Add support for host based authentication

This addresses geerlingguy#3
llou · Oct 3, 2016 · 4f234f1 · 4f234f1
1 parent d7954de
commit 4f234f1
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -37,6 +37,18 @@ The directories (usually one, but can be multiple) where PostgreSQL's socket wil
 
 Global configuration options that will be set in `postgresql.conf`. Note that for RHEL/CentOS 6 (or very old versions of PostgreSQL), you need to at least override this variable and set the `option` to `unix_socket_directory`.
 
+    postgresql_hba_entries:
+      - type: host # required; local, host, hostssl or hostnossl
+        database: exampledb # required
+        user: jdoe # required
+        address: 192.0.2.0/24 # either this or ip_address / ip_mask are required unless type is 'local'
+        ip_address: # alternative to 'address'
+        ip_mask: # alternative to 'address'
+        auth_method: # required
+        auth_options: # optional
+
+Configure [host based authentication](https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) entries to be set in the `pg_hba.conf`. 
+
     postgresql_locales:
       - 'en_US.UTF-8'
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -13,6 +13,13 @@ postgresql_global_config_options:
   - option: unix_socket_directories
     value: '{{ postgresql_unix_socket_directories | join(",") }}'
 
+# Host based authentication (hba) entries to be added to the pg_hba.conf.
+postgresql_hba_entries:
+  - type: local
+    database: all
+    user: all
+    auth_method: trust
+
 # Debian only. Used to generate the locales used by PostgreSQL databases.
 postgresql_locales:
   - 'en_US.UTF-8'

diff --git a/tasks/configure.yml b/tasks/configure.yml
@@ -8,6 +8,15 @@
   with_items: "{{ postgresql_global_config_options }}"
   notify: restart postgresql
 
+- name: Configure host based authentication.
+  template:
+    src: "templates/pg_hba.conf.j2"
+    dest: "{{ postgresql_config_path }}/pg_hba.conf"
+    owner: "{{ postgresql_user }}"
+    group: "{{ postgresql_group }}"
+    mode: 0600
+  notify: restart postgresql
+
 - name: Ensure PostgreSQL unix socket dirs exist.
   file:
     path: "{{ item }}"

diff --git a/templates/pg_hba.conf.j2 b/templates/pg_hba.conf.j2
@@ -0,0 +1,9 @@
+{{ ansible_managed | comment }}
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
+
+{% for client in postgresql_hba_entries %}
+{{ client.type }} {{ client.database }} {{ client.user }} {{ client.address|default('') }} {{ client.ip_address|default('') }} {{ client.ip_mask|default('') }} {{ client.auth_method }} {{ client.auth_options|default("") }}
+{% endfor %}