1 # PRIVATE CLASS: do not call directly
2 class postgresql::server::passwd {
3 $postgres_password = $postgresql::server::postgres_password
4 $user = $postgresql::server::user
5 $group = $postgresql::server::group
6 $psql_path = $postgresql::server::psql_path
7 $port = $postgresql::server::port
8 $database = $postgresql::server::default_database
9 $module_workdir = $postgresql::server::module_workdir
11 # psql will default to connecting as $user if you don't specify name
12 $_datbase_user_same = $database == $user
13 $_dboption = $_datbase_user_same ? {
14 false => " --dbname ${database}",
18 if ($postgres_password != undef) {
19 # NOTE: this password-setting logic relies on the pg_hba.conf being
20 # configured to allow the postgres system user to connect via psql
21 # without specifying a password ('ident' or 'trust' security). This is
22 # the default for pg_hba.conf.
23 $escaped = postgresql_escape($postgres_password)
24 exec { 'set_postgres_postgrespw':
25 # This command works w/no password because we run it as postgres system
27 command => "${psql_path}${_dboption} -c \"ALTER ROLE \\\"${user}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"",
31 cwd => $module_workdir,
33 "PGPASSWORD=${postgres_password}",
35 "NEWPASSWD_ESCAPED=${escaped}",
37 # With this command we're passing -h to force TCP authentication, which
38 # does require a password. We specify the password via the PGPASSWORD
39 # environment variable. If the password is correct (current), this
40 # command will exit with an exit code of 0, which will prevent the main
41 # command from running.
42 unless => "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null",
43 path => '/usr/bin:/usr/local/bin:/bin',