(maint) Add read-only user.

Author: Filipovici-Andrei

manifests/database/default_read_grant.pp

@@ -0,0 +1,59 @@
+# Grant read permissions to $database_read_only_username by default, for new tables created by
+# $database_username.
+define puppetdb::database::default_read_grant(
+  String $database_name,
+  String $schema,
+  String $database_username,
+  String $database_read_only_username,
+) {
+  postgresql_psql {"grant default select permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "ALTER DEFAULT PRIVILEGES
+                  FOR USER \"${database_username}\"
+                  IN SCHEMA \"${schema}\"
+                GRANT SELECT ON TABLES
+                  TO \"${database_read_only_username}\"",
+    unless  => "SELECT
+                  ns.nspname,
+                  acl.defaclobjtype,
+                  acl.defaclacl
+                FROM pg_default_acl acl
+                JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid
+                WHERE acl.defaclacl::text ~ '.*\\\\\"${database_read_only_username}\\\\\"=r/\\\\\"${database_username}\\\\\".*'
+                AND nspname = '${schema}'",
+  }
+
+  postgresql_psql {"grant default usage permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "ALTER DEFAULT PRIVILEGES
+                  FOR USER \"${database_username}\"
+                  IN SCHEMA \"${schema}\"
+                GRANT USAGE ON SEQUENCES
+                  TO \"${database_read_only_username}\"",
+    unless  => "SELECT
+                  ns.nspname,
+                  acl.defaclobjtype,
+                  acl.defaclacl
+                FROM pg_default_acl acl
+                JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid
+                WHERE acl.defaclacl::text ~ '.*\\\\\"${database_read_only_username}\\\\\"=U/\\\\\"${database_username}\\\\\".*'
+                AND nspname = '${schema}'",
+  }
+
+  postgresql_psql {"grant default execute permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "ALTER DEFAULT PRIVILEGES
+                  FOR USER \"${database_username}\"
+                  IN SCHEMA \"${schema}\"
+                GRANT EXECUTE ON FUNCTIONS
+                  TO \"${database_read_only_username}\"",
+    unless  => "SELECT
+                  ns.nspname,
+                  acl.defaclobjtype,
+                  acl.defaclacl
+                FROM pg_default_acl acl
+                JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid
+                WHERE acl.defaclacl::text ~ '.*\\\\\"${database_read_only_username}\\\\\"=X/\\\\\"${database_username}\\\\\".*'
+                AND nspname = '${schema}'",
+  }
+}

manifests/database/postgresql.pp

@@ -1,6 +1,6 @@
 # Class for creating the PuppetDB postgresql database. See README.md for more
 # information.
-class puppetdb::database::postgresql(
+class puppetdb::database::postgresql (
   $listen_addresses            = $puppetdb::params::database_host,
   $puppetdb_server             = $puppetdb::params::puppetdb_server,
   $database_name               = $puppetdb::params::database_name,
@@ -14,7 +14,9 @@
   $postgresql_ssl_on           = $puppetdb::params::postgresql_ssl_on,
   $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
   $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
-  $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path
+  $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
+  $read_database_username      = $puppetdb::params::read_database_username,
+  $read_database_password      = $puppetdb::params::read_database_password
 ) inherits puppetdb::params {
 
   if $manage_server {
@@ -61,6 +63,29 @@
       user     => $database_username,
       password => $database_password,
       grant    => 'all',
+    } ->
+
+    postgresql_psql { "revoke all access on public schema":
+      db      => $database_name,
+      command => "REVOKE CREATE ON SCHEMA public FROM public",
+      unless  => "SELECT * FROM
+                  (SELECT has_schema_privilege('public', 'public', 'create') can_create) privs
+                WHERE privs.can_create=false",
+    } ->
+
+    postgresql_psql { "grant all permissions to ${database_username}":
+      db      => $database_name,
+      command => "GRANT CREATE ON SCHEMA public TO \"${database_username}\"",
+      unless  => "SELECT * FROM
+                  (SELECT has_schema_privilege('${database_username}', 'public', 'create') can_create) privs
+                WHERE privs.can_create=true",
+    } ->
+
+    puppetdb::database::read_only_user { $read_database_username:
+      read_database_username => $read_database_username,
+      database_name          => $database_name,
+      password_hash          => postgresql::postgresql_password($read_database_username, $read_database_password),
+      database_owner         => $database_username
     }
   }
-}
+}

