Puppet Class: puppetdb::database::postgresql

Inherits:
puppetdb::params
Defined in:
manifests/database/postgresql.pp

Overview

Class for creating the PuppetDB postgresql database. See README.md for more information.

Parameters:

  • listen_addresses (Any) (defaults to: $puppetdb::params::database_host)
  • puppetdb_server (Any) (defaults to: $puppetdb::params::puppetdb_server)
  • database_name (Any) (defaults to: $puppetdb::params::database_name)
  • database_username (Any) (defaults to: $puppetdb::params::database_username)
  • database_password (Any) (defaults to: $puppetdb::params::database_password)
  • database_port (Any) (defaults to: $puppetdb::params::database_port)
  • manage_database (Any) (defaults to: $puppetdb::params::manage_database)
  • manage_server (Any) (defaults to: $puppetdb::params::manage_dbserver)
  • manage_package_repo (Any) (defaults to: $puppetdb::params::manage_pg_repo)
  • postgres_version (Any) (defaults to: $puppetdb::params::postgres_version)
  • postgresql_ssl_on (Any) (defaults to: $puppetdb::params::postgresql_ssl_on)
  • postgresql_ssl_key_path (Any) (defaults to: $puppetdb::params::postgresql_ssl_key_path)
  • postgresql_ssl_cert_path (Any) (defaults to: $puppetdb::params::postgresql_ssl_cert_path)
  • postgresql_ssl_ca_cert_path (Any) (defaults to: $puppetdb::params::postgresql_ssl_ca_cert_path)
  • read_database_username (Any) (defaults to: $puppetdb::params::read_database_username)
  • read_database_password (Any) (defaults to: $puppetdb::params::read_database_password)
  • read_database_host (Any) (defaults to: $puppetdb::params::read_database_host) 


3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
 
# File 'manifests/database/postgresql.pp', line 3

class puppetdb::database::postgresql (
  $listen_addresses            = $puppetdb::params::database_host,
  $puppetdb_server             = $puppetdb::params::puppetdb_server,
  $database_name               = $puppetdb::params::database_name,
  $database_username           = $puppetdb::params::database_username,
  $database_password           = $puppetdb::params::database_password,
  $database_port               = $puppetdb::params::database_port,
  $manage_database             = $puppetdb::params::manage_database,
  $manage_server               = $puppetdb::params::manage_dbserver,
  $manage_package_repo         = $puppetdb::params::manage_pg_repo,
  $postgres_version            = $puppetdb::params::postgres_version,
  $postgresql_ssl_on           = $puppetdb::params::postgresql_ssl_on,
  $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
  $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
  $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
  $read_database_username      = $puppetdb::params::read_database_username,
  $read_database_password      = $puppetdb::params::read_database_password,
  $read_database_host          = $puppetdb::params::read_database_host
) inherits puppetdb::params {

  if $manage_server {
    class { '::postgresql::globals':
      manage_package_repo => $manage_package_repo,
      version             => $postgres_version,
    }
    # get the pg server up and running
    class { '::postgresql::server':
      ip_mask_allow_all_users => '0.0.0.0/0',
      listen_addresses        => $listen_addresses,
      port                    => scanf($database_port, '%i')[0],
    }

    # We need to create the ssl connection for the read user, when
    # manage_database is set to true, or when read_database_host is defined.
    # Otherwise we don't create it.
    if $manage_database or $read_database_host != undef{
      $create_read_user_rule = true
    } else {
      $create_read_user_rule = false
    }

    # configure PostgreSQL communication with Puppet Agent SSL certificates if
    # postgresql_ssl_on is set to true
    if $postgresql_ssl_on {
      class { 'puppetdb::database::ssl_configuration':
        database_name               => $database_name,
        database_username           => $database_username,
        read_database_username      => $read_database_username,
        puppetdb_server             => $puppetdb_server,
        postgresql_ssl_key_path     => $postgresql_ssl_key_path,
        postgresql_ssl_cert_path    => $postgresql_ssl_cert_path,
        postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,
        create_read_user_rule       => $create_read_user_rule
      }
    }

    # Only install pg_trgm extension, if database it is actually managed by the module
    if $manage_database {

      # get the pg contrib to use pg_trgm extension
      class { '::postgresql::server::contrib': }

      postgresql::server::extension { 'pg_trgm':
        database => $database_name,
        require  => Postgresql::Server::Db[$database_name],
      }
    }
  }

  if $manage_database {
    # create the puppetdb database
    postgresql::server::db { $database_name:
      user     => $database_username,
      password => $database_password,
      grant    => 'all',
    }

    -> postgresql_psql { 'revoke all access on public schema':
      db      => $database_name,
      command => 'REVOKE CREATE ON SCHEMA public FROM public',
      unless  => "SELECT * FROM
                  (SELECT has_schema_privilege('public', 'public', 'create') can_create) privs
                WHERE privs.can_create=false",
    }

    -> postgresql_psql { "grant all permissions to ${database_username}":
      db      => $database_name,
      command => "GRANT CREATE ON SCHEMA public TO \"${database_username}\"",
      unless  => "SELECT * FROM
                  (SELECT has_schema_privilege('${database_username}', 'public', 'create') can_create) privs
                WHERE privs.can_create=true",
    }

    -> puppetdb::database::read_only_user { $read_database_username:
      read_database_username => $read_database_username,
      database_name          => $database_name,
      password_hash          => postgresql::postgresql_password($read_database_username, $read_database_password),
      database_owner         => $database_username
    }

    -> postgresql_psql { "grant ${read_database_username} role to ${database_username}":
      db      => $database_name,
      command => "GRANT \"${read_database_username}\" TO \"${database_username}\"",
      unless  => "SELECT oid, rolname FROM pg_roles WHERE
                   pg_has_role( '${database_username}', oid, 'member') and rolname = '${read_database_username}'";
    }
  }
}