Allow merging of acls from multiple pillar files

jerrykan · jerrykan · commit ecba3d9dd388 · 2017-01-28T00:41:06.000+11:00
It would be useful to be able to define acls in multiple different
pillar files. This is not possible using a list because lists can not be
merged. If we use a dict then salt can merge all the acls together. The
key name for the lists is only used for sorting the groupings of acls.

For backwards compatibility we check to see if postgres:acls is a list
and handle it properly.
diff --git a/pillar.example b/pillar.example
@@ -34,19 +34,23 @@ postgres:
   # databases they can access. Records take one of these forms:
   #
   #acls:
-  #  - ['local', 'DATABASE',  'USER',  'METHOD']
-  #  - ['host', 'DATABASE',  'USER',  'ADDRESS', 'METHOD']
-  #  - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
-  #  - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+  #  group:
+  #    - ['local', 'DATABASE',  'USER',  'METHOD']
+  #    - ['host', 'DATABASE',  'USER',  'ADDRESS', 'METHOD']
+  #    - ['hostssl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
+  #    - ['hostnossl', 'DATABASE', 'USER', 'ADDRESS', 'METHOD']
   #
   # The uppercase items must be replaced by actual values.
   # METHOD could be omitted, 'md5' will be appended by default.
   #
-  # If ``acls`` item value is empty ('', [], null), then the contents of
+  # If ``acls`` item value is empty ('', {}, [], null), then the contents of
   # ``pg_hba.conf`` file will not be touched at all.
   acls:
-    - ['local', 'db1', 'localUser']
-    - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
+    db1:
+      - ['local', 'db1', 'localUser']
+      - ['host', 'db1', 'localUser', '127.0.0.1/32']
+    db2:
+      - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
 
   # PostgreSQL service name
   service: postgresql
diff --git a/postgres/templates/pg_hba.conf.j2 b/postgres/templates/pg_hba.conf.j2
@@ -20,21 +20,26 @@ local   all             postgres                                peer
 
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 
-{%- for acl in acls %}
-  {%- if acl|first() == 'local' %}
+{%- if acls is list %}
+  {%- set acls = {'_all': acls} %}
+{%- endif %}
+{%- for _, entry in acls|dictsort %}
+  {%- for acl in entry %}
+    {%- if acl|first() == 'local' %}
 
-    {%- if acl|length() == 3 %}
-      {%- do acl.extend(['', 'md5']) %}
-    {%- elif acl|length() == 4 %}
-      {%- do acl.insert(3, '') %}
-    {%- endif %}
+      {%- if acl|length() == 3 %}
+        {%- do acl.extend(['', 'md5']) %}
+      {%- elif acl|length() == 4 %}
+        {%- do acl.insert(3, '') %}
+      {%- endif %}
 
-  {%- else %}
+    {%- else %}
 
-    {%- if acl|length() == 4 %}
-      {%- do acl.append('md5') %}
-    {%- endif %}
+      {%- if acl|length() == 4 %}
+        {%- do acl.append('md5') %}
+      {%- endif %}
 
-  {%- endif %}
+    {%- endif %}
 {{ '{0:<7} {1:<15} {2:<15} {3:<23} {4}'.format(*acl) -}}
+  {%- endfor -%}
 {% endfor %}
