Merge pull request #7 from Yelp/y-trobinso_full_group_support

Provide postgres and redshift groups support (dbgroup.pp)

Author: y-trobinso

README.md

@@ -322,10 +322,10 @@ The postgresql module comes with many options for configuring the server. While
 * [postgresql::server::database](#postgresqlserverdatabase)
 * [postgresql::server::database_grant](#postgresqlserverdatabase_grant)
 * [postgresql::server::db](#postgresqlserverdb)
+* [postgresql::server::dbgroup](#postgresqlserverdbgroup)
 * [postgresql::server::extension](#postgresqlserverextension)
 * [postgresql::server::grant](#postgresqlservergrant)
 * [postgresql::server::grant_role](#postgresqlservergrant_role)
-* [postgresql::server::group](#postgresqlservergroup)
 * [postgresql::server::pg_hba_rule](#postgresqlserverpg_hba_rule)
 * [postgresql::server::pg_ident_rule](#postgresqlserverpg_ident_rule)
 * [postgresql::server::recovery](#postgresqlserverrecovery)
@@ -1094,6 +1094,42 @@ Defaults value: `template0`.
 
 User to create and assign access to the database upon creation. Mandatory.
 
+#### postgresql::server::dbgroup
+
+Creates a Postgres group.
+
+##### `connect_settings`
+Required.
+
+Specifies a hash of environment variables used when connecting to a remote server.
+
+Default value: `undef`, because groups only currently make sense in remotely-managed Redshift clusters.
+
+##### `db`
+Required.
+
+Specifies which database psql will use to perform certain checks, such as what settings exist for the current group prior to applying changes.
+
+##### `dialect`
+Reserved for future use. Currently both the 'postgres' and 'redshift' dialects are identical in operation.
+
+Default value: inherit from server settings.
+
+##### `groupname`
+Defines the name of the group to create.
+
+Default value: the namevar.
+
+##### `groupmembers`
+Defines the users that are part of the current group, if any.
+
+Default value: `undef`, which specifies an empty members list.
+
+##### `port`
+Optional port override for connecting to postgres when applying this group.
+
+Default value: inherit from `$connect_settings` or `postgresql::server::port`
+
 #### postgresql::server::database
 
 Creates a database with no users and no permissions.
@@ -1300,42 +1336,6 @@ Specifies a hash of environment variables used when connecting to a remote serve
 
 Default value: Connects to the local Postgres instance.
 
-#### postgresql::server::group
-
-Creates a Postgres group.
-
-##### `connect_settings`
-Required.
-
-Specifies a hash of environment variables used when connecting to a remote server.
-
-Default value: `undef`, because groups only currently make sense in remotely-managed Redshift clusters.
-
-##### `db`
-Required.
-
-Specifies which database psql will use to perform certain checks, such as what settings exist for the current group prior to applying changes.
-
-##### `dialect`
-Reserved for future use. Currently both the 'postgres' and 'redshift' dialects are identical in operation.
-
-Default value: inherit from server settings.
-
-##### `groupname`
-Defines the name of the group to create.
-
-Default value: the namevar.
-
-##### `groupmembers`
-Defines the users that are part of the current group, if any.
-
-Default value: `undef`, which specifies an empty members list.
-
-##### `port`
-Optional port override for connecting to postgres when applying this group.
-
-Default value: inherit from `$connect_settings` or `postgresql::server::port`
-
 #### postgresql::server::pg_hba_rule
 
 Allows you to create an access rule for `pg_hba.conf`. For more details see the [usage example](#create-an-access-rule-for-pghba.conf) and the [PostgreSQL documentation](http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html).

