def test_encrypt_passwords(self): self.assertEqual( postgres._maybe_encrypt_password( 'foo', 'bar', False), 'bar') self.assertEqual( postgres._maybe_encrypt_password( 'foo', 'bar', True), 'md596948aad3fcae80c08a35c9b5958cd89')
def present(name, createdb=None, createroles=None, createuser=None, encrypted=None, superuser=None, replication=None, inherit=None, login=None, password=None, default_password=None, refresh_password=None, groups=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None): ''' Ensure that the named user is present with the specified privileges Please note that the user/group notion in postgresql is just abstract, we have roles, where users can be seens as roles with the LOGIN privilege and groups the others. name The name of the user to manage createdb Is the user allowed to create databases? createroles Is the user allowed to create other users? createuser Alias to create roles encrypted Should the password be encrypted in the system catalog? login Should the group have login perm inherit Should the group inherit permissions superuser Should the new user be a "superuser" replication Should the new user be allowed to initiate streaming replication password The user's password It can be either a plain string or a md5 postgresql hashed password:: 'md5{MD5OF({password}{role}}' If encrypted is None or True, the password will be automatically encrypted to the previous format if it is not already done. default_passwoord The password used only when creating the user, unless password is set. .. versionadded:: Boron refresh_password Password refresh flag Boolean attribute to specify whether to password comparison check should be performed. If refresh_password is None or False, the password will be automatically updated without extra password change check. This behaviour makes it possible to execute in environments without superuser access available, e.g. Amazon RDS for PostgreSQL groups A string of comma separated groups the user should be in user System user all operations should be performed on behalf of .. versionadded:: 0.17.0 db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default ''' ret = {'name': name, 'changes': {}, 'result': True, 'comment': 'User {0} is already present'.format(name)} if createuser: createroles = True # default to encrypted passwords if encrypted is not False: encrypted = postgres._DEFAULT_PASSWORDS_ENCRYPTION # maybe encrypt if if not already and necessary password = postgres._maybe_encrypt_password(name, password, encrypted=encrypted) if default_password is not None: default_password = postgres._maybe_encrypt_password(name, password, encrypted=encrypted) db_args = { 'maintenance_db': maintenance_db, 'runas': user, 'host': db_host, 'user': db_user, 'port': db_port, 'password': db_password, } # check if user exists mode = 'create' user_attr = __salt__['postgres.role_get']( name, return_password=not refresh_password, **db_args) if user_attr is not None: mode = 'update' # The user is not present, make it! cret = None update = {} if mode == 'update': user_groups = user_attr.get('groups', []) if ( createdb is not None and user_attr['can create databases'] != createdb ): update['createdb'] = createdb if ( inherit is not None and user_attr['inherits privileges'] != inherit ): update['inherit'] = inherit if login is not None and user_attr['can login'] != login: update['login'] = login if ( createroles is not None and user_attr['can create roles'] != createroles ): update['createroles'] = createroles if ( replication is not None and user_attr['replication'] != replication ): update['replication'] = replication if superuser is not None and user_attr['superuser'] != superuser: update['superuser'] = superuser if password is not None and (refresh_password or user_attr['password'] != password): update['password'] = True if groups is not None: lgroups = groups if isinstance(groups, (six.string_types, six.text_type)): lgroups = lgroups.split(',') if isinstance(lgroups, list): missing_groups = [a for a in lgroups if a not in user_groups] if missing_groups: update['groups'] = missing_groups if mode == 'create' and password is None: password = default_password if mode == 'create' or (mode == 'update' and update): if __opts__['test']: if update: ret['changes'][name] = update ret['result'] = None ret['comment'] = 'User {0} is set to be {1}d'.format(name, mode) return ret cret = __salt__['postgres.user_{0}'.format(mode)]( username=name, createdb=createdb, createroles=createroles, encrypted=encrypted, superuser=superuser, login=login, inherit=inherit, replication=replication, rolepassword=password, groups=groups, **db_args) else: cret = None if cret: ret['comment'] = 'The user {0} has been {1}d'.format(name, mode) if update: ret['changes'][name] = update else: ret['changes'][name] = 'Present' elif cret is not None: ret['comment'] = 'Failed to create user {0}'.format(name) ret['result'] = False else: ret['result'] = True return ret
