Merge pull request #6 from Yelp/y-trobinso_add_group_and_deduped_user_support

Add disambiguation for multiple users with the same name in a cluster, update documentation, add group stub in preparation of full functionality

Author: y-trobinso

README.md

@@ -325,6 +325,7 @@ The postgresql module comes with many options for configuring the server. While
 * [postgresql::server::extension](#postgresqlserverextension)
 * [postgresql::server::grant](#postgresqlservergrant)
 * [postgresql::server::grant_role](#postgresqlservergrant_role)
+* [postgresql::server::group](#postgresqlservergroup)
 * [postgresql::server::pg_hba_rule](#postgresqlserverpg_hba_rule)
 * [postgresql::server::pg_ident_rule](#postgresqlserverpg_ident_rule)
 * [postgresql::server::recovery](#postgresqlserverrecovery)
@@ -448,6 +449,12 @@ Overrides the default PostgreSQL devel package name.
 
 Default value: OS dependent.
 
+##### `dialect`
+
+Sets the dialect for all databases managed with this module. Select 'postgres' for managing vanilla postgres databases, or 'redshift' for Amazon Redshift databases. Note: local database software is only installable using the 'postgres' dialect.
+
+Default value: 'postgres'
+
 ##### `docs_package_name`
 
 Optional.
@@ -742,6 +749,12 @@ Specifies the name of the default database to connect with. On most systems this
 
 Specifies a hash of environment variables used when connecting to a remote server. Becomes the default for other defined-types. i.e. `postgresql::server::role`
 
+##### `dialect`
+
+Sets the dialect for all databases managed with this module. Select 'postgres' for managing vanilla postgres databases, or 'redshift' for Amazon Redshift databases. Note: local database software is only installable using the 'postgres' dialect.
+
+Default value: value set in `postgresql::params` or `postgresql::globals`
+
 ##### `encoding`
 
 Sets the default encoding for all databases created with this module. On certain operating systems this is also used during the `template1` initialization, so it becomes a default outside of the module as well.
@@ -945,6 +958,12 @@ Overrides the default status check command for your PostgreSQL service.
 
 Default value: OS dependent.
 
+##### `skip_install`
+
+Overrides the installation of a local PostgreSQL instance, such as when performing tests or when an instance is managed remotely.
+
+Default value: `false`.
+
 ##### `user`
 
 Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system. 
@@ -1281,6 +1300,42 @@ Specifies a hash of environment variables used when connecting to a remote serve
 
 Default value: Connects to the local Postgres instance.
 
+#### postgresql::server::group
+
+Creates a Postgres group.
+
+##### `connect_settings`
+Required.
+
+Specifies a hash of environment variables used when connecting to a remote server.
+
+Default value: `undef`, because groups only currently make sense in remotely-managed Redshift clusters.
+
+##### `db`
+Required.
+
+Specifies which database psql will use to perform certain checks, such as what settings exist for the current group prior to applying changes.
+
+##### `dialect`
+Reserved for future use. Currently both the 'postgres' and 'redshift' dialects are identical in operation.
+
+Default value: inherit from server settings.
+
+##### `groupname`
+Defines the name of the group to create.
+
+Default value: the namevar.
+
+##### `groupmembers`
+Defines the users that are part of the current group, if any.
+
+Default value: `undef`, which specifies an empty members list.
+
+##### `port`
+Optional port override for connecting to postgres when applying this group.
+
+Default value: inherit from `$connect_settings` or `postgresql::server::port`
+
 #### postgresql::server::pg_hba_rule
 
 Allows you to create an access rule for `pg_hba.conf`. For more details see the [usage example](#create-an-access-rule-for-pghba.conf) and the [PostgreSQL documentation](http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html).
@@ -1410,7 +1465,7 @@ Provides the target for the rule, and is generally an internal only property.
 **Use with caution.**
 
 #### postgresql::server::role
-Creates a role or user in PostgreSQL.
+Creates a role or user in PostgreSQL. In the Redshift dialect, this creates a new redshift user (see `postgresql::server::group` for groups).
 
 ##### `connection_limit`
 Specifies how many concurrent connections the role can make.
@@ -1432,6 +1487,16 @@ Specifies whether to grant the ability to create new roles with this role.
 
 Default value: `false`.
 
+##### `db`
+Required.
+
+Specifies which database psql will use to perform certain checks, such as what settings exist for the current role prior to applying changes.
+
+##### `dialect`
+Determines whether to use postgres or redshift's definition of a user. Also determines the tables to query for user metadata.
+
+Default value: inherit from server settings.
+
 ##### `inherit`
 Specifies whether to grant inherit capability for the new role.
 