manifests/server/dbgroup.pp

@@ -0,0 +1,51 @@
+# Define for creating a redshift group. See README.md for more information
+define postgresql::server::dbgroup(
+  $db               = $postgresql::server::default_database,
+  $port             = undef, 
+  $groupmembers     = [],
+  $groupname        = $title,
+  $dialect          = $postgresql::server::dialect,
+  $connect_settings = undef,
+) {
+  $psql_user      = $postgresql::server::user
+  $psql_group     = $postgresql::server::group
+  $psql_path      = $postgresql::server::psql_path
+  $module_workdir = $postgresql::server::module_workdir
+
+  #
+  # Port, order of precedence: $port parameter, $connect_settings[PGPORT], $postgresql::server::port
+  #
+  if $port != undef {
+    $port_override = $port
+  } elsif $connect_settings != undef and has_key( $connect_settings, 'PGPORT') {
+    $port_override = undef
+  } else {
+    $port_override = $postgresql::server::port
+  }
+
+  Postgresql_psql {
+    db         => $db,
+    port       => $port_override,
+    psql_user  => $psql_user,
+    psql_group => $psql_group,
+    psql_path  => $psql_path,
+    connect_settings => $connect_settings,
+    cwd        => $module_workdir,
+    require    => [
+      Postgresql_psql["${title}: CREATE GROUP ${groupname}"],
+      Class['postgresql::server'],
+    ],
+  }
+
+  postgresql_psql { "${title}: CREATE GROUP ${groupname}":
+    command     => "CREATE GROUP '${groupname}'",
+    unless      => "SELECT 1 FROM pg_group WHERE groname = '${groupname}'",
+    environment => [],
+    require     => Class['Postgresql::Server'],
+  }
+
+  postgresql_psql {"${title}: UPDATE pg_group SET grolist = ARRAY${groupmembers} WHERE groname = '${groupname}'":
+    command => "UPDATE pg_group SET grolist = ARRAY${groupmembers} WHERE groname = '${groupname}'",
+    unless => "SELECT 1 FROM pg_group WHERE groname = '${groupname}' AND grolist = ARRAY${groupmembers}",
+  }
+}

manifests/server/group.pp

@@ -112,33 +112,40 @@
   }
 
   postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${createdb_sql}":
+    command => "ALTER ${role_keyword} \"${username}\" ${createdb_sql}",
     unless => "SELECT 1 FROM ${role_table} WHERE ${role_column_prefix}name = '${username}' AND ${role_column_prefix}createdb = ${createdb}",
   }
 
   if ($dialect == 'postgres') {
     postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${createrole_sql}":
+      command => "ALTER ${role_keyword} \"${username}\" ${createrole_sql}",
       unless => "SELECT 1 FROM ${role_table} WHERE ${role_column_prefix}name = '${username}' AND rolcreaterole = ${createrole}",
     }
 
     postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${superuser_sql}":
+      command => "ALTER ${role_keyword} \"${username}\" ${superuser_sql}",
       unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolsuper = ${superuser}",
     }
 
     postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${login_sql}":
+      command => "ALTER ${role_keyword} \"${username}\" ${login_sql}",
       unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolcanlogin = ${login}",
     }
 
     postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${inherit_sql}":
+      command => "ALTER ${role_keyword} \"${username}\" ${inherit_sql}",
       unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolinherit = ${inherit}",
     }
 
     if(versioncmp($version, '9.1') >= 0) {
       if $replication_sql == '' {
         postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" NOREPLICATION":
+          command => "ALTER ${role_keyword} \"${username}\" NOREPLICATION",
           unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolreplication = ${replication}",
         }
       } else {
         postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${replication_sql}":
+          command => "ALTER ${role_keyword} \"${username}\" ${replication_sql}",
           unless => "SELECT 1 FROM ${role_table} WHERE rolname = '${username}' AND rolreplication = ${replication}",
         }
       }
@@ -147,11 +154,13 @@
 
     # CREATEUSER actually defines superuser privileges in Redshift: http://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_USER.html
     postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" ${createrole_sql}":
+      command => "ALTER ${role_keyword} \"${username}\" ${createrole_sql}",
       unless => "SELECT 1 FROM ${role_table} WHERE usename = '${username}' AND usesuper = ${createrole}",
     }
   }
 
   postgresql_psql {"${title}: ALTER ${role_keyword} \"${username}\" CONNECTION LIMIT ${role_connection_limit}":
+    command => "ALTER ${role_keyword} \"${username}\" CONNECTION LIMIT ${role_connection_limit}",
     unless => "SELECT 1 FROM ${role_table} WHERE ${role_column_prefix}name = '${username}' AND ${role_column_prefix}connlimit = '${role_connection_limit}'",
   }
 

