Defined Type: postgresql::user

Defined in:
modules/postgresql/manifests/user.pp

Overview

Definition: postgresql::user

This definition provides a way to manage postgresql users.

Parameters:

Actions:

Create/drop user

Requires:

Class postgresql::server

Sample Usage:

postgresql::user { 'test@host.example.com':
  ensure   => 'absent',
  user     => 'test',
  password => 'pass',
  cidr     => '127.0.0.1/32',
  type     => 'host',
  method   => 'trust',
  database => 'template1',
}

Based upon github.com/uggedal/puppet-module-postgresql

Parameters:

  • user (String)
  • ensure (String) (defaults to: 'present')
  • database (String) (defaults to: 'template1')
  • type (String) (defaults to: 'host')
  • method (String) (defaults to: 'md5')
  • cidr (Stdlib::IP::Address) (defaults to: '127.0.0.1/32')
  • attrs (String) (defaults to: '')
  • master (Boolean) (defaults to: true)
  • privileges (Postgresql::Privileges) (defaults to: {})
  • password (Optional[String]) (defaults to: undef)
  • pgversion (Optional[Numeric]) (defaults to: undef)


27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# File 'modules/postgresql/manifests/user.pp', line 27

define postgresql::user(
    String                 $user,
    String                 $ensure     = 'present',
    String                 $database   = 'template1',
    String                 $type       = 'host',
    String                 $method     = 'md5',
    Stdlib::IP::Address    $cidr       = '127.0.0.1/32',
    String                 $attrs      = '',
    Boolean                $master     = true,
    Postgresql::Privileges $privileges = {},
    Optional[String]       $password   = undef,
    Optional[Numeric]      $pgversion  = undef,
) {

    $_pgversion = $pgversion ? {
        undef   => $facts['os']['distro']['codename'] ? {
            'bullseye' => 13,
            'buster'   => 11,
            'stretch'  => 9.6,
            default    => fail("unsupported pgversion: ${pgversion}"),
        },
        default => $pgversion,
    }

    # Check if our user exists and store it
    $userexists = "/usr/bin/psql --tuples-only -c \'SELECT rolname FROM pg_catalog.pg_roles;\' | /bin/grep -P \'^ ${user}$\'"
    # Check if our user doesn't own databases, so we can safely drop
    $user_dbs = "/usr/bin/psql --tuples-only --no-align -c \'SELECT COUNT(*) FROM pg_catalog.pg_database JOIN pg_authid ON pg_catalog.pg_database.datdba = pg_authid.oid WHERE rolname = '${user}';\' | grep -e '^0$'"
    $pass_set = "/usr/bin/psql -c \"ALTER ROLE ${user} WITH ${attrs} PASSWORD '${password}';\""

    if $ensure == 'present' {
        exec { "create_user-${name}":
            command => "/usr/bin/createuser --no-superuser --no-createdb --no-createrole ${user}",
            user    => 'postgres',
            unless  => $userexists,
        }

        # This will not be run on a slave as it is read-only
        if $master and $password {
            $password_md5 = md5("${password}${user}")

            exec { "pass_set-${name}":
                command   => $pass_set,
                user      => 'postgres',
                onlyif    => "/usr/bin/test -n \"\$(/usr/bin/psql -Atc \"SELECT 1 FROM pg_authid WHERE rolname = '${user}' AND rolpassword IS DISTINCT FROM 'md5${password_md5}';\")\"",
                subscribe => Exec["create_user-${name}"],
            }
        }
    } elsif $ensure == 'absent' {
        exec { "drop_user-${name}":
            command => "/usr/bin/dropuser ${user}",
            user    => 'postgres',
            onlyif  => "${userexists} && ${user_dbs}",
        }
    }

    # Host based access configuration for user connections
    postgresql::user::hba { "Access configuration for ${name}}":
        ensure    => $ensure,
        user      => $user,
        database  => $database,
        type      => $type,
        method    => $method,
        cidr      => $cidr,
        hba_label => $name,
        pgversion => $_pgversion,
    }

    unless $privileges.empty or ! $master {
        $table_priv = 'table' in $privileges ? {
            true    => $privileges['table'],
            default => undef,
        }
        $sequence_priv = 'sequence' in $privileges ? {
            true    => $privileges['sequence'],
            default => undef,
        }
        $function_priv = 'function' in $privileges ? {
            true    => $privileges['function'],
            default => undef,
        }
        postgresql::db_grant {"grant access to ${title} on ${database}":
            db            => $database,
            pg_role       => $user,
            table_priv    => $table_priv,
            sequence_priv => $sequence_priv,
            function_priv => $function_priv,
        }
    }
}