def present(name, createdb=None, createroles=None, createuser=None, encrypted=None, superuser=None, replication=None, inherit=None, login=None, password=None, default_password=None, refresh_password=None, groups=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None): ''' Ensure that the named user is present with the specified privileges Please note that the user/group notion in postgresql is just abstract, we have roles, where users can be seens as roles with the LOGIN privilege and groups the others. name The name of the system user to manage. createdb Is the user allowed to create databases? createroles Is the user allowed to create other users? createuser Alias to create roles encrypted Should the password be encrypted in the system catalog? login Should the group have login perm inherit Should the group inherit permissions superuser Should the new user be a "superuser" replication Should the new user be allowed to initiate streaming replication password The system user's password. It can be either a plain string or a md5 postgresql hashed password:: 'md5{MD5OF({password}{role}}' If encrypted is None or True, the password will be automatically encrypted to the previous format if it is not already done. default_passwoord The password used only when creating the user, unless password is set. .. versionadded:: 2016.3.0 refresh_password Password refresh flag Boolean attribute to specify whether to password comparison check should be performed. If refresh_password is ``True``, the password will be automatically updated without extra password change check. This behaviour makes it possible to execute in environments without superuser access available, e.g. Amazon RDS for PostgreSQL groups A string of comma separated groups the user should be in user System user all operations should be performed on behalf of .. versionadded:: 0.17.0 db_user Postres database username, if different from config or default. db_password Postgres user's password, if any password, for a specified db_user. db_host Postgres database host, if different from config or default. db_port Postgres database port, if different from config or default. ''' ret = {'name': name, 'changes': {}, 'result': True, 'comment': 'User {0} is already present'.format(name)} if createuser: createroles = True # default to encrypted passwords if encrypted is not False: encrypted = postgres._DEFAULT_PASSWORDS_ENCRYPTION # maybe encrypt if if not already and necessary password = postgres._maybe_encrypt_password(name, password, encrypted=encrypted) if default_password is not None: default_password = postgres._maybe_encrypt_password(name, default_password, encrypted=encrypted) db_args = { 'maintenance_db': maintenance_db, 'runas': user, 'host': db_host, 'user': db_user, 'port': db_port, 'password': db_password, } # check if user exists mode = 'create' user_attr = __salt__['postgres.role_get']( name, return_password=not refresh_password, **db_args) if user_attr is not None: mode = 'update' # The user is not present, make it! cret = None update = {} if mode == 'update': user_groups = user_attr.get('groups', []) if ( createdb is not None and user_attr['can create databases'] != createdb ): update['createdb'] = createdb if ( inherit is not None and user_attr['inherits privileges'] != inherit ): update['inherit'] = inherit if login is not None and user_attr['can login'] != login: update['login'] = login if ( createroles is not None and user_attr['can create roles'] != createroles ): update['createroles'] = createroles if ( replication is not None and user_attr['replication'] != replication ): update['replication'] = replication if superuser is not None and user_attr['superuser'] != superuser: update['superuser'] = superuser if password is not None and (refresh_password or user_attr['password'] != password): update['password'] = True if groups is not None: lgroups = groups if isinstance(groups, (six.string_types, six.text_type)): lgroups = lgroups.split(',') if isinstance(lgroups, list): missing_groups = [a for a in lgroups if a not in user_groups] if missing_groups: update['groups'] = missing_groups if mode == 'create' and password is None: password = default_password if mode == 'create' or (mode == 'update' and update): if __opts__['test']: if update: ret['changes'][name] = update ret['result'] = None ret['comment'] = 'User {0} is set to be {1}d'.format(name, mode) return ret cret = __salt__['postgres.user_{0}'.format(mode)]( username=name, createdb=createdb, createroles=createroles, encrypted=encrypted, superuser=superuser, login=login, inherit=inherit, replication=replication, rolepassword=password, groups=groups, **db_args) else: cret = None if cret: ret['comment'] = 'The user {0} has been {1}d'.format(name, mode) if update: ret['changes'][name] = update else: ret['changes'][name] = 'Present' elif cret is not None: ret['comment'] = 'Failed to create user {0}'.format(name) ret['result'] = False else: ret['result'] = True return ret
