|
13 | 13 | $connection_limit = '-1', |
14 | 14 | $username = $title, |
15 | 15 | $connect_settings = $postgresql::server::default_connect_settings, |
| 16 | + Enum['present', 'absent'] $ensure = 'present', |
16 | 17 | ) { |
17 | 18 | $psql_user = $postgresql::server::user |
18 | 19 | $psql_group = $postgresql::server::group |
|
38 | 39 | $version = $postgresql::server::_version |
39 | 40 | } |
40 | 41 |
|
41 | | - $login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' } |
42 | | - $inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' } |
43 | | - $createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' } |
44 | | - $createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' } |
45 | | - $superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' } |
46 | | - $replication_sql = $replication ? { true => 'REPLICATION', default => '' } |
47 | | - if ($password_hash != false) { |
48 | | - $environment = "NEWPGPASSWD=${password_hash}" |
49 | | - $password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'" |
50 | | - } else { |
51 | | - $password_sql = '' |
52 | | - $environment = [] |
53 | | - } |
54 | | - |
55 | 42 | Postgresql_psql { |
56 | 43 | db => $db, |
57 | 44 | port => $port_override, |
|
66 | 53 | ], |
67 | 54 | } |
68 | 55 |
|
69 | | - postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****": |
70 | | - command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}", |
71 | | - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'", |
72 | | - environment => $environment, |
73 | | - require => Class['Postgresql::Server'], |
74 | | - } |
| 56 | + if $ensure == 'present' { |
| 57 | + $login_sql = $login ? { true => 'LOGIN', default => 'NOLOGIN' } |
| 58 | + $inherit_sql = $inherit ? { true => 'INHERIT', default => 'NOINHERIT' } |
| 59 | + $createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' } |
| 60 | + $createdb_sql = $createdb ? { true => 'CREATEDB', default => 'NOCREATEDB' } |
| 61 | + $superuser_sql = $superuser ? { true => 'SUPERUSER', default => 'NOSUPERUSER' } |
| 62 | + $replication_sql = $replication ? { true => 'REPLICATION', default => '' } |
| 63 | + if ($password_hash != false) { |
| 64 | + $environment = "NEWPGPASSWD=${password_hash}" |
| 65 | + $password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'" |
| 66 | + } else { |
| 67 | + $password_sql = '' |
| 68 | + $environment = [] |
| 69 | + } |
75 | 70 |
|
76 | | - postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}": |
77 | | - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolsuper = ${superuser}", |
78 | | - } |
| 71 | + postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****": |
| 72 | + command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}", |
| 73 | + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'", |
| 74 | + environment => $environment, |
| 75 | + require => Class['Postgresql::Server'], |
| 76 | + } |
79 | 77 |
|
80 | | - postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}": |
81 | | - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreatedb = ${createdb}", |
82 | | - } |
| 78 | + postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}": |
| 79 | + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolsuper = ${superuser}", |
| 80 | + } |
83 | 81 |
|
84 | | - postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}": |
85 | | - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreaterole = ${createrole}", |
86 | | - } |
| 82 | + postgresql_psql {"ALTER ROLE \"${username}\" ${createdb_sql}": |
| 83 | + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreatedb = ${createdb}", |
| 84 | + } |
87 | 85 |
|
88 | | - postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}": |
89 | | - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcanlogin = ${login}", |
90 | | - } |
| 86 | + postgresql_psql {"ALTER ROLE \"${username}\" ${createrole_sql}": |
| 87 | + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcreaterole = ${createrole}", |
| 88 | + } |
91 | 89 |
|
92 | | - postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}": |
93 | | - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}", |
94 | | - } |
| 90 | + postgresql_psql {"ALTER ROLE \"${username}\" ${login_sql}": |
| 91 | + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolcanlogin = ${login}", |
| 92 | + } |
95 | 93 |
|
96 | | - if(versioncmp($version, '9.1') >= 0) { |
97 | | - if $replication_sql == '' { |
98 | | - postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION": |
99 | | - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}", |
100 | | - } |
101 | | - } else { |
102 | | - postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}": |
103 | | - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}", |
| 94 | + postgresql_psql {"ALTER ROLE \"${username}\" ${inherit_sql}": |
| 95 | + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}", |
| 96 | + } |
| 97 | + |
| 98 | + if(versioncmp($version, '9.1') >= 0) { |
| 99 | + if $replication_sql == '' { |
| 100 | + postgresql_psql {"ALTER ROLE \"${username}\" NOREPLICATION": |
| 101 | + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}", |
| 102 | + } |
| 103 | + } else { |
| 104 | + postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}": |
| 105 | + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolreplication = ${replication}", |
| 106 | + } |
104 | 107 | } |
105 | 108 | } |
106 | | - } |
107 | 109 |
|
108 | | - postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}": |
109 | | - unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}", |
110 | | - } |
| 110 | + postgresql_psql {"ALTER ROLE \"${username}\" CONNECTION LIMIT ${connection_limit}": |
| 111 | + unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}", |
| 112 | + } |
111 | 113 |
|
112 | | - if $password_hash and $update_password { |
113 | | - if($password_hash =~ /^md5.+/) { |
114 | | - $pwd_hash_sql = $password_hash |
115 | | - } else { |
116 | | - $pwd_md5 = md5("${password_hash}${username}") |
117 | | - $pwd_hash_sql = "md5${pwd_md5}" |
| 114 | + if $password_hash and $update_password { |
| 115 | + if($password_hash =~ /^md5.+/) { |
| 116 | + $pwd_hash_sql = $password_hash |
| 117 | + } else { |
| 118 | + $pwd_md5 = md5("${password_hash}${username}") |
| 119 | + $pwd_hash_sql = "md5${pwd_md5}" |
| 120 | + } |
| 121 | + postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****": |
| 122 | + command => "ALTER ROLE \"${username}\" ${password_sql}", |
| 123 | + unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'", |
| 124 | + environment => $environment, |
| 125 | + } |
118 | 126 | } |
119 | | - postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****": |
120 | | - command => "ALTER ROLE \"${username}\" ${password_sql}", |
121 | | - unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'", |
122 | | - environment => $environment, |
| 127 | + } else { |
| 128 | + # ensure == absent |
| 129 | + postgresql_psql { "DROP ROLE \"${username}\"": |
| 130 | + onlyif => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'", |
| 131 | + require => Class['Postgresql::Server'], |
123 | 132 | } |
124 | 133 | } |
125 | 134 | } |
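Review bot: The new `ensure == 'absent'` branch issues `DROP ROLE` unconditionally, and PostgreSQL refuses to drop a role that still owns objects or holds privileges, so on such a role the run fails with a raw psql error instead of a clear message; nothing in the hunk reassigns or drops owned objects first. At minimum the branch comment should say so, e.g. `# ensure == absent: DROP ROLE fails while the role still owns objects or` / `# holds privileges; reassign/drop owned objects before setting ensure => absent.` The new `$ensure` parameter is also typed (`Enum['present', 'absent']`) while the surrounding parameters are untyped, and it presumably needs an entry in the defined type's documentation header, which lies outside the hunk. The enclosing defined type starts outside the hunk, and the `Postgresql_psql` defaults set before the `if` appear to apply to the `DROP ROLE` resource as well, which looks intended.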