]> git.openstreetmap.org Git - chef.git/commitdiff
projects / chef.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: 0e7cbac)
Add support for granting roles to postgres users
authorTom Hughes <tom@compton.nu>
Sun, 15 Oct 2023 10:16:01 +0000 (11:16 +0100)
committerTom Hughes <tom@compton.nu>
Sun, 15 Oct 2023 10:36:46 +0000 (10:36 +0000)
cookbooks/postgresql/libraries/postgresql.rb patch | blob | history
cookbooks/postgresql/resources/user.rb patch | blob | history

diff --git a/cookbooks/postgresql/libraries/postgresql.rb b/cookbooks/postgresql/libraries/postgresql.rb
index ab8ea6fbebc36e56e4a2eaeb50aadd71a2811a20..1a39da25a146bc6426ee9d694e1cc0f714da989c 100644 (file)
--- a/cookbooks/postgresql/libraries/postgresql.rb
+++ b/cookbooks/postgresql/libraries/postgresql.rb
@@ -76,12 +76,13 @@ module OpenStreetMap
     end
 
     def users
     end
 
     def users
-      @users ||= query("SELECT * FROM pg_user").each_with_object({}) do |user, users|
+      @users ||= query("SELECT *, ARRAY(SELECT groname FROM pg_group WHERE usesysid = ANY(grolist)) AS roles FROM pg_user").each_with_object({}) do |user, users|
         users[user[:usename]] = {
           :superuser => user[:usesuper] == "t",
           :createdb => user[:usercreatedb] == "t",
           :createrole => user[:usecatupd] == "t",
         users[user[:usename]] = {
           :superuser => user[:usesuper] == "t",
           :createdb => user[:usercreatedb] == "t",
           :createrole => user[:usecatupd] == "t",
-          :replication => user[:userepl] == "t"
+          :replication => user[:userepl] == "t",
+          :roles => parse_array(user[:roles] || "{}")
         }
       end
     end
         }
       end
     end
@@ -140,8 +141,12 @@ module OpenStreetMap
 
     private
 
 
     private
 
+    def parse_array(array)
+      array.sub(/^\{(.*)\}$/, "\\1").split(",")
+    end
+
     def parse_acl(acl)
     def parse_acl(acl)
-      acl.sub(/^\{(.*)\}$/, "\\1").split(",").each_with_object({}) do |entry, permissions|
+      parse_array(acl).each_with_object({}) do |entry, permissions|
         entry = entry.sub(/^"(.*)"$/) { Regexp.last_match[1].gsub(/\\"/, '"') }.sub(%r{/.*$}, "")
         user, privileges = entry.split("=")
 
         entry = entry.sub(/^"(.*)"$/) { Regexp.last_match[1].gsub(/\\"/, '"') }.sub(%r{/.*$}, "")
         user, privileges = entry.split("=")
 
diff --git a/cookbooks/postgresql/resources/user.rb b/cookbooks/postgresql/resources/user.rb
index 35ff5aa8ba153ecc9e8376a165b595e5c9f59bc3..31194fedcac2ac1cce3cbae44a9629f7a7c637b8 100644 (file)
--- a/cookbooks/postgresql/resources/user.rb
+++ b/cookbooks/postgresql/resources/user.rb
@@ -30,6 +30,7 @@ property :superuser, :kind_of => [TrueClass, FalseClass], :default => false
 property :createdb, :kind_of => [TrueClass, FalseClass], :default => false
 property :createrole, :kind_of => [TrueClass, FalseClass], :default => false
 property :replication, :kind_of => [TrueClass, FalseClass], :default => false
 property :createdb, :kind_of => [TrueClass, FalseClass], :default => false
 property :createrole, :kind_of => [TrueClass, FalseClass], :default => false
 property :replication, :kind_of => [TrueClass, FalseClass], :default => false
+property :roles, :kind_of => [String, Array]
 
 action :create do
   password = new_resource.password ? "ENCRYPTED PASSWORD '#{new_resource.password.shellescape}'" : ""
 
 action :create do
   password = new_resource.password ? "ENCRYPTED PASSWORD '#{new_resource.password.shellescape}'" : ""
@@ -70,6 +71,24 @@ action :create do
         end
       end
     end
         end
       end
     end
+
+    roles = Array(new_resource.roles)
+
+    roles.each do |role|
+      next if current_user[:roles].include?(role)
+
+      converge_by "grant #{role} to #{new_resource.user}" do
+        cluster.execute(:command => "GRANT \"#{role}\" TO \"#{new_resource.user}\"")
+      end
+    end
+
+    current_user[:roles].each do |role|
+      next if roles.include?(role)
+
+      converge_by "revoke #{role} from #{new_resource.user}" do
+        cluster.execute(:command => "REVOKE \"#{role}\" FROM \"#{new_resource.user}\"")
+      end
+    end
   end
 end
 
   end
 end
 
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.