Merge pull request #181 from EvaSDK/handle-pg_ident-conf

aboe76 · web-flow · commit 9b6f86aa95d5 · 2018-03-12T20:48:47.000+01:00
Add support for configure pg_ident.conf
diff --git a/pillar.example b/pillar.example
@@ -54,9 +54,14 @@ postgres:
   # If ``acls`` item value is empty ('', [], null), then the contents of
   # ``pg_hba.conf`` file will not be touched at all.
   acls:
+    - ['local', 'db0', 'connuser', 'peer map=users_as_appuser']
     - ['local', 'db1', 'localUser']
     - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
 
+  identity_map:
+    - ['users_as_appuser', 'jdoe', 'connuser']
+    - ['users_as_appuser', 'jsmith', 'connuser']
+
   # Backup extension for configuration files, defaults to ``.bak``.
   # Set ``False`` to stop creation of backups when config files change.
   {%- if salt['status.time']|default(none) is callable %}
diff --git a/postgres/defaults.yaml b/postgres/defaults.yaml
@@ -47,6 +47,9 @@ postgres:
     # IPv6 local connections:
     - ['host', 'all', 'all', '::1/128', 'md5']
 
+  pg_ident.conf: salt://postgres/templates/pg_ident.conf.j2
+  identity_map: []
+
   config_backup: '.bak'
 
   service: postgresql
diff --git a/postgres/server/init.sls b/postgres/server/init.sls
@@ -129,6 +129,33 @@ postgresql-pg_hba:
     - require:
       - file: postgresql-config-dir
 
+{%- set pg_ident_path = salt['file.join'](postgres.conf_dir, 'pg_ident.conf') %}
+
+postgresql-pg_ident:
+  file.managed:
+    - name: {{ pg_ident_path }}
+    - user: {{ postgres.user }}
+    - group: {{ postgres.group }}
+    - mode: 600
+{%- if postgres.identity_map %}
+    - source: {{ postgres['pg_ident.conf'] }}
+    - template: jinja
+    - defaults:
+        mappings: {{ postgres.identity_map }}
+  {%- if postgres.config_backup %}
+    # Create the empty file before managing to overcome the limitation of check_cmd
+    - onlyif: test -f {{ pg_ident_path }} || touch {{ pg_ident_path }}
+    # Make a local backup before the file modification
+    - check_cmd: >-
+        salt-call --local file.copy
+        {{ pg_ident_path }} {{ pg_ident_path ~ postgres.config_backup }} remove_existing=true
+  {%- endif %}
+{%- else %}
+    - replace: False
+{%- endif %}
+    - require:
+      - file: postgresql-config-dir
+
 {%- for name, tblspace in postgres.tablespaces|dictsort() %}
 
 postgresql-tablespace-dir-{{ name }}:
@@ -158,5 +185,6 @@ postgresql-running:
    {% endif %}
     - watch:
       - file: postgresql-pg_hba
+      - file: postgresql-pg_ident
 
 {%- endif %}
diff --git a/postgres/templates/pg_ident.conf.j2 b/postgres/templates/pg_ident.conf.j2
@@ -0,0 +1,51 @@
+######################################################################
+# ATTENTION! Managed by SaltStack.                                   #
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN! #
+######################################################################
+#
+# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL documentation, chapter "Client
+# Authentication" for a complete description.  A short synopsis
+# follows.
+#
+# This file controls PostgreSQL user name mapping.  It maps external
+# user names to their corresponding PostgreSQL user names.  Records
+# are of the form:
+#
+# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf.  SYSTEM-USERNAME is the detected user name of the
+# client.  PG-USERNAME is the requested PostgreSQL user name.  The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
+# regular expression.  Optionally this can contain a capture (a
+# parenthesized subexpression).  The substring matching the capture
+# will be substituted for \1 (backslash-one) if present in
+# PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration.  If all
+# system user names and PostgreSQL user names are the same, you don't
+# need anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal.  If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect.  You can
+# use "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+
+# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
+
+{%- for mapping in mappings %}
+{{ '{0:<15} {1:<22} {2}'.format(mapping) -}}
+{% endfor %}
