From eb69def46c78cd41b6b657db793d061de965956d Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mon, 17 Oct 2016 19:22:41 +0000 Subject: First stab at autogenerating replication ips for pg_hba --- inventory/inventory | 6 ++ roles/postgresql_server_bdr/files/pg_hba.conf | 82 ------------------- roles/postgresql_server_bdr/tasks/main.yml | 2 +- roles/postgresql_server_bdr/templates/pg_hba.conf | 96 +++++++++++++++++++++++ 4 files changed, 103 insertions(+), 83 deletions(-) delete mode 100644 roles/postgresql_server_bdr/files/pg_hba.conf create mode 100644 roles/postgresql_server_bdr/templates/pg_hba.conf diff --git a/inventory/inventory b/inventory/inventory index 3680b8c9c..ef8669b0b 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -273,6 +273,12 @@ db-qastg01.qa.fedoraproject.org db-fas01.stg.phx2.fedoraproject.org db01.stg.phx2.fedoraproject.org db03.stg.phx2.fedoraproject.org + +# postgresql bidirectional replication servers +[pgbdr] + +# postgresql bidirectional replication servers (stg) +[pgbdr-stg] db-koji01.stg.phx2.fedoraproject.org db-koji02.stg.phx2.fedoraproject.org pgbdr01.stg.phx2.fedoraproject.org diff --git a/roles/postgresql_server_bdr/files/pg_hba.conf b/roles/postgresql_server_bdr/files/pg_hba.conf deleted file mode 100644 index 665546f9d..000000000 --- a/roles/postgresql_server_bdr/files/pg_hba.conf +++ /dev/null @@ -1,82 +0,0 @@ -# PostgreSQL Client Authentication Configuration File -# =================================================== -# -# Refer to the PostgreSQL Administrator's Guide, chapter "Client -# Authentication" for a complete description. A short synopsis -# follows. -# -# This file controls: which hosts are allowed to connect, how clients -# are authenticated, which PostgreSQL user names they can use, which -# databases they can access. Records take one of these forms: -# -# local DATABASE USER METHOD [OPTION] -# host DATABASE USER CIDR-ADDRESS METHOD [OPTION] -# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION] -# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION] -# -# (The uppercase items must be replaced by actual values.) -# -# The first field is the connection type: "local" is a Unix-domain socket, -# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an -# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket. -# -# DATABASE can be "all", "sameuser", "samerole", a database name, or -# a comma-separated list thereof. -# -# USER can be "all", a user name, a group name prefixed with "+", or -# a comma-separated list thereof. In both the DATABASE and USER fields -# you can also write a file name prefixed with "@" to include names from -# a separate file. -# -# CIDR-ADDRESS specifies the set of hosts the record matches. -# It is made up of an IP address and a CIDR mask that is an integer -# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies -# the number of significant bits in the mask. Alternatively, you can write -# an IP address and netmask in separate columns to specify the set of hosts. -# -# METHOD can be "trust", "reject", "md5", "crypt", "password", -# "krb5", "ident", or "pam". Note that "password" sends passwords -# in clear text; "md5" is preferred since it sends encrypted passwords. -# -# OPTION is the ident map or the name of the PAM service, depending on METHOD. -# -# Database and user names containing spaces, commas, quotes and other special -# characters must be quoted. Quoting one of the keywords "all", "sameuser" or -# "samerole" makes the name lose its special character, and just match a -# database or username with that name. -# -# This file is read on server startup and when the postmaster receives -# a SIGHUP signal. If you edit the file on a running system, you have -# to SIGHUP the postmaster for the changes to take effect. You can use -# "pg_ctl reload" to do that. - -# Put your actual configuration here -# ---------------------------------- -# -# If you want to allow non-local connections, you need to add more -# "host" records. In that case you will also need to make PostgreSQL listen -# on a non-local interface via the listen_addresses configuration parameter, -# or via the -i or -h command line switches. -# - -#@authcomment@ - -# TYPE DATABASE USER CIDR-ADDRESS METHOD - -#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only -#@remove-line-for-nolocal@local all all @authmethod@ -# IPv4 local connections: -#host all all 127.0.0.1/32 @authmethod@ -# IPv6 local