Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Parameter ensure on postgresql::server::grant and postgresql::server::database_grant #891

Merged
merged 3 commits into from
Mar 1, 2018
Merged

Parameter ensure on postgresql::server::grant and postgresql::server::database_grant #891

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8423d78
postgresql::server::grant with ensure => absent uses REVOKE instead o…
Sep 14, 2017
70f15cf
Merge branch 'master' of https://github.com/puppetlabs/puppetlabs-pos…
Dec 12, 2017
9a5ffdb
update branch from master, fix merge conflicts, fix rubocop style fai…
Mar 1, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1280,6 +1280,16 @@ Consult
[the PostgreSQL documentation for `GRANT`](http://www.postgresql.org/docs/current/static/sql-grant.html)
for more information.

##### `ensure`

Specifies whether to grant or revoke the privilege. Default is to grant the privilege.

Valid values: 'present', 'absent'.
* 'present' to grant the privilege
* 'absent' to revoke the privilege

Default value: 'present'.

#### `connect_settings`

Specifies a hash of environment variables used when connecting to a remote
Expand Down Expand Up @@ -1377,6 +1387,16 @@ Manages grant-based access privileges for roles. See
[PostgreSQL documentation for `grant`](http://www.postgresql.org/docs/current/static/sql-grant.html)
for more information.

##### `ensure`

Specifies whether to grant or revoke the privilege. Default is to grant the privilege.

Valid values: 'present', 'absent'.
* 'present' to grant the privilege
* 'absent' to revoke the privilege

Default value: 'present'.

##### `db`

Specifies the database to which you are granting access.
Expand Down Expand Up @@ -1778,6 +1798,16 @@ Manages grant-based access privileges for users. Consult
[the PostgreSQL documentation for `GRANT`](http://www.postgresql.org/docs/current/static/sql-grant.html)
for more information.

##### `ensure`

Specifies whether to grant or revoke the privilege. Default is to grant the privilege.

Valid values: 'present', 'absent'.
* 'present' to grant the privilege
* 'absent' to revoke the privilege

Default value: 'present'.

##### `connect_settings`

Specifies a hash of environment variables used when connecting to a remote
Expand Down
2 changes: 2 additions & 0 deletions manifests/server/database_grant.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,13 @@
$privilege,
$db,
$role,
$ensure = undef,
$psql_db = undef,
$psql_user = undef,
$connect_settings = undef,
) {
postgresql::server::grant { "database:${name}":
ensure => $ensure,
role => $role,
db => $db,
privilege => $privilege,
Expand Down
219 changes: 149 additions & 70 deletions manifests/server/grant.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,23 @@
Integer $port = $postgresql::server::port,
Boolean $onlyif_exists = false,
Hash $connect_settings = $postgresql::server::default_connect_settings,
Enum['present',
'absent'
] $ensure = 'present',
) {

case $ensure {
default: {
# default is 'present'
$sql_command = 'GRANT %s ON %s "%s" TO "%s"'
$unless_is = true
}
'absent': {
$sql_command = 'REVOKE %s ON %s "%s" FROM "%s"'
$unless_is = false
}
}

