1 # This resource manages an individual rule that applies to the file defined in
2 # $target. See README.md for more details.
3 define postgresql::server::pg_hba_rule(
4 Enum['local', 'host', 'hostssl', 'hostnossl'] $type,
8 Optional[String] $address = undef,
9 String $description = 'none',
10 Optional[String] $auth_option = undef,
11 Variant[String, Integer] $order = 150,
13 # Needed for testing primarily, support for multiple files is not really
15 Stdlib::Absolutepath $target = $postgresql::server::pg_hba_conf_path,
16 String $postgresql_version = $postgresql::server::_version
19 #Allow users to manage pg_hba.conf even if they are not managing the whole PostgreSQL instance
20 if !defined( 'postgresql::server' ) {
21 $manage_pg_hba_conf = true
24 $manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf
27 if $manage_pg_hba_conf == false {
28 fail('postgresql::server::manage_pg_hba_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
31 if($type =~ /^host/ and $address == undef) {
32 fail('You must specify an address property when type is host based')
35 $allowed_auth_methods = $postgresql_version ? {
36 '9.6' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'bsd'],
37 '9.5' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
38 '9.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
39 '9.3' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
40 '9.2' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
41 '9.1' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
42 '9.0' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
43 '8.4' => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
44 '8.3' => ['trust', 'reject', 'md5', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
45 '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
46 '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
47 default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt', 'bsd']
50 assert_type(Enum[$allowed_auth_methods], $auth_method)
52 # Create a rule fragment
53 $fragname = "pg_hba_rule_${name}"
54 concat::fragment { $fragname:
56 content => template('postgresql/pg_hba_rule.conf'),