I am having difficulty creating users with read-only access to all tables
in a schema.
I am using the following in the manifest:

    postgresql::server::grant {<Unique friendly name>:
      db          => <dbname>,
      object_name => <schema_name>,
      object_type => 'ALL TABLES IN SCHEMA',
      privilege   => 'SELECT',
      role        => <username>,
    }

In the puppet run, I get the following error:

    Could not evaluate: Error evaluating 'unless' clause, returned pid 6933
    exit 1: 'ERROR: unrecognized privilege type: "SELECT ON ALL TABLES"

Yet looking at the manifest:

    postgresql::server::grant
    Manages grant-based access privileges for roles. See PostgreSQL
    documentation for grant for more information.

    db - Specifies the database to which you are granting access.
    object_type - Specifies the type of object to which you are granting
      privileges. Valid options: DATABASE, SCHEMA, SEQUENCE, ALL SEQUENCES IN
      SCHEMA, TABLE or ALL TABLES IN SCHEMA.
    object_name - Specifies name of object_type to which to grant access.
    port - Port to use when connecting. Default: undef, which generally
      defaults to port 5432 depending on your PostgreSQL packaging.
    privilege - Specifies the privilege to grant. Valid options: ALL, ALL
      PRIVILEGES or object_type dependent string.
    psql_db - Specifies the database to execute the grant against. This should
      not ordinarily be changed from the default, which is postgres.
    psql_user - Sets the OS user to run psql. Default: the default user for
      the module, usually postgres.
    role - Specifies the role or user whom you are granting access to.

Hunting down the 'privilege type':

    privilege_type='${custom_privilege}'

    $custom_privilege = $_privilege ? {
      'ALL'            => 'INSERT',
      'ALL PRIVILEGES' => 'INSERT',
      default          => $_privilege,
    }

And finally

    validate_string($_privilege,'SELECT','INSERT','UPDATE','DELETE','TRUNCATE','REFERENCES','TRIGGER','ALL','ALL PRIVILEGES')

Any ideas?
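
Added example, not part of the original post and not the module's own code: the plain PostgreSQL statements behind a read-only role for every table in one schema, with a check that the role ended up with SELECT and nothing more. The names appdb, reporting, report_ro and app_owner are assumptions standing in for the post's <dbname>, <schema_name>, <username> and the role that owns the tables.

```sql
-- Constructed names (assumptions, not from the post): database appdb,
-- schema reporting, read-only role report_ro, table-owning role app_owner.
-- Run while connected to appdb: schema-level grants apply to the database
-- of the current connection.

-- 1. Login role with no administrative attributes.
CREATE ROLE report_ro LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. The role has to be able to connect and to look objects up in the
--    schema. SELECT on the tables is unusable without USAGE on the schema.
GRANT CONNECT ON DATABASE appdb TO report_ro;
GRANT USAGE ON SCHEMA reporting TO report_ro;

-- 3. Read access to every table that exists in the schema right now.
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO report_ro;

-- 4. Step 3 does not cover tables created later. Default privileges make
--    future tables created by app_owner in this schema readable as well.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA reporting
    GRANT SELECT ON TABLES TO report_ro;

-- 5. Verification: one row per ordinary or partitioned table in the schema.
--    Expect can_select = true and can_write = false on every row.
--    With a comma-separated list, has_table_privilege returns true if the
--    role holds any one of the listed privileges (PUBLIC grants included).
SELECT c.relname,
       has_table_privilege('report_ro', c.oid, 'SELECT') AS can_select,
       has_table_privilege('report_ro', c.oid,
                           'INSERT, UPDATE, DELETE, TRUNCATE') AS can_write
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'reporting'
  AND c.relkind IN ('r', 'p')
ORDER BY c.relname;
```

A row with can_write = true usually means the privilege reaches the role through PUBLIC or through membership in another role, so it has to be revoked there and not from report_ro itself.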