Defined Type: postgresql::user

Defined in:
modules/postgresql/manifests/user.pp

Overview

Definition: postgresql::user

This definition manages a PostgreSQL role on the local server (created with `createuser`, dropped with `dropuser`, password set via `ALTER ROLE` on the master) together with the matching `pg_hba.conf` entry, which is added or removed with augeas.

Parameters:

Actions:

Create or drop the role, set its password on the master, and add or remove its pg_hba.conf entry (PostgreSQL is reloaded through Exec['pgreload'] when the entry changes).

Requires:

Class postgresql::server, and an Exec['pgreload'] resource (presumably declared by that class) that the pg_hba.conf changes notify.

Sample Usage:

postgresql::user { 'test@host.example.com':
  ensure   => 'absent',
  user     => 'test',
  password => 'pass',
  cidr     => '127.0.0.1/32',
  type     => 'host',
  method   => 'trust',
  database => 'template1',
}

Based upon github.com/uggedal/puppet-module-postgresql

Parameters:

  • user (Any) — role name. It is interpolated unescaped into shell commands, SQL and a grep pattern, so it must be a trusted, plain identifier.
  • password (Any) (defaults to: undef) — role password, applied only when master is true. It is embedded in the exec command line, so it is visible in process listings while psql runs and in Puppet's exec failure output.
  • database (Any) (defaults to: 'template1') — pg_hba.conf database field.
  • type (Any) (defaults to: 'host') — pg_hba.conf connection type; 'local' entries carry no address.
  • method (Any) (defaults to: 'md5') — pg_hba.conf authentication method. 'trust' (as in the sample above) skips authentication for every connection matching the entry; keep it out of production manifests.
  • cidr (Any) (defaults to: '127.0.0.1/32') — pg_hba.conf address field; ignored when type is 'local'.
  • pgversion (Any) (defaults to: $::lsbdistcodename) — PostgreSQL major version used to locate pg_hba.conf (buster → 11, stretch → 9.6; the selector has no default, so other distributions must pass it explicitly).
  • attrs (Any) (defaults to: '') — extra role attributes spliced verbatim into ALTER ROLE. Anything granted here, including SUPERUSER, overrides the --no-superuser/--no-createdb/--no-createrole flags the role was created with.
  • master (Any) (defaults to: true) — whether this host is the writable primary; password changes are skipped otherwise.
  • ensure (Any) (defaults to: 'present') — 'present' or 'absent'; any other value manages nothing.


# File 'modules/postgresql/manifests/user.pp', line 27

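# == Define: postgresql::user
#
# Creates or drops a PostgreSQL role and keeps the matching pg_hba.conf
# entry in sync (via augeas). Requires Class['postgresql::server'] and an
# Exec['pgreload'] resource declared elsewhere, which is notified whenever
# pg_hba.conf is changed.
#
# === Parameters
#
# [*user*]      Role name. Interpolated unescaped into shell commands, SQL
#               and a grep -P pattern below, so it must be a trusted, plain
#               identifier (no quotes, shell metacharacters or regex
#               specials).
# [*password*]  Role password, or undef to leave the password unmanaged.
#               Only applied when $master is true. NOTE(review): it is
#               embedded in the exec command line, so it is visible in `ps`
#               while psql runs and in Puppet's exec failure message.
# [*database*]  pg_hba.conf database field (default 'template1').
# [*type*]      pg_hba.conf connection type; 'local' entries carry no
#               address field.
# [*method*]    pg_hba.conf authentication method (default 'md5').
# [*cidr*]      pg_hba.conf address field; ignored when $type is 'local'.
# [*pgversion*] PostgreSQL major version used to locate pg_hba.conf. The
#               selector has no default, so on a distribution other than
#               buster/stretch catalog compilation fails unless it is
#               passed explicitly.
# [*attrs*]     Extra role attributes spliced verbatim into ALTER ROLE.
#               Anything granted here, including SUPERUSER, overrides the
#               --no-* flags createuser was given, so keep it minimal.
# [*master*]    Whether this host is the writable primary; password
#               changes are skipped on replicas because they are read-only.
# [*ensure*]    'present' or 'absent'. Any other value manages nothing.
#
define postgresql::user(
    $user,
    $password = undef,
    $database = 'template1',
    $type = 'host',
    $method = 'md5',
    $cidr = '127.0.0.1/32',
    $pgversion = $::lsbdistcodename ? {
        'buster'  => '11',
        'stretch' => '9.6',
    },
    $attrs = '',
    $master = true,
    $ensure = 'present'
    ) {

    $pg_hba_file = "/etc/postgresql/${pgversion}/main/pg_hba.conf"

    # Exit 0 when the role exists. ${user} is used as a regex here without
    # escaping, so e.g. a '.' in the name matches any character.
    $userexists = "/usr/bin/psql --tuples-only -c \'SELECT rolname FROM pg_catalog.pg_roles;\' | /bin/grep -P \'^ ${user}$\'"
    # Exit 0 when the role owns no database (dropuser would fail otherwise).
    # The SQL is wrapped in shell double quotes so that the single quotes
    # around ${user} reach PostgreSQL as a string literal: with single
    # quotes on the outside the shell consumed the inner pair, the name
    # became a bare identifier, the query errored out and the check could
    # never succeed, so 'absent' never dropped anything.
    $user_dbs = "/usr/bin/psql --tuples-only --no-align -c \"SELECT COUNT(*) FROM pg_catalog.pg_database JOIN pg_authid ON pg_catalog.pg_database.datdba = pg_authid.oid WHERE rolname = '${user}';\" | grep -e '^0$'"
    # Plain-text password on the command line; a ' in it breaks the SQL
    # literal and " $ ` or \ would be interpreted by the shell.
    $pass_set = "/usr/bin/psql -c \"ALTER ROLE ${user} WITH ${attrs} PASSWORD '${password}';\""

    # Augeas xpath selecting this exact pg_hba.conf entry (all fields must
    # match, so changing e.g. $method leaves the old entry in place).
    if $type == 'local' {
        $xpath = "/files${pg_hba_file}/*[type='${type}'][database='${database}'][user='${user}'][method='${method}']"
    }
    else {
        $xpath = "/files${pg_hba_file}/*[type='${type}'][database='${database}'][user='${user}'][address='${cidr}'][method='${method}']"
    }

    if $ensure == 'present' {
        # Least-privilege role; attributes beyond LOGIN must come via $attrs.
        exec { "create_user-${name}":
            command => "/usr/bin/createuser --no-superuser --no-createdb --no-createrole ${user}",
            user    => 'postgres',
            unless  => $userexists,
        }

        # This will not be run on a slave as it is read-only
        if $master and $password {
            # PostgreSQL's legacy md5 role hash is 'md5' . md5(password . user).
            # The IS DISTINCT FROM check below is only idempotent while the
            # server stores md5 hashes (password_encryption = md5); with
            # scram-sha-256 rolpassword presumably never equals this value,
            # so ALTER ROLE would run on every agent run.
            $password_md5 = md5("${password}${user}")

            exec { "pass_set-${name}":
                command   => $pass_set,
                user      => 'postgres',
                onlyif    => "/usr/bin/test -n \"\$(/usr/bin/psql -Atc \"SELECT 1 FROM pg_authid WHERE rolname = '${user}' AND rolpassword IS DISTINCT FROM 'md5${password_md5}';\")\"",
                subscribe => Exec["create_user-${name}"],
            }
        }

        # New entry is inserted at position 01, i.e. ahead of existing rules.
        if $type == 'local' {
            $changes = [
                "set 01/type \'${type}\'",
                "set 01/database \'${database}\'",
                "set 01/user \'${user}\'",
                "set 01/method \'${method}\'",
            ]
        } else {
            $changes = [
                "set 01/type \'${type}\'",
                "set 01/database \'${database}\'",
                "set 01/user \'${user}\'",
                "set 01/address \'${cidr}\'",
                "set 01/method \'${method}\'",
            ]
        }

        augeas { "hba_create-${name}":
            context => "/files${pg_hba_file}/",
            changes => $changes,
            onlyif  => "match ${xpath} size == 0",
            notify  => Exec['pgreload'],
        }
    } elsif $ensure == 'absent' {
        # Drop only when the role exists and owns no database.
        exec { "drop_user-${name}":
            command => "/usr/bin/dropuser ${user}",
            user    => 'postgres',
            onlyif  => "${userexists} && ${user_dbs}",
        }

        augeas { "hba_drop-${name}":
            context => "/files${pg_hba_file}/",
            changes => "rm ${xpath}",
            # only if the entry exists
            onlyif  => "match ${xpath} size > 0",
            notify  => Exec['pgreload'],
        }
    }
}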