Provide new defined resources for managing pg_hba.conf #120
Could we possibly have the system test create a postgres user account, add or deny privileges to that user using the new pg_hba_rule stuff, and then attempt to connect via psql -h? This test is good--it confirms that we're writing something to the correct file--but it doesn't actually validate the syntax of the data we're writing.
Yes of course, we can give it a try.
I haven't tested this myself yet but I really like the API. I'm a The one improvement that occurred to me is validating the type & -Josh On 02/11/2013 12:12 PM, Ken Barber wrote:
@kbarber this looks reasonable to me, though I must admit that you're using some patterns here that I'm not very experienced with so I have to defer to your judgment to some degree. It will be interesting to see if any of the authors of the other pull requests have any input! My few minor comments:
I couldn't think of a better solution either. Having said that, the class based API could be changed after this PR to perhaps allow us to pass an array of hashes, pre-ordered as opposed to the current ipv4acl mechanism which just takes strings of rule lines. Then the order could be explicitly based on the array. I didn't want to do such a change to the class this time around, but we could explore it later on as an option.
Yes, this can be done.
I'm on it.
You are right of course, my feelings on the tests directory are secondary - it's the status quo and we should continue to maintain it, or debate removing it in another ticket/PR and do it properly. Thanks everyone for your comments ...
@cprice-puppet @jhoblitt I think I've captured the things you've asked for, and I've pushed a new update to this branch. I also caught a bug with the 'service postgresql reload' call with the new system test you asked me to add @cprice-puppet so 👍. Let me know if there is anything else you need.
This patch provides a more advanced way of managing pg_hba rules, by providing a defined resource to manage a pg_hba file, and a defined resource for managing rules within such a file (pg_hba_rule). These new resources are wrappers around ripinaar-concat, and utilise file assemblies instead of a template to compose the pg_hba.conf file. I've provided a function that interprets the old ip4|6acl arrays and converts them to this new format for backwards compatibility as well. I slightly reformatted our documentation to allow for better documentation of defined resources in 'Usage' as well, and provided examples of how to use this new resource. This hopefully should go a long way to solving the PR's related to lack of full functionality for pg_hba.conf. Signed-off-by: Ken Barber <[email protected]>
While this worked fine in Ubuntu, it failed silently in CentOS. The script is really designed to be run as root, so removing the user property. This was failing our new pg_hba_rule tests without it. Signed-off-by: Ken Barber <[email protected]>
Provide new defined resources for managing pg_hba.conf
This patch provides a more advanced way of managing pg_hba rules, by providing a
defined resource to manage a pg_hba file, and a defined resource for managing
rules within such a file (pg_hba_rule).
These new resources are wrappers around ripinaar-concat, and utilise file
assemblies instead of a template to compose the pg_hba.conf file.
I've provided a function that interprets the old ip4|6acl arrays and converts
them to this new format for backwards compatibility as well.
I slightly reformatted our documentation to allow for better documentation of
defined resources in 'Usage' as well, and provided examples of how to use this
new resource.
This hopefully should go a long way to solving the PR's related to lack of full
functionality for pg_hba.conf.
Signed-off-by: Ken Barber [email protected]
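
The review comments above raise two things: checking that the lines written to pg_hba.conf are syntactically valid, and rule ordering. The following is an added example, not code from this pull request or the module, that lints assembled rule lines for both. The type and auth-method lists, the sample lines and the function names are assumptions made for illustration.

```ruby
# Added example, not module code. Assumes unquoted, whitespace-separated fields.
TYPES   = %w[local host hostssl hostnossl].freeze
METHODS = %w[trust reject md5 password scram-sha-256 gss sspi ident peer
             ldap radius cert pam].freeze

# Parse one pg_hba.conf line into a hash; returns nil for blank/comment lines.
def parse_rule(line)
  type, db, user, *rest = line.sub(/#.*/, '').split
  return nil if type.nil?
  raise ArgumentError, "unknown type #{type.inspect}" unless TYPES.include?(type)
  raise ArgumentError, 'missing database or user' if user.nil?
  address = nil
  unless type == 'local'
    address = rest.shift or raise ArgumentError, 'missing address'
    # Old-style "IP NETMASK" addresses (IPv4 only here) occupy two fields.
    if !address.include?('/') && rest.first.to_s.match?(/\A[\d.]+\z/)
      address = "#{address} #{rest.shift}"
    end
  end
  method = rest.shift
  raise ArgumentError, "unknown auth method #{method.inspect}" unless METHODS.include?(method)
  { type: type, database: db, user: user, address: address, method: method, options: rest }
end

# Return [line_number, message] pairs for syntax errors and ordering problems.
def lint(lines)
  seen = {}
  findings = []
  lines.each_with_index do |line, i|
    begin
      rule = parse_rule(line)
    rescue ArgumentError => e
      findings << [i + 1, "syntax: #{e.message}"]
    end
    next if rule.nil?
    # PostgreSQL uses the first matching rule, so a repeated match key is dead.
    key = rule.values_at(:type, :database, :user, :address)
    if seen[key]
      findings << [i + 1, "shadowed by line #{seen[key]} (first match wins)"]
    else
      seen[key] = i + 1
    end
    if rule[:method] == 'trust' && rule[:type] != 'local'
      findings << [i + 1, 'trust method on a network rule']
    end
  end
  findings
end

# Constructed sample input, not taken from the pull request.
SAMPLE = ['# TYPE DATABASE USER ADDRESS METHOD', 'local all postgres peer',
          'host app app 10.0.0.0/8 md5', 'host app app 10.0.0.0/8 reject',
          'hots all all 0.0.0.0/0 md5',
          'host all all 192.168.1.0 255.255.255.0 trust'].freeze
```

A check like this only covers the file's text; connecting with psql, as the review suggests, is still what confirms the server accepts and applies the rules.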