def present(name, createdb=None, createroles=None, createuser=None, encrypted=None, superuser=None, inherit=None, login=None, replication=None, password=None, refresh_password=None, groups=None, runas=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None): ''' Ensure that the named group is present with the specified privileges Please note that the user/group notion in postgresql is just abstract, we have roles, where users can be seens as roles with the LOGIN privilege and groups the others. name The name of the group to manage createdb Is the group allowed to create databases? createroles Is the group allowed to create other roles/users createuser Alias to create roles, and history problem, in pgsql normally createuser == superuser encrypted Should the password be encrypted in the system catalog? login Should the group have login perm inherit Should the group inherit permissions superuser Should the new group be a "superuser" replication Should the new group be allowed to initiate streaming replication password The Group's password It can be either a plain string or a md5 postgresql hashed password:: 'md5{MD5OF({password}{role}}' If encrypted is None or True, the password will be automatically encrypted to the previous format if it is not already done. refresh_password Password refresh flag Boolean attribute to specify whether to password comparison check should be performed. If refresh_password is None or False, the password will be automatically updated without extra password change check. This behaviour allows to execute in environments without superuser access available, e.g. Amazon RDS for PostgreSQL groups A string of comma separated groups the group should be in runas System user all operations should be performed on behalf of .. deprecated:: 0.17.0 user System user all operations should be performed on behalf of .. versionadded:: 0.17.0 db_user database username if different from config or defaul db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default ''' ret = {'name': name, 'changes': {}, 'result': True, 'comment': 'Group {0} is already present'.format(name)} salt.utils.warn_until( 'Lithium', 'Please remove \'runas\' support at this stage. \'user\' support was ' 'added in 0.17.0', _dont_call_warnings=True ) if createuser: createroles = True # default to encrypted passwords if encrypted is not False: encrypted = postgres._DEFAULT_PASSWORDS_ENCRYPTION # maybe encrypt if if not already and necessary password = postgres._maybe_encrypt_password(name, password, encrypted=encrypted) if runas: # Warn users about the deprecation ret.setdefault('warnings', []).append( 'The \'runas\' argument is being deprecated in favor of \'user\', ' 'please update your state files.' ) if user is not None and runas is not None: # user wins over runas but let warn about the deprecation. ret.setdefault('warnings', []).append( 'Passed both the \'runas\' and \'user\' arguments. Please don\'t. ' '\'runas\' is being ignored in favor of \'user\'.' ) runas = None elif runas is not None: # Support old runas usage user = runas runas = None db_args = { 'maintenance_db': maintenance_db, 'runas': user, 'host': db_host, 'user': db_user, 'port': db_port, 'password': db_password, } # check if group exists mode = 'create' group_attr = __salt__['postgres.role_get']( name, return_password=not refresh_password, **db_args) if group_attr is not None: mode = 'update' # The user is not present, make it! cret = None update = {} if mode == 'update': if ( createdb is not None and group_attr['can create databases'] != createdb ): update['createdb'] = createdb if ( inherit is not None and group_attr['inherits privileges'] != inherit ): update['inherit'] = inherit if login is not None and group_attr['can login'] != login: update['login'] = login if ( createroles is not None and group_attr['can create roles'] != createroles ): update['createroles'] = createroles if ( replication is not None and group_attr['replication'] != replication ): update['replication'] = replication if superuser is not None and group_attr['superuser'] != superuser: update['superuser'] = superuser if password is not None and (refresh_password or group_attr['password'] != password): update['password'] = True if mode == 'create' or (mode == 'update' and update): if __opts__['test']: if update: ret['changes'][name] = update ret['result'] = None ret['comment'] = 'Group {0} is set to be {1}d'.format(name, mode) return ret cret = __salt__['postgres.group_{0}'.format(mode)]( groupname=name, createdb=createdb, createroles=createroles, encrypted=encrypted, login=login, inherit=inherit, superuser=superuser, replication=replication, rolepassword=password, groups=groups, **db_args) else: cret = None if cret: ret['comment'] = 'The group {0} has been {1}d'.format(name, mode) if update: ret['changes'][name] = update elif cret is not None: ret['comment'] = 'Failed to create group {0}'.format(name) ret['result'] = False else: ret['result'] = True return ret
