update ldap2pg.yml into source
This commit is contained in:
parent
29a0c46bd2
commit
93151a593d
182
root/database/pgsql/ldap2pg.yml
Normal file
182
root/database/pgsql/ldap2pg.yml
Normal file
@ -0,0 +1,182 @@
|
||||
#
|
||||
#
|
||||
# L D A P 2 P G S A M P L E C O N F I G U R A T I O N
|
||||
#
|
||||
#
|
||||
# This is a starting point configuration file for ldap2pg.yml. Including static
|
||||
# roles, groups, privilege and LDAP search.
|
||||
#
|
||||
# This configuration assumes the following principles:
|
||||
#
|
||||
# - All LDAP users are grouped in `ldap_roles` group.
|
||||
# - Read privileges are granted to `readers` group.
|
||||
# - Write privileges are granted to `writers` group.
|
||||
# - DDL privileges are granted to `owners` group.
|
||||
# - We have one or more databases with public and maybe a schema.
|
||||
# - Grants are not specific to a schema. Once you're writer in a database, you
|
||||
# are writer to all schemas in it.
|
||||
#
|
||||
# The LDAP directory content is described in fixtures/openldap-data.ldif
|
||||
#
|
||||
# Adapt to your needs! See also full documentation on how to configure ldap2pg
|
||||
# at https://ldap2pg.readthedocs.io/en/latest/config/.
|
||||
#
|
||||
# Don't hesitate to suggest improvements for this starting configuration at
|
||||
# https://github.com/dalibo/ldap2pg/issues/new . Thanks for your contribution !
|
||||
#
|
||||
|
||||
#
|
||||
# File format version. Allows ldap2pg to check whether the file is supported.
|
||||
#
|
||||
version: 5
|
||||
|
||||
ldap:
|
||||
uri: ldaps://jcolebrand.info
|
||||
binddn: cn=postgres,ou=services,dc=jcolebrand,dc=info
|
||||
password: "*H9sHZughaS*Kqhm"
|
||||
|
||||
#
|
||||
# 1. P O S T G R E S I N S P E C T I O N
|
||||
#
|
||||
# See https://ldap2pg.readthedocs.io/en/latest/postgres/
|
||||
#
|
||||
|
||||
postgres:
|
||||
dsn: postgres://postgres@%2fvar%2frun%2fpostgresql:5432/
|
||||
databases_query: "SELECT datname FROM pg_catalog.pg_database;"
|
||||
# List of role names which can be dropped from cluster. Privileges on these
|
||||
# roles can be revoked.
|
||||
managed_roles_query: |
|
||||
SELECT ('public')
|
||||
UNION
|
||||
SELECT ('ldap_roles')
|
||||
UNION
|
||||
SELECT DISTINCT role.rolname
|
||||
FROM pg_roles AS role
|
||||
LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
|
||||
LEFT OUTER JOIN pg_roles AS ldap_roles
|
||||
ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
|
||||
WHERE role.rolname IN ('ldap_roles', 'readers', 'writers', 'owners')
|
||||
OR ldap_roles.oid IS NOT NULL
|
||||
ORDER BY 1;
|
||||
# List of object owners that requires default privileges configuration. Since
|
||||
# readers/writer/owners groups are globals to cluster, we have a global
|
||||
# owners_query.
|
||||
owners_query: |
|
||||
SELECT DISTINCT role.rolname
|
||||
FROM pg_catalog.pg_roles AS role
|
||||
JOIN pg_catalog.pg_auth_members AS ms ON ms.member = role.oid
|
||||
JOIN pg_catalog.pg_roles AS owners
|
||||
ON owners.rolname = 'owners' AND owners.oid = ms.roleid
|
||||
ORDER BY 1;
|
||||
# Exclude information_schema, pg_catalog, pg_toast, and other system schemas
|
||||
# from privilege management.
|
||||
schemas_query: |
|
||||
SELECT nspname FROM pg_catalog.pg_namespace
|
||||
WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema'
|
||||
ORDER BY 1;
|
||||
#
|
||||
# 2. P R I V I L E G E S D E F I N I T I O N
|
||||
#
|
||||
# See https://ldap2pg.readthedocs.io/en/latest/privileges/. Privileges wrapped
|
||||
# in double underscores are well-known privileges built-in ldap2pg. See
|
||||
# https://ldap2pg.readthedocs.io/en/latest/wellknown/ for a documentation of
|
||||
# each of them.
|
||||
#
|
||||
|
||||
privileges:
|
||||
# Define `ro` privilege group with read-only grants
|
||||
ro:
|
||||
- __connect__
|
||||
- __select_on_tables__
|
||||
- __select_on_sequences__
|
||||
- __usage_on_schemas__
|
||||
- __usage_on_types__
|
||||
|
||||
# `rw` privilege group lists write-only grants
|
||||
rw:
|
||||
- __temporary__
|
||||
- __all_on_tables__
|
||||
- __all_on_sequences__
|
||||
|
||||
# `ddl` privilege group lists DDL only grants.
|
||||
ddl:
|
||||
- __create_on_schemas__
|
||||
|
||||
|
||||
#
|
||||
# 3. S Y N C H R O N I S A T I O N M A P
|
||||
#
|
||||
# This list contains rules to declare roles and grants. Each role or grant rule
|
||||
# can be templated with attributes from LDAP entries returned by a search
|
||||
# query.
|
||||
#
|
||||
# Any role found in cluster and not generated by sync_map will be dropped. Any
|
||||
# grant found in cluster and not generated by sync_map will be revoked.
|
||||
#
|
||||
|
||||
sync_map:
|
||||
- description: "Setup static roles and grants."
|
||||
roles:
|
||||
- names:
|
||||
- ldap_roles
|
||||
- readers
|
||||
options: NOLOGIN
|
||||
- name: writers
|
||||
# Grant reading to writers
|
||||
parent: readers
|
||||
options: NOLOGIN
|
||||
- name: owners
|
||||
# Grant read/write to owners
|
||||
parent: writers
|
||||
options: NOLOGIN
|
||||
|
||||
grant:
|
||||
- privilege: ro
|
||||
role: readers
|
||||
schemas: __all__
|
||||
- privilege: rw
|
||||
role: writers
|
||||
schema: __all__
|
||||
- privilege: ddl
|
||||
role: owners
|
||||
schema: __all__
|
||||
|
||||
- description: "Query LDAP to create superusers."
|
||||
ldapsearch:
|
||||
base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
|
||||
filter: "(cn=superuser)"
|
||||
role:
|
||||
# LDAP attribute member is a Distinguished Name. Use CN component of the
|
||||
# member value.
|
||||
name: '{member.cn}'
|
||||
options: LOGIN SUPERUSER
|
||||
parent:
|
||||
- ldap_roles
|
||||
- owners
|
||||
comment: "From LDAP group {dn}"
|
||||
|
||||
|
||||
- description: "Query LDAP to create writers."
|
||||
ldapsearch:
|
||||
base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
|
||||
filter: "(cn=writers)"
|
||||
on_unexpected_dn: warn
|
||||
role:
|
||||
name: '{member.cn}'
|
||||
options: LOGIN
|
||||
parent:
|
||||
- ldap_roles
|
||||
- writers
|
||||
comment: 'From LDAP groupe {dn}'
|
||||
|
||||
- description: "Query LDAP to create readers."
|
||||
ldapsearch:
|
||||
base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
|
||||
filter: "(cn=readers)"
|
||||
role:
|
||||
name: '{member.cn}'
|
||||
options: LOGIN
|
||||
parent:
|
||||
- ldap_roles
|
||||
- readers
|