@@ -1451,6 +1516,11 @@ password_hash => postgresql_password('myusername', 'mypassword'),
 }
 ```
 
+##### `port`
+Optional port override for connecting to postgres when applying this role.
+
+Default value: inherit from `$connect_settings` or `postgresql::server::port`
+
 ##### `replication`
 
 Provides provides replication capabilities for this role if set to `true`.

manifests/server/group.pp

@@ -0,0 +1,29 @@
+# Define for creating a redshift group. See README.md for more information
+define postgresql::server::group(
+  $db               = $postgresql::server::default_database,
+  $port             = undef, 
+  $groupmembers     = undef,
+  $groupname        = $title,
+  $dialect          = $postgresql::server::dialect,
+  $connect_settings = undef,
+) {
+  $psql_user      = $postgresql::server::user
+  $psql_group     = $postgresql::server::group
+  $psql_path      = $postgresql::server::psql_path
+  $module_workdir = $postgresql::server::module_workdir
+
+  # TODO: complete this functionality
+  $groupmembers_list = []
+  $groupmembers_sql = ''
+
+  postgresql_psql { "${title}: CREATE GROUP ${groupname}":
+    command     => "CREATE GROUP ${groupname}",
+    unless      => "SELECT 1 FROM pg_group WHERE groname = '${groupname}'",
+    environment => $environment,
+    require     => Class['Postgresql::Server'],
+  }
+
+  postgresql_psql {"${title}: ALTER GROUP \"${group}\" ${groupmembers_sql}":
+    unless => "SELECT 1 FROM pg_group WHERE groname = '${groupname}' AND grolist = ${groupmembers_list}",
+  }
+}

manifests/server/role.pp

@@ -93,7 +93,7 @@
     connect_settings => $connect_settings,
     cwd        => $module_workdir,
     require    => [
-      Postgresql_psql["CREATE ${role_keyword} ${username} ENCRYPTED PASSWORD ****"],
+      Postgresql_psql["${title}: CREATE ${role_keyword} ${username} ENCRYPTED PASSWORD ****"],
       Class['postgresql::server'],
     ],
   }
@@ -104,54 +104,54 @@
     $options_sql = "${createrole_sql} ${createdb_sql}"
   }
 
-  postgresql_psql { "CREATE ${role_keyword} ${username} ENCRYPTED PASSWORD ****":
+  postgresql_psql { "${title}: CREATE ${role_keyword} ${username} ENCRYPTED PASSWORD ****":
     command     => "CREATE ${role_keyword} \"${username}\" ${password_sql} ${options_sql} CONNECTION LIMIT ${role_connection_limit}",
     unless      => "SELECT 1 FROM ${role_table} WHERE ${role_column_prefix}name = '${username}'",
     environment => $environment,
     require     => Class['Postgresql::Server'],
   }
 
-  postgresql_psql {"ALTER ${role_keyword} \"${username}\" ${createdb_sql}":
+  postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${createdb_sql}":
     unless => "SELECT 1 FROM ${role_table} WHERE ${role_column_prefix}name = '${username}' AND ${role_column_prefix}createdb = ${createdb}",
   }
 
   if ($dialect == 'postgres') {
-    postgresql_psql {"ALTER ${role_keyword} \"${username}\" ${createrole_sql}":
+    postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${createrole_sql}":
       unless => "SELECT 1 FROM ${role_table} WHERE ${role_column_prefix}name = '${username}' AND rolcreaterole = ${createrole}",
     }
 
-    postgresql_psql {"ALTER ${role_keyword} \"${username}\" ${superuser_sql}":
+    postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${superuser_sql}":
       unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolsuper = ${superuser}",
     }
 
-    postgresql_psql {"ALTER ${role_keyword} \"${username}\" ${login_sql}":
+    postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${login_sql}":
       unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolcanlogin = ${login}",
     }
 
-    postgresql_psql {"ALTER ${role_keyword} \"${username}\" ${inherit_sql}":
+    postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${inherit_sql}":
       unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolinherit = ${inherit}",
     }
 
     if(versioncmp($version, '9.1') >= 0) {
       if $replication_sql == '' {
-        postgresql_psql {"ALTER ${role_keyword} \"${username}\" NOREPLICATION":
+        postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" NOREPLICATION":
           unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolreplication = ${replication}",
         }
       } else {
-        postgresql_psql {"ALTER ${role_keyword} \"${username}\" ${replication_sql}":
+        postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${replication_sql}":
           unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolreplication = ${replication}",
         }
       }
     }
   } elsif ($dialect == 'redshift') {
 
     # CREATEUSER actually defines superuser privileges in Redshift: http://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_USER.html
-    postgresql_psql {"ALTER ${role_keyword} \"${username}\" ${createrole_sql}":
+    postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${createrole_sql}":
       unless => "SELECT 1 FROM ${role_table} WHERE usename = '${username}' AND usesuper = ${createrole}",
     }
   }
 
-  postgresql_psql {"ALTER ${role_keyword} \"${username}\" CONNECTION LIMIT ${role_connection_limit}":
+  postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" CONNECTION LIMIT ${role_connection_limit}":
     unless => "SELECT 1 FROM ${role_table} WHERE ${role_column_prefix}name = '${username}' AND ${role_column_prefix}connlimit = '${role_connection_limit}'",
   }
 
@@ -162,7 +162,7 @@
       $pwd_md5 = md5("${password_hash}${username}")
       $pwd_hash_sql = "md5${pwd_md5}"
     }
-    postgresql_psql { "ALTER ${role_keyword} ${username} ENCRYPTED PASSWORD ****":
+    postgresql_psql { "${title}: ALTER ${role_keyword} ${username} ENCRYPTED PASSWORD ****":
       command     => "ALTER ${role_keyword} \"${username}\" ${password_sql}",
       unless      => "SELECT 1 FROM ${password_table} WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
