Add support for host based authentication

This addresses #3
2016-10-03 10:32:54 +01:00 · 2016-10-03 10:32:54 +01:00 · 4f234f16ca
parent d7954de61a
commit 4f234f16ca
4 changed files with 37 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -37,6 +37,18 @@ The directories (usually one, but can be multiple) where PostgreSQL's socket wil

 Global configuration options that will be set in `postgresql.conf`. Note that for RHEL/CentOS 6 (or very old versions of PostgreSQL), you need to at least override this variable and set the `option` to `unix_socket_directory`.

+    postgresql_hba_entries:
+      - type: host # required; local, host, hostssl or hostnossl
+        database: exampledb # required
+        user: jdoe # required
+        address: 192.0.2.0/24 # either this or ip_address / ip_mask are required unless type is 'local'
+        ip_address: # alternative to 'address'
+        ip_mask: # alternative to 'address'
+        auth_method: # required
+        auth_options: # optional
+
+Configure [host based authentication](https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) entries to be set in the `pg_hba.conf`. 
+
    postgresql_locales:
      - 'en_US.UTF-8'

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -13,6 +13,13 @@ postgresql_global_config_options:
  - option: unix_socket_directories
    value: '{{ postgresql_unix_socket_directories | join(",") }}'

+# Host based authentication (hba) entries to be added to the pg_hba.conf.
+postgresql_hba_entries:
+  - type: local
+    database: all
+    user: all
+    auth_method: trust
+
 # Debian only. Used to generate the locales used by PostgreSQL databases.
 postgresql_locales:
  - 'en_US.UTF-8'
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@ -8,6 +8,15 @@
  with_items: "{{ postgresql_global_config_options }}"
  notify: restart postgresql

+- name: Configure host based authentication.
+  template:
+    src: "templates/pg_hba.conf.j2"
+    dest: "{{ postgresql_config_path }}/pg_hba.conf"
+    owner: "{{ postgresql_user }}"
+    group: "{{ postgresql_group }}"
+    mode: 0600
+  notify: restart postgresql
+
 - name: Ensure PostgreSQL unix socket dirs exist.
  file:
    path: "{{ item }}"
--- a/templates/pg_hba.conf.j2
+++ b/templates/pg_hba.conf.j2
@ -0,0 +1,9 @@
+{{ ansible_managed | comment }}
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
+
+{% for client in postgresql_hba_entries %}
+{{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
+{% endfor %}