$group = $postgresql::server::group
$psql_path = $postgresql::server::psql_path

Expand Down Expand Up @@ -81,7 +96,10 @@
}
$unless_function = 'has_database_privilege'
$on_db = $psql_db
$onlyif_function = undef
$onlyif_function = $ensure ? {
default => undef,
'absent' => 'role_exists',
}
}
'SCHEMA': {
$unless_privilege = $_privilege ? {
Expand Down Expand Up @@ -149,43 +167,78 @@
# If this number is not zero then there is at least one sequence for which
# the role does not have the specified privilege, making it necessary to
# execute the GRANT statement.
$custom_unless = "SELECT 1 FROM (
SELECT sequence_name
FROM information_schema.sequences
WHERE sequence_schema='${schema}'
EXCEPT DISTINCT
SELECT object_name as sequence_name
FROM (
SELECT object_schema,
object_name,
grantee,
CASE privs_split
WHEN 'r' THEN 'SELECT'
WHEN 'w' THEN 'UPDATE'
WHEN 'U' THEN 'USAGE'
END AS privilege_type
FROM (
SELECT DISTINCT
object_schema,
object_name,
(regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[1] AS grantee,
regexp_split_to_table((regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[2],E'\\s*') AS privs_split
FROM (
SELECT n.nspname as object_schema,
c.relname as object_name,
regexp_split_to_table(array_to_string(c.relacl,','),',') AS privs
FROM pg_catalog.pg_class c
LEFT JOIN pg_catalog.pg_namespace n ON c.relnamespace = n.oid
WHERE c.relkind = 'S'
AND n.nspname NOT IN ( 'pg_catalog', 'information_schema' )
) P1
) P2
) P3
WHERE grantee='${role}'
AND object_schema='${schema}'
AND privilege_type='${custom_privilege}'
) P
HAVING count(P.sequence_name) = 0"
if $ensure == 'present' {
$custom_unless = "SELECT 1 WHERE NOT EXISTS (
SELECT sequence_name
FROM information_schema.sequences
WHERE sequence_schema='${schema}'
EXCEPT DISTINCT
SELECT object_name as sequence_name
FROM (
SELECT object_schema,
object_name,
grantee,
CASE privs_split
WHEN 'r' THEN 'SELECT'
WHEN 'w' THEN 'UPDATE'
WHEN 'U' THEN 'USAGE'
END AS privilege_type
FROM (
SELECT DISTINCT
object_schema,
object_name,
(regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[1] AS grantee,
regexp_split_to_table((regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[2],E'\\s*') AS privs_split
FROM (
SELECT n.nspname as object_schema,
c.relname as object_name,
regexp_split_to_table(array_to_string(c.relacl,','),',') AS privs
FROM pg_catalog.pg_class c
LEFT JOIN pg_catalog.pg_namespace n ON c.relnamespace = n.oid
WHERE c.relkind = 'S'
AND n.nspname NOT IN ( 'pg_catalog', 'information_schema' )
) P1
) P2
) P3
WHERE grantee='${role}'
AND object_schema='${schema}'
AND privilege_type='${custom_privilege}'
)"
} else {
# ensure == absent
$custom_unless = "SELECT 1 WHERE NOT EXISTS (
SELECT object_name as sequence_name
FROM (
SELECT object_schema,
object_name,
grantee,
CASE privs_split
WHEN 'r' THEN 'SELECT'
WHEN 'w' THEN 'UPDATE'
WHEN 'U' THEN 'USAGE'
END AS privilege_type
FROM (
SELECT DISTINCT
object_schema,
object_name,
(regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[1] AS grantee,
regexp_split_to_table((regexp_split_to_array(regexp_replace(privs,E'/.*',''),'='))[2],E'\\s*') AS privs_split
FROM (
SELECT n.nspname as object_schema,
c.relname as object_name,
regexp_split_to_table(array_to_string(c.relacl,','),',') AS privs
FROM pg_catalog.pg_class c
LEFT JOIN pg_catalog.pg_namespace n ON c.relnamespace = n.oid
WHERE c.relkind = 'S'
AND n.nspname NOT IN ( 'pg_catalog', 'information_schema' )
) P1
) P2
) P3
WHERE grantee='${role}'
AND object_schema='${schema}'
AND privilege_type='${custom_privilege}'
)"
}
}
'TABLE': {
$unless_privilege = $_privilege ? {
Expand Down Expand Up @@ -233,37 +286,62 @@
$schema = $object_name

# Again there seems to be no easy way in plain SQL to check if ALL
# PRIVILEGES are granted on a table. By convention we use INSERT
# here to represent ALL PRIVILEGES (truly terrible).
$custom_privilege = $_privilege ? {
'ALL' => 'INSERT',
'ALL PRIVILEGES' => 'INSERT',
default => $_privilege,
# PRIVILEGES are granted on a table.
# There are currently 7 possible priviliges:
# ('SELECT','UPDATE','INSERT','DELETE','TRIGGER','REFERENCES','TRUNCATE')
# This list is consistant from Postgresql 8.0
#
# There are 4 cases to cover, each with it's own distinct unless clause:
# grant ALL
# grant SELECT (or INSERT or DELETE ...)
# revoke ALL
# revoke SELECT (or INSERT or DELETE ...)

