X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=3rdparty%2Fmodules%2Fpostgresql%2Fmanifests%2Fconfig%2Fbeforeservice.pp;fp=3rdparty%2Fmodules%2Fpostgresql%2Fmanifests%2Fconfig%2Fbeforeservice.pp;h=1b30e2aaec203abd2ae0dcbe344d904afd569400;hb=a29c0d1b4d2420aeb3ef6acf66feb00709dd2652;hp=0000000000000000000000000000000000000000;hpb=d98d8ae49a60547132c555f3669f3b9ae6a666bd;p=mirror%2Fdsa-puppet.git

diff --git a/3rdparty/modules/postgresql/manifests/config/beforeservice.pp b/3rdparty/modules/postgresql/manifests/config/beforeservice.pp
new file mode 100644
index 000000000..1b30e2aae
--- /dev/null
+++ b/3rdparty/modules/postgresql/manifests/config/beforeservice.pp
@@ -0,0 +1,168 @@
+# Class: postgresql::config::beforeservice
+#
+# Parameters:
+#
+#   [*ip_mask_deny_postgres_user*]   - ip mask for denying remote access for postgres user; defaults to '0.0.0.0/0',
+#                                       meaning that all TCP access for postgres user is denied.
+#   [*ip_mask_allow_all_users*]      - ip mask for allowing remote access for other users (besides postgres);
+#                                       defaults to '127.0.0.1/32', meaning only allow connections from localhost
+#   [*listen_addresses*]        - what IP address(es) to listen on; comma-separated list of addresses; defaults to
+#                                    'localhost', '*' = all
+#   [*ipv4acls*]                - list of strings for access control for connection method, users, databases, IPv4
+#                                    addresses; see postgresql documentation about pg_hba.conf for information
+#   [*ipv6acls*]                - list of strings for access control for connection method, users, databases, IPv6
+#                                    addresses; see postgresql documentation about pg_hba.conf for information
+#   [*pg_hba_conf_path*]        - path to pg_hba.conf file
+#   [*postgresql_conf_path*]    - path to postgresql.conf file
+#   [*manage_redhat_firewall*]  - boolean indicating whether or not the module should open a port in the firewall on
+#                                    redhat-based systems; this parameter is likely to change in future versions.  Possible
+#                                    changes include support for non-RedHat systems and finer-grained control over the
+#                                    firewall rule (currently, it simply opens up the postgres port to all TCP connections).
+#   [*manage_pg_hba_conf*]      - boolean indicating whether or not the module manages pg_hba.conf file.
+#
+# Actions:
+#
+# Requires:
+#
+# Usage:
+#   This class is not intended to be used directly; it is
+#   managed by postgresl::config.  It contains resources
+#   that should be handled *before* the postgres service
+#   has been started up.