manifests/database/postgresql_ssl_rules.pp

@@ -0,0 +1,36 @@
+# Private class for configuring the pg_ident.conf and pg_hba.conf files
+define puppetdb::database::postgresql_ssl_rules (
+  String $database_name,
+  String $database_username,
+  String $puppetdb_server,
+) {
+  $identity_map_key = "${database_name}-${database_username}-map"
+
+  postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username}
+     (ipv4)":
+    type        => 'hostssl',
+    database    => $database_name,
+    user        => $database_username,
+    address     => '0.0.0.0/0',
+    auth_method => 'cert',
+    order       => 0,
+    auth_option => "map=${identity_map_key} clientcert=1"
+  }
+
+  postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username}
+     (ipv6)":
+    type        => 'hostssl',
+    database    => $database_name,
+    user        => $database_username,
+    address     => '::0/0',
+    auth_method => 'cert',
+    order       => 0,
+    auth_option => "map=${identity_map_key} clientcert=1"
+  }
+
+  postgresql::server::pg_ident_rule { "Map the SSL certificate of the server as a ${database_username} user":
+    map_name          => $identity_map_key,
+    system_username   => $puppetdb_server,
+    database_username => $database_username,
+  }
+}

manifests/database/read_grant.pp

@@ -0,0 +1,51 @@
+# Grant read-only permissions to $database_read_only_username for all objects in $schema of
+# $database_name
+
+define puppetdb::database::read_grant (
+  String $database_name,
+  String $schema,
+  String $database_read_only_username,
+) {
+  postgresql_psql { "grant select permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "GRANT SELECT
+                ON ALL TABLES IN SCHEMA \"${schema}\"
+                TO \"${database_read_only_username}\"",
+    unless  => "SELECT * FROM (
+                  SELECT COUNT(*)
+                  FROM pg_tables
+                  WHERE schemaname='public'
+                    AND has_table_privilege('${database_read_only_username}', schemaname || '.' || tablename, 'SELECT')=false
+                ) x
+                WHERE x.count=0",
+  }
+
+  postgresql_psql { "grant usage permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "GRANT USAGE
+                ON ALL SEQUENCES IN SCHEMA \"${schema}\"
+                TO \"${database_read_only_username}\"",
+    unless  => "SELECT * FROM (
+                  SELECT COUNT(*)
+                  FROM information_schema.sequences
+                  WHERE sequence_schema='public'
+                    AND has_sequence_privilege('${database_read_only_username}', sequence_schema || '.' || sequence_name, 'USAGE')=false
+                ) x
+                WHERE x.count=0",
+  }
+
+  postgresql_psql { "grant execution permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "GRANT EXECUTE
+                ON ALL FUNCTIONS IN SCHEMA \"${schema}\"
+                TO \"${database_read_only_username}\"",
+    unless  => "SELECT * FROM (
+                  SELECT COUNT(*)
+                  FROM pg_catalog.pg_proc p
+                  LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
+                  WHERE n.nspname='public'
+                    AND has_function_privilege('${database_read_only_username}', p.oid, 'EXECUTE')=false
+                ) x
+                WHERE x.count=0",
+  }
+}

manifests/database/read_only_user.pp

@@ -0,0 +1,43 @@
+# A define type to manage the creation of a read-only postgres users.
+# In particular, it manages the necessary grants to enable such a user
+# to have read-only access to any existing objects as well as changes
+# the default access privileges so read-only access is maintained when
+# new objects are created by the $database_owner
+#
+# @param database_read_only_username [String] The name of the postgres read only user.
+# @param database [String] The name of the database to grant access to.
+# @param database_owner [String] The user which owns the database (i.e. the migration user
+#        for the database).
+# @param password_hash [String] The value of $_database_password in app_database.
+
+define puppetdb::database::read_only_user (
+  String $read_database_username,
+  String $database_name,
+  String $database_owner,
+  Variant[String, Boolean] $password_hash = false,
+) {
+  postgresql::server::role { $read_database_username:
+    password_hash => $password_hash,
+  } ->
+
+  postgresql::server::database_grant { "${database_name} grant connection permission to ${read_database_username}":
+    privilege => 'CONNECT',
+    db        => $database_name,
+    role      => $read_database_username,
+  } ->
+
+  puppetdb::database::default_read_grant {
+    "${database_name} grant read permission on new objects from ${database_owner} to ${read_database_username}":
+      database_username           => $database_owner,
+      database_read_only_username => $read_database_username,
+      database_name               => $database_name,
+      schema                      => 'public',
+  } ->
+
+  puppetdb::database::read_grant {
+    "${database_name} grant read-only permission on existing objects to ${read_database_username}":
+      database_read_only_username => $read_database_username,
+      database_name               => $database_name,
+      schema                      => 'public',
+  }
+}

manifests/database/ssl_configuration.pp

@@ -1,15 +1,16 @@
 # Class for configuring SSL connection for the PuppetDB postgresql database. See README.md for more
 # information.
-class puppetdb::database::ssl_configuration(
+class puppetdb::database::ssl_configuration (
   $database_name               = $puppetdb::params::database_name,
   $database_username           = $puppetdb::params::database_username,
+  $read_database_username      = $puppetdb::params::read_database_username,
   $puppetdb_server             = $puppetdb::params::puppetdb_server,
   $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
   $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
   $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path
 ) inherits puppetdb::params {
 
