7 1. [Overview - What is the PostgreSQL module?](#overview)
8 2. [Module Description - What does the module do?](#module-description)
9 3. [Setup - The basics of getting started with PostgreSQL module](#setup)
10 4. [Usage - How to use the module for various tasks](#usage)
11 5. [Reference - The classes, defines,functions and facts available in this module](#reference)
12 6. [Limitations - OS compatibility, etc.](#limitations)
13 7. [Development - Guide for contributing to the module](#development)
14 8. [Disclaimer - Licensing information](#disclaimer)
15 9. [Transfer Notice - Notice of authorship change](#transfer-notice)
16 10. [Contributors - List of module contributors](#contributors)
21 The PostgreSQL module allows you to easily manage postgres databases with Puppet.
26 PostgreSQL is a high-performance, free, open-source relational database server. The postgresql module allows you to manage PostgreSQL packages and services on several operating systems, while also supporting basic management of PostgreSQL databases and users. The module offers support for managing firewall for postgres ports on RedHat-based distros, as well as support for basic management of common security settings.
31 **What puppetlabs-PostgreSQL affects:**
33 * package/service/configuration files for PostgreSQL
35 * system firewall (optional)
36 * IP and mask (optional)
38 **Introductory Questions**
40 The postgresql module offers many security configuration settings. Before getting started, you will want to consider:
42 * Do you want/need to allow remote connections?
43 * If yes, what about TCP connections?
44 * Would you prefer to work around your current firewall settings or overwrite some of them?
45 * How restrictive do you want the database superuser's permissions to be?
47 Your answers to these questions will determine which of the module's parameters you'll want to specify values for.
49 ###Configuring the server
51 The main configuration you’ll need to do will be around the `postgresql::server` class. The default parameters are reasonable, but fairly restrictive regarding permissions for who can connect and from where. To manage a PostgreSQL server with sane defaults:
53 include postgresql::server
55 For a more customized, less restrictive configuration:
57 class { 'postgresql::server':
59 'ip_mask_deny_postgres_user' => '0.0.0.0/32',
60 'ip_mask_allow_all_users' => '0.0.0.0/0',
61 'listen_addresses' => '*',
62 'ipv4acls' => ['hostssl all johndoe 192.168.0.0/24 cert'],
63 'manage_redhat_firewall' => true,
64 'manage_pg_hba_conf' => false,
65 'postgres_password' => 'TPSrep0rt!',
69 Once you've completed your configuration of `postgresql::server`, you can test out your settings from the command line:
71 $ psql -h localhost -U postgres
72 $ psql -h my.postgres.server -U
74 If you get an error message from these commands, it means that your permissions are set in a way that restricts access from where you’re trying to connect. That might be a good thing or a bad thing, depending on your goals.
76 Advanced configuration setting parameters can be placed into `postgresql_puppet_extras.conf` (located in the same folder as `postgresql.conf`). You can manage that file as a normal puppet file resource, or however you see fit; which gives you complete control over the settings. Any value you specify in that file will override any existing value set in the templated version.
78 For more details about server configuration parameters consult the [PostgreSQL Runtime Configuration docs](http://www.postgresql.org/docs/9.2/static/runtime-config.html).
83 ###Creating a database
85 There are many ways to set up a postgres database using the `postgresql::db` class. For instance, to set up a database for PuppetDB (this assumes you’ve already got the `postgresql::server` set up to your liking in your manifest, as discussed above):
87 postgresql::db { 'mydatabasename':
88 user => 'mydatabaseuser',
89 password => 'mypassword'
92 ###Managing users, roles and permissions
94 To manage users, roles and permissions:
96 postgresql::database_user{'marmot':
97 password_hash => 'foo',
100 postgresql::database_grant { 'test1':
106 postgresql::table_grant { 'my_table of test2':
114 In this example, you would grant ALL privileges on the test1 database and on the `my_table` table of the test2 database to the user or group specified by dan.
116 At this point, you would just need to plunk these database name/username/password values into your PuppetDB config files, and you are good to go.
121 The postgresql module comes with many options for configuring the server. While you are unlikely to use all of the below settings, they allow you a decent amount of control over your security settings.
