From 985309e2df83aa16b1b5430ef1607eca56981de7 Mon Sep 17 00:00:00 2001
From: cruelsmith <92088441+cruelsmith@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:14:14 +0100
Subject: [PATCH 1/2] Defaulting password_encryption to scram-sha-256 with
version >= 14
* Fix missing handling of allowed undef value of parameter hash of
postgresql::postgresql_password
* Fix edge case where passwords that start with md5 but are not followed by
32 base64 chars are not hashed by postgresql::postgresql_password
* Fix case of postgresql::postgresql_password where sensitive hashes are
wrongly handled
* Extend spec tests for 'postgresql_password function' to cover this
* Add respecting password_encryption for all internal
postgresql::postgresql_password calls
* Add respecting password_encryption for postgresql::backup::pg_dump
* Add spec tests for new hash type handling of postgresql::server::role
See https://www.postgresql.org/docs/14/runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION
---
.../postgresql/postgresql_password.rb | 16 +-
manifests/backup/pg_dump.pp | 4 +-
manifests/params.pp | 4 +-
manifests/server.pp | 4 +-
manifests/server/instance/config.pp | 2 +-
manifests/server/role.pp | 63 ++--
spec/defines/server/role_spec.rb | 297 +++++++++++++++---
spec/spec_helper_local.rb | 48 +++
types/pg_password_encryption.pp | 2 +
9 files changed, 352 insertions(+), 88 deletions(-)
create mode 100644 types/pg_password_encryption.pp
diff --git a/lib/puppet/functions/postgresql/postgresql_password.rb b/lib/puppet/functions/postgresql/postgresql_password.rb
index 8d1013374a..68be8b7374 100644
--- a/lib/puppet/functions/postgresql/postgresql_password.rb
+++ b/lib/puppet/functions/postgresql/postgresql_password.rb
@@ -22,19 +22,25 @@
required_param 'Variant[String[1], Integer]', :username
required_param 'Variant[String[1], Sensitive[String[1]], Integer]', :password
optional_param 'Boolean', :sensitive
- optional_param "Optional[Enum['md5', 'scram-sha-256']]", :hash
+ optional_param 'Optional[Postgresql::Pg_password_encryption]', :hash
optional_param 'Optional[Variant[String[1], Integer]]', :salt
return_type 'Variant[String, Sensitive[String]]'
end
def default_impl(username, password, sensitive = false, hash = 'md5', salt = nil)
- return password if password.is_a?(String) && password.match?(%r{^(md5|SCRAM-SHA-256).+})
-
password = password.unwrap if password.respond_to?(:unwrap)
- pass = if hash == 'md5'
+ if password.is_a?(String) && password.match?(%r{^(md5[0-9a-f]{32}$|SCRAM-SHA-256\$)})
+ return Puppet::Pops::Types::PSensitiveType::Sensitive.new(password) if sensitive
+
+ return password
+ end
+ pass = case hash
+ when 'md5', nil # ensure default value when definded with nil
"md5#{Digest::MD5.hexdigest(password.to_s + username.to_s)}"
- else
+ when 'scram-sha-256'
pg_sha256(password, (salt || username))
+ else
+ raise(Puppet::ParseError, "postgresql::postgresql_password(): got unkown hash type '#{hash}'")
end
if sensitive
Puppet::Pops::Types::PSensitiveType::Sensitive.new(pass)
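Review bot: The pass-through check `password.match?(%r{^(md5[0-9a-f]{32}$|SCRAM-SHA-256\$)})` uses `^` and `$`, which in Ruby match at line boundaries, so a multi-line plaintext password containing one hash-looking line is returned unhashed and would presumably be handed to PostgreSQL as if it were already a verifier. Anchoring on the whole string closes that: `%r{\A(md5[0-9a-f]{32}\z|SCRAM-SHA-256\$)}`. The SCRAM alternative still accepts any value that merely starts with `SCRAM-SHA-256$`; checking the rest of the verifier layout (iteration count, salt and the two keys, as in the spec fixtures) would make it as strict as the md5 branch. The typos `definded` in the comment and `unkown` in the error message are worth fixing while here. default_impl continues past the end of this hunk.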
diff --git a/manifests/backup/pg_dump.pp b/manifests/backup/pg_dump.pp
index ff99779fb5..4fc05d179b 100644
--- a/manifests/backup/pg_dump.pp
+++ b/manifests/backup/pg_dump.pp
@@ -83,7 +83,7 @@
# Create user with superuser privileges
postgresql::server::role { $db_user:
ensure => $ensure,
- password_hash => postgresql::postgresql_password($db_user, $db_password),
+ password_hash => postgresql::postgresql_password($db_user, $db_password, true, pick($postgresql::server::password_encryption, 'md5')),
superuser => true,
}
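Review bot: `pick($postgresql::server::password_encryption, 'md5')` is evaluated once for the stored password hash here and again for the `auth_method` of the pg_hba rule in the next hunk, and nothing ties the two together. If they ever diverge, a `scram-sha-256` rule combined with an md5-stored password would reject the backup user. Resolving the value once, e.g. `$_password_encryption = pick($postgresql::server::password_encryption, 'md5')`, and using that variable in both places keeps them in step and gives one spot for a comment on why md5 is the fallback. The enclosing class body starts outside these hunks.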
@@ -92,7 +92,7 @@
type => 'local',
database => 'all',
user => $db_user,
- auth_method => 'md5',
+ auth_method => pick($postgresql::server::password_encryption, 'md5'),
order => 1,
}
}
diff --git a/manifests/params.pp b/manifests/params.pp
index fede3f0ce3..a6d3d6f370 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -25,7 +25,7 @@
$manage_selinux = pick($manage_selinux, false)
$package_ensure = 'present'
$module_workdir = pick($module_workdir,'/tmp')
- $password_encryption = undef
+ $password_encryption = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
$extra_systemd_config = undef
$manage_datadir = true
$manage_logdir = true
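Review bot: The new default on the `$password_encryption` line switches every installation with version 14 or later to scram-sha-256 on module upgrade, and nothing next to the line says why 14 is the cut-off or what that means for existing roles. A short comment would help, for example `# PostgreSQL 14 made scram-sha-256 the server default for password_encryption; older versions keep the server's own default (undef)`. The changelog should also say that roles managed with a plaintext password will presumably be re-hashed on the next run, while pre-hashed md5 values are passed through unchanged. `$version` is assigned outside this hunk.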
@@ -298,7 +298,7 @@
# Since we can't determine defaults on our own, we rely on users setting
# parameters with the postgresql::globals class. Here we are checking
# that the mandatory minimum is set for the module to operate.
- $err_prefix = "Module ${module_name} does not provide defaults for osfamily: ${facts['os']['family']} operatingsystem: ${facts['os']['name']}; please specify a value for ${module_name}::globals::"
+ $err_prefix = "Module ${module_name} does not provide defaults for osfamily: ${facts['os']['family']} operatingsystem: ${facts['os']['name']}; please specify a value for ${module_name}::globals::" # lint:ignore:140chars
if ($needs_initdb == undef) { fail("${err_prefix}needs_initdb") }
if ($service_name == undef) { fail("${err_prefix}service_name") }
if ($client_package_name == undef) { fail("${err_prefix}client_package_name") }
diff --git a/manifests/server.pp b/manifests/server.pp
index 915a001883..35b0717275 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -95,7 +95,7 @@
class postgresql::server (
Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = undef,
- Variant[Enum['present', 'absent', 'purged', 'disabled', 'installed', 'latest'], String[1]] $package_ensure = $postgresql::params::package_ensure,
+ Variant[Enum['present', 'absent', 'purged', 'disabled', 'installed', 'latest'], String[1]] $package_ensure = $postgresql::params::package_ensure, # lint:ignore:140chars
String[1] $package_name = $postgresql::params::server_package_name,
Optional[String[1]] $plperl_package_name = $postgresql::params::plperl_package_name,
@@ -159,7 +159,7 @@
Boolean $manage_datadir = $postgresql::params::manage_datadir,
Boolean $manage_logdir = $postgresql::params::manage_logdir,
Boolean $manage_xlogdir = $postgresql::params::manage_xlogdir,
- Optional[String] $password_encryption = $postgresql::params::password_encryption,
+ Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::params::password_encryption,
Optional[String] $extra_systemd_config = $postgresql::params::extra_systemd_config,
Hash[String, Hash] $roles = {},
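Review bot: Narrowing `$password_encryption` from `Optional[String]` to `Optional[Postgresql::Pg_password_encryption]` turns any manifest or Hiera value other than `md5` or `scram-sha-256` into a compile error; the same narrowing is made in manifests/server/instance/config.pp. The spec suite still targets DBVERSION 9.1, and older PostgreSQL releases took boolean-style values for this setting as far as I recall, so this may break existing users and should be released and documented as a breaking change. The `@param password_encryption` text for this class is outside the hunk; it should list the two accepted values.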
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
index 6a2aa8e49d..e792dcb067 100644
--- a/manifests/server/instance/config.pp
+++ b/manifests/server/instance/config.pp
@@ -60,7 +60,7 @@
Boolean $service_enable = $postgresql::server::service_enable,
Optional[String[1]] $log_line_prefix = $postgresql::server::log_line_prefix,
Optional[String[1]] $timezone = $postgresql::server::timezone,
- Optional[String] $password_encryption = $postgresql::server::password_encryption,
+ Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::server::password_encryption,
Optional[String] $extra_systemd_config = $postgresql::server::extra_systemd_config,
) {
if ($manage_pg_hba_conf == true) {
diff --git a/manifests/server/role.pp b/manifests/server/role.pp
index 8656141356..7e1ff26a88 100644
--- a/manifests/server/role.pp
+++ b/manifests/server/role.pp
@@ -21,26 +21,26 @@
# @param hash Specify the hash method for pg password
# @param salt Specify the salt use for the scram-sha-256 encoding password (default username)
define postgresql::server::role (
- Boolean $update_password = true,
- Variant[Boolean, String, Sensitive[String]] $password_hash = false,
- Boolean $createdb = false,
- Boolean $createrole = false,
- String[1] $db = $postgresql::server::default_database,
- Optional[Variant[String[1], Stdlib::Port, Integer]] $port = undef,
- Boolean $login = true,
- Boolean $inherit = true,
- Boolean $superuser = false,
- Boolean $replication = false,
- String[1] $connection_limit = '-1',
- String[1] $username = $title,
- Hash $connect_settings = $postgresql::server::default_connect_settings,
- String[1] $psql_user = $postgresql::server::user,
- String[1] $psql_group = $postgresql::server::group,
- Variant[String[1], Stdlib::Absolutepath] $psql_path = $postgresql::server::psql_path,
- String[1] $module_workdir = $postgresql::server::module_workdir,
- Enum['present', 'absent'] $ensure = 'present',
- Enum['md5', 'scram-sha-256'] $hash = 'md5',
- Optional[Variant[String[1], Integer]] $salt = undef,
+ Boolean $update_password = true,
+ Variant[Boolean, String, Sensitive[String]] $password_hash = false,
+ Boolean $createdb = false,
+ Boolean $createrole = false,
+ String[1] $db = $postgresql::server::default_database,
+ Optional[Variant[String[1], Stdlib::Port, Integer]] $port = undef,
+ Boolean $login = true,
+ Boolean $inherit = true,
+ Boolean $superuser = false,
+ Boolean $replication = false,
+ String[1] $connection_limit = '-1',
+ String[1] $username = $title,
+ Hash $connect_settings = $postgresql::server::default_connect_settings,
+ String[1] $psql_user = $postgresql::server::user,
+ String[1] $psql_group = $postgresql::server::group,
+ Variant[String[1], Stdlib::Absolutepath] $psql_path = $postgresql::server::psql_path,
+ String[1] $module_workdir = $postgresql::server::module_workdir,
+ Enum['present', 'absent'] $ensure = 'present',
+ Optional[Enum['md5', 'scram-sha-256']] $hash = undef,
+ Optional[Variant[String[1], Integer]] $salt = undef,
) {
$password_hash_unsensitive = if $password_hash =~ Sensitive[String] {
$password_hash.unwrap
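Review bot: `$hash` is still typed with the inline `Optional[Enum['md5', 'scram-sha-256']]` although this patch introduces `Postgresql::Pg_password_encryption` for exactly this set of values; `Optional[Postgresql::Pg_password_encryption] $hash = undef,` keeps the define in step with the function signature and the server class. The `@param hash` line at the top of the hunk should also say what happens when the parameter is left undef, e.g. `# @param hash Specify the hash method for pg password; when undef it is derived from the DBVERSION in connect_settings or from postgresql::server::password_encryption`. The body of the define continues outside this hunk.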
@@ -106,7 +106,7 @@
]
)
} else {
- $create_role_command = "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"
+ $create_role_command = "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}" # lint:ignore:140chars
}
postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
@@ -152,22 +152,29 @@
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolconnlimit = ${connection_limit}",
}
+ $_hash = if $hash {
+ $hash
+ } elsif $connect_settings != undef and 'DBVERSION' in $connect_settings {
+ if (versioncmp($version, '14') >= 0) { 'scram-sha-256' } else { undef }
+ } else {
+ $postgresql::server::password_encryption
+ }
if $password_hash_unsensitive and $update_password {
if $password_hash_unsensitive =~ Deferred {
- $pwd_hash_sql = Deferred ( 'postgresql::postgresql_password', [$username,
- $password_hash,
+ $pwd_hash_sql = Deferred ( 'postgresql::postgresql_password', [
+ $username,
+ $password_hash_unsensitive,
false,
- $hash,
+ $_hash,
$salt,
]
)
- }
- else {
+ } else {
$pwd_hash_sql = postgresql::postgresql_password(
$username,
- $password_hash,
+ $password_hash_unsensitive,
false,
- $hash,
+ $_hash,
$salt,
)
}
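Review bot: In the `$_hash` selector the test `$connect_settings != undef` can never be false, because the parameter is declared as `Hash $connect_settings` with a default, so the branch reduces to `} elsif 'DBVERSION' in $connect_settings {`. That branch compares `$version`, which is assigned outside this hunk; if it is not derived from `$connect_settings['DBVERSION']` the check looks at the wrong server, so that should be confirmed. A comment above the selector stating the precedence (explicit `hash`, then remote DBVERSION, then `postgresql::server::password_encryption`, with undef meaning md5 inside the function) would make the silent fallback to md5 visible to readers.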
diff --git a/spec/defines/server/role_spec.rb b/spec/defines/server/role_spec.rb
index fc5fe501eb..c04080d5cf 100644
--- a/spec/defines/server/role_spec.rb
+++ b/spec/defines/server/role_spec.rb
@@ -24,18 +24,22 @@
it 'has create role for "test" user with password as ****' do
expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
- .with('command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)),
- 'sensitive' => 'true',
- 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
- 'port' => '5432')
+ .with(
+ 'command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)),
+ 'sensitive' => 'true',
+ 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
+ 'port' => '5432',
+ )
end
it 'has alter role for "test" user with password as ****' do
expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
- .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
- 'sensitive' => 'true',
- 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
- 'port' => '5432')
+ .with(
+ 'command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'sensitive' => 'true',
+ 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'port' => '5432',
+ )
end
end
@@ -50,18 +54,22 @@
it 'has create role for "test" user with password as ****' do
expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
- .with('command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)),
- 'sensitive' => 'true',
- 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
- 'port' => '5432')
+ .with(
+ 'command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)),
+ 'sensitive' => 'true',
+ 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
+ 'port' => '5432',
+ )
end
it 'has alter role for "test" user with password as ****' do
expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
- .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
- 'sensitive' => 'true',
- 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
- 'port' => '5432')
+ .with(
+ 'command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'sensitive' => 'true',
+ 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'port' => '5432',
+ )
end
end
@@ -69,10 +77,12 @@
let :params do
{
password_hash: 'new-pa$s',
- connect_settings: { 'PGHOST' => 'postgres-db-server',
- 'DBVERSION' => '9.1',
- 'PGUSER' => 'login-user',
- 'PGPASSWORD' => 'login-pass' }
+ connect_settings: {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ }
}
end
@@ -84,20 +94,34 @@
it 'has create role for "test" user with password as ****' do
expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
- .with_command(sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)))
- .with_sensitive('true')
- .with_unless("SELECT 1 FROM pg_roles WHERE rolname = 'test'")
- .with_port(5432)
- .with_connect_settings('PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass')
- .that_requires('Service[postgresqld]')
+ .with(
+ 'command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)),
+ 'sensitive' => 'true',
+ 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
+ 'port' => 5432,
+ 'connect_settings' => {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ },
+ ).that_requires('Service[postgresqld]')
end
it 'has alter role for "test" user with password as ****' do
expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
- .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'sensitive' => 'true',
- 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'port' => '5432',
- 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
- 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
+ .with(
+ 'command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'sensitive' => 'true',
+ 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'port' => '5432',
+ 'connect_settings' => {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ },
+ )
end
end
@@ -105,11 +129,13 @@
let :params do
{
password_hash: 'new-pa$s',
- connect_settings: { 'PGHOST' => 'postgres-db-server',
- 'DBVERSION' => '9.1',
- 'PGPORT' => '1234',
- 'PGUSER' => 'login-user',
- 'PGPASSWORD' => 'login-pass' }
+ connect_settings: {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGPORT' => '1234',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ }
}
end
@@ -121,18 +147,34 @@
it 'has create role for "test" user with password as ****' do
expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
- .with('command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)),
- 'sensitive' => 'true', 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
- 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
- 'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
+ .with(
+ 'command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)),
+ 'sensitive' => 'true',
+ 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
+ 'connect_settings' => {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGPORT' => '1234',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ },
+ )
end
it 'has alter role for "test" user with password as ****' do
expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
- .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'sensitive' => 'true',
- 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
- 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
- 'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
+ .with(
+ 'command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'sensitive' => 'true',
+ 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'connect_settings' => {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGPORT' => '1234',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ },
+ )
end
end
@@ -153,6 +195,163 @@
end
end
+ context 'with version >= 14' do
+ let :pre_condition do
+ <<-CONDITION
+ class { 'postgresql::globals':
+ version => '14',
+ }
+ -> class { 'postgresql::server': }
+ CONDITION
+ end
+
+ let :params do
+ {
+ password_hash: 'new-pa$s'
+ }
+ end
+
+ it 'use "scram-sha-256" passwords' do
+ expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
+ .with(
+ 'command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'SCRAM-SHA-256$4096:dGVzdA==$ouY1SZtT3yAonoIzvLCooZPtHkO7WigotDMNWL/xSms=:wEl4ewQJMRO2W5lHfiDvtlbmPcHnF0J1iBe6l82YnrQ=')),
+ 'sensitive' => 'true',
+ 'unless' => sensitive(
+ %(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'SCRAM-SHA-256$4096:dGVzdA==$ouY1SZtT3yAonoIzvLCooZPtHkO7WigotDMNWL/xSms=:wEl4ewQJMRO2W5lHfiDvtlbmPcHnF0J1iBe6l82YnrQ='),
+ ),
+ )
+ end
+ end
+
+ context 'with password_encryption "scram-sha-256"' do
+ let :pre_condition do
+ <<-CONDITION
+ class { 'postgresql::server':
+ password_encryption => 'scram-sha-256',
+ }
+ CONDITION
+ end
+
+ let :params do
+ {
+ password_hash: 'new-pa$s',
+ connect_settings: {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGPORT' => '1234',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ }
+ }
+ end
+
+ it 'is expect to use "scram-sha-256" hashed password' do
+ expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
+ .with(
+ 'command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'sensitive' => 'true',
+ 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'connect_settings' => {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGPORT' => '1234',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ },
+ )
+ end
+ end
+
+ context 'with password_encryption "scram-sha-256" and older DBVERSION in connect_settings' do
+ let :pre_condition do
+ <<-CONDITION
+ class { 'postgresql::server':
+ password_encryption => 'scram-sha-256',
+ }
+ CONDITION
+ end
+
+ let :params do
+ {
+ password_hash: 'new-pa$s',
+ connect_settings: {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGPORT' => '1234',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ }
+ }
+ end
+
+ it 'is expect to use "md5" hashed password' do
+ expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
+ .with(
+ 'command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'sensitive' => 'true',
+ 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'connect_settings' => {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGPORT' => '1234',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ },
+ )
+ end
+ end
+
+ context 'with password_encryption "scram-sha-256" and set hash type "md5"' do
+ let :pre_condition do
+ <<-CONDITION
+ class { 'postgresql::server':
+ password_encryption => 'scram-sha-256',
+ }
+ CONDITION
+ end
+
+ let :params do
+ {
+ password_hash: 'new-pa$s',
+ hash: 'md5'
+ }
+ end
+
+ it 'is expect to use "md5" hashed password' do
+ expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
+ .with(
+ 'command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'sensitive' => 'true',
+ 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ )
+ end
+ end
+
+ context 'with password_encryption "scram-sha-256" and "md5" hashed password' do
+ let :pre_condition do
+ <<-CONDITION
+ class { 'postgresql::server':
+ password_encryption => 'scram-sha-256',
+ }
+ CONDITION
+ end
+
+ let :params do
+ {
+ password_hash: 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'
+ }
+ end
+
+ it 'is expect to use definded "md5" password_hash' do
+ expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
+ .with(
+ 'command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ 'sensitive' => 'true',
+ 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
+ )
+ end
+ end
+
context 'with ensure set to absent' do
let :params do
{
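Review bot: The context 'with password_encryption "scram-sha-256"' does not test what its name says: its params carry `'DBVERSION' => '9.1'` and its example, titled 'is expect to use "scram-sha-256" hashed password', asserts `md5b6f7fcbbabb4befde4588a26c1cfd2fa`, which makes it a copy of the following 'older DBVERSION' context. As written, no example covers a server-level `password_encryption => 'scram-sha-256'` without DBVERSION producing a SCRAM verifier. Removing `connect_settings` from that context and expecting the `SCRAM-SHA-256$4096:dGVzdA==$...` value already used in the 'with version >= 14' context should cover it. The example titles also carry typos (`is expect to`, `definded`).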
@@ -178,11 +377,13 @@
let :params do
{
password_hash: 'new-pa$s',
- connect_settings: { 'PGHOST' => 'postgres-db-server',
- 'DBVERSION' => '9.1',
- 'PGPORT' => '1234',
- 'PGUSER' => 'login-user',
- 'PGPASSWORD' => 'login-pass' },
+ connect_settings: {
+ 'PGHOST' => 'postgres-db-server',
+ 'DBVERSION' => '9.1',
+ 'PGPORT' => '1234',
+ 'PGUSER' => 'login-user',
+ 'PGPASSWORD' => 'login-pass'
+ },
psql_user: 'postgresql',
psql_group: 'postgresql',
psql_path: '/usr/bin',
diff --git a/spec/spec_helper_local.rb b/spec/spec_helper_local.rb
index b54d1556cd..c957f9ee1b 100644
--- a/spec/spec_helper_local.rb
+++ b/spec/spec_helper_local.rb
@@ -59,18 +59,66 @@ def param(type, title, param)
)
}
+ it {
+ expect(subject).to run.with_params('foo', 'bar', true).and_return(
+ sensitive(%(md596948aad3fcae80c08a35c9b5958cd89)),
+ )
+ }
+
it {
expect(subject).to run.with_params('foo', 'bar', false, 'scram-sha-256').and_return(
'SCRAM-SHA-256$4096:Zm9v$ea66ynZ8cS9Ty4ZkEYicwC72StsKLSwjcXIXKMgepTk=:dJYmOU6BMCaWkQOB3lrXH9OAF3lW2n3NJ26NO7Srq7U=',
)
}
+ it {
+ expect(subject).to run.with_params('foo', 'bar', true, 'scram-sha-256').and_return(
+ sensitive(%(SCRAM-SHA-256$4096:Zm9v$ea66ynZ8cS9Ty4ZkEYicwC72StsKLSwjcXIXKMgepTk=:dJYmOU6BMCaWkQOB3lrXH9OAF3lW2n3NJ26NO7Srq7U=)),
+ )
+ }
+
it {
expect(subject).to run.with_params('foo', 'bar', false, 'scram-sha-256', 'salt').and_return(
'SCRAM-SHA-256$4096:c2FsdA==$hl63wu9L6vKIjd/UGPfpRl/hIQRBnlkoCiJ9KgxzbX0=:3Q39uiwDZ51m3iPpV8rSgISgRiYqkbnpc+wScL2lSAU=',
)
}
+ it {
+ expect(subject).to run.with_params('foo', 'bar', true, 'scram-sha-256', 'salt').and_return(
+ sensitive(%(SCRAM-SHA-256$4096:c2FsdA==$hl63wu9L6vKIjd/UGPfpRl/hIQRBnlkoCiJ9KgxzbX0=:3Q39uiwDZ51m3iPpV8rSgISgRiYqkbnpc+wScL2lSAU=)),
+ )
+ }
+
+ it {
+ expect(subject).to run.with_params('foo', 'bar', false, nil, 'salt').and_return(
+ 'md596948aad3fcae80c08a35c9b5958cd89',
+ )
+ }
+
+ it {
+ expect(subject).to run.with_params('foo', 'bar', true, nil, 'salt').and_return(
+ sensitive(%(md596948aad3fcae80c08a35c9b5958cd89)),
+ )
+ }
+
+ it {
+ expect(subject).to run.with_params('foo', 'md596948aad3fcae80c08a35c9b5958cd89', false).and_return(
+ 'md596948aad3fcae80c08a35c9b5958cd89',
+ )
+ }
+
+ it {
+ expect(subject).to run.with_params('foo', sensitive(%(SCRAM-SHA-256$4096:c2FsdA==$hl63wu9L6vKIjd/UGPfpRl/hIQRBnlkoCiJ9KgxzbX0=:3Q39uiwDZ51m3iPpV8rSgISgRiYqkbnpc+wScL2lSAU=)), true).and_return(
+ sensitive(%(SCRAM-SHA-256$4096:c2FsdA==$hl63wu9L6vKIjd/UGPfpRl/hIQRBnlkoCiJ9KgxzbX0=:3Q39uiwDZ51m3iPpV8rSgISgRiYqkbnpc+wScL2lSAU=)),
+ )
+ }
+
+ it {
+ expect(subject).to run.with_params('foo', sensitive('md596948aad3fcae80c08a35c9b5958cd89'), false).and_return(
+ 'md596948aad3fcae80c08a35c9b5958cd89',
+ )
+ }
+
it 'raises an error if there is only 1 argument' do
expect(subject).to run.with_params('foo').and_raise_error(StandardError)
end
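Review bot: None of the added examples exercises the edge case the commit message names, a password that starts with `md5` but is not followed by 32 hex characters, so the tightened regex in postgresql_password.rb is only tested on values that are real hashes. An example that passes such a value (a constructed one like `'md5bar'`) and asserts that the result differs from the input and has the `md5` plus 32 hex digits shape would pin the fix. A second example with a multi-line password that contains a hash-looking line would document whether pass-through is intended there. The example group these `it` blocks belong to starts outside the hunk.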
diff --git a/types/pg_password_encryption.pp b/types/pg_password_encryption.pp
new file mode 100644
index 0000000000..b2b5be66e5
--- /dev/null
+++ b/types/pg_password_encryption.pp
@@ -0,0 +1,2 @@
+# @summary the supported password_encryption
+type Postgresql::Pg_password_encryption = Enum['md5', 'scram-sha-256']
From 6dee3b894a3a2b8e793a3e232b9e44b78a1deeeb Mon Sep 17 00:00:00 2001
From: cruelsmith <92088441+cruelsmith@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:20:05 +0100
Subject: [PATCH 2/2] Update REFERENCE.md
* Fixing lint 140chars inside REFERENCE.md
---
REFERENCE.md | 377 ++++++++++++++++-------
manifests/backup/pg_dump.pp | 4 +-
manifests/globals.pp | 26 +-
manifests/lib/devel.pp | 5 +-
manifests/lib/docs.pp | 5 +-
manifests/repo.pp | 2 +-
manifests/server.pp | 48 ++-
manifests/server/database.pp | 4 +-
manifests/server/default_privileges.pp | 6 +-
manifests/server/extension.pp | 11 +-
manifests/server/grant.pp | 16 +-
manifests/server/grant_role.pp | 2 +-
manifests/server/instance/config.pp | 24 +-
manifests/server/instance/initdb.pp | 13 +-
manifests/server/instance/late_initdb.pp | 12 +-
manifests/server/instance/passwd.pp | 14 +-
manifests/server/instance/reload.pp | 2 +
manifests/server/instance/service.pp | 13 +-
manifests/server/pg_hba_rule.pp | 25 +-
manifests/server/recovery.pp | 24 +-
manifests/server/role.pp | 7 +-
manifests/server/table_grant.pp | 7 +-
manifests/server/tablespace.pp | 2 +-
23 files changed, 443 insertions(+), 206 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 44e13ad9c0..fe3afd0e86 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -49,12 +49,12 @@
* [`postgresql::server::extension`](#postgresql--server--extension): Activate an extension on a postgresql database.
* [`postgresql::server::grant`](#postgresql--server--grant): Define for granting permissions to roles.
* [`postgresql::server::grant_role`](#postgresql--server--grant_role): Define for granting membership to a role.
-* [`postgresql::server::instance::config`](#postgresql--server--instance--config): lint:ignore:140chars lint:endignore:140chars
-* [`postgresql::server::instance::initdb`](#postgresql--server--instance--initdb): lint:ignore:140chars lint:endignore:140chars
+* [`postgresql::server::instance::config`](#postgresql--server--instance--config): Manages the config for a postgresql::server instance
+* [`postgresql::server::instance::initdb`](#postgresql--server--instance--initdb): Manages initdb feature for a postgresql::server instance
* [`postgresql::server::instance::late_initdb`](#postgresql--server--instance--late_initdb): Manage the default encoding when database initialization is managed by the package
-* [`postgresql::server::instance::passwd`](#postgresql--server--instance--passwd): lint:ignore:140chars lint:endignore:140chars
-* [`postgresql::server::instance::reload`](#postgresql--server--instance--reload)
-* [`postgresql::server::instance::service`](#postgresql--server--instance--service): lint:ignore:140chars lint:endignore:140chars
+* [`postgresql::server::instance::passwd`](#postgresql--server--instance--passwd): Overrides the default PostgreSQL superuser
+* [`postgresql::server::instance::reload`](#postgresql--server--instance--reload): Overrides the default reload or status command for your PostgreSQL service
+* [`postgresql::server::instance::service`](#postgresql--server--instance--service): Manages the service for the postgres main instance (default) or additional instances
* [`postgresql::server::pg_hba_rule`](#postgresql--server--pg_hba_rule): This resource manages an individual rule that applies to the file defined in target.
* [`postgresql::server::pg_ident_rule`](#postgresql--server--pg_ident_rule): This resource manages an individual rule that applies to the file defined in target.
* [`postgresql::server::reassign_owned_by`](#postgresql--server--reassign_owned_by): Define for reassigning the ownership of objects within a database.
@@ -97,6 +97,7 @@
* [`Postgresql::Pg_hba_rule_address`](#Postgresql--Pg_hba_rule_address): Supported address types
* [`Postgresql::Pg_hba_rule_type`](#Postgresql--Pg_hba_rule_type): enum for all different types for the pg_hba_conf
* [`Postgresql::Pg_hba_rules`](#Postgresql--Pg_hba_rules): validates a hash of entries for postgresql::server::pg_hab_conf
+* [`Postgresql::Pg_password_encryption`](#Postgresql--Pg_password_encryption): the supported password_encryption
### Tasks
@@ -156,7 +157,8 @@ Default value: `'present'`
Class for setting cross-class global overrides.
* **Note** Most server-specific defaults should be overridden in the postgresql::server class.
-This class should be used only if you are using a non-standard OS, or if you are changing elements that can only be changed here, such as version or manage_package_repo.
+This class should be used only if you are using a non-standard OS, or if you are changing elements that can only be changed here, such
+as version or manage_package_repo.
#### Parameters
@@ -433,8 +435,10 @@ Data type: `Optional[String[1]]`
Overrides the default PostgreSQL data directory for the target platform.
Changing the datadir after installation causes the server to come to a full stop before making the change.
For Red Hat systems, the data directory must be labeled appropriately for SELinux.
-On Ubuntu, you must explicitly set needs_initdb = true to allow Puppet to initialize the database in the new datadir (needs_initdb defaults to true on other systems).
-Warning! If datadir is changed from the default, Puppet does not manage purging of the original data directory, which causes it to fail if the data directory is changed back to the original
+On Ubuntu, you must explicitly set needs_initdb = true to allow Puppet to initialize the database in the new datadir (needs_initdb
+defaults to true on other systems).
+Warning! If datadir is changed from the default, Puppet does not manage purging of the original data directory, which causes it to fail
+if the data directory is changed back to the original
Default value: `undef`
@@ -547,7 +551,8 @@ Default value: `undef`
Data type: `Optional[String[1]]`
Sets the default encoding for all databases created with this module.
-On certain operating systems, this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+On certain operating systems, this is also used during the template1 initialization,
+so it becomes a default outside of the module as well.
Default value: `undef`
@@ -556,7 +561,8 @@ Default value: `undef`
Data type: `Optional[String[1]]`
Sets the default database locale for all databases created with this module.
-On certain operating systems, this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+On certain operating systems, this is also used during the template1 initialization,
+so it becomes a default outside of the module as well.
On Debian, you'll need to ensure that the 'locales-all' package is installed for full functionality of PostgreSQL.
Default value: `undef`
@@ -666,7 +672,8 @@ Default value: `false`
Data type: `Optional[String[1]]`
-Specifies working directory under which the psql command should be executed. May need to specify if '/tmp' is on volume mounted with noexec option.
+Specifies working directory under which the psql command should be executed.
+May need to specify if '/tmp' is on volume mounted with noexec option.
Default value: `undef`
@@ -702,7 +709,8 @@ Default value: `'present'`
Data type: `Boolean`
-If the bin directory used by the PostgreSQL page is not /usr/bin or /usr/local/bin, symlinks pg_config from the package's bin dir into usr/bin (not applicable to Debian systems). Set to false to disable this behavior.
+If the bin directory used by the PostgreSQL page is not /usr/bin or /usr/local/bin, symlinks pg_config from the package's bin dir
+into usr/bin (not applicable to Debian systems). Set to false to disable this behavior.
Default value: `$postgresql::params::link_pg_config`
@@ -885,12 +893,17 @@ The following parameters are available in the `postgresql::server` class:
* [`backup_provider`](#-postgresql--server--backup_provider)
* [`version`](#-postgresql--server--version)
* [`extra_systemd_config`](#-postgresql--server--extra_systemd_config)
+* [`auth_host`](#-postgresql--server--auth_host)
+* [`auth_local`](#-postgresql--server--auth_local)
+* [`lc_messages`](#-postgresql--server--lc_messages)
+* [`username`](#-postgresql--server--username)
##### `postgres_password`
Data type: `Optional[Variant[String[1], Sensitive[String[1]], Integer]]`
-Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres database, with a user called postgres and no password.
+Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres
+database, with a user called postgres and no password.
Default value: `undef`
@@ -962,7 +975,8 @@ Default value: `$postgresql::params::service_name`
Data type: `Boolean`
-Overrides the default behavior to restart your PostgreSQL service when a config entry has been changed that requires a service restart to become active.
+Overrides the default behavior to restart your PostgreSQL service when a config entry has been changed that requires a service restart
+to become active.
Default value: `$postgresql::params::service_restart_on_change`
@@ -1002,7 +1016,8 @@ Default value: `$postgresql::params::default_database`
Data type: `Hash`
-Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined types, such as postgresql::server::role.
+Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined types, such as
+postgresql::server::role.
Default value: `$postgresql::globals::default_connect_settings`
@@ -1018,7 +1033,10 @@ Default value: `$postgresql::params::listen_addresses`
Data type: `Variant[String[1], Stdlib::Port, Integer]`
-Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+Specifies the port for the PostgreSQL server to listen on.
+Note: The same port number is used for all IP addresses the server listens on.
+Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make
+the change.
Default value: 5432. Meaning the Postgres server listens on TCP port 5432.
Default value: `$postgresql::params::port`
@@ -1036,8 +1054,10 @@ Default value: `$postgresql::params::ip_mask_deny_postgres_user`
Data type: `String[1]`
-Overrides PostgreSQL defaults for remote connections. By default, PostgreSQL does not allow database user accounts to connect via TCP from remote machines. If you'd like to allow this, you can override this setting.
-Set to '0.0.0.0/0' to allow database users to connect from any remote machine, or '192.168.0.0/1' to allow connections from any machine on your local '192.168' subnet.
+Overrides PostgreSQL defaults for remote connections. By default, PostgreSQL does not allow database user accounts to connect via TCP
+from remote machines. If you'd like to allow this, you can override this setting.
+Set to '0.0.0.0/0' to allow database users to connect from any remote machine, or '192.168.0.0/1' to allow connections from any machine
+on your local '192.168' subnet.
Default value: '127.0.0.1/32'.
Default value: `$postgresql::params::ip_mask_allow_all_users`
@@ -1158,7 +1178,9 @@ Default value: `$postgresql::params::log_line_prefix`
Data type: `Boolean`
-If false, disables the defaults supplied with the module for pg_hba.conf. This is useful if you disagree with the defaults and wish to override them yourself. Be sure that your changes of course align with the rest of the module, as some access is required to perform basic psql operations for example.
+If false, disables the defaults supplied with the module for pg_hba.conf. This is useful if you disagree with the defaults and wish to
+override them yourself. Be sure that your changes of course align with the rest of the module, as some access is required to perform
+basic psql operations for example.
Default value: `$postgresql::params::pg_hba_conf_defaults`
@@ -1190,7 +1212,8 @@ Default value: `$postgresql::params::needs_initdb`
Data type: `Optional[String[1]]`
-Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the
+template1 initialization, so it becomes a default outside of the module as well.
Default value: `$postgresql::params::encoding`
@@ -1198,7 +1221,8 @@ Default value: `$postgresql::params::encoding`
Data type: `Optional[String[1]]`
-Sets the default database locale for all databases created with this module. On certain operating systems this is used during the template1 initialization as well, so it becomes a default outside of the module.
+Sets the default database locale for all databases created with this module. On certain operating systems this is used during the
+template1 initialization as well, so it becomes a default outside of the module.
Default value: `$postgresql::params::locale`
@@ -1207,7 +1231,8 @@ Default value: `$postgresql::params::locale`
Data type: `Optional[Boolean]`
Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent.
-Warning: This option is used during initialization by initdb, and cannot be changed later. If set, checksums are calculated for all objects, in all databases.
+Warning: This option is used during initialization by initdb, and cannot be changed later.
+If set, checksums are calculated for all objects, in all databases.
Default value: `$postgresql::params::data_checksums`
@@ -1295,7 +1320,7 @@ Default value: `$postgresql::params::manage_xlogdir`
##### `password_encryption`
-Data type: `Optional[String]`
+Data type: `Optional[Postgresql::Pg_password_encryption]`
Specify the type of encryption set for the password.
@@ -1365,6 +1390,38 @@ Adds extra config to systemd config file, can for instance be used to add extra
Default value: `$postgresql::params::extra_systemd_config`
+##### `auth_host`
+
+Data type: `Optional[String[1]]`
+
+auth method used by default for host authorization
+
+Default value: `undef`
+
+##### `auth_local`
+
+Data type: `Optional[String[1]]`
+
+auth method used by default for local authorization
+
+Default value: `undef`
+
+##### `lc_messages`
+
+Data type: `Optional[String[1]]`
+
+locale used for logging and system messages
+
+Default value: `undef`
+
+##### `username`
+
+Data type: `Optional[String[1]]`
+
+username of user running the postgres instance
+
+Default value: `undef`
+
### `postgresql::server::contrib`
Install the contrib postgresql packaging.
@@ -1484,6 +1541,7 @@ Manage a postgresql.conf entry.
The following parameters are available in the `postgresql::server::config_entry` defined type:
* [`ensure`](#-postgresql--server--config_entry--ensure)
+* [`key`](#-postgresql--server--config_entry--key)
* [`value`](#-postgresql--server--config_entry--value)
* [`path`](#-postgresql--server--config_entry--path)
@@ -1495,6 +1553,14 @@ Removes an entry if set to 'absent'.
Default value: `'present'`
+##### `key`
+
+Data type: `String[1]`
+
+Defines the key/name for the setting. Defaults to $name
+
+Default value: `$name`
+
##### `value`
Data type: `Optional[Variant[String[1], Numeric, Array[String[1]]]]`
@@ -1834,7 +1900,7 @@ Pattern[
/(?i:^SEQUENCES$)/,
/(?i:^TABLES$)/,
/(?i:^TYPES$)/,
- /(?i:^SCHEMAS$)/ # lint:ignore:trailing_comma
+ /(?i:^SCHEMAS$)/
]
```
@@ -1947,11 +2013,13 @@ Default value: `undef`
Data type: `Optional[String[1]]`
-Specifies the version of the extension which the database uses. When an extension package is updated, this does not automatically change the effective version in each database.
+Specifies the version of the extension which the database uses. When an extension package is updated, this does not automatically
+change the effective version in each database.
This needs be updated using the PostgreSQL-specific SQL ALTER EXTENSION...
version may be set to latest, in which case the SQL ALTER EXTENSION "extension" UPDATE is applied to this database (only).
version may be set to a specific version, in which case the extension is updated using ALTER EXTENSION "extension" UPDATE TO 'version'
-eg. If extension is set to postgis and version is set to 2.3.3, this will apply the SQL ALTER EXTENSION "postgis" UPDATE TO '2.3.3' to this database only.
+eg. If extension is set to postgis and version is set to 2.3.3, this will apply the SQL ALTER EXTENSION "postgis" UPDATE TO '2.3.3' to
+this database only.
version may be omitted, in which case no ALTER EXTENSION... SQL is applied, and the version will be left unchanged.
Default value: `undef`
@@ -1976,7 +2044,8 @@ Default value: `undef`
Data type: `Optional[Variant[Enum['present', 'absent', 'purged', 'disabled', 'installed', 'latest'], String[1]]]`
-Overrides default package deletion behavior. By default, the package specified with package_name is installed when the extension is activated and removed when the extension is deactivated. To override this behavior, set the ensure value for the package.
+Overrides default package deletion behavior. By default, the package specified with package_name is installed when the extension is
+activated and removed when the extension is deactivated. To override this behavior, set the ensure value for the package.
Default value: `undef`
@@ -2064,12 +2133,13 @@ Pattern[#/(?i:^COLUMN$)/,
/(?i:^TABLE$)/,
#/(?i:^TABLESPACE$)/,
/(?i:^SCHEMA$)/,
- /(?i:^SEQUENCE$)/ # lint:ignore:trailing_comma
+ /(?i:^SEQUENCE$)/
#/(?i:^VIEW$)/
]
```
-Specifies the type of object to which you are granting privileges. Valid options: 'DATABASE', 'SCHEMA', 'SEQUENCE', 'ALL SEQUENCES IN SCHEMA', 'TABLE' or 'ALL TABLES IN SCHEMA'.
+Specifies the type of object to which you are granting privileges.
+Valid options: 'DATABASE', 'SCHEMA', 'SEQUENCE', 'ALL SEQUENCES IN SCHEMA', 'TABLE' or 'ALL TABLES IN SCHEMA'.
Default value: `'database'`
@@ -2077,7 +2147,8 @@ Default value: `'database'`
Data type: `Optional[Variant[Array[String,2,2],String[1]]]`
-Specifies name of object_type to which to grant access, can be either a string or a two element array. String: 'object_name' Array: ['schema_name', 'object_name']
+Specifies name of object_type to which to grant access, can be either a string or a two element array.
+String: 'object_name' Array: ['schema_name', 'object_name']
Default value: `undef`
@@ -2225,8 +2296,7 @@ Default value: `$postgresql::server::default_connect_settings`
### `postgresql::server::instance::config`
-lint:ignore:140chars
-lint:endignore:140chars
+Manages the config for a postgresql::server instance
#### Parameters
@@ -2273,8 +2343,10 @@ Default value: `$postgresql::server::ip_mask_deny_postgres_user`
Data type: `String[1]`
-Overrides PostgreSQL defaults for remote connections. By default, PostgreSQL does not allow database user accounts to connect via TCP from remote machines. If you'd like to allow this, you can override this setting.
-Set to '0.0.0.0/0' to allow database users to connect from any remote machine, or '192.168.0.0/1' to allow connections from any machine on your local '192.168' subnet.
+Overrides PostgreSQL defaults for remote connections. By default, PostgreSQL does not allow database user accounts to connect via TCP
+from remote machines. If you'd like to allow this, you can override this setting.
+Set to '0.0.0.0/0' to allow database users to connect from any remote machine, or '192.168.0.0/1' to allow connections from any machine
+on your local '192.168' subnet.
Default value: '127.0.0.1/32'.
Default value: `$postgresql::server::ip_mask_allow_all_users`
@@ -2291,7 +2363,9 @@ Default value: `$postgresql::server::listen_addresses`
Data type: `Variant[String[1], Stdlib::Port, Integer]`
-Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+Specifies the port for the PostgreSQL server to listen on.
+Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems,
+changing the port causes the server to come to a full stop before being able to make the change.
Default value: 5432. Meaning the Postgres server listens on TCP port 5432.
Default value: `$postgresql::server::port`
@@ -2356,7 +2430,9 @@ Default value: `$postgresql::server::recovery_conf_path`
Data type: `Boolean`
-If false, disables the defaults supplied with the module for pg_hba.conf. This is useful if you disagree with the defaults and wish to override them yourself. Be sure that your changes of course align with the rest of the module, as some access is required to perform basic psql operations for example.
+If false, disables the defaults supplied with the module for pg_hba.conf. This is useful if you disagree with the defaults and wish to
+override them yourself. Be sure that your changes of course align with the rest of the module, as some access is required to perform
+basic psql operations for example.
Default value: `$postgresql::server::pg_hba_conf_defaults`
@@ -2468,7 +2544,7 @@ Default value: `$postgresql::server::timezone`
##### `password_encryption`
-Data type: `Optional[String]`
+Data type: `Optional[Postgresql::Pg_password_encryption]`
Specify the type of encryption set for the password.
@@ -2484,44 +2560,54 @@ Default value: `$postgresql::server::extra_systemd_config`
### `postgresql::server::instance::initdb`
-lint:ignore:140chars
-lint:endignore:140chars
+Manages initdb feature for a postgresql::server instance
#### Parameters
The following parameters are available in the `postgresql::server::instance::initdb` defined type:
-* [`needs_initdb`](#-postgresql--server--instance--initdb--needs_initdb)
-* [`initdb_path`](#-postgresql--server--instance--initdb--initdb_path)
+* [`auth_host`](#-postgresql--server--instance--initdb--auth_host)
+* [`auth_local`](#-postgresql--server--instance--initdb--auth_local)
+* [`data_checksums`](#-postgresql--server--instance--initdb--data_checksums)
* [`datadir`](#-postgresql--server--instance--initdb--datadir)
-* [`xlogdir`](#-postgresql--server--instance--initdb--xlogdir)
+* [`encoding`](#-postgresql--server--instance--initdb--encoding)
+* [`group`](#-postgresql--server--instance--initdb--group)
+* [`initdb_path`](#-postgresql--server--instance--initdb--initdb_path)
+* [`lc_messages`](#-postgresql--server--instance--initdb--lc_messages)
+* [`locale`](#-postgresql--server--instance--initdb--locale)
* [`logdir`](#-postgresql--server--instance--initdb--logdir)
* [`manage_datadir`](#-postgresql--server--instance--initdb--manage_datadir)
* [`manage_logdir`](#-postgresql--server--instance--initdb--manage_logdir)
* [`manage_xlogdir`](#-postgresql--server--instance--initdb--manage_xlogdir)
-* [`encoding`](#-postgresql--server--instance--initdb--encoding)
-* [`locale`](#-postgresql--server--instance--initdb--locale)
-* [`data_checksums`](#-postgresql--server--instance--initdb--data_checksums)
-* [`user`](#-postgresql--server--instance--initdb--user)
-* [`group`](#-postgresql--server--instance--initdb--group)
* [`module_workdir`](#-postgresql--server--instance--initdb--module_workdir)
+* [`needs_initdb`](#-postgresql--server--instance--initdb--needs_initdb)
+* [`user`](#-postgresql--server--instance--initdb--user)
+* [`username`](#-postgresql--server--instance--initdb--username)
+* [`xlogdir`](#-postgresql--server--instance--initdb--xlogdir)
-##### `needs_initdb`
+##### `auth_host`
-Data type: `Boolean`
+Data type: `Optional[String[1]]`
-Explicitly calls the initdb operation after server package is installed
-and before the PostgreSQL service is started.
+auth method used by default for host authorization
-Default value: `$postgresql::server::needs_initdb`
+Default value: `$postgresql::server::auth_host`
-##### `initdb_path`
+##### `auth_local`
-Data type: `Variant[String[1], Stdlib::Absolutepath]`
+Data type: `Optional[String[1]]`
-Specifies the path to the initdb command.
+auth method used by default for local authorization
-Default value: `$postgresql::server::initdb_path`
+Default value: `$postgresql::server::auth_local`
+
+##### `data_checksums`
+
+Data type: `Optional[Boolean]`
+
+Boolean. Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent.
+
+Default value: `$postgresql::server::data_checksums`
##### `datadir`
@@ -2531,13 +2617,50 @@ PostgreSQL data directory
Default value: `$postgresql::server::datadir`
-##### `xlogdir`
+##### `encoding`
Data type: `Optional[String[1]]`
-PostgreSQL xlog directory
+Sets the default encoding for all databases created with this module.
+On certain operating systems this is also used during the template1 initialization,
+so it becomes a default outside of the module as well.
-Default value: `$postgresql::server::xlogdir`
+Default value: `$postgresql::server::encoding`
+
+##### `group`
+
+Data type: `String[1]`
+
+Overrides the default postgres user group to be used for related files in the file system.
+
+Default value: `$postgresql::server::group`
+
+##### `initdb_path`
+
+Data type: `Variant[String[1], Stdlib::Absolutepath]`
+
+Specifies the path to the initdb command.
+
+Default value: `$postgresql::server::initdb_path`
+
+##### `lc_messages`
+
+Data type: `Optional[String[1]]`
+
+locale used for logging and system messages
+
+Default value: `$postgresql::server::lc_messages`
+
+##### `locale`
+
+Data type: `Optional[String[1]]`
+
+Sets the default database locale for all databases created with this module.
+On certain operating systems this is used during the template1 initialization as well, so it becomes a default outside of the module.
+Warning: This option is used during initialization by initdb, and cannot be changed later.
+If set, checksums are calculated for all objects, in all databases.
+
+Default value: `$postgresql::server::locale`
##### `logdir`
@@ -2571,32 +2694,22 @@ Set to false if you have file{ $xlogdir: } already defined
Default value: `$postgresql::server::manage_xlogdir`
-##### `encoding`
-
-Data type: `Optional[String[1]]`
-
-Sets the default encoding for all databases created with this module.
-On certain operating systems this is also used during the template1 initialization, so it becomes a default outside of the module as well.
-
-Default value: `$postgresql::server::encoding`
-
-##### `locale`
+##### `module_workdir`
-Data type: `Optional[String[1]]`
+Data type: `String[1]`
-Sets the default database locale for all databases created with this module.
-On certain operating systems this is used during the template1 initialization as well, so it becomes a default outside of the module.
+Working directory for the PostgreSQL module
-Default value: `$postgresql::server::locale`
+Default value: `$postgresql::server::module_workdir`
-##### `data_checksums`
+##### `needs_initdb`
-Data type: `Optional[Boolean]`
+Data type: `Boolean`
-Boolean. Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent.
-Warning: This option is used during initialization by initdb, and cannot be changed later. If set, checksums are calculated for all objects, in all databases.
+Explicitly calls the initdb operation after server package is installed
+and before the PostgreSQL service is started.
-Default value: `$postgresql::server::data_checksums`
+Default value: `$postgresql::server::needs_initdb`
##### `user`
@@ -2606,26 +2719,25 @@ Overrides the default PostgreSQL super user and owner of PostgreSQL related file
Default value: `$postgresql::server::user`
-##### `group`
+##### `username`
-Data type: `String[1]`
+Data type: `Optional[String[1]]`
-Overrides the default postgres user group to be used for related files in the file system.
+username of user running the postgres instance
-Default value: `$postgresql::server::group`
+Default value: `$postgresql::server::username`
-##### `module_workdir`
+##### `xlogdir`
-Data type: `String[1]`
+Data type: `Optional[String[1]]`
-Working directory for the PostgreSQL module
+PostgreSQL xlog/WAL directory
-Default value: `$postgresql::server::module_workdir`
+Default value: `$postgresql::server::xlogdir`
### `postgresql::server::instance::late_initdb`
-lint:ignore:140chars
-lint:endignore:140chars
+Manage the default encoding when database initialization is managed by the package
#### Parameters
@@ -2642,7 +2754,8 @@ The following parameters are available in the `postgresql::server::instance::lat
Data type: `Optional[String[1]]`
-Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the
+template1 initialization, so it becomes a default outside of the module as well.
Default value: `$postgresql::server::encoding`
@@ -2674,7 +2787,9 @@ Default value: `$postgresql::server::psql_path`
Data type: `Variant[String[1], Stdlib::Port, Integer]`
-Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+Specifies the port for the PostgreSQL server to listen on.
+Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems,
+changing the port causes the server to come to a full stop before being able to make the change.
Default value: `$postgresql::server::port`
@@ -2688,8 +2803,7 @@ Default value: `$postgresql::server::module_workdir`
### `postgresql::server::instance::passwd`
-lint:ignore:140chars
-lint:endignore:140chars
+Overrides the default PostgreSQL superuser
#### Parameters
@@ -2732,7 +2846,9 @@ Default value: `$postgresql::server::psql_path`
Data type: `Variant[String[1], Stdlib::Port, Integer]`
-Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+Specifies the port for the PostgreSQL server to listen on.
+Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems,
+changing the port causes the server to come to a full stop before being able to make the change.
Default value: `$postgresql::server::port`
@@ -2756,13 +2872,14 @@ Default value: `$postgresql::server::module_workdir`
Data type: `Optional[Variant[String[1], Sensitive[String[1]], Integer]]`
-Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres database, with a user called postgres and no password.
+Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres
+database, with a user called postgres and no password.
Default value: `$postgresql::server::postgres_password`
### `postgresql::server::instance::reload`
-The postgresql::server::instance::reload class.
+Overrides the default reload or status command for your PostgreSQL service
#### Parameters
@@ -2789,8 +2906,7 @@ Default value: `$postgresql::server::service_status`
### `postgresql::server::instance::service`
-lint:ignore:140chars
-lint:endignore:140chars
+Manages the service for the postgres main instance (default) or additional instances
#### Parameters
@@ -2868,7 +2984,9 @@ Default value: `$postgresql::server::user`
Data type: `Variant[String[1], Stdlib::Port, Integer]`
-Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+Specifies the port for the PostgreSQL server to listen on.
+Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems,
+changing the port causes the server to come to a full stop before being able to make the change.
Default value: 5432. Meaning the Postgres server listens on TCP port 5432.
Default value: `$postgresql::server::port`
@@ -2893,14 +3011,14 @@ Default value: `$postgresql::server::psql_path`
Data type: `Hash`
-Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined types, such as postgresql::server::role.
+Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined types,
+such as postgresql::server::role.
Default value: `$postgresql::server::default_connect_settings`
### `postgresql::server::pg_hba_rule`
-lint:ignore:140chars
-lint:endignore:140chars
+This resource manages an individual rule that applies to the file defined in target.
#### Parameters
@@ -2939,13 +3057,16 @@ Sets a comma-separated list of users that this rule matches.
Data type: `String[1]`
-Provides the method that is used for authentication for the connection that this rule matches. Described further in the PostgreSQL pg_hba.conf documentation.
+Provides the method that is used for authentication for the connection that this rule matches.
+Described further in the PostgreSQL pg_hba.conf documentation.
##### `address`
Data type: `Optional[Postgresql::Pg_hba_rule_address]`
-Sets a address for this rule matching when the type is not 'local'. Value can either be IPv4 CIDR, IPv6 CIDR, a FQDN, the strings 'all', 'samehost' or 'samenet' or a domain either with or without starting dot (.) https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+Sets a address for this rule matching when the type is not 'local'.
+Value can either be IPv4 CIDR, IPv6 CIDR, a FQDN, the strings 'all', 'samehost' or 'samenet' or a domain either with or without starting
+dot (.) https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
Default value: `undef`
@@ -2953,7 +3074,8 @@ Default value: `undef`
Data type: `String[1]`
-Defines a longer description for this rule, if required. This description is placed in the comments above the rule in pg_hba.conf. Default value: 'none'.
+Defines a longer description for this rule, if required. This description is placed in the comments above the rule in pg_hba.conf.
+Default value: 'none'.
Default value: `'none'`
@@ -2961,7 +3083,8 @@ Default value: `'none'`
Data type: `Optional[String]`
-For certain auth_method settings there are extra options that can be passed. Consult the PostgreSQL pg_hba.conf documentation for further details.
+For certain auth_method settings there are extra options that can be passed. Consult the PostgreSQL pg_hba.conf documentation for
+further details.
Default value: `undef`
@@ -2969,7 +3092,10 @@ Default value: `undef`
Data type: `Variant[String, Integer]`
-Sets an order for placing the rule in pg_hba.conf. This can be either a string or an integer. If it is an integer, it will be converted to a string by zero-padding it to three digits. E.g. 42 will be zero-padded to the string '042'. The pg_hba_rule fragments are sorted using the alpha sorting order. Default value: 150.
+Sets an order for placing the rule in pg_hba.conf. This can be either a string or an integer. If it is an integer, it will be converted
+to a string by zero-padding it to three digits. E.g. 42 will be zero-padded to the string '042'. The pg_hba_rule fragments are sorted
+using the alpha sorting order.
+Default value: 150.
Default value: `150`
@@ -3109,13 +3235,14 @@ Default value: `$postgresql::server::default_connect_settings`
### `postgresql::server::recovery`
-lint:ignore:140chars
-lint:endignore:140chars
+This resource manages the parameters that applies to the recovery.conf template.
* **Note** Allows you to create the content for recovery.conf. For more details see the usage example and the PostgreSQL documentation.
-Every parameter value is a string set in the template except recovery_target_inclusive, pause_at_recovery_target, standby_mode and recovery_min_apply_delay.
+Every parameter value is a string set in the template except recovery_target_inclusive, pause_at_recovery_target, standby_mode and
+recovery_min_apply_delay.
A detailed description of all listed parameters can be found in the PostgreSQL documentation.
-Only the specified parameters are recognized in the template. The recovery.conf is only created if at least one parameter is set and manage_recovery_conf is set to true.
+Only the specified parameters are recognized in the template. The recovery.conf is only created if at least one parameter is set and
+manage_recovery_conf is set to true.
#### Parameters
@@ -3238,7 +3365,8 @@ Default value: `undef`
Data type: `Optional[String[1]]`
-Optionally specifies an existing replication slot to be used when connecting to the primary via streaming replication to control resource removal on the upstream node.
+Optionally specifies an existing replication slot to be used when connecting to the primary via streaming replication to control
+resource removal on the upstream node.
Default value: `undef`
@@ -3435,17 +3563,18 @@ Default value: `$postgresql::server::psql_path`
Data type: `String[1]`
-Specifies working directory under which the psql command should be executed. May need to specify if '/tmp' is on volume mounted with noexec option.
+Specifies working directory under which the psql command should be executed.
+May need to specify if '/tmp' is on volume mounted with noexec option.
Default value: `$postgresql::server::module_workdir`
##### `hash`
-Data type: `Enum['md5', 'scram-sha-256']`
+Data type: `Optional[Enum['md5', 'scram-sha-256']]`
Specify the hash method for pg password
-Default value: `'md5'`
+Default value: `undef`
##### `salt`
@@ -3533,9 +3662,15 @@ The following parameters are available in the `postgresql::server::table_grant`
##### `privilege`
-Data type: `Enum['ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'all', 'select', 'insert', 'update', 'delete', 'truncate', 'references', 'trigger']`
+Data type:
-Specifies comma-separated list of privileges to grant. Valid options: 'ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER'.
+```puppet
+Enum['ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'all', 'select', 'insert', 'update', 'delete',
+ 'truncate', 'references', 'trigger']
+```
+
+Specifies comma-separated list of privileges to grant.
+Valid options: 'ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER'.
##### `table`
@@ -4119,7 +4254,7 @@ Type: Ruby 4.x API
This function returns the postgresql password hash from the clear text username / password
-#### `postgresql::postgresql_password(Variant[String[1], Integer] $username, Variant[String[1], Sensitive[String[1]], Integer] $password, Optional[Boolean] $sensitive, Optional[Optional[Enum['md5', 'scram-sha-256']]] $hash, Optional[Optional[Variant[String[1], Integer]]] $salt)`
+#### `postgresql::postgresql_password(Variant[String[1], Integer] $username, Variant[String[1], Sensitive[String[1]], Integer] $password, Optional[Boolean] $sensitive, Optional[Optional[Postgresql::Pg_password_encryption]] $hash, Optional[Optional[Variant[String[1], Integer]]] $salt)`
The postgresql::postgresql_password function.
@@ -4145,7 +4280,7 @@ If the Postgresql-Passwordhash should be of Datatype Sensitive[String]
##### `hash`
-Data type: `Optional[Optional[Enum['md5', 'scram-sha-256']]]`
+Data type: `Optional[Optional[Postgresql::Pg_password_encryption]]`
Set type for password hash
@@ -4262,6 +4397,12 @@ validates a hash of entries for postgresql::server::pg_hab_conf
Alias of `Hash[String[1], Postgresql::Pg_hba_rule]`
+### `Postgresql::Pg_password_encryption`
+
+the supported password_encryption
+
+Alias of `Enum['md5', 'scram-sha-256']`
+
## Tasks
### `sql`
diff --git a/manifests/backup/pg_dump.pp b/manifests/backup/pg_dump.pp
index 4fc05d179b..64ac5cfb4f 100644
--- a/manifests/backup/pg_dump.pp
+++ b/manifests/backup/pg_dump.pp
@@ -26,7 +26,8 @@
# @param manage_user
# Manage creation of the backup user.
# @param optional_args
-# Specifies an array of optional arguments which should be passed through to the backup tool. These options are not validated, unsupported options may break the backup.
+# Specifies an array of optional arguments which should be passed through to the backup tool. These options are not validated,
+# unsupported options may break the backup.
# @param post_script
# One or more scripts that are executed when the backup is finished. This could be used to sync the backup to a central store.
# @param pre_script
@@ -39,7 +40,6 @@
# An array of two elements to set the backup time. Allows `['23', '5']` (i.e., 23:05) or `['3', '45']` (i.e., 03:45) for HH:MM times.
# @param weekday
# Weekdays on which the backup job should run. Defaults to `*`. This parameter is passed directly to the cron resource.
-#
class postgresql::backup::pg_dump (
String[1] $dir,
Variant[Enum['present', 'absent', 'purged', 'disabled', 'installed', 'latest'], String[1]] $ensure = 'present',
diff --git a/manifests/globals.pp b/manifests/globals.pp
index 53cf5529cc..c9243cd41c 100644
--- a/manifests/globals.pp
+++ b/manifests/globals.pp
@@ -2,7 +2,8 @@
#
# @note
# Most server-specific defaults should be overridden in the postgresql::server class.
-# This class should be used only if you are using a non-standard OS, or if you are changing elements that can only be changed here, such as version or manage_package_repo.
+# This class should be used only if you are using a non-standard OS, or if you are changing elements that can only be changed here, such
+# as version or manage_package_repo.
#
#
# @param client_package_name Overrides the default PostgreSQL client package name.
@@ -40,8 +41,10 @@
# Overrides the default PostgreSQL data directory for the target platform.
# Changing the datadir after installation causes the server to come to a full stop before making the change.
# For Red Hat systems, the data directory must be labeled appropriately for SELinux.
-# On Ubuntu, you must explicitly set needs_initdb = true to allow Puppet to initialize the database in the new datadir (needs_initdb defaults to true on other systems).
-# Warning! If datadir is changed from the default, Puppet does not manage purging of the original data directory, which causes it to fail if the data directory is changed back to the original
+# On Ubuntu, you must explicitly set needs_initdb = true to allow Puppet to initialize the database in the new datadir (needs_initdb
+# defaults to true on other systems).
+# Warning! If datadir is changed from the default, Puppet does not manage purging of the original data directory, which causes it to fail
+# if the data directory is changed back to the original
#
# @param confdir Overrides the default PostgreSQL configuration directory for the target platform.
# @param bindir Overrides the default PostgreSQL binaries directory for the target platform.
@@ -59,20 +62,24 @@
# @param repo_baseurl Sets the baseurl for the PostgreSQL repository. Useful if you host your own mirror of the repository.
# @param yum_repo_commonurl Sets the url for the PostgreSQL common Yum repository. Useful if you host your own mirror of the YUM repository.
#
-# @param needs_initdb Explicitly calls the initdb operation after the server package is installed and before the PostgreSQL service is started.
+# @param needs_initdb
+# Explicitly calls the initdb operation after the server package is installed and before the PostgreSQL service is started.
#
# @param encoding
# Sets the default encoding for all databases created with this module.
-# On certain operating systems, this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+# On certain operating systems, this is also used during the template1 initialization,
+# so it becomes a default outside of the module as well.
# @param locale
# Sets the default database locale for all databases created with this module.
-# On certain operating systems, this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+# On certain operating systems, this is also used during the template1 initialization,
+# so it becomes a default outside of the module as well.
# On Debian, you'll need to ensure that the 'locales-all' package is installed for full functionality of PostgreSQL.
# @param data_checksums
# Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent.
# Warning: This option is used during initialization by initdb, and cannot be changed later.
#
-# @param timezone Sets the default timezone of the postgresql server. The postgresql built-in default is taking the systems timezone information.
+# @param timezone
+# Sets the default timezone of the postgresql server. The postgresql built-in default is taking the systems timezone information.
#
# @param manage_pg_hba_conf Allow Puppet to manage the pg_hba.conf file.
# @param manage_pg_ident_conf Allow Puppet to manage the pg_ident.conf file.
@@ -92,8 +99,9 @@
# Manage the DNF module. This only makes sense on distributions that use DNF
# package manager, such as EL8 or Fedora. It also requires Puppet 5.5.20+ or
# Puppet 6.15.0+ since they ship the dnfmodule provider.
-# @param module_workdir Specifies working directory under which the psql command should be executed. May need to specify if '/tmp' is on volume mounted with noexec option.
-#
+# @param module_workdir
+# Specifies working directory under which the psql command should be executed.
+# May need to specify if '/tmp' is on volume mounted with noexec option.
#
class postgresql::globals (
Optional[String[1]] $client_package_name = undef,
diff --git a/manifests/lib/devel.pp b/manifests/lib/devel.pp
index 70ab31da97..8b215b8b0f 100644
--- a/manifests/lib/devel.pp
+++ b/manifests/lib/devel.pp
@@ -1,11 +1,12 @@
-# @summary This class installs postgresql development libraries.
+# @summary This class installs postgresql development libraries.
#
# @param package_name
# Override devel package name
# @param package_ensure
# Ensure the development libraries are installed
# @param link_pg_config
-# If the bin directory used by the PostgreSQL page is not /usr/bin or /usr/local/bin, symlinks pg_config from the package's bin dir into usr/bin (not applicable to Debian systems). Set to false to disable this behavior.
+# If the bin directory used by the PostgreSQL page is not /usr/bin or /usr/local/bin, symlinks pg_config from the package's bin dir
+# into usr/bin (not applicable to Debian systems). Set to false to disable this behavior.
#
#
class postgresql::lib::devel (
diff --git a/manifests/lib/docs.pp b/manifests/lib/docs.pp
index 0f132cd98a..354c7c1b0d 100644
--- a/manifests/lib/docs.pp
+++ b/manifests/lib/docs.pp
@@ -1,4 +1,5 @@
-# @summary Installs PostgreSQL bindings for Postgres-Docs. Set the following parameters if you have a custom version you would like to install.
+# @summary
+# Installs PostgreSQL bindings for Postgres-Docs. Set the following parameters if you have a custom version you would like to install.
#
# @note
# Make sure to add any necessary yum or apt repositories if specifying a custom version.
@@ -7,7 +8,7 @@
# Specifies the name of the PostgreSQL docs package.
# @param package_ensure
# Whether the PostgreSQL docs package resource should be present.
-#
+#
#
class postgresql::lib::docs (
String $package_name = $postgresql::params::docs_package_name,
diff --git a/manifests/repo.pp b/manifests/repo.pp
index e67236b1bb..88c27b5e6f 100644
--- a/manifests/repo.pp
+++ b/manifests/repo.pp
@@ -18,7 +18,7 @@
}
default: {
- fail("Unsupported managed repository for osfamily: ${facts['os']['family']}, operatingsystem: ${facts['os']['name']}, module ${module_name} currently only supports managing repos for osfamily RedHat and Debian")
+ fail("Unsupported managed repository for osfamily: ${facts['os']['family']}, operatingsystem: ${facts['os']['name']}, module ${module_name} currently only supports managing repos for osfamily RedHat and Debian") # lint:ignore:140chars
}
}
}
diff --git a/manifests/server.pp b/manifests/server.pp
index 35b0717275..9239231379 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,6 +1,8 @@
# @summary This installs a PostgreSQL server
#
-# @param postgres_password Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres database, with a user called postgres and no password.
+# @param postgres_password
+# Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres
+# database, with a user called postgres and no password.
# @param package_name Specifies the name of the package to use for installing the server software.
# @param package_ensure Passes a value through to the package resource when creating the server instance.
#
@@ -11,22 +13,33 @@
# @param service_enable Enable the PostgreSQL service
# @param service_manage Defines whether or not Puppet should manage the service.
# @param service_name Overrides the default PostgreSQL service name.
-# @param service_restart_on_change Overrides the default behavior to restart your PostgreSQL service when a config entry has been changed that requires a service restart to become active.
+# @param service_restart_on_change
+# Overrides the default behavior to restart your PostgreSQL service when a config entry has been changed that requires a service restart
+# to become active.
# @param service_provider Overrides the default PostgreSQL service provider.
# @param service_reload Overrides the default reload command for your PostgreSQL service.
# @param service_status Overrides the default status check command for your PostgreSQL service.
# @param default_database Specifies the name of the default database to connect with. On most systems this is 'postgres'.
-# @param default_connect_settings Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined types, such as postgresql::server::role.
+# @param default_connect_settings
+# Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined types, such as
+# postgresql::server::role.
#
# @param listen_addresses Address list on which the PostgreSQL service will listen
-# @param port Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+# @param port
+# Specifies the port for the PostgreSQL server to listen on.
+# Note: The same port number is used for all IP addresses the server listens on.
+# Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make
+# the change.
# Default value: 5432. Meaning the Postgres server listens on TCP port 5432.
#
# @param ip_mask_deny_postgres_user Specifies the IP mask from which remote connections should be denied for the postgres superuser.
# Default value: '0.0.0.0/0', which denies any remote connection.
#
-# @param ip_mask_allow_all_users Overrides PostgreSQL defaults for remote connections. By default, PostgreSQL does not allow database user accounts to connect via TCP from remote machines. If you'd like to allow this, you can override this setting.
-# Set to '0.0.0.0/0' to allow database users to connect from any remote machine, or '192.168.0.0/1' to allow connections from any machine on your local '192.168' subnet.
+# @param ip_mask_allow_all_users
+# Overrides PostgreSQL defaults for remote connections. By default, PostgreSQL does not allow database user accounts to connect via TCP
+# from remote machines. If you'd like to allow this, you can override this setting.
+# Set to '0.0.0.0/0' to allow database users to connect from any remote machine, or '192.168.0.0/1' to allow connections from any machine
+# on your local '192.168' subnet.
# Default value: '127.0.0.1/32'.
#
# @param ipv4acls Lists strings for access control for connection method, users, databases, IPv4 addresses;
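Review bot: The rewrapped `ip_mask_allow_all_users` description still gives `'192.168.0.0/1'` as the mask for "your local '192.168' subnet", but a /1 prefix matches every address from 128.0.0.0 upward, not just that network. An operator copying the example into pg_hba.conf would admit far more remote hosts than the sentence promises. The example should read `'192.168.0.0/16'`. The same sentence is carried unchanged into the `ip_mask_allow_all_users` text in manifests/server/instance/config.pp later in this patch.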
@@ -47,17 +60,26 @@
#
# @param log_line_prefix PostgreSQL log line prefix
#
-# @param pg_hba_conf_defaults If false, disables the defaults supplied with the module for pg_hba.conf. This is useful if you disagree with the defaults and wish to override them yourself. Be sure that your changes of course align with the rest of the module, as some access is required to perform basic psql operations for example.
+# @param pg_hba_conf_defaults
+# If false, disables the defaults supplied with the module for pg_hba.conf. This is useful if you disagree with the defaults and wish to
+# override them yourself. Be sure that your changes of course align with the rest of the module, as some access is required to perform
+# basic psql operations for example.
#
# @param user Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system.
# @param group Overrides the default postgres user group to be used for related files in the file system.
#
# @param needs_initdb Explicitly calls the initdb operation after server package is installed, and before the PostgreSQL service is started.
#
-# @param encoding Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the template1 initialization, so it becomes a default outside of the module as well.
-# @param locale Sets the default database locale for all databases created with this module. On certain operating systems this is used during the template1 initialization as well, so it becomes a default outside of the module.
-# @param data_checksums Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent.
-# Warning: This option is used during initialization by initdb, and cannot be changed later. If set, checksums are calculated for all objects, in all databases.
+# @param encoding
+# Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the
+# template1 initialization, so it becomes a default outside of the module as well.
+# @param locale
+# Sets the default database locale for all databases created with this module. On certain operating systems this is used during the
+# template1 initialization as well, so it becomes a default outside of the module.
+# @param data_checksums
+# Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent.
+# Warning: This option is used during initialization by initdb, and cannot be changed later.
+# If set, checksums are calculated for all objects, in all databases.
#
# @param timezone Set timezone for the PostgreSQL instance
#
@@ -86,7 +108,8 @@
#
# @param version Deprecated. Use postgresql::globals instead. Sets PostgreSQL version
#
-# @param extra_systemd_config Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
+# @param extra_systemd_config
+# Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
# @param auth_host auth method used by default for host authorization
# @param auth_local auth method used by default for local authorization
# @param lc_messages locale used for logging and system messages
@@ -172,7 +195,6 @@
#Deprecated
Optional[String[1]] $version = undef,
-
) inherits postgresql::params {
if $version != undef {
warning('Passing "version" to postgresql::server is deprecated; please use postgresql::globals instead.')
diff --git a/manifests/server/database.pp b/manifests/server/database.pp
index 49de501591..bfc7d53247 100644
--- a/manifests/server/database.pp
+++ b/manifests/server/database.pp
@@ -108,7 +108,7 @@
}
Postgresql_psql["CREATE DATABASE \"${dbname}\""]
-> postgresql_psql { "COMMENT ON DATABASE \"${dbname}\" IS '${comment}'":
- unless => "SELECT 1 FROM pg_catalog.pg_database d WHERE datname = '${dbname}' AND pg_catalog.${comment_information_function}(d.oid, 'pg_database') = '${comment}'",
+ unless => "SELECT 1 FROM pg_catalog.pg_database d WHERE datname = '${dbname}' AND pg_catalog.${comment_information_function}(d.oid, 'pg_database') = '${comment}'", # lint:ignore:140chars
db => $dbname,
}
}
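Review bot: The `unless` query on the changed line still places `${dbname}` and `${comment}` directly inside single-quoted SQL literals, so a value containing `'` ends the literal early and alters the statement psql runs. The added `# lint:ignore:140chars` only silences the length check. Doubling the quote before interpolation keeps the value inside the literal, e.g. `$_comment_sql = regsubst($comment, "'", "''", 'G')`, then `'${_comment_sql}'` in both the `COMMENT ON DATABASE` title and the `unless`. The same form appears in the next hunk (`spcname = '${tablespace}'`) and in the `unless` / `custom_unless` strings touched in manifests/server/grant.pp and manifests/server/grant_role.pp. The enclosing block starts outside this hunk, so any earlier validation of `$comment` is not visible here.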
@@ -126,7 +126,7 @@
if $tablespace {
postgresql_psql { "ALTER DATABASE \"${dbname}\" SET ${tablespace_option}":
- unless => "SELECT 1 FROM pg_database JOIN pg_tablespace spc ON dattablespace = spc.oid WHERE datname = '${dbname}' AND spcname = '${tablespace}'",
+ unless => "SELECT 1 FROM pg_database JOIN pg_tablespace spc ON dattablespace = spc.oid WHERE datname = '${dbname}' AND spcname = '${tablespace}'", # lint:ignore:140chars
require => Postgresql_psql["CREATE DATABASE \"${dbname}\""],
}
diff --git a/manifests/server/default_privileges.pp b/manifests/server/default_privileges.pp
index 0f09703978..34c4475f66 100644
--- a/manifests/server/default_privileges.pp
+++ b/manifests/server/default_privileges.pp
@@ -23,7 +23,7 @@
/(?i:^SEQUENCES$)/,
/(?i:^TABLES$)/,
/(?i:^TYPES$)/,
- /(?i:^SCHEMAS$)/ # lint:ignore:trailing_comma
+ /(?i:^SCHEMAS$)/
] $object_type,
String $schema = 'public',
String $psql_db = $postgresql::server::default_database,
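Review bot: The `Pattern[...]` entries for `$object_type`, including the edited `/(?i:^SCHEMAS$)/`, anchor with `^` and `$`, which in Ruby-style regexes match at line boundaries, not at the start and end of the whole string. A multi-line value with one matching line would therefore pass the type check, which weakens it as an allow-list if `$object_type` later reaches SQL text (not visible in this hunk). Anchoring on the whole value closes that gap, e.g. `/(?i:\ASCHEMAS\z)/` and likewise for the sibling entries. The `Pattern` list for `$object_type` in manifests/server/grant.pp (`/(?i:^SEQUENCE$)/` and the others) has the same form. The parameter list begins before this hunk.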
@@ -159,8 +159,8 @@
}
$_unless = $ensure ? {
- 'absent' => "SELECT 1 WHERE NOT EXISTS (SELECT * FROM pg_default_acl AS da LEFT JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s%s' = ANY (defaclacl)%s and defaclobjtype = '%s')",
- default => "SELECT 1 WHERE EXISTS (SELECT * FROM pg_default_acl AS da LEFT JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s%s' = ANY (defaclacl)%s and defaclobjtype = '%s')"
+ 'absent' => "SELECT 1 WHERE NOT EXISTS (SELECT * FROM pg_default_acl AS da LEFT JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s%s' = ANY (defaclacl)%s and defaclobjtype = '%s')", # lint:ignore:140chars
+ default => "SELECT 1 WHERE EXISTS (SELECT * FROM pg_default_acl AS da LEFT JOIN pg_namespace AS n ON da.defaclnamespace = n.oid WHERE '%s=%s%s' = ANY (defaclacl)%s and defaclobjtype = '%s')", # lint:ignore:140chars
}
$unless_cmd = sprintf($_unless, $role, $_check_privilege, $_check_target_role, $_check_schema, $_check_type)
diff --git a/manifests/server/extension.pp b/manifests/server/extension.pp
index c8b62985f6..9f28e3e85c 100644
--- a/manifests/server/extension.pp
+++ b/manifests/server/extension.pp
@@ -3,16 +3,21 @@
# @param database Specifies the database on which to activate the extension.
# @param extension Specifies the extension to activate. If left blank, uses the name of the resource.
# @param schema Specifies the schema on which to activate the extension.
-# @param version Specifies the version of the extension which the database uses. When an extension package is updated, this does not automatically change the effective version in each database.
+# @param version
+# Specifies the version of the extension which the database uses. When an extension package is updated, this does not automatically
+# change the effective version in each database.
# This needs be updated using the PostgreSQL-specific SQL ALTER EXTENSION...
# version may be set to latest, in which case the SQL ALTER EXTENSION "extension" UPDATE is applied to this database (only).
# version may be set to a specific version, in which case the extension is updated using ALTER EXTENSION "extension" UPDATE TO 'version'
-# eg. If extension is set to postgis and version is set to 2.3.3, this will apply the SQL ALTER EXTENSION "postgis" UPDATE TO '2.3.3' to this database only.
+# eg. If extension is set to postgis and version is set to 2.3.3, this will apply the SQL ALTER EXTENSION "postgis" UPDATE TO '2.3.3' to
+# this database only.
# version may be omitted, in which case no ALTER EXTENSION... SQL is applied, and the version will be left unchanged.
#
# @param ensure Specifies whether to activate or deactivate the extension. Valid options: 'present' or 'absent'.
# @param package_name Specifies a package to install prior to activating the extension.
-# @param package_ensure Overrides default package deletion behavior. By default, the package specified with package_name is installed when the extension is activated and removed when the extension is deactivated. To override this behavior, set the ensure value for the package.
+# @param package_ensure
+# Overrides default package deletion behavior. By default, the package specified with package_name is installed when the extension is
+# activated and removed when the extension is deactivated. To override this behavior, set the ensure value for the package.
# @param port Port to use when connecting.
# @param connect_settings Specifies a hash of environment variables used when connecting to a remote server.
# @param database_resource_name Specifies the resource name of the DB being managed. Defaults to the parameter $database, if left blank.
diff --git a/manifests/server/grant.pp b/manifests/server/grant.pp
index 4221d65dea..c6bd7fe24b 100644
--- a/manifests/server/grant.pp
+++ b/manifests/server/grant.pp
@@ -3,8 +3,12 @@
# @param role Specifies the role or user whom you are granting access to.
# @param db Specifies the database to which you are granting access.
# @param privilege Specifies the privilege to grant. Valid options: 'ALL', 'ALL PRIVILEGES' or 'object_type' dependent string.
-# @param object_type Specifies the type of object to which you are granting privileges. Valid options: 'DATABASE', 'SCHEMA', 'SEQUENCE', 'ALL SEQUENCES IN SCHEMA', 'TABLE' or 'ALL TABLES IN SCHEMA'.
-# @param object_name Specifies name of object_type to which to grant access, can be either a string or a two element array. String: 'object_name' Array: ['schema_name', 'object_name']
+# @param object_type
+# Specifies the type of object to which you are granting privileges.
+# Valid options: 'DATABASE', 'SCHEMA', 'SEQUENCE', 'ALL SEQUENCES IN SCHEMA', 'TABLE' or 'ALL TABLES IN SCHEMA'.
+# @param object_name
+# Specifies name of object_type to which to grant access, can be either a string or a two element array.
+# String: 'object_name' Array: ['schema_name', 'object_name']
# @param object_arguments Specifies any arguments to be passed alongisde the access grant.
# @param psql_db Specifies the database to execute the grant against. This should not ordinarily be changed from the default
# @param psql_user Sets the OS user to run psql.
@@ -17,7 +21,7 @@
define postgresql::server::grant (
String $role,
String $db,
- String $privilege = '',
+ String $privilege = '', # lint:ignore:params_empty_string_assignment
Pattern[#/(?i:^COLUMN$)/,
/(?i:^ALL SEQUENCES IN SCHEMA$)/,
/(?i:^ALL TABLES IN SCHEMA$)/,
@@ -30,7 +34,7 @@
/(?i:^TABLE$)/,
#/(?i:^TABLESPACE$)/,
/(?i:^SCHEMA$)/,
- /(?i:^SEQUENCE$)/ # lint:ignore:trailing_comma
+ /(?i:^SEQUENCE$)/
#/(?i:^VIEW$)/
] $object_type = 'database',
Optional[Variant[Array[String,2,2],String[1]]] $object_name = undef,
@@ -330,6 +334,7 @@
if $ensure == 'present' {
if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' {
# GRANT ALL
+ # lint:ignore:140chars
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT 1 FROM
( SELECT t.tablename,count(privilege_type) AS priv_count FROM pg_catalog.pg_tables AS t
@@ -339,13 +344,16 @@
GROUP BY t.tablename
) AS j WHERE j.priv_count < 7
)"
+ # lint:endignore:140chars
} else {
# GRANT $_privilege
+ # lint:ignore:140chars
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT 1 FROM pg_catalog.pg_tables AS t
LEFT JOIN information_schema.role_table_grants AS g ON t.tablename = g.table_name AND g.grantee = '${role}' AND g.table_schema = '${schema}' AND g.privilege_type = '${_privilege}'
WHERE t.schemaname = '${schema}' AND g.table_name IS NULL
)"
+ # lint:endignore:140chars
}
} else {
if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' {
diff --git a/manifests/server/grant_role.pp b/manifests/server/grant_role.pp
index f66f803e3f..92a82a5f0f 100644
--- a/manifests/server/grant_role.pp
+++ b/manifests/server/grant_role.pp
@@ -32,7 +32,7 @@
postgresql_psql { "grant_role:${name}":
command => $command,
- unless => "SELECT 1 WHERE EXISTS (SELECT 1 FROM pg_roles AS r_role JOIN pg_auth_members AS am ON r_role.oid = am.member JOIN pg_roles AS r_group ON r_group.oid = am.roleid WHERE r_group.rolname = '${group}' AND r_role.rolname = '${role}') ${unless_comp} true",
+ unless => "SELECT 1 WHERE EXISTS (SELECT 1 FROM pg_roles AS r_role JOIN pg_auth_members AS am ON r_role.oid = am.member JOIN pg_roles AS r_group ON r_group.oid = am.roleid WHERE r_group.rolname = '${group}' AND r_role.rolname = '${role}') ${unless_comp} true", # lint:ignore:140chars
db => $psql_db,
psql_user => $psql_user,
port => $port,
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
index e792dcb067..84a51b5ae9 100644
--- a/manifests/server/instance/config.pp
+++ b/manifests/server/instance/config.pp
@@ -1,11 +1,18 @@
-# lint:ignore:140chars
+# @summary Manages the config for a postgresql::server instance
+#
# @param ip_mask_deny_postgres_user Specifies the IP mask from which remote connections should be denied for the postgres superuser.
# Default value: '0.0.0.0/0', which denies any remote connection.
-# @param ip_mask_allow_all_users Overrides PostgreSQL defaults for remote connections. By default, PostgreSQL does not allow database user accounts to connect via TCP from remote machines. If you'd like to allow this, you can override this setting.
-# Set to '0.0.0.0/0' to allow database users to connect from any remote machine, or '192.168.0.0/1' to allow connections from any machine on your local '192.168' subnet.
+# @param ip_mask_allow_all_users
+# Overrides PostgreSQL defaults for remote connections. By default, PostgreSQL does not allow database user accounts to connect via TCP
+# from remote machines. If you'd like to allow this, you can override this setting.
+# Set to '0.0.0.0/0' to allow database users to connect from any remote machine, or '192.168.0.0/1' to allow connections from any machine
+# on your local '192.168' subnet.
# Default value: '127.0.0.1/32'.
# @param listen_addresses Address list on which the PostgreSQL service will listen
-# @param port Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+# @param port
+# Specifies the port for the PostgreSQL server to listen on.
+# Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems,
+# changing the port causes the server to come to a full stop before being able to make the change.
# Default value: 5432. Meaning the Postgres server listens on TCP port 5432.
# @param ipv4acls Lists strings for access control for connection method, users, databases, IPv4 addresses.
# @param ipv6acls Lists strings for access control for connection method, users, databases, IPv6 addresses.
@@ -14,7 +21,10 @@
# @param postgresql_conf_path Specifies the path to your postgresql.conf file.
# @param postgresql_conf_mode Sets the mode of your postgresql.conf file. Only relevant if manage_postgresql_conf_perms is true.
# @param recovery_conf_path Specifies the path to your recovery.conf file.
-# @param pg_hba_conf_defaults If false, disables the defaults supplied with the module for pg_hba.conf. This is useful if you disagree with the defaults and wish to override them yourself. Be sure that your changes of course align with the rest of the module, as some access is required to perform basic psql operations for example.
+# @param pg_hba_conf_defaults
+# If false, disables the defaults supplied with the module for pg_hba.conf. This is useful if you disagree with the defaults and wish to
+# override them yourself. Be sure that your changes of course align with the rest of the module, as some access is required to perform
+# basic psql operations for example.
# @param user Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system.
# @param group Overrides the default postgres user group to be used for related files in the file system.
# @param version Sets PostgreSQL version
@@ -32,8 +42,8 @@
# @param log_line_prefix PostgreSQL log line prefix
# @param timezone Set timezone for the PostgreSQL instance
# @param password_encryption Specify the type of encryption set for the password.
-# @param extra_systemd_config Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
-# lint:endignore:140chars
+# @param extra_systemd_config
+# Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
define postgresql::server::instance::config (
String[1] $ip_mask_deny_postgres_user = $postgresql::server::ip_mask_deny_postgres_user,
String[1] $ip_mask_allow_all_users = $postgresql::server::ip_mask_allow_all_users,
diff --git a/manifests/server/instance/initdb.pp b/manifests/server/instance/initdb.pp
index b6b0631f9c..74a5882465 100644
--- a/manifests/server/instance/initdb.pp
+++ b/manifests/server/instance/initdb.pp
@@ -1,16 +1,20 @@
-# lint:ignore:140chars
+# @summary Manages initdb feature for a postgresql::server instance
+#
# @param auth_host auth method used by default for host authorization
# @param auth_local auth method used by default for local authorization
# @param data_checksums Boolean. Use checksums on data pages to help detect corruption by the I/O system that would otherwise be silent.
# @param datadir PostgreSQL data directory
-# @param encoding Sets the default encoding for all databases created with this module.
-# On certain operating systems this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+# @param encoding
+# Sets the default encoding for all databases created with this module.
+# On certain operating systems this is also used during the template1 initialization,
+# so it becomes a default outside of the module as well.
# @param group Overrides the default postgres user group to be used for related files in the file system.
# @param initdb_path Specifies the path to the initdb command.
# @param lc_messages locale used for logging and system messages
# @param locale Sets the default database locale for all databases created with this module.
# On certain operating systems this is used during the template1 initialization as well, so it becomes a default outside of the module.
-# Warning: This option is used during initialization by initdb, and cannot be changed later. If set, checksums are calculated for all objects, in all databases.
+# Warning: This option is used during initialization by initdb, and cannot be changed later.
+# If set, checksums are calculated for all objects, in all databases.
# @param logdir PostgreSQL log directory
# @param manage_datadir Set to false if you have file{ $datadir: } already defined
# @param manage_logdir Set to false if you have file{ $logdir: } already defined
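Review bot: The re-wrapped warning that closes the `@param locale` entry ("This option is used during initialization by initdb, and cannot be changed later. If set, checksums are calculated for all objects, in all databases.") describes data checksums, not the locale. The generated reference will therefore show it under the wrong parameter. Since this hunk already rewrites those two lines, move them directly under `@param data_checksums`, keeping the wording, e.g. `#   Warning: This option is used during initialization by initdb, and cannot be changed later.` Operators deciding whether to enable page checksums need that caveat next to the parameter it applies to.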
@@ -21,7 +25,6 @@
# @param user Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system.
# @param username username of user running the postgres instance
# @param xlogdir PostgreSQL xlog/WAL directory
-# lint:endignore:140chars
define postgresql::server::instance::initdb (
Optional[String[1]] $auth_host = $postgresql::server::auth_host,
Optional[String[1]] $auth_local = $postgresql::server::auth_local,
diff --git a/manifests/server/instance/late_initdb.pp b/manifests/server/instance/late_initdb.pp
index 71652fe293..09b5b42121 100644
--- a/manifests/server/instance/late_initdb.pp
+++ b/manifests/server/instance/late_initdb.pp
@@ -1,12 +1,16 @@
-# lint:ignore:140chars
# @summary Manage the default encoding when database initialization is managed by the package
-# @param encoding Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the template1 initialization, so it becomes a default outside of the module as well.
+#
+# @param encoding
+# Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the
+# template1 initialization, so it becomes a default outside of the module as well.
# @param user Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system.
# @param group Overrides the default postgres user group to be used for related files in the file system.
# @param psql_path Specifies the path to the psql command.
-# @param port Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+# @param port
+# Specifies the port for the PostgreSQL server to listen on.
+# Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems,
+# changing the port causes the server to come to a full stop before being able to make the change.
# @param module_workdir Working directory for the PostgreSQL module
-# lint:endignore:140chars
define postgresql::server::instance::late_initdb (
Optional[String[1]] $encoding = $postgresql::server::encoding,
String[1] $user = $postgresql::server::user,
diff --git a/manifests/server/instance/passwd.pp b/manifests/server/instance/passwd.pp
index a397beda54..b4fdfb5384 100644
--- a/manifests/server/instance/passwd.pp
+++ b/manifests/server/instance/passwd.pp
@@ -1,13 +1,18 @@
-# lint:ignore:140chars
+# @summary Overrides the default PostgreSQL superuser
+#
# @param user Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system.
# @param group Overrides the default postgres user group to be used for related files in the file system.
# Default value: 5432. Meaning the Postgres server listens on TCP port 5432.
# @param psql_path Specifies the path to the psql command.
-# @param port Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+# @param port
+# Specifies the port for the PostgreSQL server to listen on.
+# Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems,
+# changing the port causes the server to come to a full stop before being able to make the change.
# @param database Specifies the name of the database to connect with. On most systems this is 'postgres'.
# @param module_workdir Working directory for the PostgreSQL module
-# @param postgres_password Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres database, with a user called postgres and no password.
-# lint:endignore:140chars
+# @param postgres_password
+# Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres
+# database, with a user called postgres and no password.
define postgresql::server::instance::passwd (
String[1] $user = $postgresql::server::user,
String[1] $group = $postgresql::server::group,
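Review bot: The context line `# Default value: 5432. Meaning the Postgres server listens on TCP port 5432.` sits directly after `@param group`, two entries before `@param port`, so it documents the wrong parameter. It should follow the new `@param port` block, as it does in service.pp. The `postgres_password` entry also does not mention that the parameter accepts `Sensitive[String[1]]` (visible in the signature in the next hunk of this file); I would add `#   Accepts a Sensitive value; prefer that form to keep the password out of Puppet logs and reports.` The new `@summary` reads as if the define changes which account is the superuser, while the parameters suggest it sets that account's password. The body continues outside this hunk, so confirm before rewording.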
@@ -16,7 +21,6 @@
String[1] $database = $postgresql::server::default_database,
String[1] $module_workdir = $postgresql::server::module_workdir,
Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = $postgresql::server::postgres_password,
-
) {
$real_postgres_password = if $postgres_password =~ Sensitive {
$postgres_password.unwrap
diff --git a/manifests/server/instance/reload.pp b/manifests/server/instance/reload.pp
index 7bcc7130ca..d663b840a9 100644
--- a/manifests/server/instance/reload.pp
+++ b/manifests/server/instance/reload.pp
@@ -1,3 +1,5 @@
+# @summary Overrides the default reload or status command for your PostgreSQL service
+#
# @param service_reload Overrides the default reload command for your PostgreSQL service.
# @param service_status Overrides the default status check command for your PostgreSQL service.
define postgresql::server::instance::reload (
diff --git a/manifests/server/instance/service.pp b/manifests/server/instance/service.pp
index 27cff330e0..00e7010a90 100644
--- a/manifests/server/instance/service.pp
+++ b/manifests/server/instance/service.pp
@@ -1,4 +1,5 @@
-# lint:ignore:140chars
+# @summary Manages the service for the postgres main instance (default) or additional instances
+#
# @param service_ensure Ensure service is installed
# @param service_enable Enable the PostgreSQL service
# @param service_manage Defines whether or not Puppet should manage the service.
@@ -6,12 +7,16 @@
# @param service_provider Overrides the default PostgreSQL service provider.
# @param service_status Overrides the default status check command for your PostgreSQL service.
# @param user Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system.
-# @param port Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change.
+# @param port
+# Specifies the port for the PostgreSQL server to listen on.
+# Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems,
+# changing the port causes the server to come to a full stop before being able to make the change.
# Default value: 5432. Meaning the Postgres server listens on TCP port 5432.
# @param default_database Specifies the name of the default database to connect with. On most systems this is 'postgres'.
# @param psql_path Specifies the path to the psql command.
-# @param connect_settings Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined types, such as postgresql::server::role.
-# lint:endignore:140chars
+# @param connect_settings
+# Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined types,
+# such as postgresql::server::role.
define postgresql::server::instance::service (
Variant[Enum['running', 'stopped'], Boolean] $service_ensure = $postgresql::server::service_ensure,
Boolean $service_enable = $postgresql::server::service_enable,
diff --git a/manifests/server/pg_hba_rule.pp b/manifests/server/pg_hba_rule.pp
index 20e2235cc9..ffcb9b03da 100644
--- a/manifests/server/pg_hba_rule.pp
+++ b/manifests/server/pg_hba_rule.pp
@@ -1,17 +1,28 @@
-# lint:ignore:140chars
# @summary This resource manages an individual rule that applies to the file defined in target.
#
# @param type Sets the type of rule.
# @param database Sets a comma-separated list of databases that this rule matches.
# @param user Sets a comma-separated list of users that this rule matches.
-# @param auth_method Provides the method that is used for authentication for the connection that this rule matches. Described further in the PostgreSQL pg_hba.conf documentation.
-# @param address Sets a address for this rule matching when the type is not 'local'. Value can either be IPv4 CIDR, IPv6 CIDR, a FQDN, the strings 'all', 'samehost' or 'samenet' or a domain either with or without starting dot (.) https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
-# @param description Defines a longer description for this rule, if required. This description is placed in the comments above the rule in pg_hba.conf. Default value: 'none'.
-# @param auth_option For certain auth_method settings there are extra options that can be passed. Consult the PostgreSQL pg_hba.conf documentation for further details.
-# @param order Sets an order for placing the rule in pg_hba.conf. This can be either a string or an integer. If it is an integer, it will be converted to a string by zero-padding it to three digits. E.g. 42 will be zero-padded to the string '042'. The pg_hba_rule fragments are sorted using the alpha sorting order. Default value: 150.
+# @param auth_method
+# Provides the method that is used for authentication for the connection that this rule matches.
+# Described further in the PostgreSQL pg_hba.conf documentation.
+# @param address
+# Sets a address for this rule matching when the type is not 'local'.
+# Value can either be IPv4 CIDR, IPv6 CIDR, a FQDN, the strings 'all', 'samehost' or 'samenet' or a domain either with or without starting
+# dot (.) https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+# @param description
+# Defines a longer description for this rule, if required. This description is placed in the comments above the rule in pg_hba.conf.
+# Default value: 'none'.
+# @param auth_option
+# For certain auth_method settings there are extra options that can be passed. Consult the PostgreSQL pg_hba.conf documentation for
+# further details.
+# @param order
+# Sets an order for placing the rule in pg_hba.conf. This can be either a string or an integer. If it is an integer, it will be converted
+# to a string by zero-padding it to three digits. E.g. 42 will be zero-padded to the string '042'. The pg_hba_rule fragments are sorted
+# using the alpha sorting order.
+# Default value: 150.
# @param target Provides the target for the rule, and is generally an internal only property. Use with caution.
# @param postgresql_version Manages pg_hba.conf without managing the entire PostgreSQL instance.
-# lint:endignore:140chars
define postgresql::server::pg_hba_rule (
Postgresql::Pg_hba_rule_type $type,
String[1] $database,
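Review bot: The re-wrapped `@param address` text still reads "Sets a address"; change it to `#   Sets an address for this rule matching when the type is not 'local'.` while the line is being touched. For `@param auth_method`, add one line saying that the method has to fit how the role's password is stored, because a `scram-sha-256` rule cannot authenticate a role whose password is still stored as an md5 hash: `#   The method must be compatible with how role passwords are stored (see password_encryption).` That caveat matters more now that the first patch on this page makes scram-sha-256 the default for version >= 14.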
diff --git a/manifests/server/recovery.pp b/manifests/server/recovery.pp
index bcb8db9349..b8ad9c3513 100644
--- a/manifests/server/recovery.pp
+++ b/manifests/server/recovery.pp
@@ -1,29 +1,35 @@
-# lint:ignore:140chars
# @summary This resource manages the parameters that applies to the recovery.conf template.
#
# @note
# Allows you to create the content for recovery.conf. For more details see the usage example and the PostgreSQL documentation.
-# Every parameter value is a string set in the template except recovery_target_inclusive, pause_at_recovery_target, standby_mode and recovery_min_apply_delay.
+# Every parameter value is a string set in the template except recovery_target_inclusive, pause_at_recovery_target, standby_mode and
+# recovery_min_apply_delay.
# A detailed description of all listed parameters can be found in the PostgreSQL documentation.
-# Only the specified parameters are recognized in the template. The recovery.conf is only created if at least one parameter is set and manage_recovery_conf is set to true.
+# Only the specified parameters are recognized in the template. The recovery.conf is only created if at least one parameter is set and
+# manage_recovery_conf is set to true.
#
# @param restore_command The shell command to execute to retrieve an archived segment of the WAL file series.
# @param archive_cleanup_command This optional parameter specifies a shell command that will be executed at every restartpoint.
# @param recovery_end_command This parameter specifies a shell command that will be executed once only at the end of recovery.
-# @param recovery_target_name This parameter specifies the named restore point (created with pg_create_restore_point()) to which recovery will proceed.
+# @param recovery_target_name
+# This parameter specifies the named restore point (created with pg_create_restore_point()) to which recovery will proceed.
# @param recovery_target_time This parameter specifies the time stamp up to which recovery will proceed.
# @param recovery_target_xid This parameter specifies the transaction ID up to which recovery will proceed.
-# @param recovery_target_inclusive Specifies whether to stop just after the specified recovery target (true), or just before the recovery target (false).
-# @param recovery_target This parameter specifies that recovery should end as soon as a consistent state is reached, i.e. as early as possible.
+# @param recovery_target_inclusive
+# Specifies whether to stop just after the specified recovery target (true), or just before the recovery target (false).
+# @param recovery_target
+# This parameter specifies that recovery should end as soon as a consistent state is reached, i.e. as early as possible.
# @param recovery_target_timeline Specifies recovering into a particular timeline.
# @param pause_at_recovery_target Specifies whether recovery should pause when the recovery target is reached.
# @param standby_mode Specifies whether to start the PostgreSQL server as a standby.
# @param primary_conninfo Specifies a connection string to be used for the standby server to connect with the primary.
-# @param primary_slot_name Optionally specifies an existing replication slot to be used when connecting to the primary via streaming replication to control resource removal on the upstream node.
+# @param primary_slot_name
+# Optionally specifies an existing replication slot to be used when connecting to the primary via streaming replication to control
+# resource removal on the upstream node.
# @param trigger_file Specifies a trigger file whose presence ends recovery in the standby.
-# @param recovery_min_apply_delay This parameter allows you to delay recovery by a fixed period of time, measured in milliseconds if no unit is specified.
+# @param recovery_min_apply_delay
+# This parameter allows you to delay recovery by a fixed period of time, measured in milliseconds if no unit is specified.
# @param target Provides the target for the rule, and is generally an internal only property. Use with caution.
-# lint:endignore:140chars
define postgresql::server::recovery (
Optional[String] $restore_command = undef,
Optional[String[1]] $archive_cleanup_command = undef,
diff --git a/manifests/server/role.pp b/manifests/server/role.pp
index 7e1ff26a88..dad17be125 100644
--- a/manifests/server/role.pp
+++ b/manifests/server/role.pp
@@ -1,6 +1,7 @@
# @summary Define for creating a database role.
#
-# @param update_password If set to true, updates the password on changes. Set this to false to not modify the role's password after creation.
+# @param update_password
+# If set to true, updates the password on changes. Set this to false to not modify the role's password after creation.
# @param password_hash Sets the hash to use during password creation.
# @param createdb Specifies whether to grant the ability to create new databases with this role.
# @param createrole Specifies whether to grant the ability to create new roles with this role.
@@ -17,7 +18,9 @@
# @param psql_user Sets the OS user to run psql
# @param psql_group Sets the OS group to run psql
# @param psql_path Sets path to psql command
-# @param module_workdir Specifies working directory under which the psql command should be executed. May need to specify if '/tmp' is on volume mounted with noexec option.
+# @param module_workdir
+# Specifies working directory under which the psql command should be executed.
+# May need to specify if '/tmp' is on volume mounted with noexec option.
# @param hash Specify the hash method for pg password
# @param salt Specify the salt use for the scram-sha-256 encoding password (default username)
define postgresql::server::role (
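Review bot: The `@param salt` entry left as context in this hunk says the SCRAM salt defaults to the username, but does not say what that implies. The salt is predictable, and the same username and password yield the same stored verifier on every server, assuming the same iteration count. I would reword it while the header is being edited: `# @param salt` / `#   Salt used for the scram-sha-256 password hash. Defaults to the username, which is predictable;` / `#   set a random per-role value if identical verifiers across servers are a concern.` That also fixes the "salt use" typo. The define's body is outside this hunk, so the default is taken from the comment and not checked against the code.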
diff --git a/manifests/server/table_grant.pp b/manifests/server/table_grant.pp
index d2310ce9fe..4ff0bd1ce8 100644
--- a/manifests/server/table_grant.pp
+++ b/manifests/server/table_grant.pp
@@ -1,6 +1,8 @@
# @summary This resource wraps the grant resource to manage table grants specifically.
#
-# @param privilege Specifies comma-separated list of privileges to grant. Valid options: 'ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER'.
+# @param privilege
+# Specifies comma-separated list of privileges to grant.
+# Valid options: 'ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER'.
# @param table Specifies the table to which you are granting access.
# @param db Specifies which database the table is in.
# @param role Specifies the role or user to whom you are granting access.
@@ -11,7 +13,8 @@
# @param connect_settings Specifies a hash of environment variables used when connecting to a remote server.
# @param onlyif_exists Create grant only if it doesn't exist.
define postgresql::server::table_grant (
- Enum['ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'all', 'select', 'insert', 'update', 'delete', 'truncate', 'references', 'trigger'] $privilege,
+ Enum['ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'all', 'select', 'insert', 'update', 'delete',
+ 'truncate', 'references', 'trigger'] $privilege,
String[1] $table,
String[1] $db,
String[1] $role,
diff --git a/manifests/server/tablespace.pp b/manifests/server/tablespace.pp
index 0be68d97f9..aa96f926e7 100644
--- a/manifests/server/tablespace.pp
+++ b/manifests/server/tablespace.pp
@@ -65,7 +65,7 @@
if $owner {
postgresql_psql { "ALTER TABLESPACE \"${spcname}\" OWNER TO \"${owner}\"":
- unless => "SELECT 1 FROM pg_tablespace JOIN pg_roles rol ON spcowner = rol.oid WHERE spcname = '${spcname}' AND rolname = '${owner}'",
+ unless => "SELECT 1 FROM pg_tablespace JOIN pg_roles rol ON spcowner = rol.oid WHERE spcname = '${spcname}' AND rolname = '${owner}'", # lint:ignore:140chars
require => Postgresql_psql["CREATE TABLESPACE \"${spcname}\""],
}