-  file {'postgres private key':
+  file { 'postgres private key':
     ensure  => present,
     path    => "${postgresql::server::datadir}/server.key",
     source  => $postgresql_ssl_key_path,
@@ -18,7 +19,7 @@
     require => Package['postgresql-server'],
   }
 
-  file {'postgres public key':
+  file { 'postgres public key':
     ensure  => present,
     path    => "${postgresql::server::datadir}/server.crt",
     source  => $postgresql_ssl_cert_path,
@@ -27,55 +28,39 @@
     require => Package['postgresql-server'],
   }
 
-  postgresql::server::config_entry {'ssl':
+  postgresql::server::config_entry { 'ssl':
     ensure  => present,
     value   => 'on',
     require => [File['postgres private key'], File['postgres public key']]
   }
 
-  postgresql::server::config_entry {'ssl_cert_file':
+  postgresql::server::config_entry { 'ssl_cert_file':
     ensure  => present,
     value   => "${postgresql::server::datadir}/server.crt",
     require => [File['postgres private key'], File['postgres public key']]
   }
 
-  postgresql::server::config_entry {'ssl_key_file':
+  postgresql::server::config_entry { 'ssl_key_file':
     ensure  => present,
     value   => "${postgresql::server::datadir}/server.key",
     require => [File['postgres private key'], File['postgres public key']]
   }
 
-  postgresql::server::config_entry {'ssl_ca_file':
+  postgresql::server::config_entry { 'ssl_ca_file':
     ensure  => present,
     value   => $postgresql_ssl_ca_cert_path,
     require => [File['postgres private key'], File['postgres public key']]
   }
 
-  $identity_map_key = "${database_name}-${database_username}-map"
-
-  postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv4)":
-    type        => 'hostssl',
-    database    => $database_name,
-    user        => $database_username,
-    address     => '0.0.0.0/0',
-    auth_method => 'cert',
-    order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1"
-  }
-
-  postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv6)":
-    type        => 'hostssl',
-    database    => $database_name,
-    user        => $database_username,
-    address     => '::0/0',
-    auth_method => 'cert',
-    order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1"
+  puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for $database_username":
+    database_name     => $database_name,
+    database_username => $database_username,
+    puppetdb_server   => $puppetdb_server,
   }
 
-  postgresql::server::pg_ident_rule {"Map the SSL certificate of the server as a ${database_username} user":
-    map_name          => $identity_map_key,
-    system_username   => $puppetdb_server,
-    database_username => $database_username,
+  puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for $read_database_username":
+    database_name     => $database_name,
+    database_username => $read_database_username,
+    puppetdb_server   => $puppetdb_server,
   }
 }

manifests/init.pp

@@ -183,18 +183,23 @@
     }
 
     class { '::puppetdb::database::postgresql':
-      listen_addresses    => $database_listen_address,
-      database_name       => $database_name,
-      puppetdb_server     => $puppetdb_server,
-      database_username   => $database_username,
-      database_password   => $database_password,
-      database_port       => $database_port,
-      manage_server       => $manage_dbserver,
-      manage_database     => $manage_database,
-      manage_package_repo => $manage_package_repo,
-      postgres_version    => $postgres_version,
-      postgresql_ssl_on   => $postgresql_ssl_on,
-      before              => $database_before
+      listen_addresses            => $database_listen_address,
+      database_name               => $database_name,
+      puppetdb_server             => $puppetdb_server,
+      database_username           => $database_username,
+      database_password           => $database_password,
+      database_port               => $database_port,
+      manage_server               => $manage_dbserver,
+      manage_database             => $manage_database,
+      manage_package_repo         => $manage_package_repo,
+      postgres_version            => $postgres_version,
+      postgresql_ssl_on           => $postgresql_ssl_on,
+      postgresql_ssl_key_path     => $postgresql_ssl_key_path,
+      postgresql_ssl_cert_path    => $postgresql_ssl_cert_path,
+      postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,
+      read_database_username      => $read_database_username,
+      read_database_password      => $read_database_password,
+      before                      => $database_before
     }
   }
 }

manifests/params.pp

@@ -61,8 +61,8 @@
   $read_database_host                = undef
   $read_database_port                = '5432'
   $read_database_name                = 'puppetdb'
-  $read_database_username            = 'puppetdb'
-  $read_database_password            = 'puppetdb'
+  $read_database_username            = 'puppetdb-read'
+  $read_database_password            = 'puppetdb-read'
   $manage_read_db_password           = true
   $read_database_jdbc_ssl_properties = ''
   $read_database_validate            = true