125 * [postgresql](#class-postgresql)
126 * [postgresql::server](#class-postgresqlserver)
127 * [postgresql::client](#class-postgresqlclient)
128 * [postgresql::contrib](#class-postgresqlcontrib)
129 * [postgresql::devel](#class-postgresqldevel)
130 * [postgresql::java](#class-postgresqljava)
131 * [postgresql::python](#class-postgresqlpython)
135 * [postgresql::db](#resource-postgresqldb)
136 * [postgresql::database](#resource-postgresqldatabase)
137 * [postgresql::database_grant](#resource-postgresqldatabasegrant)
138 * [postgresql::table_grant](#resource-postgresqltablegrant)
139 * [postgresql::role](#resource-postgresqlrole)
140 * [postgresql::tablespace](#resource-postgresqltablespace)
141 * [postgresql::validate_db_connection](#resource-postgresqlvalidatedbconnection)
142 * [postgresql::pg_hba_rule](#resource-postgresqlpghbarule)
146 * [postgresql\_password](#function-postgresqlpassword)
147 * [postgresql\_acls\_to\_resources\_hash](#function-postgresqlaclstoresourceshashaclarray-id-orderoffset)
151 * [postgres\_default\_version](#fact-postgresdefaultversion)
154 This class is used to configure the main settings for this module, to be used by the other classes and defined resources. On its own it does nothing.
156 For example, if you wanted to overwrite the default `locale` and `charset` you could use the following combination:
158 class { 'postgresql':
162 class { 'postgresql::server':
165 That would make the `charset` and `locale` the default for all classes and defined resources in this module.
168 The version of PostgreSQL to install/manage. Defaults to your operating system default.
170 ####`manage_package_repo`
171 If `true` this will setup the official PostgreSQL repositories on your host. Defaults to `false`.
174 This will set the default database locale for all databases created with this module. On certain operating systems this will be used during the `template1` initialization as well so it becomes a default outside of the module as well. Defaults to `undef` which is effectively `C`.
177 This will set the default charset for all databases created with this module. On certain operating systems this will be used during the `template1` initialization as well so it becomes a default outside of the module as well. Defaults to `UTF8`.
180 This setting can be used to override the default postgresql data directory for the target platform. If not specified, the module will use whatever directory is the default for your OS distro.
183 This setting can be used to override the default postgresql configuration directory for the target platform. If not specified, the module will use whatever directory is the default for your OS distro.
186 This setting can be used to override the default postgresql binaries directory for the target platform. If not specified, the module will use whatever directory is the default for your OS distro.
188 ####`client_package_name`
189 This setting can be used to override the default postgresql client package name. If not specified, the module will use whatever package name is the default for your OS distro.
191 ####`server_package_name`
192 This setting can be used to override the default postgresql server package name. If not specified, the module will use whatever package name is the default for your OS distro.
194 ####`contrib_package_name`
195 This setting can be used to override the default postgresql contrib package name. If not specified, the module will use whatever package name is the default for your OS distro.
197 ####`devel_package_name`
198 This setting can be used to override the default postgresql devel package name. If not specified, the module will use whatever package name is the default for your OS distro.
200 ####`java_package_name`
201 This setting can be used to override the default postgresql java package name. If not specified, the module will use whatever package name is the default for your OS distro.
204 This setting can be used to override the default postgresql service name. If not specified, the module will use whatever service name is the default for your OS distro.
207 This setting can be used to override the default postgresql super user and owner of postgresql related files in the file system. If not specified, the module will use the user name 'postgres'.
210 This setting can be used to override the default postgresql user group to be used for related files in the file system. If not specified, the module will use the group name 'postgres'.
213 This setting can be used to explicitly call the initdb operation after server package is installed and before the postgresql service is started. If not specified, the module will decide whether to call initdb or not depending on your OS distro.
215 ###Class: postgresql::server
216 Here are the options that you can set in the `config_hash` parameter of `postgresql::server`:
219 This value default to `present`. When set to `absent` it will remove all packages, configuration and data so use this with extreme caution.
221 ####`postgres_password`
222 This value defaults to `undef`, meaning the super user account in the postgres database is a user called `postgres` and this account does not have a password. If you provide this setting, the module will set the password for the `postgres` user to your specified value.