connections: -#host all all ::1/128 @authmethod@ - -local all all ident -host koji koji 10.5.126.61 255.255.255.255 md5 -host all all 0.0.0.0 0.0.0.0 md5 -# Note, I can't think of a reason to make this more restrictive than ipv4 but -# only fakefas needs it so far -host all all ::1/128 md5 -host all all 10.5.126.188/32 trust -host all all 10.5.126.189/32 trust -host replication all 10.5.126.188/32 trust -host replication all 10.5.126.189/32 trust diff --git a/roles/postgresql_server_bdr/tasks/main.yml b/roles/postgresql_server_bdr/tasks/main.yml index 5a1f32427..ed6ce36f5 100644 --- a/roles/postgresql_server_bdr/tasks/main.yml +++ b/roles/postgresql_server_bdr/tasks/main.yml @@ -51,7 +51,7 @@ - postgresql - name: Add our postgres config file. - copy: > + template: > src={{ item }} dest=/var/lib/pgsql/9.4-bdr/data/{{ item }} owner=postgres diff --git a/roles/postgresql_server_bdr/templates/pg_hba.conf b/roles/postgresql_server_bdr/templates/pg_hba.conf new file mode 100644 index 000000000..fb5cdfe1e --- /dev/null +++ b/roles/postgresql_server_bdr/templates/pg_hba.conf @@ -0,0 +1,96 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the PostgreSQL Administrator's Guide, chapter "Client +# Authentication" for a complete description. A short synopsis +# follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTION] +# host DATABASE USER CIDR-ADDRESS METHOD [OPTION] +# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION] +# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain socket, +# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an +# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", a database name, or +# a comma-separated list thereof. +# +# USER can be "all", a user name, a group name prefixed with "+", or +# a comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names from +# a separate file. +# +# CIDR-ADDRESS specifies the set of hosts the record matches. +# It is made up of an IP address and a CIDR mask that is an integer +# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies +# the number of significant bits in the mask. Alternatively, you can write +# an IP address and netmask in separate columns to specify the set of hosts. +# +# METHOD can be "trust", "reject", "md5", "crypt", "password", +# "krb5", "ident", or "pam". Note that "password" sends passwords +# in clear text; "md5" is preferred since it sends encrypted passwords. +# +# OPTION is the ident map or the name of the PAM service, depending on METHOD. +# +# Database and user names containing spaces, commas, quotes and other special +# characters must be quoted. Quoting one of the keywords "all", "sameuser" or +# "samerole" makes the name lose its special character, and just match a +# database or username with that name. +# +# This file is read on server startup and when the postmaster receives +# a SIGHUP signal. If you edit the file on a running system, you have +# to SIGHUP the postmaster for the changes to take effect. You can use +# "pg_ctl reload" to do that. + +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL listen +# on a non-local interface via the listen_addresses configuration parameter, +# or via the -i or -h command line switches. +# + +#@authcomment@ + +# TYPE DATABASE USER CIDR-ADDRESS METHOD + +#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only +#@remove-line-for-nolocal@local all all @authmethod@ +# IPv4 local connections: +#host all all 127.0.0.1/32 @authmethod@ +# IPv6 local connections: +#host all all ::1/128 @authmethod@ + +local all all ident +host koji koji 10.5.126.61 255.255.255.255 md5 +host all all 0.0.0.0 0.0.0.0 md5 +# Note, I can't think of a reason to make this more restrictive than ipv4 but +# only fakefas needs it so far +host all all ::1/128 md5 +{% for host in groups['pgbdr-stg']|sort %} +# staging replication hosts +{% if 'eth0_ip' in hostvars[host] %}# {{ host }} +host replication all {{ hostvars[host]['eth0_ip'] }} md5 +{% else %}# {{ host }} has no 'eth0_ip' listed +{% endif %} +{% endfor %} +{% for host in groups['pgbdr']|sort %} +# production replication hosts +{% if 'eth0_ip' in hostvars[host] %}# {{ host }} +host replication all {{ hostvars[host]['eth0_ip'] }} md5 +{% else %}# {{ host }} has no 'eth0_ip' listed +{% endif %} +{% endfor %} +host all all 10.5.126.188/32 trust +host all all 10.5.126.189/32 trust +host replication all 10.5.126.188/32 trust +host replication all 10.5.126.189/32 trust -- cgit