Defined Type: postgresql::server::instance::passwd

Defined in:
manifests/server/instance/passwd.pp

Summary

Overrides the default PostgreSQL superuser

Overview

Parameters:

  • user (String[1]) (defaults to: $postgresql::server::user)

    Overrides the default PostgreSQL superuser and owner of PostgreSQL-related files in the file system.

  • group (String[1]) (defaults to: $postgresql::server::group)

    Overrides the default postgres user group to be used for related files in the file system.

  • psql_path (Stdlib::Absolutepath) (defaults to: $postgresql::server::psql_path)

    Specifies the path to the psql command.

  • port (Stdlib::Port) (defaults to: $postgresql::server::port)

    Specifies the port for the PostgreSQL server to listen on. Default value: 5432, meaning the Postgres server listens on TCP port 5432. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.

  • database (String[1]) (defaults to: $postgresql::server::default_database)

    Specifies the name of the database to connect with. On most systems this is ‘postgres’.

  • module_workdir (Stdlib::Absolutepath) (defaults to: $postgresql::server::module_workdir)

    Working directory for the PostgreSQL module.

  • postgres_password (Optional[Variant[String[1], Sensitive[String[1]], Integer]]) (defaults to: $postgresql::server::postgres_password)

    Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres database, with a user called postgres and no password.



# File 'manifests/server/instance/passwd.pp', line 16

define postgresql::server::instance::passwd (
  String[1]                                                   $user              = $postgresql::server::user,
  String[1]                                                   $group             = $postgresql::server::group,
  Stdlib::Absolutepath                                        $psql_path         = $postgresql::server::psql_path,
  Stdlib::Port                                                $port              = $postgresql::server::port,
  String[1]                                                   $database          = $postgresql::server::default_database,
  Stdlib::Absolutepath                                        $module_workdir    = $postgresql::server::module_workdir,
  Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = $postgresql::server::postgres_password,
) {
  $real_postgres_password = if $postgres_password =~ Sensitive {
    $postgres_password.unwrap
  } else {
    $postgres_password
  }

  # psql will default to connecting as $user if you don't specify name
  $_datbase_user_same = $database == $user
  $_dboption = $_datbase_user_same ? {
    false => " --dbname ${stdlib::shell_escape($database)}",
    default => ''
  }

  if $real_postgres_password {
    # NOTE: this password-setting logic relies on the pg_hba.conf being
    #  configured to allow the postgres system user to connect via psql
    #  without specifying a password ('ident' or 'trust' security). This is
    #  the default for pg_hba.conf.
    $escaped = postgresql::postgresql_escape($real_postgres_password)
    $exec_command = "${stdlib::shell_escape($psql_path)}${_dboption} -c \"ALTER ROLE \\\"${stdlib::shell_escape($user)}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"" # lint:ignore:140chars
    exec { "set_postgres_postgrespw_${name}":
      # This command works w/no password because we run it as postgres system
      # user
      command     => $exec_command,
      user        => $user,
      group       => $group,
      logoutput   => true,
      cwd         => $module_workdir,
      environment => [
        "PGPASSWORD=${real_postgres_password}",
        "PGPORT=${port}",
        "NEWPASSWD_ESCAPED=${escaped}",
      ],
      # With this command we're passing -h to force TCP authentication, which
      # does require a password.  We specify the password via the PGPASSWORD
      # environment variable. If the password is correct (current), this
      # command will exit with an exit code of 0, which will prevent the main
      # command from running.
      unless      => "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null",
      path        => '/usr/bin:/usr/local/bin:/bin',
    }
  }
}
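
The exec above keeps the new password out of the command text: the command only names `${NEWPASSWD_ESCAPED}`, and the quoted value arrives through `environment`. The shell code below is an added example, not the module's code, showing what that buys at the shell layer and, for contrast, what happens when the same literal is pasted into the command string. It assumes the command string is parsed by a POSIX shell; `dollar_quote`, `sql_via_env`, `sql_interpolated` and the sample password are hypothetical, and `dollar_quote` is a simplified stand-in for `postgresql::postgresql_escape`, whose implementation is not shown on this page.

```shell
#!/bin/sh
# Added example, not the module's code. dollar_quote is a simplified
# stand-in for postgresql::postgresql_escape (not shown on the page).

# Wrap a value as a PostgreSQL dollar-quoted literal. The tag is lengthened
# until "$tag" is absent from the value, so the value cannot close the
# literal early, even when it ends in "$".
dollar_quote() {
  value=$1
  tag=pw
  while case $value in *"\$${tag}"*) true ;; *) false ;; esac; do
    tag="${tag}x"
  done
  printf '$%s$%s$%s$' "$tag" "$value" "$tag"
}

# The pattern the exec uses: the literal travels in the environment and the
# command text only names the variable. The child shell expands it inside
# double quotes and does not re-parse the result, so psql's -c argument
# would receive the password bytes unchanged.
sql_via_env() {
  NEWPASSWD_ESCAPED=$(dollar_quote "$1") \
    sh -c 'printf %s "ALTER ROLE \"postgres\" PASSWORD ${NEWPASSWD_ESCAPED}"'
}

# Contrast (what the pattern avoids): the literal pasted into the command
# text. The child shell now treats "$..." sequences in the password as syntax.
sql_interpolated() {
  sh -c "printf %s \"ALTER ROLE \\\"postgres\\\" PASSWORD $(dollar_quote "$1")\""
}

sample='pa$(echo INJECTED)ss'   # constructed sample password
sql_via_env "$sample"; echo      # password text reaches psql intact
sql_interpolated "$sample"; echo # password text was evaluated by the shell
```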