saltstack-formulas/postgres-formula
1
0
Fork 0
mirror of https://github.com/saltstack-formulas/postgres-formula.git synced 2025-04-16 01:30:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #118 from vutny/acls-template

Browse source 
Better ACL handling in the `pg_hba.conf` file
This commit is contained in:
Forrest 2016-09-08 09:12:16 -07:00 committed by GitHub
commit dd0be32810
5 changed files with 83 additions and 51 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
pillar.example
View file

@ -4,7 +4,7 @@ postgres:
# Version to install from upstream repository # Version to install from upstream repository
version: '9.3' version: '9.3'
# This is Debian/Ubuntu specific package names # These are Debian/Ubuntu specific package names
pkg: 'postgresql-9.3' pkg: 'postgresql-9.3'
pkg_client: 'postgresql-client-9.3' pkg_client: 'postgresql-client-9.3'
@ -13,7 +13,28 @@ postgres:
- postgresql-contrib - postgresql-contrib
- postgresql-plpython - postgresql-plpython
pg_hba.conf: salt://postgres/pg_hba.conf # Path to the `pg_hba.conf` file Jinja template on Salt Fileserver
pg_hba.conf: salt://postgres/templates/pg_hba.conf.j2
# This section covers ACL management in the `pg_hba.conf` file.
# acls list controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
#acls:
# - ['local', 'DATABASE', 'USER', 'METHOD']
# - ['host', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
# - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
# - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
#
# The uppercase items must be replaced by actual values.
# METHOD could be omitted, 'md5' will be appended by default.
acls:
- ['local', 'db1', 'localUser']
- ['host', 'db2', 'remoteUser', '123.123.0.0/24']
# PostgreSQL service name
service: postgresql
users: users:
localUser: localUser:
@ -43,12 +64,6 @@ postgres:
inherit: True inherit: True
replication: False replication: False
# This section cover this ACL management of the pg_hba.conf file.
# <type>, <database>, <user>, [host], <method>
acls:
- ['local', 'db1', 'localUser']
- ['host', 'db2', 'remoteUser', '123.123.0.0/24']
tablespaces: tablespaces:
my_space: my_space:
directory: /srv/my_tablespace directory: /srv/my_tablespace

20
postgres/defaults.yaml
View file

@ -1,21 +1,29 @@
postgres: postgres:
use_upstream_repo: False
pkg: postgresql pkg: postgresql
pkg_dev: postgresql-devel pkg_dev: postgresql-devel
pkg_libpq_dev: postgresql-libs pkg_libpq_dev: postgresql-libs
pkg_client: postgresql-client pkg_client: postgresql-client
pkgs_extra: []
python: python-psycopg2 python: python-psycopg2
service: postgresql user: postgres
group: postgres
conf_dir: /var/lib/pgsql/data conf_dir: /var/lib/pgsql/data
use_upstream_repo: False pg_hba.conf: salt://postgres/templates/pg_hba.conf.j2
acls:
# "local" is for Unix domain socket connections only
- ['local', 'all', 'all', 'peer']
# IPv4 local connections:
- ['host', 'all', 'all', '127.0.0.1/32', 'md5']
# IPv6 local connections:
- ['host', 'all', 'all', '::1/128', 'md5']
service: postgresql
users: {} users: {}
acls: []
databases: {} databases: {}
tablespaces: {} tablespaces: {}
postgresconf_backup: True postgresconf_backup: True
postgresconf: "" postgresconf: ""
pg_hba.conf: salt://postgres/pg_hba.conf
user: postgres
group: postgres
# if prepare_cluster is over-ridden in any of: # if prepare_cluster is over-ridden in any of:
# - osmap.yaml # - osmap.yaml
# - oscodenamemap.yaml # - oscodenamemap.yaml

10
postgres/init.sls
View file

@ -1,6 +1,6 @@
# -*- mode: yaml -*- # -*- mode: yaml -*-
{%- from "postgres/map.jinja" import postgres with context %} {%- from "postgres/map.jinja" import postgres with context -%}
{%- if postgres.use_upstream_repo %} {%- if postgres.use_upstream_repo %}
@ -46,9 +46,7 @@ postgresql-conf:
{{ postgres.postgresconf|indent(8) }} {{ postgres.postgresconf|indent(8) }}
- show_changes: True - show_changes: True
- append_if_not_found: True - append_if_not_found: True
{% if not postgres.postgresconf_backup|default(True) -%} - backup: {{ postgres.postgresconf_backup }}
- backup: False
{% endif -%}
- watch_in: - watch_in:
- service: postgresql-running - service: postgresql-running
- require: - require:
@ -63,7 +61,7 @@ postgresql-pg_hba:
- template: jinja - template: jinja
- user: {{ postgres.user }} - user: {{ postgres.user }}
- group: {{ postgres.group }} - group: {{ postgres.group }}
- mode: 644 - mode: 600
- require: - require:
- file: postgresql-config-dir - file: postgresql-config-dir
@ -77,7 +75,7 @@ postgresql-running:
postgresql-extra-pkgs-installed: postgresql-extra-pkgs-installed:
pkg.installed: pkg.installed:
- pkgs: {{ postgres.pkgs_extra|default([], True) }} - pkgs: {{ postgres.pkgs_extra }}
{% for name, user in postgres.users.items() %} {% for name, user in postgres.users.items() %}
postgresql-user-{{ name }}: postgresql-user-{{ name }}:

31
postgres/pg_hba.conf
View file

@ -1,31 +0,0 @@
# This section is managed by SaltStack, DO NOT EDIT
#
# SALTSTACK
# TYPE DATABASE USER ADDRESS METHOD
{% if 'acls' in pillar.get('postgres', {}) %}
{% for acl in salt['pillar.get']('postgres:acls') %}
{% if acl[0] == 'local' %}
{{ acl[0] }} {{ acl[1] }} {{ acl[2] }} {{ acl[3] if acl|length > 3 else 'md5' }}
{% else %}
{{ acl[0] }} {{ acl[1] }} {{ acl[2] }} {{ acl[3] }} {{ acl[4] if acl|length > 4 else 'md5' }}
{% endif %}
{% endfor %}
{% endif %}
# /SALTSTACK
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5

42
postgres/templates/pg_hba.conf.j2 Normal file
View file

@ -0,0 +1,42 @@
{%- from "postgres/map.jinja" import postgres with context -%}
######################################################################
# ATTENTION! Managed by SaltStack. #
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN! #
######################################################################
#
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file.
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
{%- for acl in postgres.acls %}
{%- if acl|first() == 'local' %}
{%- if acl|length() == 3 %}
{%- do acl.extend(['', 'md5']) %}
{%- elif acl|length() == 4 %}
{%- do acl.insert(3, '') %}
{%- endif %}
{%- else %}
{%- if acl|length() == 4 %}
{%- do acl.append('md5') %}
{%- endif %}
{%- endif %}
{{ '{:<8}{:<16}{:<16}{:<24}{}'.format(*acl) -}}
{% endfor %}