224 ####`listen_addresses`
225 This value defaults to `localhost`, meaning the postgres server will only accept connections from localhost. If you’d like to be able to connect to postgres from remote machines, you can override this setting. A value of `*` will tell postgres to accept connections from any remote machine. Alternately, you can specify a comma-separated list of hostnames or IP addresses. (For more info, have a look at the `postgresql.conf` file from your system’s postgres package).
227 ####`manage_redhat_firewall`
228 This value defaults to `false`. Many RedHat-based distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you’d like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. *[This parameter is likely to change in future versions. Possible changes include support for non-RedHat systems and finer-grained control over the firewall rule (currently, it simply opens up the postgres port to all TCP connections).]*
230 ####`manage_pg_hba_conf`
231 This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
233 ####`ip_mask_allow_all_users`
234 This value defaults to `127.0.0.1/32`. By default, Postgres does not allow any database user accounts to connect via TCP from remote machines. If you’d like to allow them to, you can override this setting. You might set it to `0.0.0.0/0` to allow database users to connect from any remote machine, or `192.168.0.0/16` to allow connections from any machine on your local 192.168 subnet.
236 ####`ip_mask_deny_postgres_user`
237 This value defaults to `0.0.0.0/0`. Sometimes it can be useful to block the superuser account from remote connections if you are allowing other database users to connect remotely. Set this to an IP and mask for which you want to deny connections by the postgres superuser account. So, e.g., the default value of `0.0.0.0/0` will match any remote IP and deny access, so the postgres user won’t be able to connect remotely at all. Conversely, a value of `0.0.0.0/32` would not match any remote IP, and thus the deny rule will not be applied and the postgres user will be allowed to connect.
239 ####`pg_hba_conf_path`
240 If, for some reason, your system stores the `pg_hba.conf` file in a non-standard location, you can override the path here.
242 ####`postgresql_conf_path`
243 If, for some reason, your system stores the `postgresql.conf` file in a non-standard location, you can override the path here.
246 List of strings for access control for connection method, users, databases, IPv4 addresses; see [postgresql documentation](http://www.postgresql.org/docs/9.2/static/auth-pg-hba-conf.html) about `pg_hba.conf` for information (please note that the link will take you to documentation for the most recent version of Postgres, however links for earlier versions can be found on that page).
249 List of strings for access control for connection method, users, databases, IPv6 addresses; see [postgresql documentation](http://www.postgresql.org/docs/9.2/static/auth-pg-hba-conf.html) about `pg_hba.conf` for information (please note that the link will take you to documentation for the most recent version of Postgres, however links for earlier versions can be found on that page).
251 ###Class: postgresql::client
253 This class installs postgresql client software. Alter the following parameters if you have a custom version you would like to install (Note: don't forget to make sure to add any necessary yum or apt repositories if specifying a custom version):
256 The name of the postgresql client package.
259 The ensure parameter passed on to postgresql client package resource.
261 ###Class: postgresql::contrib
262 Installs the postgresql contrib package.
265 The name of the postgresql client package.
268 The ensure parameter passed on to postgresql contrib package resource.
270 ###Class: postgresql::devel
271 Installs the packages containing the development libraries for PostgreSQL.
274 Override for the `ensure` parameter during package installation. Defaults to `present`.
277 Overrides the default package name for the distribution you are installing to. Defaults to `postgresql-devel` or `postgresql<version>-devel` depending on your distro.
279 ###Class: postgresql::java
280 This class installs postgresql bindings for Java (JDBC). Alter the following parameters if you have a custom version you would like to install (Note: don't forget to make sure to add any necessary yum or apt repositories if specifying a custom version):
283 The name of the postgresql java package.
286 The ensure parameter passed on to postgresql java package resource.
288 ###Class: postgresql::python
289 This class installs the postgresql Python libraries. For customer requirements you can customise the following parameters:
292 The name of the postgresql python package.
295 The ensure parameter passed on to postgresql python package resource.
297 ###Resource: postgresql::db
298 This is a convenience resource that creates a database, user and assigns necessary permissions in one go.
300 For example, to create a database called `test1` with a corresponding user of the same name, you can use:
302 postgresql::db { 'test1':