manifests/server/role.pp

@@ -0,0 +1,76 @@
+require 'spec_helper'
+
+describe 'postgresql::server::dbgroup', :type => :define do
+
+  let :facts do
+    {
+      :osfamily => 'Debian',
+      :operatingsystem => 'Debian',
+      :operatingsystemrelease => '6.0',
+      :kernel => 'Linux',
+      :concat_basedir => tmpfilename('contrib'),
+      :id => 'root',
+      :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+    }
+  end
+
+  let :title do
+    'test'
+  end
+
+  context 'no members' do
+
+    let :pre_condition do
+     "class {'postgresql::server': dialect => 'postgres'}"
+    end
+  
+    it { is_expected.to contain_postgresql__server__dbgroup('test') }
+    it 'should have create group for test' do
+      is_expected.to contain_postgresql_psql('test: CREATE GROUP test').with({
+        'command'     => "CREATE GROUP 'test'",
+        'environment' => [],
+        'unless'      => "SELECT 1 FROM pg_group WHERE groname = 'test'",
+        'port'        => "5432",
+      })
+    end
+    it 'should have update pg_group for test group with groupmembers as []' do
+      is_expected.to contain_postgresql_psql("test: UPDATE pg_group SET grolist = ARRAY[] WHERE groname = 'test'").with({
+        'command'     => "UPDATE pg_group SET grolist = ARRAY[] WHERE groname = 'test'",
+        'environment' => [],
+        'unless'      => "SELECT 1 FROM pg_group WHERE groname = 'test' AND grolist = ARRAY[]",
+        'port'        => "5432",
+      })
+    end
+  end
+
+  context 'group containing test members' do
+
+    let :pre_condition do
+     "class {'postgresql::server': dialect => 'postgres'}"
+    end
+  
+    let :params do
+      {
+        :groupmembers => ['testuser1', 'testuser2'],
+      }
+    end
+
+    it { is_expected.to contain_postgresql__server__dbgroup('test') }
+    it 'should have create group for test' do
+      is_expected.to contain_postgresql_psql('test: CREATE GROUP test').with({
+        'command'     => "CREATE GROUP 'test'",
+        'environment' => [],
+        'unless'      => "SELECT 1 FROM pg_group WHERE groname = 'test'",
+        'port'        => "5432",
+      })
+    end
+    it 'should have update pg_group for test group with provided groupmembers' do
+      is_expected.to contain_postgresql_psql("test: UPDATE pg_group SET grolist = ARRAY[testuser1, testuser2] WHERE groname = 'test'").with({
+        'command'     => "UPDATE pg_group SET grolist = ARRAY[testuser1, testuser2] WHERE groname = 'test'",
+        'environment' => [],
+        'unless'      => "SELECT 1 FROM pg_group WHERE groname = 'test' AND grolist = ARRAY[testuser1, testuser2]",
+        'port'        => "5432",
+      })
+    end
+  end
+end

spec/unit/defines/server/dbgroup_spec.rb

@@ -75,9 +75,9 @@
       {
         :password_hash => 'new-pa$s',
         :connect_settings => { 'PGHOST'     => 'postgres-db-server',
-	                       'DBVERSION'  => '9.1',
-	                       'PGUSER'     => 'login-user',
-			       'PGPASSWORD' => 'login-pass' },
+                           'DBVERSION'  => '9.1',
+                           'PGUSER'     => 'login-user',
+                           'PGPASSWORD' => 'login-pass' },
       }
     end
 
@@ -119,10 +119,10 @@
       {
         :password_hash => 'new-pa$s',
         :connect_settings => { 'PGHOST'     => 'postgres-db-server',
-	                       'DBVERSION'  => '9.1',
-	                       'PGPORT'     => '1234',
-	                       'PGUSER'     => 'login-user',
-			       'PGPASSWORD' => 'login-pass' },
+                           'DBVERSION'  => '9.1',
+                           'PGPORT'     => '1234',
+                           'PGUSER'     => 'login-user',
+                           'PGPASSWORD' => 'login-pass' },
       }
     end
 
@@ -214,9 +214,9 @@
       {
         :password_hash => 'new-pa$s',
         :connect_settings => { 'PGHOST'     => 'redshift-db-server',
-	                       'DBVERSION'  => '9.1',
-	                       'PGUSER'     => 'login-user',
-			       'PGPASSWORD' => 'login-pass' },
+                           'DBVERSION'  => '9.1',
+                           'PGUSER'     => 'login-user',
+                           'PGPASSWORD' => 'login-pass' },
       }
     end
 
@@ -258,10 +258,10 @@
       {
         :password_hash => 'new-pa$s',
         :connect_settings => { 'PGHOST'     => 'redshift-db-server',
-	                       'DBVERSION'  => '9.1',
-	                       'PGPORT'     => '1234',
-	                       'PGUSER'     => 'login-user',
-			       'PGPASSWORD' => 'login-pass' },
+                           'DBVERSION'  => '9.1',
+                           'PGPORT'     => '1234',
+                           'PGUSER'     => 'login-user',
+                           'PGPASSWORD' => 'login-pass' },
       }
     end