16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
# File 'manifests/server/instance/passwd.pp', line 16
define postgresql::server::instance::passwd (
String[1] $user = $postgresql::server::user,
String[1] $group = $postgresql::server::group,
Variant[String[1], Stdlib::Absolutepath] $psql_path = $postgresql::server::psql_path,
Variant[String[1], Stdlib::Port] $port = $postgresql::server::port,
String[1] $database = $postgresql::server::default_database,
String[1] $module_workdir = $postgresql::server::module_workdir,
Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = $postgresql::server::postgres_password,
) {
if $port =~ String {
deprecation('postgres_port', 'Passing a string to the port parameter is deprecated. Stdlib::Port will be the enforced datatype in the next major release')
}
$real_postgres_password = if $postgres_password =~ Sensitive {
$postgres_password.unwrap
} else {
$postgres_password
}
# psql will default to connecting as $user if you don't specify name
$_datbase_user_same = $database == $user
$_dboption = $_datbase_user_same ? {
false => " --dbname ${shell_escape($database)}",
default => ''
}
if $real_postgres_password {
# NOTE: this password-setting logic relies on the pg_hba.conf being
# configured to allow the postgres system user to connect via psql
# without specifying a password ('ident' or 'trust' security). This is
# the default for pg_hba.conf.
$escaped = postgresql::postgresql_escape($real_postgres_password)
$exec_command = "${shell_escape($psql_path)}${_dboption} -c \"ALTER ROLE \\\"${shell_escape($user)}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"" # lint:ignore:140chars
exec { 'set_postgres_postgrespw':
# This command works w/no password because we run it as postgres system
# user
command => $exec_command,
user => $user,
group => $group,
logoutput => true,
cwd => $module_workdir,
environment => [
"PGPASSWORD=${real_postgres_password}",
"PGPORT=${port}",
"NEWPASSWD_ESCAPED=${escaped}",
],
# With this command we're passing -h to force TCP authentication, which
# does require a password. We specify the password via the PGPASSWORD
# environment variable. If the password is correct (current), this
# command will exit with an exit code of 0, which will prevent the main
# command from running.
unless => "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null",
path => '/usr/bin:/usr/local/bin:/bin',
}
}
}
|