feat(acls): allow merging of acls from multiple pillar files

It would be useful to be able to define acls in multiple different pillar files. This is not possible using a list because lists can not be merged. If we use a dict then salt can merge all the acls together. The key name for the lists is only used for sorting the groupings of acls. For backwards compatibility we check to see if postgres:acls is a list and handle it properly.
2025-04-17 10:10:31 +00:00 · 2017-01-27 23:25:33 +11:00 · 2017-01-27 23:25:33 +11:00 · 6f8eb6e527
commit 6f8eb6e527
parent 7529300c28
2 changed files with 32 additions and 23 deletions
--- a/pillar.example
+++ b/pillar.example
@ -68,10 +68,11 @@ postgres:
  # databases they can access. Records take one of these forms:
  #
  # acls:
-  #  - ['local', 'DATABASE',  'USER',  'METHOD']
-  #  - ['host', 'DATABASE',  'USER',  'ADDRESS', 'METHOD']
-  #  - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
-  #  - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+  #   group:
+  #     - ['local', 'DATABASE',  'USER',  'METHOD']
+  #     - ['host', 'DATABASE',  'USER',  'ADDRESS', 'METHOD']
+  #     - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+  #     - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
  #
  # The uppercase items must be replaced by actual values.
  # METHOD could be omitted, 'md5' will be appended by default.
@ -81,10 +82,13 @@ postgres:
  # If ``acls`` item value is empty ('', [], null), then the contents of
  # ``pg_hba.conf`` file will not be touched at all.
  acls:
-    - ['local', 'db0', 'connuser', 'peer map=users_as_appuser']
-    - ['local', 'db1', 'localUser']
-    - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
-    - ['host', 'all', 'all', '127.0.0.1/32', 'md5']
+    db1:
+      - ['local', 'db0', 'connuser', 'peer map=users_as_appuser']
+      - ['local', 'db1', 'localUser']
+    db2:
+      - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
+    all:
+      - ['host', 'all', 'all', '127.0.0.1/32', 'md5']

  identity_map:
    - ['users_as_appuser', 'jdoe', 'connuser']
--- a/postgres/templates/pg_hba.conf.j2
+++ b/postgres/templates/pg_hba.conf.j2
@ -20,21 +20,26 @@ local   all             postgres                                peer

 # TYPE  DATABASE        USER            ADDRESS                 METHOD

-{% for acl in acls %}
-  {%- if acl|first() == 'local' %}
+{%- if acls is list -%}
+  {%- set acls = {'_all': acls} %}
+{%- endif %}
+{%- for _, group in acls|dictsort %}
+  {%- for acl in group %}
+    {%- if acl|first() == 'local' %}
+
+      {%- if acl|length() == 3 %}
+        {%- do acl.extend(['', 'md5']) %}
+      {%- elif acl|length() == 4 %}
+        {%- do acl.insert(3, '') %}
+      {%- endif %}
+
+    {%- else %}
+
+      {%- if acl|length() == 4 %}
+        {%- do acl.append('md5') %}
+      {%- endif %}

-    {%- if acl|length() == 3 %}
-      {%- do acl.extend(['', 'md5']) %}
-    {%- elif acl|length() == 4 %}
-      {%- do acl.insert(3, '') %}
    {%- endif %}
-
-  {%- else %}
-
-    {%- if acl|length() == 4 %}
-      {%- do acl.append('md5') %}
-    {%- endif %}
-
-  {%- endif %}
 {{ '{0:<7} {1:<15} {2:<15} {3:<23} {4}'.format(*acl) }}
-{% endfor %}
+  {%- endfor %}
+{%- endfor %}