Allow merging of acls from multiple pillar files

It would be useful to be able to define acls in multiple different pillar files. This is not possible using a list because lists can not be merged. If we use a dict then salt can merge all the acls together. The key name for the lists is only used for sorting the groupings of acls. For backwards compatibility we check to see if postgres:acls is a list and handle it properly.
saltstack-formulas · Mar 27, 2024 · ba1cb99 · ba1cb99
1 parent 7529300
commit ba1cb99
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 21 deletions.
diff --git a/pillar.example b/pillar.example
@@ -68,10 +68,11 @@ postgres:
   # databases they can access. Records take one of these forms:
   #
   # acls:
-  #  - ['local', 'DATABASE',  'USER',  'METHOD']
-  #  - ['host', 'DATABASE',  'USER',  'ADDRESS', 'METHOD']
-  #  - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
-  #  - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+  #   group:
+  #     - ['local', 'DATABASE',  'USER',  'METHOD']
+  #     - ['host', 'DATABASE',  'USER',  'ADDRESS', 'METHOD']
+  #     - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+  #     - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
   #
   # The uppercase items must be replaced by actual values.
   # METHOD could be omitted, 'md5' will be appended by default.
@@ -81,10 +82,13 @@ postgres:
   # If ``acls`` item value is empty ('', [], null), then the contents of
   # ``pg_hba.conf`` file will not be touched at all.
   acls:
-    - ['local', 'db0', 'connuser', 'peer map=users_as_appuser']
-    - ['local', 'db1', 'localUser']
-    - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
-    - ['host', 'all', 'all', '127.0.0.1/32', 'md5']
+    db1:
+      - ['local', 'db0', 'connuser', 'peer map=users_as_appuser']
+      - ['local', 'db1', 'localUser']
+    db2:
+      - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
+    all:
+      - ['host', 'all', 'all', '127.0.0.1/32', 'md5']
 
   identity_map:
     - ['users_as_appuser', 'jdoe', 'connuser']

diff --git a/postgres/templates/pg_hba.conf.j2 b/postgres/templates/pg_hba.conf.j2
@@ -20,21 +20,26 @@ local   all             postgres                                peer
 
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 
-{% for acl in acls %}
-  {%- if acl|first() == 'local' %}
+{%- if acls is list -%}
+  {%- set acls = {'_all': acls} %}
+{%- endif %}
+{%- for _, group in acls|dictsort %}
+  {%- for acl in group %}
+    {%- if acl|first() == 'local' %}
 
-    {%- if acl|length() == 3 %}
-      {%- do acl.extend(['', 'md5']) %}
-    {%- elif acl|length() == 4 %}
-      {%- do acl.insert(3, '') %}
-    {%- endif %}
+      {%- if acl|length() == 3 %}
+        {%- do acl.extend(['', 'md5']) %}
+      {%- elif acl|length() == 4 %}
+        {%- do acl.insert(3, '') %}
+      {%- endif %}
 
-  {%- else %}
+    {%- else %}
 
-    {%- if acl|length() == 4 %}
-      {%- do acl.append('md5') %}
-    {%- endif %}
+      {%- if acl|length() == 4 %}
+        {%- do acl.append('md5') %}
+      {%- endif %}
 
-  {%- endif %}
+    {%- endif %}
 {{ '{0:<7} {1:<15} {2:<15} {3:<23} {4}'.format(*acl) }}
-{% endfor %}
+  {%- endfor %}
+{%- endfor %}