if $ensure == 'present' {
if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' {
# GRANT ALL
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT 1 FROM pg_catalog.pg_tables AS t,
(VALUES ('SELECT'), ('UPDATE'), ('INSERT'), ('DELETE'), ('TRIGGER'), ('REFERENCES'), ('TRUNCATE')) AS p(privilege_type)
WHERE t.schemaname = '${schema}'
AND NOT EXISTS (
SELECT 1 FROM information_schema.role_table_grants AS g
WHERE g.grantee = '${role}'
AND g.table_schema = '${schema}'
AND g.privilege_type = p.privilege_type
)
)"

} else {
# GRANT $_privilege
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT 1 FROM pg_catalog.pg_tables AS t
WHERE t.schemaname = '${schema}'
AND NOT EXISTS (
SELECT 1 FROM information_schema.role_table_grants AS g
WHERE g.grantee = '${role}'
AND g.table_schema = '${schema}'
AND g.privilege_type = '${_privilege}'
)
)"
}
} else {
if $_privilege == 'ALL' or $_privilege == 'ALL PRIVILEGES' {
# REVOKE ALL
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT table_name FROM information_schema.role_table_grants
WHERE grantee = '${role}' AND table_schema ='${schema}'
)"
} else {
# REVOKE $_privilege
$custom_unless = "SELECT 1 WHERE NOT EXISTS
( SELECT table_name FROM information_schema.role_table_grants
WHERE grantee = '${role}' AND table_schema ='${schema}'
AND privilege_type = '${_privilege}'
)"
}
}

# This checks if there is a difference between the tables in the
# specified schema and the tables for which the role has the specified
# privilege. It uses the EXCEPT clause which computes the set of rows
# that are in the result of the first SELECT statement but not in the
# result of the second one. It then counts the number of rows from this
# operation. If this number is zero then the role has the specified
# privilege for all tables in the schema and the whole query returns a
# single row, which satisfies the `unless` parameter of Postgresql_psql.
# If this number is not zero then there is at least one table for which
# the role does not have the specified privilege, making it necessary to
# execute the GRANT statement.
$custom_unless = "SELECT 1 FROM (
SELECT table_name
FROM information_schema.tables
WHERE table_schema='${schema}'
EXCEPT DISTINCT
SELECT table_name
FROM information_schema.role_table_grants
WHERE grantee='${role}'
AND table_schema='${schema}'
AND privilege_type='${custom_privilege}'
) P
HAVING count(P.table_name) = 0"
}
'LANGUAGE': {
$unless_privilege = $_privilege ? {
Expand Down Expand Up @@ -313,17 +391,18 @@
false => undef,
'custom' => $custom_unless,
default => "SELECT 1 WHERE ${unless_function}('${role}',
'${_granted_object}', '${unless_privilege}')",
'${_granted_object}', '${unless_privilege}') = ${unless_is}",
}

$_onlyif = $onlyif_function ? {
'table_exists' => "SELECT true FROM pg_tables WHERE tablename = '${_togrant_object}'",
'language_exists' => "SELECT true from pg_language WHERE lanname = '${_togrant_object}'",
'role_exists' => "SELECT 1 FROM pg_roles WHERE rolname = '${role}'",
default => undef,
}

$grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${_togrant_object}\" TO
\"${role}\""
$grant_cmd = sprintf($sql_command, $_privilege, $_object_type, $_togrant_object, $role)

postgresql_psql { "grant:${name}":
command => $grant_cmd,
db => $on_db,
Expand Down
4 changes: 3 additions & 1 deletion manifests/server/table_grant.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,15 @@
$table,
$db,
$role,
$ensure = undef,
$port = undef,
$psql_db = undef,
$psql_user = undef,
$connect_settings = undef,
$onlyif_exists = false,
) {
postgresql::server::grant { "table:${name}":
ensure => $ensure,
role => $role,
db => $db,
port => $port,
Expand All @@ -23,4 +25,4 @@
onlyif_exists => $onlyif_exists,
connect_settings => $connect_settings,
}
}
}
Loading