def present(name, createdb=None, createroles=None, createuser=None, encrypted=None, superuser=None, inherit=None, login=None, replication=None, password=None, groups=None, runas=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None): ''' Ensure that the named group is present with the specified privileges Please note that the user/group notion in postgresql is just abstract, we have roles, where users can be seens as roles with the LOGIN privilege and groups the others. name The name of the group to manage createdb Is the group allowed to create databases? createroles Is the group allowed to create other roles/users createuser Alias to create roles, and history problem, in pgsql normally createuser == superuser encrypted Should the password be encrypted in the system catalog? login Should the group have login perm inherit Should the group inherit permissions superuser Should the new group be a "superuser" replication Should the new group be allowed to initiate streaming replication password The Group's password It can be either a plain string or a md5 postgresql hashed password:: 'md5{MD5OF({password}{role}}' If encrypted is None or True, the password will be automatically encrypted to the previous format if it is not already done. groups A string of comma separated groups the group should be in runas System user all operations should be performed on behalf of .. deprecated:: 0.17.0 user System user all operations should be performed on behalf of .. versionadded:: 0.17.0 db_user database username if different from config or defaul db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default ''' ret = { 'name': name, 'changes': {}, 'result': True, 'comment': 'Group {0} is already present'.format(name) } salt.utils.warn_until( 'Lithium', 'Please remove \'runas\' support at this stage. \'user\' support was ' 'added in 0.17.0', _dont_call_warnings=True) if createuser: createroles = True # default to encrypted passwords if encrypted is not False: encrypted = postgres._DEFAULT_PASSWORDS_ENCRYPTION # maybe encrypt if if not already and necessary password = postgres._maybe_encrypt_password(name, password, encrypted=encrypted) if runas: # Warn users about the deprecation ret.setdefault('warnings', []).append( 'The \'runas\' argument is being deprecated in favor of \'user\', ' 'please update your state files.') if user is not None and runas is not None: # user wins over runas but let warn about the deprecation. ret.setdefault('warnings', []).append( 'Passed both the \'runas\' and \'user\' arguments. Please don\'t. ' '\'runas\' is being ignored in favor of \'user\'.') runas = None elif runas is not None: # Support old runas usage user = runas runas = None db_args = { 'maintenance_db': maintenance_db, 'runas': user, 'host': db_host, 'user': db_user, 'port': db_port, 'password': db_password, } # check if group exists mode = 'create' group_attr = __salt__['postgres.role_get'](name, return_password=True, **db_args) if group_attr is not None: mode = 'update' # The user is not present, make it! cret = None update = {} if mode == 'update': if (createdb is not None and group_attr['can create databases'] != createdb): update['createdb'] = createdb if (inherit is not None and group_attr['inherits privileges'] != inherit): update['inherit'] = inherit if login is not None and group_attr['can login'] != login: update['login'] = login if (createroles is not None and group_attr['can create roles'] != createroles): update['createroles'] = createroles if (replication is not None and group_attr['replication'] != replication): update['replication'] = replication if superuser is not None and group_attr['superuser'] != superuser: update['superuser'] = superuser if password is not None and group_attr['password'] != password: update['password'] = True if mode == 'create' or (mode == 'update' and update): if __opts__['test']: if update: ret['changes'][name] = update ret['result'] = None ret['comment'] = 'Group {0} is set to be {1}d'.format(name, mode) return ret cret = __salt__['postgres.group_{0}'.format(mode)]( groupname=name, createdb=createdb, createroles=createroles, encrypted=encrypted, login=login, inherit=inherit, superuser=superuser, replication=replication, rolepassword=password, groups=groups, **db_args) else: cret = None if cret: ret['comment'] = 'The group {0} has been {1}d'.format(name, mode) if update: ret['changes'][name] = update elif cret is not None: ret['comment'] = 'Failed to create group {0}'.format(name) ret['result'] = False else: ret['result'] = True return ret
