgres/init.sls
+++ b/postgres/init.sls
@ -1,6 +1,6 @@
 # -*- mode: yaml -*-

-{%- from "postgres/map.jinja" import postgres with context %}
+{%- from "postgres/map.jinja" import postgres with context -%}

 {%- if postgres.use_upstream_repo %}

@ -46,9 +46,7 @@ postgresql-conf:
        {{ postgres.postgresconf|indent(8) }}
    - show_changes: True
    - append_if_not_found: True
-    {% if not postgres.postgresconf_backup|default(True) -%}
-    - backup: False
-    {% endif -%}
+    - backup: {{ postgres.postgresconf_backup }}
    - watch_in:
       - service: postgresql-running
    - require:
@ -63,7 +61,7 @@ postgresql-pg_hba:
    - template: jinja
    - user: {{ postgres.user }}
    - group: {{ postgres.group }}
-    - mode: 644
+    - mode: 600
    - require:
      - file: postgresql-config-dir

@ -77,7 +75,7 @@ postgresql-running:

 postgresql-extra-pkgs-installed:
  pkg.installed:
-    - pkgs: {{ postgres.pkgs_extra|default([], True) }}
+    - pkgs: {{ postgres.pkgs_extra }}

 {% for name, user in postgres.users.items()  %}
 postgresql-user-{{ name }}:
--- a/postgres/pg_hba.conf
+++ b/postgres/pg_hba.conf
@ -1,31 +0,0 @@
-# This section is managed by SaltStack, DO NOT EDIT
-#
-# SALTSTACK
-# TYPE		DATABASE	USER		ADDRESS		METHOD
-{% if 'acls' in pillar.get('postgres', {}) %}
-{% for acl in salt['pillar.get']('postgres:acls') %}
-{% if acl[0] == 'local' %}
-{{ acl[0] }}	{{ acl[1] }}	{{ acl[2] }}	{{ acl[3] if acl|length > 3 else 'md5' }}
-{% else %}
-{{ acl[0] }}	{{ acl[1] }}	{{ acl[2] }}	{{ acl[3] }}	{{ acl[4] if acl|length > 4 else 'md5' }}
-{% endif %}
-{% endfor %}
-{% endif %}
-# /SALTSTACK
-
-# DO NOT DISABLE!
-# If you change this first entry you will need to make sure that the
-# database superuser can access the database using some other method.
-# Noninteractive access to all databases is required during automatic
-# maintenance (custom daily cronjobs, replication, and similar tasks).
-#
-# Database administrative login by Unix domain socket
-local   all             postgres                                peer
-
-
-# "local" is for Unix domain socket connections only
-local   all             all                                     peer
-# IPv4 local connections:
-host    all             all             127.0.0.1/32            md5
-# IPv6 local connections:
-host    all             all             ::1/128                 md5
--- a/postgres/templates/pg_hba.conf.j2
+++ b/postgres/templates/pg_hba.conf.j2
@ -0,0 +1,42 @@
+{%- from "postgres/map.jinja" import postgres with context -%}
+
+######################################################################
+# ATTENTION! Managed by SaltStack.                                   #
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN! #
+######################################################################
+#
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file.
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+
+# Database administrative login by Unix domain socket
+local   all             postgres                                peer
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+{%- for acl in postgres.acls %}
+  {%- if acl|first() == 'local' %}
+
+    {%- if acl|length() == 3 %}
+      {%- do acl.extend(['', 'md5']) %}
+    {%- elif acl|length() == 4 %}
+      {%- do acl.insert(3, '') %}
+    {%- endif %}
+
+  {%- else %}
+
+    {%- if acl|length() == 4 %}
+      {%- do acl.append('md5') %}
+    {%- endif %}
+
+  {%- endif %}
+{{ '{:<8}{:<16}{:<16}{:<24}{}'.format(*acl) -}}
+{% endfor %}