(maint) Add read-only user.

Author: Filipovici-Andrei

README.md

@@ -606,25 +606,26 @@ Which database backend to use for the read database. Only supports
 `postgres` (default). This option is supported in PuppetDB >= 1.6.
 
 #### `read_database_host`
-*This parameter must be set to enable the PuppetDB read-database.*
+*This parameter must be set to use another PuppetDB instance for queries.*
 
-The hostname or IP address of the read database server. Defaults to `undef`.
-The default is to use the regular database for reads and writes. This option is
+The hostname or IP address of the read database server. If set to `undef`, 
+it will use the value of the `database_host` parameter. This option is
 supported in PuppetDB >= 1.6.
 
 #### `read_database_port`
 
-The port that the read database server listens on. Defaults to `5432`. This
+The port that the read database server listens on. If `read_database_host`
+is set to `undef`, it will use the value of the `database_port` parameter. This
 option is supported in PuppetDB >= 1.6.
 
 #### `read_database_username`
 
-The name of the read database user to connect as. Defaults to `puppetdb`. This
+The name of the read database user to connect as. Defaults to `puppetdb-read`. This
 option is supported in PuppetDB >= 1.6.
 
 #### `read_database_password`
 
-The password for the read database user. Defaults to `puppetdb`. This option is
+The password for the read database user. Defaults to `puppetdb-read`. This option is
 supported in PuppetDB >= 1.6.
 
 #### `manage_read_db_password`
@@ -635,7 +636,8 @@ Defaults to `true`
 
 #### `read_database_name`
 
-The name of the read database instance to connect to. Defaults to `puppetdb`.
+The name of the read database instance to connect to. If `read_database_host`
+is set to `undef`, it will use the value of the `database_name` parameter.
 This option is supported in PuppetDB >= 1.6.
 
 #### `read_log_slow_statements`

manifests/database/default_read_grant.pp

@@ -0,0 +1,59 @@
+# Private class. Grant read permissions to $database_read_only_username by default, for new tables created by
+# $database_username.
+define puppetdb::database::default_read_grant(
+  String $database_name,
+  String $schema,
+  String $database_username,
+  String $database_read_only_username,
+) {
+  postgresql_psql {"grant default select permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "ALTER DEFAULT PRIVILEGES
+                  FOR USER \"${database_username}\"
+                  IN SCHEMA \"${schema}\"
+                GRANT SELECT ON TABLES
+                  TO \"${database_read_only_username}\"",
+    unless  => "SELECT
+                  ns.nspname,
+                  acl.defaclobjtype,
+                  acl.defaclacl
+                FROM pg_default_acl acl
+                JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid
+                WHERE acl.defaclacl::text ~ '.*\\\\\"${database_read_only_username}\\\\\"=r/${database_username}\\\".*'
+                AND nspname = '${schema}'",
+  }
+
+  postgresql_psql {"grant default usage permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "ALTER DEFAULT PRIVILEGES
+                  FOR USER \"${database_username}\"
+                  IN SCHEMA \"${schema}\"
+                GRANT USAGE ON SEQUENCES
+                  TO \"${database_read_only_username}\"",
+    unless  => "SELECT
+                  ns.nspname,
+                  acl.defaclobjtype,
+                  acl.defaclacl
+                FROM pg_default_acl acl
+                JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid
+                WHERE acl.defaclacl::text ~ '.*\\\\\"${database_read_only_username}\\\\\"=U/${database_username}\\\".*'
+                AND nspname = '${schema}'",
+  }
+
+  postgresql_psql {"grant default execute permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "ALTER DEFAULT PRIVILEGES
+                  FOR USER \"${database_username}\"
+                  IN SCHEMA \"${schema}\"
+                GRANT EXECUTE ON FUNCTIONS
+                  TO \"${database_read_only_username}\"",
+    unless  => "SELECT
+                  ns.nspname,
+                  acl.defaclobjtype,
+                  acl.defaclacl
+                FROM pg_default_acl acl
+                JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid
+                WHERE acl.defaclacl::text ~ '.*\\\\\"${database_read_only_username}\\\\\"=X/${database_username}\\\".*'
+                AND nspname = '${schema}'",
+  }
+}

manifests/database/postgresql.pp

@@ -1,6 +1,6 @@
 # Class for creating the PuppetDB postgresql database. See README.md for more
 # information.
-class puppetdb::database::postgresql(
+class puppetdb::database::postgresql (
   $listen_addresses            = $puppetdb::params::database_host,
   $puppetdb_server             = $puppetdb::params::puppetdb_server,
   $database_name               = $puppetdb::params::database_name,
@@ -14,7 +14,9 @@
   $postgresql_ssl_on           = $puppetdb::params::postgresql_ssl_on,
   $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
   $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
-  $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path
+  $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
+  $read_database_username      = $puppetdb::params::read_database_username,
+  $read_database_password      = $puppetdb::params::read_database_password
 ) inherits puppetdb::params {
 