def present( name, createdb=None, createroles=None, encrypted=None, superuser=None, replication=None, inherit=None, login=None, password=None, default_password=None, refresh_password=None, valid_until=None, groups=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None, ): """ Ensure that the named user is present with the specified privileges Please note that the user/group notion in postgresql is just abstract, we have roles, where users can be seens as roles with the LOGIN privilege and groups the others. name The name of the system user to manage. createdb Is the user allowed to create databases? createroles Is the user allowed to create other users? encrypted Should the password be encrypted in the system catalog? login Should the group have login perm inherit Should the group inherit permissions superuser Should the new user be a "superuser" replication Should the new user be allowed to initiate streaming replication password The system user's password. It can be either a plain string or a md5 postgresql hashed password:: 'md5{MD5OF({password}{role}}' If encrypted is None or True, the password will be automatically encrypted to the previous format if it is not already done. default_password The password used only when creating the user, unless password is set. .. versionadded:: 2016.3.0 refresh_password Password refresh flag Boolean attribute to specify whether to password comparison check should be performed. If refresh_password is ``True``, the password will be automatically updated without extra password change check. This behaviour makes it possible to execute in environments without superuser access available, e.g. Amazon RDS for PostgreSQL valid_until A date and time after which the role's password is no longer valid. groups A string of comma separated groups the user should be in user System user all operations should be performed on behalf of .. versionadded:: 0.17.0 db_user Postgres database username, if different from config or default. db_password Postgres user's password, if any password, for a specified db_user. db_host Postgres database host, if different from config or default. db_port Postgres database port, if different from config or default. """ ret = { "name": name, "changes": {}, "result": True, "comment": "User {0} is already present".format(name), } # default to encrypted passwords if encrypted is not False: encrypted = postgres._DEFAULT_PASSWORDS_ENCRYPTION # maybe encrypt if it's not already and necessary password = postgres._maybe_encrypt_password(name, password, encrypted=encrypted) if default_password is not None: default_password = postgres._maybe_encrypt_password( name, default_password, encrypted=encrypted ) db_args = { "maintenance_db": maintenance_db, "runas": user, "host": db_host, "user": db_user, "port": db_port, "password": db_password, } # check if user exists mode = "create" user_attr = __salt__["postgres.role_get"]( name, return_password=not refresh_password, **db_args ) if user_attr is not None: mode = "update" cret = None update = {} if mode == "update": user_groups = user_attr.get("groups", []) if createdb is not None and user_attr["can create databases"] != createdb: update["createdb"] = createdb if inherit is not None and user_attr["inherits privileges"] != inherit: update["inherit"] = inherit if login is not None and user_attr["can login"] != login: update["login"] = login if createroles is not None and user_attr["can create roles"] != createroles: update["createroles"] = createroles if replication is not None and user_attr["replication"] != replication: update["replication"] = replication if superuser is not None and user_attr["superuser"] != superuser: update["superuser"] = superuser if password is not None and ( refresh_password or user_attr["password"] != password ): update["password"] = True if valid_until is not None: valid_until_dt = __salt__["postgres.psql_query"]( "SELECT '{0}'::timestamp(0) as dt;".format( valid_until.replace("'", "''") ), **db_args )[0]["dt"] try: valid_until_dt = datetime.datetime.strptime( valid_until_dt, "%Y-%m-%d %H:%M:%S" ) except ValueError: valid_until_dt = None if valid_until_dt != user_attr["expiry time"]: update["valid_until"] = valid_until if groups is not None: lgroups = groups if isinstance(groups, (six.string_types, six.text_type)): lgroups = lgroups.split(",") if isinstance(lgroups, list): missing_groups = [a for a in lgroups if a not in user_groups] if missing_groups: update["groups"] = missing_groups if mode == "create" and password is None: password = default_password if mode == "create" or (mode == "update" and update): if __opts__["test"]: if update: ret["changes"][name] = update ret["result"] = None ret["comment"] = "User {0} is set to be {1}d".format(name, mode) return ret cret = __salt__["postgres.user_{0}".format(mode)]( username=name, createdb=createdb, createroles=createroles, encrypted=encrypted, superuser=superuser, login=login, inherit=inherit, replication=replication, rolepassword=password, valid_until=valid_until, groups=groups, **db_args ) else: cret = None if cret: ret["comment"] = "The user {0} has been {1}d".format(name, mode) if update: ret["changes"][name] = update else: ret["changes"][name] = "Present" elif cret is not None: ret["comment"] = "Failed to create user {0}".format(name) ret["result"] = False else: ret["result"] = True return ret
