pg_role
Overview
This type allows you to manage a role/user in a Postgres database. Here is an example:
    pg_role { 'role_name@instance':
      password  => 'verysecret',
      login     => true,
      create_db => true,
    }
The pg_role type recognises all of the options you also have when using SQL to create a user or a role.
Attributes
| Attribute Name | Short Description |
|---|---|
| bypass | Specifies if the role bypasses every row level security policy. |
| create_db | Specifies if the role can create databases. |
| create_only | The attributes from pg_user you only want to manage when you create a user. |
| create_role | Specifies if the role can create more roles. |
| disable_corrective_change | Disable the modification of a resource when Puppet decides it is a corrective change. |
| disable_corrective_ensure | Disable the creation or removal of a resource when Puppet decides it is a corrective change. |
| ensure | The basic property that the resource should be in. |
| inherit | Specifies if the role automatically inherits privileges of roles it is a member of. |
| instance | Postgres instance to connect to. |
| login | Specifies if the role can log in. |
| max_connections | For roles that can log in, this sets the maximum number of concurrent connections this role can make. |
| name | The user name. |
| oid | The ID of the role. |
| password | The user's password. |
| provider | The specific backend to use for this pg_role resource. |
| replication | Specifies if the role is a replication role. |
| role_name | The role name. |
| super_user | Specifies if the role has superuser privileges. |
| valid_until | Specifies the password expiry time (only used for password authentication). |
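The overview states that the type recognises the same options you have when creating a role in SQL, and the provider works via regular SQL. The following is an added example, not part of the pg module documentation or its provider code: it shows the CREATE ROLE statement that the attributes in the table correspond to, followed by a query against pg_roles to verify what a run actually applied, and a review query for roles with elevated rights or no expiry. The role name app_reporting, the instance name main, the password and the date are constructed sample values.

```sql
-- Added example (not from the pg module). Constructed sample values throughout.
-- Equivalent of this hypothetical manifest:
--   pg_role { 'app_reporting@main':
--     password        => 'verysecret',
--     login           => true,
--     create_db       => false,
--     create_role     => false,
--     super_user      => false,
--     inherit         => true,
--     replication     => false,
--     bypass          => false,
--     max_connections => 20,
--     valid_until     => '2030-01-01 00:00:00+00',
--   }
CREATE ROLE app_reporting
  LOGIN                -- login        => true
  NOCREATEDB           -- create_db    => false
  NOCREATEROLE         -- create_role  => false
  NOSUPERUSER          -- super_user   => false
  INHERIT              -- inherit      => true
  NOREPLICATION        -- replication  => false
  NOBYPASSRLS          -- bypass       => false
  CONNECTION LIMIT 20  -- max_connections => 20 (-1 means no limit)
  PASSWORD 'verysecret'
  VALID UNTIL '2030-01-01 00:00:00+00';  -- valid_until

-- Verify the applied state; the pg_roles columns map one to one onto the attributes.
SELECT rolname,
       rolcanlogin    AS login,
       rolcreatedb    AS create_db,
       rolcreaterole  AS create_role,
       rolsuper       AS super_user,
       rolinherit     AS inherit,
       rolreplication AS replication,
       rolbypassrls   AS bypass,
       rolconnlimit   AS max_connections,
       rolvaliduntil  AS valid_until
  FROM pg_roles
 WHERE rolname = 'app_reporting';

-- Review check: login roles that hold elevated rights or whose password never expires.
SELECT rolname, rolsuper, rolbypassrls, rolcreaterole, rolvaliduntil
  FROM pg_roles
 WHERE rolcanlogin
   AND (rolsuper OR rolbypassrls OR rolcreaterole OR rolvaliduntil IS NULL)
 ORDER BY rolname;
```

Running the second query after a Puppet run is a quick way to confirm that the manifest and the database agree on the boolean attributes; the third query is the one to run when reviewing which managed roles carry superuser, BYPASSRLS or CREATEROLE rights.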
bypass
Specifies if the role bypasses every row level security policy.
Valid values are true, false.
create_db
Specifies if the role can create databases.
Valid values are true, false.
create_only
The attributes from pg_user you only want to manage when you create a user. This is useful when defining a Postgres role for REAL users: users who are supposed to change their own password and account expiry. Here is an example:
    pg_role { 'scott':
      password    => 'secret',
      create_only => ['password'],
    }
When user scott doesn't exist, it will be created. After the first run the property password is not updated anymore, even when there is a difference between the manifest and reality.
create_role
Specifies if the role can create more roles.
Valid values are true, false.
disable_corrective_change
Disable the modification of a resource when Puppet decides it is a corrective change.
(requires easy_type V2.11.0 or higher)
When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur, for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. It can also occur when a hardware or network error occurs: Puppet then cannot correctly determine the current state of the system and thinks the resource has changed, while in fact it has not. Letting Puppet recreate, remove or change the resource in these cases is NOT what you want.
Using the disable_corrective_change parameter, you can disable corrective changes on the current resource.
Here is an example of this:
    crucial_resource {'be_carefull':
      ...
      disable_corrective_change => true,
      ...
    }
When a corrective change does happen on the resource, Puppet will not modify the resource and signals an error:
Error: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change
Error: /Stage[main]/Main/Crucial_resource[be_carefull]/parameter: change from '10' to '20' failed: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change. (corrective)
disable_corrective_ensure
Disable the creation or removal of a resource when Puppet decides it is a corrective change.
(requires easy_type V2.11.0 or higher)
When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur, for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. It can also occur when a hardware or network error occurs: Puppet then cannot correctly determine the current state of the system and thinks the resource has changed, while in fact it has not. Letting Puppet recreate, remove or change the resource in these cases is NOT what you want.
Using the disable_corrective_ensure parameter, you can disable corrective ensure present or ensure absent actions on the current resource.
Here is an example of this:
    crucial_resource {'be_carefull':
      ensure => 'present',
      ...
      disable_corrective_ensure => true,
      ...
    }
When a corrective ensure does happen on the resource, Puppet will not create or remove the resource and signals an error:
Error: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure.
Error: /Stage[main]/Main/Crucial_resource[be_carefull]/ensure: change from 'absent' to 'present' failed: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure. (corrective)
ensure
The basic property that the resource should be in.
Valid values are present, absent.
inherit
Specifies if the role automatically inherits the privileges of roles it is a member of.
Valid values are true, false.
instance
Postgres instance to connect to. All types have a name like resource@instance.
login
Specifies if the role can log in, that is, whether this role can be given as the initial session authorization identifier.
Valid values are true, false.
max_connections
For roles that can log in, this sets the maximum number of concurrent connections this role can make. -1 means no limit.
name
The user name.
oid
The ID of the role.
password
The user’s password.
provider
The specific backend to use for this pg_role resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform. Available providers are:
- simple: Manage Postgres roles in a Postgres database via regular SQL.
replication
Specifies if the role is a replication role. A replication role can initiate replication connections and create and drop replication slots.
Valid values are true, false.
role_name
The role name.
super_user
Specifies if the role has superuser privileges.
Valid values are true, false.
valid_until
Specifies the password expiry time (only used for password authentication).