   if $manage_server {
@@ -35,6 +37,7 @@
       class { 'puppetdb::database::ssl_configuration':
         database_name               => $database_name,
         database_username           => $database_username,
+        read_database_username      => $read_database_username,
         puppetdb_server             => $puppetdb_server,
         postgresql_ssl_key_path     => $postgresql_ssl_key_path,
         postgresql_ssl_cert_path    => $postgresql_ssl_cert_path,
@@ -62,5 +65,28 @@
       password => $database_password,
       grant    => 'all',
     }
+
+    -> postgresql_psql { 'revoke all access on public schema':
+      db      => $database_name,
+      command => 'REVOKE CREATE ON SCHEMA public FROM public',
+      unless  => "SELECT * FROM
+                  (SELECT has_schema_privilege('public', 'public', 'create') can_create) privs
+                WHERE privs.can_create=false",
+    }
+
+    -> postgresql_psql { "grant all permissions to ${database_username}":
+      db      => $database_name,
+      command => "GRANT CREATE ON SCHEMA public TO \"${database_username}\"",
+      unless  => "SELECT * FROM
+                  (SELECT has_schema_privilege('${database_username}', 'public', 'create') can_create) privs
+                WHERE privs.can_create=true",
+    }
+
+    -> puppetdb::database::read_only_user { $read_database_username:
+      read_database_username => $read_database_username,
+      database_name          => $database_name,
+      password_hash          => postgresql::postgresql_password($read_database_username, $read_database_password),
+      database_owner         => $database_username
+    }
   }
-}
+}

manifests/database/postgresql_ssl_rules.pp

@@ -0,0 +1,34 @@
+# Private class for configuring the pg_ident.conf and pg_hba.conf files
+define puppetdb::database::postgresql_ssl_rules (
+  String $database_name,
+  String $database_username,
+  String $puppetdb_server,
+) {
+  $identity_map_key = "${database_name}-${database_username}-map"
+
+  postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv4)":
+    type        => 'hostssl',
+    database    => $database_name,
+    user        => $database_username,
+    address     => '0.0.0.0/0',
+    auth_method => 'cert',
+    order       => 0,
+    auth_option => "map=${identity_map_key} clientcert=1"
+  }
+
+  postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv6)":
+    type        => 'hostssl',
+    database    => $database_name,
+    user        => $database_username,
+    address     => '::0/0',
+    auth_method => 'cert',
+    order       => 0,
+    auth_option => "map=${identity_map_key} clientcert=1"
+  }
+
+  postgresql::server::pg_ident_rule { "Map the SSL certificate of the server as a ${database_username} user":
+    map_name          => $identity_map_key,
+    system_username   => $puppetdb_server,
+    database_username => $database_username,
+  }
+}

manifests/database/read_grant.pp

@@ -0,0 +1,50 @@
+# Private class. Grant read-only permissions to $database_read_only_username for all objects in $schema of
+# $database_name
+define puppetdb::database::read_grant (
+  String $database_name,
+  String $schema,
+  String $database_read_only_username,
+) {
+  postgresql_psql { "grant select permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "GRANT SELECT
+                ON ALL TABLES IN SCHEMA \"${schema}\"
+                TO \"${database_read_only_username}\"",
+    unless  => "SELECT * FROM (
+                  SELECT COUNT(*)
+                  FROM pg_tables
+                  WHERE schemaname='public'
+                    AND has_table_privilege('${database_read_only_username}', schemaname || '.' || tablename, 'SELECT')=false
+                ) x
+                WHERE x.count=0",
+  }
+
+  postgresql_psql { "grant usage permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "GRANT USAGE
+                ON ALL SEQUENCES IN SCHEMA \"${schema}\"
+                TO \"${database_read_only_username}\"",
+    unless  => "SELECT * FROM (
+                  SELECT COUNT(*)
+                  FROM information_schema.sequences
+                  WHERE sequence_schema='public'
+                    AND has_sequence_privilege('${database_read_only_username}', sequence_schema || '.' || sequence_name, 'USAGE')=false
+                ) x
+                WHERE x.count=0",
+  }
+
+  postgresql_psql { "grant execution permission for ${database_read_only_username}":
+    db      => $database_name,
+    command => "GRANT EXECUTE
+                ON ALL FUNCTIONS IN SCHEMA \"${schema}\"
+                TO \"${database_read_only_username}\"",
+    unless  => "SELECT * FROM (
+                  SELECT COUNT(*)
+                  FROM pg_catalog.pg_proc p
+                  LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
+                  WHERE n.nspname='public'
+                    AND has_function_privilege('${database_read_only_username}', p.oid, 'EXECUTE')=false
+                ) x
+                WHERE x.count=0",
+  }
+}

