1 # Defined type that creates and manages a PostgreSQL database role. See README.md for more information.
# Declares one PostgreSQL role: a CREATE ROLE guarded by a pg_roles lookup,
# followed by one ALTER ROLE per attribute, each guarded by its own `unless`
# query so it only runs when the stored value differs.
# NOTE(review): several names used below ($username, $port, $login, $inherit,
# $createrole, $createdb, $superuser, $replication) are not declared in the
# lines visible here; confirm their types and validation where they are declared.
2 define postgresql::server::role(
# When true (the default), an existing role's password is re-checked and reset
# by the ALTER ROLE ... PASSWORD resource near the end of this define.
3 $update_password = true,
# false means "no password managed". Despite the name, the value is not
# necessarily a hash: anything not starting with "md5" is run through md5()
# below, so it may be a cleartext password.
4 $password_hash = false,
7 $db = $postgresql::server::default_database,
# Interpolated unquoted into SQL text further down.
13 $connection_limit = '-1',
15 $connect_settings = $postgresql::server::default_connect_settings,
17 $psql_user = $postgresql::server::user
18 $psql_group = $postgresql::server::group
19 $psql_path = $postgresql::server::psql_path
20 $module_workdir = $postgresql::server::module_workdir
23 # Port, order of precedence: $port parameter, $connect_settings[PGPORT], $postgresql::server::port
26 $port_override = $port
27 } elsif $connect_settings != undef and has_key( $connect_settings, 'PGPORT') {
# Presumably left undef so the PGPORT entry in $connect_settings is the one
# that takes effect - confirm in postgresql_psql.
28 $port_override = undef
30 $port_override = $postgresql::server::port
33 # If possible use the version of the remote database, otherwise
34 # fall back to our local DB version
35 if $connect_settings != undef and has_key( $connect_settings, 'DBVERSION') {
36 $version = $connect_settings['DBVERSION']
38 $version = $postgresql::server::_version
# Map each boolean attribute to its SQL keyword. Only the literal `true`
# selects the granting keyword; every other value falls to `default`.
41 $login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' }
42 $inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' }
43 $createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' }
44 $createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' }
45 $superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' }
# Unlike the others, the false case is an empty string rather than
# NOREPLICATION; the version-gated branch below handles that case separately.
46 $replication_sql = $replication ? { true => 'REPLICATION', default => '' }
47 if ($password_hash != false) {
# The secret is handed to the psql process through the NEWPGPASSWD environment
# variable, and the SQL text carries only the literal `$NEWPGPASSWD` (the `\$`
# stops Puppet from interpolating it). This keeps the value out of resource
# titles and the command string.
# NOTE(review): whatever expands $NEWPGPASSWD is outside this listing. If the
# expansion is textual, a value containing a single quote would end the SQL
# literal early - confirm how postgresql_psql substitutes it. Process
# environments can also be readable by other local principals on some systems.
48 $environment = "NEWPGPASSWD=${password_hash}"
49 $password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'"
57 port => $port_override,
58 psql_user => $psql_user,
59 psql_group => $psql_group,
60 psql_path => $psql_path,
61 connect_settings => $connect_settings,
62 cwd => $module_workdir,
64 Postgresql_psql["CREATE ROLE ${username} ENCRYPTED PASSWORD ****"],
65 Class['postgresql::server'],
# The title masks the password with a literal "****" so the secret never
# appears in the resource name.
# NOTE(review): ${username} is placed inside a double-quoted identifier in
# `command` and inside a single-quoted literal in `unless` with no escaping
# visible here, and ${connection_limit} is interpolated unquoted. A value
# containing a quote character would change the statement, so these need
# validating or escaping where the parameters are declared - confirm.
69 postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
70 command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}",
# Skip creation when a role of this name already exists.
71 unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
72 environment => $environment,
73 require => Class['Postgresql::Server'],
# One ALTER ROLE per attribute. In these resources the title is the SQL
# statement, and each `unless` compares the catalog column with the requested
# value, which is interpolated directly into the query text.
76 postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}":
77 unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolsuper = ${superuser}",
80 postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}":
81 unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreatedb = ${createdb}",
84 postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}":
85 unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreaterole = ${createrole}",
88 postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}":
89 unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcanlogin = ${login}",
92 postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}":
93 unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}",
# The replication attribute is only handled when the target version is 9.1 or
# later; $version comes from DBVERSION in $connect_settings when present.
96 if(versioncmp($version, '9.1') >= 0) {
97 if $replication_sql == '' {
98 postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION":
99 unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}",
102 postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}":
103 unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}",
108 postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}":
109 unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}",
# Password maintenance for an existing role; runs only when a password is
# supplied and $update_password is true.
112 if $password_hash and $update_password {
# A value starting with "md5" followed by at least one character is treated as
# an already-computed hash and used verbatim. The pattern does not check the
# length or that the rest is hex, so a cleartext password that happens to begin
# with "md5" would be taken as a hash.
113 if($password_hash =~ /^md5.+/) {
114 $pwd_hash_sql = $password_hash
# Otherwise derive "md5" + md5(password . username), the form compared against
# pg_shadow.passwd below.
116 $pwd_md5 = md5("${password_hash}${username}")
117 $pwd_hash_sql = "md5${pwd_md5}"
119 postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
120 command => "ALTER ROLE \"${username}\" ${password_sql}",
# NOTE(review): unlike `command`, this query embeds the password hash in the
# SQL text itself, so it may surface wherever the `unless` statement is logged
# or displayed - confirm how postgresql_psql reports it.
# NOTE(review): the comparison assumes an md5-format value in pg_shadow.passwd;
# if the server stores a different verifier format it would presumably never
# match and the ALTER would run on every apply - confirm against the target
# server's password_encryption setting.
121 unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
122 environment => $environment,