       environment => $environment,

spec/unit/defines/server/role_spec.rb

@@ -32,15 +32,15 @@
 
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'should have create role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: CREATE ROLE test ENCRYPTED PASSWORD ****').with({
         'command'     => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' NOCREATEROLE NOCREATEDB LOGIN NOSUPERUSER  CONNECTION LIMIT -1",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
         'port'        => "5432",
       })
     end
     it 'should have alter role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: ALTER ROLE test ENCRYPTED PASSWORD ****').with({
         'command'     => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
@@ -61,7 +61,7 @@
 
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'should have create role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: CREATE ROLE test ENCRYPTED PASSWORD ****').with({
         'command'     => "CREATE ROLE \"test\"  NOCREATEROLE NOCREATEDB LOGIN NOSUPERUSER  CONNECTION LIMIT -1",
         'environment' => [],
         'unless'      => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
@@ -87,7 +87,7 @@
 
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'should have create role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: CREATE ROLE test ENCRYPTED PASSWORD ****').with({
         'command'     => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' NOCREATEROLE NOCREATEDB LOGIN NOSUPERUSER  CONNECTION LIMIT -1",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
@@ -100,7 +100,7 @@
       })
     end
     it 'should have alter role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: ALTER ROLE test ENCRYPTED PASSWORD ****').with({
         'command'     => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
@@ -132,7 +132,7 @@
 
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'should have create role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: CREATE ROLE test ENCRYPTED PASSWORD ****').with({
         'command'     => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' NOCREATEROLE NOCREATEDB LOGIN NOSUPERUSER  CONNECTION LIMIT -1",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
@@ -144,7 +144,7 @@
       })
     end
     it 'should have alter role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: ALTER ROLE test ENCRYPTED PASSWORD ****').with({
         'command'     => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
@@ -171,15 +171,15 @@
 
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'should have create role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('CREATE USER test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: CREATE USER test ENCRYPTED PASSWORD ****').with({
         'command'     => "CREATE USER \"test\" PASSWORD '$NEWPGPASSWD' NOCREATEUSER NOCREATEDB CONNECTION LIMIT UNLIMITED",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_user_info WHERE usename = 'test'",
         'port'        => "5432",
       })
     end
     it 'should have alter role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('ALTER USER test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: ALTER USER test ENCRYPTED PASSWORD ****').with({
         'command'     => "ALTER USER \"test\" PASSWORD '$NEWPGPASSWD'",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_user WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
@@ -200,7 +200,7 @@
 
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'should have create role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('CREATE USER test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: CREATE USER test ENCRYPTED PASSWORD ****').with({
         'command'     => "CREATE USER \"test\" PASSWORD DISABLE NOCREATEUSER NOCREATEDB CONNECTION LIMIT UNLIMITED",
         'environment' => [],
         'unless'      => "SELECT 1 FROM pg_user_info WHERE usename = 'test'",
@@ -226,7 +226,7 @@
 
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'should have create role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('CREATE USER test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: CREATE USER test ENCRYPTED PASSWORD ****').with({
         'command'     => "CREATE USER \"test\" PASSWORD '$NEWPGPASSWD' NOCREATEUSER NOCREATEDB CONNECTION LIMIT UNLIMITED",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_user_info WHERE usename = 'test'",
@@ -239,7 +239,7 @@
       })
     end
     it 'should have alter role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('ALTER USER test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: ALTER USER test ENCRYPTED PASSWORD ****').with({
         'command'     => "ALTER USER \"test\" PASSWORD '$NEWPGPASSWD'",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_user WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
@@ -271,7 +271,7 @@
 
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'should have create role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('CREATE USER test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: CREATE USER test ENCRYPTED PASSWORD ****').with({
         'command'     => "CREATE USER \"test\" PASSWORD '$NEWPGPASSWD' NOCREATEUSER NOCREATEDB CONNECTION LIMIT UNLIMITED",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_user_info WHERE usename = 'test'",
@@ -283,7 +283,7 @@
       })
     end
     it 'should have alter role for "test" user with password as ****' do
-      is_expected.to contain_postgresql_psql('ALTER USER test ENCRYPTED PASSWORD ****').with({
+      is_expected.to contain_postgresql_psql('test: ALTER USER test ENCRYPTED PASSWORD ****').with({
         'command'     => "ALTER USER \"test\" PASSWORD '$NEWPGPASSWD'",
         'environment' => "NEWPGPASSWD=new-pa$s",
         'unless'      => "SELECT 1 FROM pg_user WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",