manifests/database/read_only_user.pp

@@ -0,0 +1,44 @@
+# Private class
+# A define type to manage the creation of a read-only postgres users.
+# In particular, it manages the necessary grants to enable such a user
+# to have read-only access to any existing objects as well as changes
+# the default access privileges so read-only access is maintained when
+# new objects are created by the $database_owner
+#
+# @param database_read_only_username [String] The name of the postgres read only user.
+# @param database [String] The name of the database to grant access to.
+# @param database_owner [String] The user which owns the database (i.e. the migration user
+#        for the database).
+# @param password_hash [String] The value of $_database_password in app_database.
+
+define puppetdb::database::read_only_user (
+  String $read_database_username,
+  String $database_name,
+  String $database_owner,
+  Variant[String, Boolean] $password_hash = false,
+) {
+  postgresql::server::role { $read_database_username:
+    password_hash => $password_hash,
+  }
+
+  -> postgresql::server::database_grant { "${database_name} grant connection permission to ${read_database_username}":
+    privilege => 'CONNECT',
+    db        => $database_name,
+    role      => $read_database_username,
+  }
+
+  -> puppetdb::database::default_read_grant {
+    "${database_name} grant read permission on new objects from ${database_owner} to ${read_database_username}":
+      database_username           => $database_owner,
+      database_read_only_username => $read_database_username,
+      database_name               => $database_name,
+      schema                      => 'public',
+  }
+
+  -> puppetdb::database::read_grant {
+    "${database_name} grant read-only permission on existing objects to ${read_database_username}":
+      database_read_only_username => $read_database_username,
+      database_name               => $database_name,
+      schema                      => 'public',
+  }
+}

manifests/database/ssl_configuration.pp

@@ -1,81 +1,64 @@
 # Class for configuring SSL connection for the PuppetDB postgresql database. See README.md for more
 # information.
-class puppetdb::database::ssl_configuration(
+class puppetdb::database::ssl_configuration (
   $database_name               = $puppetdb::params::database_name,
   $database_username           = $puppetdb::params::database_username,
+  $read_database_username      = $puppetdb::params::read_database_username,
   $puppetdb_server             = $puppetdb::params::puppetdb_server,
   $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
   $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
   $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path
 ) inherits puppetdb::params {
-
-  file {'postgres private key':
+  File {
     ensure  => present,
-    path    => "${postgresql::server::datadir}/server.key",
-    source  => $postgresql_ssl_key_path,
     owner   => 'postgres',
     mode    => '0600',
     require => Package['postgresql-server'],
   }
 
-  file {'postgres public key':
-    ensure  => present,
-    path    => "${postgresql::server::datadir}/server.crt",
-    source  => $postgresql_ssl_cert_path,
-    owner   => 'postgres',
-    mode    => '0600',
-    require => Package['postgresql-server'],
+  file { 'postgres private key':
+    path   => "${postgresql::server::datadir}/server.key",
+    source => $postgresql_ssl_key_path,
+  }
+
+  file { 'postgres public key':
+    path   => "${postgresql::server::datadir}/server.crt",
+    source => $postgresql_ssl_cert_path,
   }
 
-  postgresql::server::config_entry {'ssl':
+  postgresql::server::config_entry { 'ssl':
     ensure  => present,
     value   => 'on',
     require => [File['postgres private key'], File['postgres public key']]
   }
 
-  postgresql::server::config_entry {'ssl_cert_file':
+  postgresql::server::config_entry { 'ssl_cert_file':
     ensure  => present,
     value   => "${postgresql::server::datadir}/server.crt",
     require => [File['postgres private key'], File['postgres public key']]
   }
 
-  postgresql::server::config_entry {'ssl_key_file':
+  postgresql::server::config_entry { 'ssl_key_file':
     ensure  => present,
     value   => "${postgresql::server::datadir}/server.key",
     require => [File['postgres private key'], File['postgres public key']]
   }
 
-  postgresql::server::config_entry {'ssl_ca_file':
+  postgresql::server::config_entry { 'ssl_ca_file':
     ensure  => present,
     value   => $postgresql_ssl_ca_cert_path,
     require => [File['postgres private key'], File['postgres public key']]
   }
 
-  $identity_map_key = "${database_name}-${database_username}-map"
-
-  postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv4)":
-    type        => 'hostssl',
-    database    => $database_name,
-    user        => $database_username,
-    address     => '0.0.0.0/0',
-    auth_method => 'cert',
-    order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1"
-  }
-
-  postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as ${database_username} (ipv6)":
-    type        => 'hostssl',
-    database    => $database_name,
-    user        => $database_username,
-    address     => '::0/0',
-    auth_method => 'cert',
-    order       => 0,
-    auth_option => "map=${identity_map_key} clientcert=1"
+  puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${database_username}":
+    database_name     => $database_name,
+    database_username => $database_username,
+    puppetdb_server   => $puppetdb_server,
   }
 
-  postgresql::server::pg_ident_rule {"Map the SSL certificate of the server as a ${database_username} user":
-    map_name          => $identity_map_key,
-    system_username   => $puppetdb_server,
-    database_username => $database_username,
+  puppetdb::database::postgresql_ssl_rules { "Configure postgresql ssl rules for ${read_database_username}":
+    database_name     => $database_name,
+    database_username => $read_database_username,
+    puppetdb_server   => $puppetdb_server,
   }
 }