+++ /dev/null
-# Resource postgresql::grant
-#
-# TODO: in mysql module, the grant resource name might look like this: 'user@host/dbname';
-# I think that the API for the resource type should split these up, because it's
-# easier / safer to recombine them for mysql than it is to parse them for other
-# databases. Also, in the mysql module, the hostname portion of that string
-# affects the user's ability to connect from remote hosts. In postgres this is
-# managed via pg_hba.conf; not sure if we want to try to reconcile that difference
-# in the modules or not.
-define postgresql::grant (
- $role,
- $db,
- # TODO: mysql supports an array of privileges here. We should do that if we
- # port this to ruby.
- $privilege = undef,
- $object_type = 'database',
- $object_name = $db,
- $psql_db = $postgresql::params::user,
- $psql_user = $postgresql::params::user
-) {
-
- ## Munge the input values
- $_object_type = upcase($object_type)
- $_privilege = upcase($privilege)
-
- ## Validate that the object type is known
- validate_string($_object_type,
- #'COLUMN',
- 'DATABASE',
- #'FOREIGN SERVER',
- #'FOREIGN DATA WRAPPER',
- #'FUNCTION',
- #'PROCEDURAL LANGUAGE',
- #'SCHEMA',
- #'SEQUENCE',
- 'TABLE',
- #'TABLESPACE',
- #'VIEW',
- )
-
- ## Validate that the object type's privilege is acceptable
- case $_object_type {
- 'DATABASE': {
- validate_string($_privilege,'CREATE','CONNECT','TEMPORARY','TEMP','ALL','ALL PRIVILEGES')
- $unless_function = 'has_database_privilege'
- $on_db = $psql_db
- }
- 'TABLE': {
- validate_string($_privilege,'SELECT','INSERT','UPDATE','REFERENCES','ALL','ALL PRIVILEGES')
- $unless_function = 'has_table_privilege'
- $on_db = $db
- }
- default: {
- fail("Missing privilege validation for object type ${_object_type}")
- }
- }
-
- # TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,
- # we need a way to test for it--and has_database_privilege does not recognize
- # 'ALL' as a valid privilege name. So we probably need to hard-code a mapping
- # between 'ALL' and the list of actual privileges that it entails, and loop
- # over them to check them. That sort of thing will probably need to wait until
- # we port this over to ruby, so, for now, we're just going to assume that if
- # they have "CREATE" privileges on a database, then they have "ALL". (I told
- # you that it was terrible!)
- $unless_privilege = $_privilege ? {
- 'ALL' => 'CREATE',
- default => $_privilege,
- }
- postgresql_psql { "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\"":
- db => $on_db,
- psql_user => $psql_user,
- psql_group => $postgresql::params::group,
- psql_path => $postgresql::params::psql_path,
- unless => "SELECT 1 WHERE ${unless_function}('${role}', '${object_name}', '${unless_privilege}')",
- }
-}