def present( name, createdb=None, createroles=None, encrypted=None, superuser=None, inherit=None, login=None, replication=None, password=None, refresh_password=None, groups=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None, ): """ Ensure that the named group is present with the specified privileges Please note that the user/group notion in postgresql is just abstract, we have roles, where users can be seen as roles with the ``LOGIN`` privilege and groups the others. name The name of the group to manage createdb Is the group allowed to create databases? createroles Is the group allowed to create other roles/users encrypted How the password should be stored. If encrypted is ``None``, ``True``, or ``md5``, it will use PostgreSQL's MD5 algorithm. If encrypted is ``False``, it will be stored in plaintext. If encrypted is ``scram-sha-256``, it will use the algorithm described in RFC 7677. .. versionchanged:: 3003 Prior versions only supported ``True`` and ``False`` login Should the group have login perm inherit Should the group inherit permissions superuser Should the new group be a "superuser" replication Should the new group be allowed to initiate streaming replication password The group's password. It can be either a plain string or a pre-hashed password:: 'md5{MD5OF({password}{role}}' 'SCRAM-SHA-256${iterations}:{salt}${stored_key}:{server_key}' If encrypted is not ``False``, then the password will be converted to the appropriate format above, if not already. As a consequence, passwords that start with "md5" or "SCRAM-SHA-256" cannot be used. refresh_password Password refresh flag Boolean attribute to specify whether to password comparison check should be performed. If refresh_password is ``True``, the password will be automatically updated without extra password change check. This behaviour makes it possible to execute in environments without superuser access available, e.g. Amazon RDS for PostgreSQL groups A string of comma separated groups the group should be in user System user all operations should be performed on behalf of .. versionadded:: 0.17.0 db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default """ ret = { "name": name, "changes": {}, "result": True, "comment": "Group {} is already present".format(name), } # default to encrypted passwords if encrypted is None: encrypted = postgres._DEFAULT_PASSWORDS_ENCRYPTION db_args = { "maintenance_db": maintenance_db, "runas": user, "host": db_host, "user": db_user, "port": db_port, "password": db_password, } # check if group exists mode = "create" group_attr = __salt__["postgres.role_get"]( name, return_password=not refresh_password, **db_args) if group_attr is not None: mode = "update" if password is not None: if (mode == "update" and not refresh_password and postgres._verify_password( name, password, group_attr["password"], encrypted)): # if password already matches then don't touch it password = None else: # encrypt password if necessary password = postgres._maybe_encrypt_password(name, password, encrypted=encrypted) # The user is not present, make it! update = {} if mode == "update": role_groups = group_attr.get("groups", []) if createdb is not None and group_attr[ "can create databases"] != createdb: update["createdb"] = createdb if inherit is not None and group_attr["inherits privileges"] != inherit: update["inherit"] = inherit if login is not None and group_attr["can login"] != login: update["login"] = login if createroles is not None and group_attr[ "can create roles"] != createroles: update["createroles"] = createroles if replication is not None and group_attr["replication"] != replication: update["replication"] = replication if superuser is not None and group_attr["superuser"] != superuser: update["superuser"] = superuser if password is not None: update["password"] = True if groups is not None: lgroups = groups if isinstance(groups, str): lgroups = lgroups.split(",") if isinstance(lgroups, list): missing_groups = [a for a in lgroups if a not in role_groups] if missing_groups: update["groups"] = missing_groups if mode == "create" or (mode == "update" and update): if __opts__["test"]: if update: ret["changes"][name] = update ret["result"] = None ret["comment"] = "Group {} is set to be {}d".format(name, mode) return ret cret = __salt__["postgres.group_{}".format(mode)]( groupname=name, createdb=createdb, createroles=createroles, encrypted=encrypted, login=login, inherit=inherit, superuser=superuser, replication=replication, rolepassword=password, groups=groups, **db_args) else: cret = None if cret: ret["comment"] = "The group {} has been {}d".format(name, mode) if update: ret["changes"][name] = update else: ret["changes"][name] = "Present" elif cret is not None: ret["comment"] = "Failed to {} group {}".format(mode, name) ret["result"] = False else: ret["result"] = True return ret
