feat: manage grafana pgsql db

- add pgsql backend capabilities for grafana
- create/manage pgsql database for grafana
- fix psql_is_slave fact to work on all current patroni clusters
- fix extra } in resources
- fix unless in psql grant commands
- fix add database owner
- fix disabled schema permissions, the unless didn't work
2025-06-29 18:28:12 +10:00
parent d1e63ad18b
commit d6ccb8aafe
8 changed files with 75 additions and 50 deletions
+1 -1
@@ -88,8 +88,8 @@ class profiles::sql::patroni (
if ! $facts['psql_is_slave'] {
# collect exported resources
$tag = "${cluster_name}-${facts['country']}-${facts['region']}-${facts['environment']}"
Profiles::Sql::Postgres::Db <<| tag == $tag |>> {}
Profiles::Sql::Postgres::User <<| tag == $tag |>> {}
Profiles::Sql::Postgres::Db <<| tag == $tag |>> {}
Profiles::Sql::Postgres::Grant <<| tag == $tag |>> {}
}
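Review bot: Moving the `Db` collector below the `User` collector does not, as far as I can tell, guarantee that the user is realized before the database — collectors are evaluated late in compilation and carry no relationship of their own, and `create_database_${dbname}` now runs `CREATE DATABASE … OWNER "${owner}"`, which errors on a fresh primary if the owner role does not exist yet. Make the dependency explicit by chaining the three collectors: `Profiles::Sql::Postgres::User <<| tag == $tag |>> {} -> Profiles::Sql::Postgres::Db <<| tag == $tag |>> {} -> Profiles::Sql::Postgres::Grant <<| tag == $tag |>> {}`. The guard `if ! $facts['psql_is_slave']` also treats a missing fact as "primary", since `!undef` is true in Puppet, so a node where the fact fails to resolve would try to create databases and users; `$facts['psql_is_slave'] == false` (or a `fail()` when the fact is undef) is safer. The enclosing class starts before this hunk.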
+2 -2
@@ -1,9 +1,9 @@
define profiles::sql::postgres::db (
String $dbname,
String $owner,
) {
postgresql_psql { "create_database_${dbname}":
command => "CREATE DATABASE \"${dbname}\"",
command => "CREATE DATABASE \"${dbname}\" OWNER \"${owner}\"",
unless => "SELECT 1 FROM pg_database WHERE datname = '${dbname}'",
}
}
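Review bot: `$dbname` and `$owner` are spliced into the `CREATE DATABASE` statement and the `unless` query as raw text, so a value containing `"` or `'` breaks the statement, and an owner change on an existing database is silently ignored because the only check is `datname` existence. These values come from class parameters rather than end-user input, so the injection risk is low, but constraining the types makes the quoting safe by construction and keeps the quoted names here consistent with the unquoted ones in the grant define: `Pattern[/\A[a-z_][a-z0-9_]*\z/] $dbname,` and `Pattern[/\A[a-z_][a-z0-9_]*\z/] $owner,`. If owner drift matters, a second `postgresql_psql` running `ALTER DATABASE \"${dbname}\" OWNER TO \"${owner}\"`, guarded by an `unless` that joins `pg_database.datdba` to `pg_roles.oid`, would converge it.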
+5 -12
@@ -1,11 +1,10 @@
define profiles::sql::postgres::grant (
String $username,
String $privilege,
Enum['SCHEMA', 'DATABASE'] $type = 'DATABASE',
Optional[String] $dbname = undef,
Optional[String] $schema = undef,
String $privilege = 'ALL PRIVILEGES',
) {
# Validate parameters based on type
if $type == 'DATABASE' and $dbname == undef {
fail('The dbname parameter must be provided when type is DATABASE')
}
@@ -14,25 +13,19 @@ define profiles::sql::postgres::grant (
fail('Both dbname and schema parameters must be provided when type is SCHEMA')
}
# Determine the appropriate SQL command and unless condition
$command = $type ? {
'DATABASE' => "GRANT ${privilege} ON DATABASE ${dbname} TO ${username}",
'SCHEMA' => "GRANT ${privilege} ON SCHEMA ${schema} TO ${username}",
}
$unless = $type ? {
'DATABASE' => "SELECT 1 FROM pg_roles r WHERE r.rolname='${username}' AND has_database_privilege('${username}', '${dbname}', 'CONNECT')", # lint:ignore:140chars
'SCHEMA' => "SELECT 1 FROM pg_namespace n JOIN pg_roles r ON r.oid = n.nspowner WHERE nspname = '${schema}' AND r.rolname = '${username}'", # lint:ignore:140chars
}
# Ensure the db parameter is set correctly when type is SCHEMA
$effective_dbname = $type ? {
'SCHEMA' => $dbname,
'DATABASE' => $dbname,
'DATABASE' => "SELECT 1 FROM pg_roles r WHERE r.rolname='${username}' AND has_database_privilege('${username}', '${dbname}', '${privilege}')", # lint:ignore:140chars
'SCHEMA' => undef,
}
postgresql_psql { "grant_${privilege}_on_${type}_${effective_dbname}_${schema}_to_${username}":
postgresql_psql { "grant_${privilege}_on_${type}_${dbname}_${schema}_to_${username}":
command => $command,
unless => $unless,
db => $effective_dbname,
db => $dbname,
}
}
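Review bot: The `SCHEMA` branch of `$unless` is now `undef`, so any schema grant re-runs `GRANT` on every agent run and reports a change each time; PostgreSQL has the matching check, `'SCHEMA' => "SELECT 1 FROM pg_roles r WHERE r.rolname='${username}' AND has_schema_privilege('${username}', '${schema}', '${privilege}')",`. The `DATABASE` branch passes `${privilege}` straight into `has_database_privilege`, which only accepts CREATE, CONNECT and TEMP/TEMPORARY, so a caller passing `ALL PRIVILEGES` — still allowed because `$privilege` is a plain `String`, and one of the two `$privilege` parameter lines in the first hunk carries that value as a default — most likely fails the resource with "unrecognized privilege type" instead of skipping an already-applied grant; tightening the type to the privileges the `has_*_privilege` functions understand (`Enum['CONNECT', 'CREATE', 'TEMP', 'TEMPORARY', 'USAGE']`, with the `USAGE`/`CREATE` subset for `SCHEMA`) would catch this at compile time. The identifiers in `$command` are unquoted and the `unless` values are interpolated into single-quoted literals unescaped, so the same `Pattern` constraint on `$username`, `$dbname` and `$schema` would close that off as well.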
+21 -16
@@ -4,8 +4,8 @@ class profiles::sql::postgresdb (
String $dbpass,
String $cluster_name,
Boolean $create_host_users = false,
Boolean $members_lookup = false,
String $members_role = undef,
Boolean $members_lookup = true,
String $members_role = $facts['enc_role'],
Array $servers = [],
){
@@ -33,6 +33,7 @@ class profiles::sql::postgresdb (
# manage the postgres db
@@profiles::sql::postgres::db { "${facts['networking']['fqdn']}_db_${dbname}":
dbname => $dbname,
owner => $dbuser,
tag => $tag,
}
@@ -42,21 +43,25 @@ class profiles::sql::postgresdb (
tag => $tag,
}
@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_db_${dbuser}_${dbuser}}":
dbname => $dbname,
username => $dbuser,
type => 'DATABASE',
privilege => 'ALL PRIVILEGES',
tag => $tag,
['CONNECT', 'CREATE', 'TEMPORARY'].each |$priv| {
@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_db_${dbname}_${dbuser}_${priv}":
dbname => $dbname,
username => $dbuser,
type => 'DATABASE',
privilege => $priv,
tag => $tag,
}
}
@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_schema_${dbuser}_${dbuser}}":
dbname => $dbname,
username => $dbuser,
type => 'SCHEMA',
schema => 'public',
privilege => 'ALL PRIVILEGES',
tag => $tag,
}
#['USAGE', 'CREATE'].each |$priv| {
# @@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_schema_${dbname}_${dbuser}_${priv}":
# dbname => $dbname,
# username => $dbuser,
# type => 'SCHEMA',
# schema => 'public',
# privilege => $priv,
# tag => $tag,
# }
#}
}
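Review bot: `String $members_role = $facts['enc_role']` takes the default for what looks like a membership lookup from a node-supplied fact, and `members_lookup` now defaults to `true`, so unless `members_role` is passed explicitly the node itself decides which role's members get access to this database through what it reports in `enc_role`; facts are produced by the agent and should not be an authorization input. If `members_lookup` resolves database users by role (the lookup is outside this section), source the role from the ENC-supplied class parameter or `$trusted['extensions']` rather than `$facts`, or keep `members_lookup` opt-in so existing callers do not silently gain members. As far as I can tell the new default also fails compilation with a String/Undef type mismatch whenever the fact is absent, exactly like the previous `= undef`; `Optional[String]` plus an explicit `fail('members_role is required when members_lookup is true')` would give a clearer error. The commented-out schema grant block at the end is dead code — a one-line comment stating why schema grants are disabled (the commit message says the `unless` did not work) would be easier to maintain than the commented-out resources.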
}