#
#
# L D A P 2 P G   S A M P L E   C O N F I G U R A T I O N
#
#
# This is a starting point configuration file for ldap2pg.yml, including static
# roles, groups, privileges and an LDAP search.
#
# This configuration assumes the following principles:
#
# - All LDAP users are grouped in the `ldap_roles` group.
# - Read privileges are granted to the `readers` group.
# - Write privileges are granted to the `writers` group.
# - DDL privileges are granted to the `owners` group.
# - We have one or more databases with public and maybe a schema.
# - Grants are not specific to a schema. Once you're a writer in a database,
#   you are a writer to all schemas in it.
#
# The LDAP directory content is described in fixtures/openldap-data.ldif
#
# Adapt to your needs! See also the full documentation on how to configure
# ldap2pg at https://ldap2pg.readthedocs.io/en/latest/config/.
#
# Don't hesitate to suggest improvements for this starting configuration at
# https://github.com/dalibo/ldap2pg/issues/new . Thanks for your contribution!
#
# NOTE: ldap2pg is destructive by design (see the sync_map section): roles and
# grants that this file does not produce are dropped or revoked. Review the
# dry-run output against a real cluster before applying changes. This file may
# also carry LDAP bind credentials, so restrict its permissions and keep any
# secret out of version control.
#

#
# File format version. Allows ldap2pg to check whether the file is supported.
#
version: 5

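ldap:
  # Keep ldaps:// (or STARTTLS): a simple bind sends the password in clear on a
  # plain ldap:// connection.
  uri: ldaps://jcolebrand.info
  # Bind as a dedicated service account: ldap2pg only needs to search the
  # groups under the `base` DNs used in sync_map below, so give this account
  # read-only access to those entries and nothing more.
  binddn: cn=postgres,ou=services,dc=jcolebrand,dc=info
  # SECURITY: the bind password is deliberately NOT written here. A plaintext
  # secret in a config file that is committed to version control, or readable
  # by other users on the host, is a credential leak; the value previously
  # stored in this sample must be treated as compromised and rotated.
  # Supply it out of band instead, e.g. through the LDAPPASSWORD environment
  # variable or an ldaprc file with restrictive permissions. ldap2pg honours
  # the same LDAP* environment variables and ldaprc as the OpenLDAP tools --
  # check the config documentation for your version.
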
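#
# 1. P O S T G R E S   I N S P E C T I O N
#
# See https://ldap2pg.readthedocs.io/en/latest/postgres/
#

postgres:
  # Local connection as `postgres` over the Unix socket, with no password in
  # the DSN (presumably peer authentication -- confirm against pg_hba.conf).
  # ldap2pg creates and drops roles cluster-wide and, in this sample, creates
  # SUPERUSER roles, so it needs a superuser connection anyway; keeping it on
  # the socket avoids storing a database password here.
  dsn: postgres://postgres@%2fvar%2frun%2fpostgresql:5432/
  # ldap2pg connects to each listed database to inspect and manage it, so only
  # list databases that accept connections: template0 (datallowconn = false)
  # cannot be connected to and would make the sync fail.
  databases_query: |
    SELECT datname FROM pg_catalog.pg_database
    WHERE datallowconn IS TRUE
    ORDER BY 1;

  # List of role names ldap2pg is allowed to manage: these roles can be dropped
  # from the cluster and privileges held by them can be revoked.
  # NOTE: `public` is listed on purpose so that privileges granted to PUBLIC
  # are revoked unless declared in sync_map; remove it if you rely on grants to
  # PUBLIC made outside ldap2pg.
  managed_roles_query: |
    SELECT ('public')
    UNION
    SELECT ('ldap_roles')
    UNION
    SELECT DISTINCT role.rolname
    FROM pg_catalog.pg_roles AS role
    LEFT OUTER JOIN pg_catalog.pg_auth_members AS ms ON ms.member = role.oid
    LEFT OUTER JOIN pg_catalog.pg_roles AS ldap_roles
      ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
    WHERE role.rolname IN ('ldap_roles', 'readers', 'writers', 'owners')
       OR ldap_roles.oid IS NOT NULL
    ORDER BY 1;

  # List of object owners that require default privileges configuration. Since
  # the readers/writers/owners groups are global to the cluster, we have a
  # global owners_query.
  owners_query: |
    SELECT DISTINCT role.rolname
    FROM pg_catalog.pg_roles AS role
    JOIN pg_catalog.pg_auth_members AS ms ON ms.member = role.oid
    JOIN pg_catalog.pg_roles AS owners
      ON owners.rolname = 'owners' AND owners.oid = ms.roleid
    ORDER BY 1;

  # Exclude information_schema, pg_catalog, pg_toast, and other system schemas
  # from privilege management. The underscore is escaped: in LIKE, `_` is a
  # single-character wildcard, so the unescaped 'pg_%' would also silently
  # exclude any user schema whose name merely starts with "pg" (e.g. "pgdata"),
  # leaving its privileges unmanaged.
  schemas_query: |
    SELECT nspname FROM pg_catalog.pg_namespace
    WHERE nspname NOT LIKE 'pg\_%' AND nspname <> 'information_schema'
    ORDER BY 1;
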
#
# 2. P R I V I L E G E S   D E F I N I T I O N
#
# See https://ldap2pg.readthedocs.io/en/latest/privileges/. Privileges wrapped
# in double underscores are well-known privileges built into ldap2pg. See
# https://ldap2pg.readthedocs.io/en/latest/wellknown/ for a documentation of
# each of them.
#

privileges:
  # Define the `ro` privilege group with read-only grants.
  ro:
    - __connect__
    - __select_on_tables__
    - __select_on_sequences__
    - __usage_on_schemas__
    - __usage_on_types__

  # The `rw` privilege group lists the write grants. It does not repeat the
  # read grants: `writers` inherits them from `readers` through `parent` in
  # sync_map. NOTE(review): per the wellknown docs `__all_on_tables__` and
  # `__all_on_sequences__` are ALL PRIVILEGES, which on tables also covers
  # TRUNCATE, REFERENCES and TRIGGER; if writers should be limited to DML,
  # replace them with the individual well-known privileges.
  rw:
    - __temporary__
    - __all_on_tables__
    - __all_on_sequences__

  # The `ddl` privilege group lists DDL-only grants.
  ddl:
    - __create_on_schemas__


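#
# 3. S Y N C H R O N I S A T I O N   M A P
#
# This list contains rules to declare roles and grants. Each role or grant rule
# can be templated with attributes from LDAP entries returned by a search
# query.
#
# Any role found in the cluster and not generated by sync_map will be dropped.
# Any grant found in the cluster and not generated by sync_map will be revoked.
# This makes the LDAP groups below the source of truth for PostgreSQL access:
# whoever can edit their membership in the directory decides which roles
# exist, with which options, and which roles get dropped. Protect write access
# to these groups accordingly and review dry-run output before applying.
#

sync_map:
  - description: "Setup static roles and grants."
    roles:
      - names:
          - ldap_roles
          - readers
        options: NOLOGIN
      - name: writers
        # Grant reading to writers
        parent: readers
        options: NOLOGIN
      - name: owners
        # Grant read/write to owners
        parent: writers
        options: NOLOGIN

    # All three grant rules use the same `schemas` key. The original mixed
    # `schemas` and `schema` (ldap2pg appears to accept both); one spelling is
    # easier to grep and to validate.
    grant:
      - privilege: ro
        role: readers
        schemas: __all__
      - privilege: rw
        role: writers
        schemas: __all__
      - privilege: ddl
        role: owners
        schemas: __all__

  - description: "Query LDAP to create superusers."
    ldapsearch:
      base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
      filter: "(cn=superuser)"
      # The lenient `on_unexpected_dn: warn` used for writers below is
      # intentionally not applied here: this rule produces SUPERUSER roles, so
      # a member value ldap2pg cannot map to a CN should not be tolerated.
    role:
      # LDAP attribute member is a Distinguished Name. Use the CN component of
      # the member value as the PostgreSQL role name.
      name: '{member.cn}'
      # SECURITY: every member of the LDAP `superuser` group becomes a
      # PostgreSQL SUPERUSER, i.e. full control of the cluster and of the OS
      # account running PostgreSQL. Restrict who can modify this group in the
      # directory; if the `owners` privileges are enough for these users, drop
      # SUPERUSER from the options.
      options: LOGIN SUPERUSER
      parent:
        - ldap_roles
        - owners
      comment: "From LDAP group {dn}"

  - description: "Query LDAP to create writers."
    ldapsearch:
      base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
      filter: "(cn=writers)"
      # Only warn on a member value ldap2pg cannot parse as a DN, instead of
      # the stricter default behaviour (see the ldap2pg docs).
      on_unexpected_dn: warn
    role:
      name: '{member.cn}'
      options: LOGIN
      parent:
        - ldap_roles
        - writers
      # Typo fixed ("groupe") so the role comment matches the other rules.
      comment: 'From LDAP group {dn}'

  - description: "Query LDAP to create readers."
    ldapsearch:
      base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
      filter: "(cn=readers)"
    role:
      name: '{member.cn}'
      options: LOGIN
      parent:
        - ldap_roles
        - readers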