def present( name, createdb=None, createroles=None, encrypted=None, superuser=None, inherit=None, login=None, replication=None, password=None, refresh_password=None, groups=None, user=None, maintenance_db=None, db_password=None, db_host=None, db_port=None, db_user=None, ): """ Ensure that the named group is present with the specified privileges Please note that the user/group notion in postgresql is just abstract, we have roles, where users can be seen as roles with the ``LOGIN`` privilege and groups the others. name The name of the group to manage createdb Is the group allowed to create databases? createroles Is the group allowed to create other roles/users encrypted Should the password be encrypted in the system catalog? login Should the group have login perm inherit Should the group inherit permissions superuser Should the new group be a "superuser" replication Should the new group be allowed to initiate streaming replication password The group's password It can be either a plain string or a md5 postgresql hashed password:: 'md5{MD5OF({password}{role}}' If encrypted is ``None`` or ``True``, the password will be automatically encrypted to the previous format if it is not already done. refresh_password Password refresh flag Boolean attribute to specify whether to password comparison check should be performed. If refresh_password is ``True``, the password will be automatically updated without extra password change check. This behaviour makes it possible to execute in environments without superuser access available, e.g. Amazon RDS for PostgreSQL groups A string of comma separated groups the group should be in user System user all operations should be performed on behalf of .. versionadded:: 0.17.0 db_user database username if different from config or default db_password user password if any password for a specified user db_host Database host if different from config or default db_port Database port if different from config or default """ ret = { "name": name, "changes": {}, "result": True, "comment": "Group {0} is already present".format(name), } # default to encrypted passwords if encrypted is not False: encrypted = postgres._DEFAULT_PASSWORDS_ENCRYPTION # maybe encrypt if it's not already and necessary password = postgres._maybe_encrypt_password(name, password, encrypted=encrypted) db_args = { "maintenance_db": maintenance_db, "runas": user, "host": db_host, "user": db_user, "port": db_port, "password": db_password, } # check if group exists mode = "create" group_attr = __salt__["postgres.role_get"]( name, return_password=not refresh_password, **db_args ) if group_attr is not None: mode = "update" # The user is not present, make it! cret = None update = {} if mode == "update": if createdb is not None and group_attr["can create databases"] != createdb: update["createdb"] = createdb if inherit is not None and group_attr["inherits privileges"] != inherit: update["inherit"] = inherit if login is not None and group_attr["can login"] != login: update["login"] = login if createroles is not None and group_attr["can create roles"] != createroles: update["createroles"] = createroles if replication is not None and group_attr["replication"] != replication: update["replication"] = replication if superuser is not None and group_attr["superuser"] != superuser: update["superuser"] = superuser if password is not None and ( refresh_password or group_attr["password"] != password ): update["password"] = True if mode == "create" or (mode == "update" and update): if __opts__["test"]: if update: ret["changes"][name] = update ret["result"] = None ret["comment"] = "Group {0} is set to be {1}d".format(name, mode) return ret cret = __salt__["postgres.group_{0}".format(mode)]( groupname=name, createdb=createdb, createroles=createroles, encrypted=encrypted, login=login, inherit=inherit, superuser=superuser, replication=replication, rolepassword=password, groups=groups, **db_args ) else: cret = None if cret: ret["comment"] = "The group {0} has been {1}d".format(name, mode) if update: ret["changes"][name] = update elif cret is not None: ret["comment"] = "Failed to create group {0}".format(name) ret["result"] = False else: ret["result"] = True return ret