X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=3rdparty%2Fmodules%2Fpostgresql%2Fmanifests%2Fgrant.pp;fp=3rdparty%2Fmodules%2Fpostgresql%2Fmanifests%2Fgrant.pp;h=0000000000000000000000000000000000000000;hb=a69999e580f8b3abd12446c2d6ad59e517651813;hp=6b383b3d50637da442bf4f115e162e64bff654fe;hpb=e7b6b352165009c385c52fcfe5a1055690dbfa4b;p=mirror%2Fdsa-puppet.git
diff --git a/3rdparty/modules/postgresql/manifests/grant.pp b/3rdparty/modules/postgresql/manifests/grant.pp
deleted file mode 100644
index 6b383b3d5..000000000
--- a/3rdparty/modules/postgresql/manifests/grant.pp
+++ /dev/null
@@ -1,77 +0,0 @@
-# Resource postgresql::grant
-#
-# TODO: in mysql module, the grant resource name might look like this: 'user@host/dbname';
-# I think that the API for the resource type should split these up, because it's
-# easier / safer to recombine them for mysql than it is to parse them for other
-# databases. Also, in the mysql module, the hostname portion of that string
-# affects the user's ability to connect from remote hosts. In postgres this is
-# managed via pg_hba.conf; not sure if we want to try to reconcile that difference
-# in the modules or not.
-define postgresql::grant (
- $role,
- $db,
- # TODO: mysql supports an array of privileges here. We should do that if we
- # port this to ruby.
- $privilege = undef,
- $object_type = 'database',
- $object_name = $db,
- $psql_db = $postgresql::params::user,
- $psql_user = $postgresql::params::user
-) {
-
- ## Munge the input values
- $_object_type = upcase($object_type)
- $_privilege = upcase($privilege)
-
- ## Validate that the object type is known
- validate_string($_object_type,
- #'COLUMN',
- 'DATABASE',
- #'FOREIGN SERVER',
- #'FOREIGN DATA WRAPPER',
- #'FUNCTION',
- #'PROCEDURAL LANGUAGE',
- #'SCHEMA',
- #'SEQUENCE',
- 'TABLE',
- #'TABLESPACE',
- #'VIEW',
- )
-
- ## Validate that the object type's privilege is acceptable
- case $_object_type {
- 'DATABASE': {
- validate_string($_privilege,'CREATE','CONNECT','TEMPORARY','TEMP','ALL','ALL PRIVILEGES')
- $unless_function = 'has_database_privilege'
- $on_db = $psql_db
- }
- 'TABLE': {
- validate_string($_privilege,'SELECT','INSERT','UPDATE','REFERENCES','ALL','ALL PRIVILEGES')
- $unless_function = 'has_table_privilege'
- $on_db = $db
- }
- default: {
- fail("Missing privilege validation for object type ${_object_type}")
- }
- }
-
- # TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,
- # we need a way to test for it--and has_database_privilege does not recognize
- # 'ALL' as a valid privilege name. So we probably need to hard-code a mapping
- # between 'ALL' and the list of actual privileges that it entails, and loop
- # over them to check them. That sort of thing will probably need to wait until
- # we port this over to ruby, so, for now, we're just going to assume that if
- # they have "CREATE" privileges on a database, then they have "ALL". (I told
- # you that it was terrible!)
- $unless_privilege = $_privilege ? {
- 'ALL' => 'CREATE',
- default => $_privilege,
- }
- postgresql_psql { "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\"":
- db => $on_db,
- psql_user => $psql_user,
- psql_group => $postgresql::params::group,
- psql_path => $postgresql::params::psql_path,
- unless => "SELECT 1 WHERE ${unless_function}('${role}', '${object_name}', '${unless_privilege}')",
- }
-}