|
24 | 24 | #'FOREIGN DATA WRAPPER', |
25 | 25 | #'FUNCTION', |
26 | 26 | #'PROCEDURAL LANGUAGE', |
27 | | - #'SCHEMA', |
| 27 | + 'SCHEMA', |
28 | 28 | #'SEQUENCE', |
29 | 29 | 'TABLE', |
| 30 | + 'ALL TABLES IN SCHEMA', |
30 | 31 | #'TABLESPACE', |
31 | 32 | #'VIEW', |
32 | 33 | ) |
| 34 | + # You can use ALL TABLES IN SCHEMA by passing schema_name to object_name |
33 | 35 |
|
34 | 36 | ## Validate that the object type's privilege is acceptable |
35 | 37 | # TODO: this is a terrible hack; if they pass "ALL" as the desired privilege, |
|
43 | 45 | case $_object_type { |
44 | 46 | 'DATABASE': { |
45 | 47 | $unless_privilege = $_privilege ? { |
46 | | - 'ALL' => 'CREATE', |
47 | | - default => $_privilege, |
| 48 | + 'ALL' => 'CREATE', |
| 49 | + 'ALL PRIVILEGES' => 'CREATE', |
| 50 | + default => $_privilege, |
48 | 51 | } |
49 | 52 | validate_string($unless_privilege,'CREATE','CONNECT','TEMPORARY','TEMP', |
50 | 53 | 'ALL','ALL PRIVILEGES') |
51 | 54 | $unless_function = 'has_database_privilege' |
52 | 55 | $on_db = $psql_db |
53 | 56 | } |
| 57 | + 'SCHEMA': { |
| 58 | + $unless_privilege = $_privilege ? { |
| 59 | + 'ALL' => 'CREATE', |
| 60 | + 'ALL PRIVILEGES' => 'CREATE', |
| 61 | + default => $_privilege, |
| 62 | + } |
| 63 | + validate_string($_privilege, 'CREATE', 'USAGE', 'ALL', 'ALL PRIVILEGES') |
| 64 | + $unless_function = 'has_schema_privilege' |
| 65 | + $on_db = $db |
| 66 | + } |
54 | 67 | 'TABLE': { |
55 | 68 | $unless_privilege = $_privilege ? { |
56 | 69 | 'ALL' => 'INSERT', |
|
61 | 74 | $unless_function = 'has_table_privilege' |
62 | 75 | $on_db = $db |
63 | 76 | } |
| 77 | + 'ALL TABLES IN SCHEMA': { |
| 78 | + validate_string($_privilege, 'SELECT', 'INSERT', 'UPDATE', 'REFERENCES', |
| 79 | + 'ALL', 'ALL PRIVILEGES') |
| 80 | + $unless_function = false # There is no way to test it simply |
| 81 | + $on_db = $db |
| 82 | + } |
64 | 83 | default: { |
65 | 84 | fail("Missing privilege validation for object type ${_object_type}") |
66 | 85 | } |
67 | 86 | } |
68 | 87 |
|
69 | | - $grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\"" |
70 | | - postgresql_psql { $grant_cmd: |
| 88 | + # This is used to give grant to "schemaname"."tablename" |
| 89 | + # If you need such grant, use: |
| 90 | + # postgresql::grant { 'table:foo': |
| 91 | + # role => 'joe', |
| 92 | + # … |
| 93 | + # object_type => 'TABLE', |
| 94 | + # object_name => [$schema, $table], |
| 95 | + # } |
| 96 | + if is_array($object_name) { |
| 97 | + $_togrant_object = join($object_name, '"."') |
| 98 | + # Never put double quotes into has_*_privilege function |
| 99 | + $_granted_object = join($object_name, '.') |
| 100 | + } else { |
| 101 | + $_granted_object = $object_name |
| 102 | + $_togrant_object = $object_name |
| 103 | + } |
| 104 | + |
| 105 | + $_unless = $unless_function ? { |
| 106 | + false => undef, |
| 107 | + default => "SELECT 1 WHERE ${unless_function}('${role}', |
| 108 | + '${_granted_object}', '${unless_privilege}')", |
| 109 | + } |
| 110 | + |
| 111 | + $grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${_togrant_object}\" TO |
| 112 | + \"${role}\"" |
| 113 | + postgresql_psql { "grant:${name}": |
| 114 | + command => $grant_cmd, |
71 | 115 | db => $on_db, |
72 | 116 | port => $port, |
73 | 117 | psql_user => $psql_user, |
74 | 118 | psql_group => $group, |
75 | 119 | psql_path => $psql_path, |
76 | | - unless => "SELECT 1 WHERE ${unless_function}('${role}', '${object_name}', '${unless_privilege}')", |
| 120 | + unless => $_unless, |
77 | 121 | require => Class['postgresql::server'] |
78 | 122 | } |
79 | 123 |
|
80 | 124 | if($role != undef and defined(Postgresql::Server::Role[$role])) { |
81 | | - Postgresql::Server::Role[$role]->Postgresql_psql[$grant_cmd] |
| 125 | + Postgresql::Server::Role[$role]->Postgresql_psql["grant:${name}"] |
82 | 126 | } |
83 | 127 |
|
84 | 128 | if($db != undef and defined(Postgresql::Server::Database[$db])) { |
85 | | - Postgresql::Server::Database[$db]->Postgresql_psql[$grant_cmd] |
| 129 | + Postgresql::Server::Database[$db]->Postgresql_psql["grant:${name}"] |
86 | 130 | } |
87 | 131 | } |
0 commit comments