308 The namevar for the resource designates the name of the database.
311 User to create and assign access to the database upon creation. Mandatory.
314 Password for the created user. Mandatory.
317 The name of the tablespace to allocate this database to. If not specifies, it defaults to the PostgreSQL default.
320 Override the character set during creation of the database. Defaults to the default defined during installation.
323 Override the locale during creation of the database. Defaults to the default defined during installation.
326 Grant permissions during creation. Defaults to `ALL`.
329 Define database as a template. Defaults to `false`.
331 ###Resource: postgresql::database
332 This defined type can be used to create a database with no users and no permissions, which is a rare use case.
335 Name of the database to create.
338 Name of the database user who should be set as the owner of the database. Defaults to `$postgresql::params::user`.
341 Tablespace for where to create this database. Defaults to the defaults defined during PostgreSQL installation.
344 Override the character set during creation of the database. Defaults to the default defined during installation.
347 Override the locale during creation of the database. Defaults to the default defined during installation.
350 Define database as a template. Defaults to `false`.
352 ###Resource: postgresql::database\_grant
353 This defined type manages grant based access privileges for users. Consult the PostgreSQL documentation for `grant` for more information.
356 Used to uniquely identify this resource, but functionality not used during grant.
359 Can be one of `SELECT`, `TEMPORARY`, `TEMP`, `CONNECT`. `ALL` is used as a synonym for `CREATE`. If you need to add multiple privileges, a space delimited string can be used.
362 Database to grant access to.
365 Role or user whom you are granting access for.
368 Database to execute the grant against. This should not ordinarily be changed from the default, which is `postgres`.
371 OS user for running `psql`. Defaults to the default user for the module, usually `postgres`.
373 ###Resource: postgresql::table\_grant
374 This defined type manages grant based access privileges for users. Consult the PostgreSQL documentation for `grant` for more information.
377 Used to uniquely identify this resource, but functionality not used during grant.
380 Can be one of `SELECT`, `INSERT`, `UPDATE`, `REFERENCES`. `ALL` is used as a synonym for `CREATE`. If you need to add multiple privileges, a space delimited string can be used.
383 Table to grant access on.
389 Role or user whom you are granting access for.
392 Database to execute the grant against. This should not ordinarily be changed from the default, which is `postgres`.
395 OS user for running `psql`. Defaults to the default user for the module, usually `postgres`.
397 ###Resource: postgresql::role
398 This resource creates a role or user in PostgreSQL.
401 The role name to create.
404 The hash to use during password creation. Use the `postgresql_password` function to provide an MD5 hash here.
407 Weither to grant the ability to create new databases with this role. Defaults to `false`.
410 Weither to grant the ability to create new roles with this role. Defaults to `false`.
413 Weither to grant login capability for the new role. Defaults to `false`.
416 Weither to grant super user capability for the new role. Defaults to `false`.
419 If `true` provides replication capabilities for this role. Defaults to `false`.
421 ####`connection_limit`
422 Specifies how many concurrent connections the role can make. Defaults to `-1` meaning no limit.
424 ###Resource: postgresql::tablespace
425 This defined type can be used to create a tablespace. For example:
427 postgresql::tablespace{ 'tablespace1':
428 location => '/srv/space1',
431 It will create the location if necessary, assigning it the same permissions as your
435 The tablespace name to create.
438 The path to locate this tablespace.
441 The default owner of the tablespace.
443 ###Resource: postgresql::validate\_db\_connection
444 This resource can be utilised inside composite manifests to validate that a client has a valid connection with a remote PostgreSQL database. It can be ran from any node where the PostgreSQL client software is installed to validate connectivity before commencing other dependent tasks in your Puppet manifests, so it is often used when chained to other tasks such as: starting an application server, performing a database migration.
448 postgresql::validate_db_connection { 'validate my postgres connection':
449 database_host => 'my.postgres.host',
450 database_username => 'mydbuser',
451 database_password => 'mydbpassword',
452 database_name => 'mydbname',
454 exec { 'rake db:migrate':
455 cwd => '/opt/myrubyapp',
459 Uniquely identify this resource, but functionally does nothing.
462 The hostname of the database you wish to test.
465 Port to use when connecting.
468 The name of the database you wish to test.
470 ####`database_username`
471 Username to connect with.
473 ####`database_password`
474 Password to connect with. Can be left blank, but that is not recommended.
476 ###Resource: postgresql::pg\_hba\_rule
477 This defined type allows you to create an access rule for `pg_hba.conf`. For more details see the [PostgreSQL documentation](http://www.postgresql.org/docs/8.2/static/auth-pg-hba-conf.html).
