Defined Type: postgresql::server::role
- Defined in:
- manifests/server/role.pp
Overview
Define for creating a database role. See README.md for more information
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 |
# File 'manifests/server/role.pp', line 2
define postgresql::server::role(
$update_password = true,
$password_hash = false,
$createdb = false,
$createrole = false,
$db = $postgresql::server::default_database,
$port = undef,
$login = true,
$inherit = true,
$superuser = false,
$replication = false,
$connection_limit = '-1',
$username = $title,
$connect_settings = $postgresql::server::default_connect_settings,
Enum['present', 'absent'] $ensure = 'present',
) {
$psql_user = $postgresql::server::user
$psql_group = $postgresql::server::group
$psql_path = $postgresql::server::psql_path
$module_workdir = $postgresql::server::module_workdir
#
# Port, order of precedence: $port parameter, $connect_settings[PGPORT], $postgresql::server::port
#
if $port != undef {
$port_override = $port
} elsif $connect_settings != undef and has_key( $connect_settings, 'PGPORT') {
$port_override = undef
} else {
$port_override = $postgresql::server::port
}
# If possible use the version of the remote database, otherwise
# fallback to our local DB version
if $connect_settings != undef and has_key( $connect_settings, 'DBVERSION') {
$version = $connect_settings['DBVERSION']
} else {
$version = $postgresql::server::_version
}
Postgresql_psql {
db => $db,
port => $port_override,
psql_user => $psql_user,
psql_group => $psql_group,
psql_path => $psql_path,
connect_settings => $connect_settings,
cwd => $module_workdir,
require => Postgresql_psql["CREATE ROLE ${username} ENCRYPTED PASSWORD ****"],
}
if $ensure == 'present' {
$login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' }
$inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' }
$createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' }
$createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' }
$superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' }
$replication_sql = $replication ? { true => 'REPLICATION', default => '' }
if ($password_hash != false) {
$environment = "NEWPGPASSWD=${password_hash}"
$password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'"
} else {
$password_sql = ''
$environment = []
}
postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}",
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
environment => $environment,
require => undef,
}
postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolsuper = ${superuser}",
}
postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreatedb = ${createdb}",
}
postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreaterole = ${createrole}",
}
postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcanlogin = ${login}",
}
postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}",
}
if(versioncmp($version, '9.1') >= 0) {
if $replication_sql == '' {
postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}",
}
} else {
postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}",
}
}
}
postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}":
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}",
}
if $password_hash and $update_password {
if($password_hash =~ /^md5.+/) {
$pwd_hash_sql = $password_hash
} else {
$pwd_md5 = md5("${password_hash}${username}")
$pwd_hash_sql = "md5${pwd_md5}"
}
postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
command => "ALTER ROLE \"${username}\" ${password_sql}",
unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
environment => $environment,
}
}
} else {
# ensure == absent
postgresql_psql { "DROP ROLE \"${username}\"":
onlyif => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
require => undef,
}
}
}
|