add pg_hba rules

2025-09-28 15:47:55 +02:00
parent 95347b22bf
commit 73214a1128
7 changed files with 123 additions and 13 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -14,6 +14,7 @@
        "geqo",
        "hashagg",
        "hashjoin",
+        "hostnossl",
        "hostssl",
        "indexonlyscan",
        "indexscan",
@@ -34,10 +35,12 @@
        "naptime",
        "nestloop",
        "partitionwise",
+        "pghba",
        "pgsql",
        "restartpoint",
        "seqscan",
        "seqscans",
+        "sspi",
        "sysconfdir",
        "sysv",
        "tablespace",
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -10,18 +10,19 @@ class postgresql_cd::main::files (
    require postgresql_cd::server::initdb
    require postgresql_cd::main::dirs

-    file { '/var/lib/pgsql/data/pg_hba.conf':
-      ensure   => file,
-      owner    => 'postgres',
-      group    => 'postgres',
-      mode     => '0600',
-      selrange => s0,
-      selrole  => object_r,
-      seltype  => postgresql_db_t,
-      seluser  => unconfined_u,
-      content  => template('postgresql_cd/pg_hba.conf.erb'),
-      notify   => Service[$pl_service],
-    }
+    # outsourced to pghba::pghba for concatenation
+#    file { '/var/lib/pgsql/data/pg_hba.conf':
+#      ensure   => file,
+#      owner    => 'postgres',
+#      group    => 'postgres',
+#      mode     => '0600',
+#      selrange => s0,
+#      selrole  => object_r,
+#      seltype  => postgresql_db_t,
+#      seluser  => unconfined_u,
+#      content  => template('postgresql_cd/pg_hba.conf.erb'),
+#      notify   => Service[$pl_service],
+#    }

    file { '/var/lib/pgsql/data/postgresql.conf':
      ensure   => file,
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -56,6 +56,10 @@ class postgresql_cd::params (
  # Directories
  $pl_data_dir              = '/var/lib/pgsql/data/'

+  # files
+  $pl_pl_pg_hba_conf        = "${pl_data_dir}/pg_hba.conf"
+  $pl_pg_hba_rule_conf      = 'postgresql_cd/pg_hba_rule.conf.erb'
+
  # includes must be last
  include postgresql_cd::main::config
 }
--- a/manifests/server/pghba/pg_hba.pp
+++ b/manifests/server/pghba/pg_hba.pp
@@ -0,0 +1,55 @@
+## postgresql_cd::server::pg_hba.pp
+# Module name: postgresql_cd
+# Author: Arne Teuke (arne_teuke@puppetsoft.com)
+# @summary Class manages pg_hba.conf file and line entries through define
+#   pg_hba_rule.pp
+# @example     postgresql_cd::server::pghba::pg_hba_rule { 'local access for role postgres':
+#      psql_auth_type        => 'local',
+#      psql_auth_database    => 'all',
+#      psql_auth_user        => 'postgres',
+#      psql_auth_method      => 'trust',
+#      psql_auth_order       => '001',
+#      psql_auth_option      => '',
+#    }
+##############################################################################
+class postgresql_cd::server::pghba::pg_hba (
+
+) inherits postgresql_cd::params {
+  if $fqdn == $pl_server_fqdn {
+    # create the pg_hba.conf file
+
+    concat { $pl_pg_hba_conf:
+      ensure => present,
+      owner  => 'postgres',
+      mode   => '0640',
+      notify => Service[$pl_service],
+    }
+
+    # manage file header
+
+    concat::fragment { 'header':
+      target  => $pl_pg_hba_conf,
+      content => template($pl_pg_hba_conf_erb),
+      order   => '000',
+    }
+
+    # manage default rules => should go into  external config set
+#    postgresql_cd::server::pghba::pg_hba_rule { 'local access for role postgres':
+#      psql_auth_type        => 'local',
+#      psql_auth_database    => 'all',
+#      psql_auth_user        => $ql_user_name,
+#      psql_auth_method      => 'trust',
+#      psql_auth_order       => '001',
+#      psql_auth_option      => $ql_auth_option,
+#    }
+
+#    postgresql_cd::server::pghba::pg_hba_rule { 'local access for all roles':
+#      psql_auth_type        => 'local',
+#      psql_auth_database    => 'all',
+#      psql_auth_user        => 'all',
+#      psql_auth_method      => 'trust',
+#      psql_auth_order       => '002',
+#      psql_auth_option      => $pl_auth_option,
+#    }
+  }
+}
--- a/manifests/server/pghba/pg_hba_rule.ppp
+++ b/manifests/server/pghba/pg_hba_rule.ppp
@@ -0,0 +1,45 @@
+## postgresql_cd::server::pghba::pg_hba_rule
+# Module name: postgresql_cd
+# Author: Arne Teuke (arne_teuke@puppetsoft.com)
+# @summary define manages rule entries for pg_hba configuration file
+# @see https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html
+# @param [string] pl_auth_type  Specify the authentication type, can be
+#   'local', 'host', 'hostssl' or 'hostnossl'.
+# @param [string] pl_auth_database Specify the database for the connection
+# @param [string] pl_auth_user Specify the user for the connection
+# @param [string] pl_auth_address SPecify IP address or FQDN for the
+#   connection, i.e. where to connect FROM.
+# @param [string] pl_auth_method  Specify the auth method, can be 'trust',
+#   'reject', 'md5' , 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap',
+#   'radius', 'cert', 'pam','bsd'
+# @param [string] pl_auth_option After the auth-method field, there can be
+#   field(s) of the form name=value that specify options for the authentication
+#   method.
+# @param [string] pl_auth_order  Specify the  order in which the entry should
+#   appear on the list. Lower orders are higher on the list.
+# @param [string] pl_auth_description Specify a description for the entry.
+##############################################################################
+define postgresql_cd::server::pghba::pg_hba_rule (
+
+  Optional[String] $pl_auth_type         = undef,
+  Optional[String] $pl_auth_database     = undef,
+  Optional[String] $pl_auth_user         = undef,
+  Optional[String] $pl_auth_address      = undef,
+  Optional[String] $pl_auth_method       = undef,
+  Optional[String] $pl_auth_option       = undef,
+  Optional[String] $pl_auth_order        = undef,
+  Optional[String] $pl_auth_description  = undef,
+
+) {
+  $pl_pg_hba_conf       = $postgresql_cd::params::pl_pg_hba_conf
+  $pl_pg_hba_rule_conf  = $postgresql_cd::params::pl_pg_hba_rule_conf
+  $pl_data_dir          = $postgresql_cd::params::pl_data_dir
+
+# create rule fragment
+
+  concat::fragment { "pl_rule_${name}":
+    target  => $pl_pg_hba_conf,
+    content => template($pl_pg_hba_rule_conf),
+    order   => $pl_auth_order,
+  }
+}
--- a/templates/pg_hba.conf.erb
+++ b/templates/pg_hba.conf.erb
@@ -18,3 +18,5 @@ host    replication     all             127.0.0.1/32            md5
 host    replication     all             ::1/128                 md5

 host    all             all             0.0.0.0/0               md5
+
+# custom rules below
--- a/templates/pg_hba_rule.conf.erb
+++ b/templates/pg_hba_rule.conf.erb
@@ -1,3 +1,3 @@
 # description:  <%=@name%>
-# order number: <%=@psql_auth_order%>
+# order number: <%=@pl_auth_order%>
 <%= @pl_auth_type %>  <%= @pl_auth_database %>  <%= @pl_auth_user %> <%= @pl_auth_address %> <%=@pl_auth_method %> <%=@psql_auth_option%>