481 postgresql::pg_hba_rule { 'allow application network to access app database':
482 description => "Open up postgresql for access from 200.1.2.0/24",
486 address => '200.1.2.0/24',
487 auth_method => 'md5',
490 This would create a ruleset in `pg_hba.conf` similar to:
492 # Rule Name: allow application network to access app database
493 # Description: Open up postgresql for access from 200.1.2.0/24
495 host app app 200.1.2.0/24 md5
498 A unique identifier or short description for this rule. The namevar doesn't provide any functional usage, but it is stored in the comments of the produced `pg_hba.conf` so the originating resource can be identified.
501 A longer description for this rule if required. Defaults to `none`. This description is placed in the comments above the rule in `pg_hba.conf`.
504 The type of rule, this is usually one of: `local`, `host`, `hostssl` or `hostnossl`.
507 A comma separated list of databases that this rule matches.
510 A comma separated list of database users that this rule matches.
513 If the type is not 'local' you can provide a CIDR based address here for rule matching.
516 The `auth_method` is described further in the `pg_hba.conf` documentation, but it provides the method that is used for authentication for the connection that this rule matches.
519 For certain `auth_method` settings there are extra options that can be passed. Consult the PostgreSQL `pg_hba.conf` documentation for further details.
522 An order for placing the rule in `pg_hba.conf`. Defaults to `150`.
525 This provides the target for the rule, and is generally an internal only property. Use with caution.
527 ###Function: postgresql\_password
528 If you need to generate a postgres encrypted password, use `postgresql_password`. You can call it from your production manifests if you don't mind them containing the clear text versions of your passwords, or you can call it from the command line and then copy and paste the encrypted password into your manifest:
530 $ puppet apply --execute 'notify { "test": message => postgresql_password("username", "password") }'
532 ###Function: postgresql\_acls\_to\_resources\_hash(acl\_array, id, order\_offset)
533 This internal function converts a list of `pg_hba.conf` based acls (passed in as an array of strings) to a format compatible with the `postgresql::pg_hba_rule` resource.
535 **This function should only be used internally by the module**.
537 ###Fact: postgres\_default\_version
538 The module provides a Facter fact that can be used to determine what the default version of postgres is for your operating system/distribution. Depending on the distribution, it might be 8.1, 8.4, 9.1, or possibly another version. This can be useful in a few cases, like when building path strings for the postgres directories.
543 Works with versions of PostgreSQL from 8.1 through 9.2.
548 Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can't access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve.
550 We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things.
552 You can read the complete module contribution guide [on the Puppet Labs wiki.](http://projects.puppetlabs.com/projects/module-site/wiki/Module_contributing)
556 There are two types of tests distributed with the module. Unit tests with rspec-puppet and system tests using rspec-system.
558 For unit testing, make sure you have:
563 Install the necessary gems:
565 bundle install --path=vendor
567 And then run the unit tests:
569 bundle exec rake spec
571 The unit tests are ran in Travis-CI as well, if you want to see the results of your own tests regsiter the service hook through Travis-CI via the accounts section for your Github clone of this project.
573 If you want to run the system tests, make sure you also have:
576 * Virtualbox > 4.2.10
578 Then run the tests using:
580 bundle exec rake spec:system
582 To run the tests on different operating systems, see the sets available in .nodeset.yml and run the specific set with the following syntax:
584 RSPEC_SET=debian-607-x64 bundle exec rake spec:system
589 This Puppet module was originally authored by Inkling Systems. The maintainer preferred that Puppet Labs take ownership of the module for future improvement and maintenance as Puppet Labs is using it in the PuppetDB module. Existing pull requests and issues were transferred over, please fork and continue to contribute here instead of Inkling.
591 Previously: [https://github.com/inkling/puppet-postgresql](https://github.com/inkling/puppet-postgresql)
597 * [Kenn Knowles](https://github.com/kennknowles) ([@kennknowles](https://twitter.com/KennKnowles))
615 * William Van Hevelingen