+#
+#   class { 'postgresql::config::before_service':
+#     ip_mask_allow_all_users    => '0.0.0.0/0',
+#   }
+#
+class postgresql::config::beforeservice(
+  $pg_hba_conf_path,
+  $postgresql_conf_path,
+  $ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
+  $ip_mask_allow_all_users    = $postgresql::params::ip_mask_allow_all_users,
+  $listen_addresses           = $postgresql::params::listen_addresses,
+  $ipv4acls                   = $postgresql::params::ipv4acls,
+  $ipv6acls                   = $postgresql::params::ipv6acls,
+  $manage_redhat_firewall     = $postgresql::params::manage_redhat_firewall,
+  $manage_pg_hba_conf         = $postgresql::params::manage_pg_hba_conf
+) inherits postgresql::params {
+
+
+  File {
+    owner  => $postgresql::params::user,
+    group  => $postgresql::params::group,
+  }
+
+  if $manage_pg_hba_conf {
+    # Create the main pg_hba resource
+    postgresql::pg_hba { 'main':
+      notify => Exec['reload_postgresql'],
+    }
+
+    Postgresql::Pg_hba_rule {
+      database => 'all',
+      user => 'all',
+    }
+
+    # Lets setup the base rules
+    postgresql::pg_hba_rule { 'local access as postgres user':
+      type        => 'local',
+      user        => $postgresql::params::user,
+      auth_method => 'ident',
+      auth_option => $postgresql::params::version ? {
+        '8.1'   => 'sameuser',
+        default => undef,
+      },
+      order       => '001',
+    }
+    postgresql::pg_hba_rule { 'local access to database with same name':
+      type        => 'local',
+      auth_method => 'ident',
+      auth_option => $postgresql::params::version ? {
+        '8.1'   => 'sameuser',
+        default => undef,
+      },
+      order       => '002',
+    }
+    postgresql::pg_hba_rule { 'deny access to postgresql user':
+      type        => 'host',
+      user        => $postgresql::params::user,
+      address     => $ip_mask_deny_postgres_user,
+      auth_method => 'reject',
+      order       => '003',
+    }
+
+    # ipv4acls are passed as an array of rule strings, here we transform them into
+    # a resources hash, and pass the result to create_resources
+    $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls, 'ipv4acls', 10)
+    create_resources('postgresql::pg_hba_rule', $ipv4acl_resources)
+
+    postgresql::pg_hba_rule { 'allow access to all users':
+      type        => 'host',
+      address     => $ip_mask_allow_all_users,
+      auth_method => 'md5',
+      order       => '100',
+    }
+    postgresql::pg_hba_rule { 'allow access to ipv6 localhost':
+      type        => 'host',
+      address     => '::1/128',
+      auth_method => 'md5',
+      order       => '101',
+    }
+
+    # ipv6acls are passed as an array of rule strings, here we transform them into
+    # a resources hash, and pass the result to create_resources
+    $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls, 'ipv6acls', 102)
+    create_resources('postgresql::pg_hba_rule', $ipv6acl_resources)
+  }
+
+  # We must set a "listen_addresses" line in the postgresql.conf if we
+  #  want to allow any connections from remote hosts.
+  file_line { 'postgresql.conf#listen_addresses':
+    path        => $postgresql_conf_path,
+    match       => '^listen_addresses\s*=.*$',
+    line        => "listen_addresses = '${listen_addresses}'",
+    notify      => Service['postgresqld'],
+  }
+
+  # Here we are adding an 'include' line so that users have the option of
+  # managing their own settings in a second conf file. This only works for
+  # postgresql 8.2 and higher.
+  if(versioncmp($postgresql::params::version, '8.2') >= 0) {
+    # Since we're adding an "include" for this extras config file, we need
+    # to make sure it exists.
+    exec { "create_postgresql_conf_path":
+      command => "touch `dirname ${postgresql_conf_path}`/postgresql_puppet_extras.conf",
+      path    => '/usr/bin:/bin',
+      unless  => "[ -f `dirname ${postgresql_conf_path}`/postgresql_puppet_extras.conf ]"
+    }
+
+    file_line { 'postgresql.conf#include':
+      path        => $postgresql_conf_path,
+      line        => "include 'postgresql_puppet_extras.conf'",
+      require     => Exec["create_postgresql_conf_path"],
+      notify      => Service['postgresqld'],
+    }
+  }
+
+
+  # TODO: is this a reasonable place for this firewall stuff?
+  # TODO: figure out a way to make this not platform-specific; debian and ubuntu have
+  #        an out-of-the-box firewall configuration that seems trickier to manage
+  # TODO: get rid of hard-coded port
+  if ($manage_redhat_firewall and $firewall_supported) {
+      exec { 'postgresql-persist-firewall':
+        command     => $persist_firewall_command,
+        refreshonly => true,
+      }
+
+      Firewall {
+        notify => Exec['postgresql-persist-firewall']
+      }
+
+      firewall { '5432 accept - postgres':
+        port   => '5432',
+        proto  => 'tcp',
+        action => 'accept',
+      }
+  }
+}