# File 'manifests/server/passwd.pp', line 2
# Sets the database password of the role named by postgresql::server::user.
#
# Every input is read from the postgresql::server class. No resource is
# declared unless a password has been configured there.
class postgresql::server::passwd {
  $user           = $postgresql::server::user
  $group          = $postgresql::server::group
  $psql_path      = $postgresql::server::psql_path
  $port           = $postgresql::server::port
  $database       = $postgresql::server::default_database
  $module_workdir = $postgresql::server::module_workdir

  # The configured password may arrive wrapped in Sensitive; from here on the
  # class works with the plain value.
  # NOTE(review): once unwrapped, the password is interpolated into ordinary
  # strings below, so Sensitive redaction presumably no longer covers them.
  # Confirm that catalogs and reports holding this exec are access-controlled.
  $_configured_password = $postgresql::server::postgres_password
  if $_configured_password =~ Sensitive {
    $postgres_password = $_configured_password.unwrap
  } else {
    $postgres_password = $_configured_password
  }

  # psql falls back to $user when no name is specified, so --dbname is only
  # added when the default database is named differently from $user.
  # NOTE(review): ${database} is placed in the command line unquoted; this
  # assumes the configured name contains no shell metacharacters.
  $_dboption = if $database == $user {
    ''
  } else {
    " --dbname ${database}"
  }

  if $postgres_password {
    # NOTE: setting the password this way depends on pg_hba.conf letting the
    # postgres system user connect through psql without a password ('ident'
    # or 'trust' security), which is the pg_hba.conf default.

    # Escaping is delegated to postgresql::postgresql_escape; presumably it
    # returns a quoted SQL literal (verify against the function).
    $escaped = postgresql::postgresql_escape($postgres_password)

    # The \$ stops Puppet from interpolating NEWPASSWD_ESCAPED, so the new
    # password is supplied through the exec's environment rather than being
    # written into the command string itself.
    $_alter_role_cmd = "${psql_path}${_dboption} -c \"ALTER ROLE \\\"${user}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\""

    # Idempotency probe: -h forces TCP authentication, which does require a
    # password, and that password comes from PGPASSWORD. Exit code 0 means the
    # configured password is already current, so the ALTER ROLE is skipped.
    # NOTE(review): if pg_hba.conf trusts TCP connections from localhost, this
    # probe would succeed with any password and the role's password would
    # never be updated. Confirm the host rules require password auth.
    # NOTE(review): unlike the main command, the probe does not pass
    # ${_dboption}; confirm it can connect when $database differs from $user.
    $_password_is_current = "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null"

    exec { 'set_postgres_postgrespw':
      # Works without a password because it runs as the postgres system user.
      command     => $_alter_role_cmd,
      unless      => $_password_is_current,
      user        => $user,
      group       => $group,
      cwd         => $module_workdir,
      path        => '/usr/bin:/usr/local/bin:/bin',
      # NOTE(review): output logging is enabled; confirm that psql output or
      # error text cannot echo the statement that carries the password.
      logoutput   => true,
      environment => [
        "PGPASSWORD=${postgres_password}",
        "PGPORT=${port}",
        "NEWPASSWD_ESCAPED=${escaped}",
      ],
    }
  }
}