Merge branch '17-hba-defaults'

README.md

@@ -38,16 +38,23 @@ The directories (usually one, but can be multiple) where PostgreSQL's socket wil
 Global configuration options that will be set in `postgresql.conf`. Note that for RHEL/CentOS 6 (or very old versions of PostgreSQL), you need to at least override this variable and set the `option` to `unix_socket_directory`.
 
     postgresql_hba_entries:
-      - type: host # required; local, host, hostssl or hostnossl
-        database: exampledb # required
-        user: jdoe # required
-        address: 192.0.2.0/24 # either this or ip_address / ip_mask are required unless type is 'local'
-        ip_address: # alternative to 'address'
-        ip_mask: # alternative to 'address'
-        auth_method: # required
-        auth_options: # optional
+      - { type: local, database: all, user: postgres, auth_method: peer }
+      - { type: local, database: all, user: all, auth_method: peer }
+      - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
+      - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
 
-Configure [host based authentication](https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) entries to be set in the `pg_hba.conf`. 
+Configure [host based authentication](https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html) entries to be set in the `pg_hba.conf`. Options for entries include:
+
+  - `type` (required)
+  - `database` (required)
+  - `user` (required)
+  - `address` (one of this or the following two are required)
+  - `ip_address`
+  - `ip_mask`
+  - `auth_method` (required)
+  - `auth_options` (optional)
+
+If overriding, make sure you copy all of the existing entries from `defaults/main.yml` if you need to preserve existing entries.
 
     postgresql_locales:
       - 'en_US.UTF-8'

defaults/main.yml

@@ -13,12 +13,13 @@ postgresql_global_config_options:
   - option: unix_socket_directories
     value: '{{ postgresql_unix_socket_directories | join(",") }}'
 
-# Host based authentication (hba) entries to be added to the pg_hba.conf.
+# Host based authentication (hba) entries to be added to the pg_hba.conf. This
+# variable's defaults reflect the defaults that come with a fresh installation.
 postgresql_hba_entries:
-  - type: local
-    database: all
-    user: all
-    auth_method: trust
+  - { type: local, database: all, user: postgres, auth_method: peer }
+  - { type: local, database: all, user: all, auth_method: peer }
+  - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
+  - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
 
 # Debian only. Used to generate the locales used by PostgreSQL databases.
 postgresql_locales:

tasks/configure.yml

@@ -8,7 +8,7 @@
   with_items: "{{ postgresql_global_config_options }}"
   notify: restart postgresql
 
-- name: Configure host based authentication.
+- name: Configure host based authentication (if entries are configured).
   template:
     src: "templates/pg_hba.conf.j2"
     dest: "{{ postgresql_config_path }}/pg_hba.conf"
@@ -16,6 +16,7 @@
     group: "{{ postgresql_group }}"
     mode: 0600
   notify: restart postgresql
+  when: postgresql_hba_entries
 
 - name: Ensure PostgreSQL unix socket dirs exist.
   file:

tests/test.yml

@@ -12,8 +12,9 @@
       apt: update_cache=yes cache_valid_time=600
       when: ansible_os_family == 'Debian'
 
-    - name: Set custom variable name for old CentOS 6 PostgreSQL install.
+    - name: Set custom variables for old CentOS 6 PostgreSQL install.
       set_fact:
+        postgresql_hba_entries: []
         postgresql_global_config_options:
           - option: unix_socket_directory
             value: '{{ postgresql_unix_socket_directories[0] }}'