Dynamize Postgres Auth Method Definition

The 8.0.0 version of the 'puppetlabs-postgresql'
module uses 'md5' as the default authentication
method. This value is hardcoded, making it impossible
to set dynamically during bootstrap. The newest
versions of 'puppetlabs-postgresql' have added a new
parameter to set the authorization method dynamically.

The proposed solution patches the current version
using the same parameter name as in the newer versions
to dynamically set the authorization method. This also
allows a future update of the 'puppetlabs-postgresql'
module to be done seamlessly.

Test Plan:
- PASS Fresh Install SX env
   * Verify system status unlock/available

   * Login as admin user in psql
     (psql -U admin -h 127.0.0.1 -d sysinv)
   * Check postgres authorization configuration
     (SELECT * from pg_hba_file_rules;)
   * Check postgres password encryption configuration
     (SELECT rolname, rolpassword
      FROM pg_authid WHERE rolpassword IS NOT NULL;).

- PASS Fresh Install DX env
   * Verify system status unlock/available

   * Login as admin user in psql
     (psql -U admin -h 127.0.0.1 -d sysinv)
   * Check postgres authorization configuration
     (SELECT * from pg_hba_file_rules;)
   * Check postgres password encryption configuration
     (SELECT rolname, rolpassword
      FROM pg_authid WHERE rolpassword IS NOT NULL;).

   * Host swact to controller-1

   * Login as admin user in psql
     (psql -U admin -h 127.0.0.1 -d sysinv)
   * Check postgres authorization configuration
     (SELECT * from pg_hba_file_rules;)
   * Check postgres password encryption configuration
     (SELECT rolname, rolpassword
      FROM pg_authid WHERE rolpassword IS NOT NULL;).

   * collect logs (collect)
   * verify '/var/extra/database/' content

- PASS Fresh Install DC env
   * Verify system status unlock/available
   * Check postgres authorization configuration
     (SELECT * from pg_hba_file_rules;)
   * Check postgres password encryption configuration
     (SELECT rolname, rolpassword
      FROM pg_authid WHERE rolpassword IS NOT NULL;).

- PASS Upgrade SX
- PASS Upgrade SX-rollback
- PASS Upgrade DX
- PASS Upgrade DX-rollback

Partial-bug: 2069842

Change-Id: I74fff1715bf362fe5f7952bf2175984dc6a68f68
Signed-off-by: Jorge Saffe <jorge.saffe@windriver.com>
Jorge Saffe 2024-09-26 19:53:54 +02:00
parent 528cb3d7fa
commit 1146d5f296
4 changed files with 95 additions and 0 deletions
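
The two queries in the test plan can be turned into an automated check. The following is an added example, not part of the commit or of either Puppet module; the function names, the tuple layout (a subset of the `pg_hba_file_rules` and `pg_authid` columns) and the sample rows are assumptions constructed for illustration.

```python
import re

MD5_RE = re.compile(r"md5[0-9a-f]{32}")
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}

def verifier_kind(rolpassword):
    """Classify a pg_authid.rolpassword value by its stored format."""
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if MD5_RE.fullmatch(rolpassword):
        return "md5"
    return "unknown"

def audit(hba_rules, roles, expected):
    """hba_rules: (line_number, type, address, auth_method) rows;
    roles: (rolname, rolpassword) rows; expected: the intended method."""
    findings = []
    for line_number, _type, address, method in hba_rules:
        # Only password-based rules are compared; peer/ident rules are skipped.
        if method in PASSWORD_METHODS and method != expected:
            findings.append(f"hba line {line_number} ({address}): {method}, expected {expected}")
    # A scram-sha-256 rule rejects roles whose stored verifier is not SCRAM.
    scram_rule = any(rule[3] == "scram-sha-256" for rule in hba_rules)
    for rolname, rolpassword in roles:
        kind = verifier_kind(rolpassword)
        if kind != expected:
            findings.append(f"role {rolname}: {kind} verifier, expected {expected}")
        if scram_rule and kind != "scram-sha-256":
            findings.append(f"role {rolname}: cannot authenticate through scram-sha-256 rules")
    return findings

# Constructed sample rows (not taken from a real system).
SAMPLE_RULES = [
    (1, "local", None, "peer"),
    (3, "host", "127.0.0.1", "scram-sha-256"),
    (100, "host", "0.0.0.0", "md5"),
    (101, "host", "::1", "scram-sha-256"),
]
SAMPLE_ROLES = [
    ("admin", "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy"),
    ("legacy", "md5" + "0" * 32),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, SAMPLE_ROLES, "scram-sha-256"):
        print(finding)
```
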


@ -0,0 +1,30 @@
From 7954a4416c5605803df8f570148f948195bac267 Mon Sep 17 00:00:00 2001
From: Jorge Saffe <jorge.saffe@windriver.com>
Date: Thu, 19 Sep 2024 22:18:43 +0200
Subject: [PATCH 6/6] Update Postgres Auth and Password Encryption
---
manifests/db/postgresql.pp | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/manifests/db/postgresql.pp b/manifests/db/postgresql.pp
index a7ddedf..adadfb5 100644
--- a/manifests/db/postgresql.pp
+++ b/manifests/db/postgresql.pp
@@ -45,7 +45,12 @@ define openstacklib::db::postgresql (
in a future release. Use password instead')
$password_hash_real = $password_hash
} elsif $password != undef {
- $password_hash_real = postgresql::postgresql_password($user, $password)
+ $password_hash_real = postgresql::postgresql_password(
+ $user,
+ $password,
+ $password =~ Sensitive[String],
+ $postgresql::server::password_encryption,
+ )
} else {
fail('password should be set')
}
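Review bot: The new fourth argument, `$postgresql::server::password_encryption`, reads another class's variable from inside the `openstacklib::db::postgresql` define, and nothing in this hunk guarantees that `postgresql::server` has been evaluated first. If it has not, the lookup yields undef (or a failure under strict variables) and the hash format falls back to whatever `postgresql_password` defaults to, which may not match the pg_hba auth method. Consider passing the value in as a parameter of the define, or adding an explicit `include postgresql::server` ahead of this branch. A short comment on `$password =~ Sensitive[String]` saying what the third argument controls would also help the next reader.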
--
2.39.2


@ -3,3 +3,4 @@
0003-Adjust-puppetlabs-postgresql-version-requirement.patch 0003-Adjust-puppetlabs-postgresql-version-requirement.patch
0004-Increase-timeout-from-40s-to-100s.patch 0004-Increase-timeout-from-40s-to-100s.patch
0005-Fix-hiera_lookup-function-to-unescape-characters.patch 0005-Fix-hiera_lookup-function-to-unescape-characters.patch
0006-Update-Postgres-Auth-and-Password-Encryption.patch


@ -0,0 +1,63 @@
From 1e1e812c463132a354b74c611de464b3cdcb445a Mon Sep 17 00:00:00 2001
From: Jorge Saffe <jorge.saffe@windriver.com>
Date: Mon, 17 Jun 2024 19:15:28 +0300
Subject: [PATCH 2/2] update-auth-encryption-method
---
manifests/server.pp | 1 +
manifests/server/config.pp | 7 ++++---
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/manifests/server.pp b/manifests/server.pp
index 5b9af03..6a28736 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -84,6 +84,7 @@
#
class postgresql::server (
Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = undef,
+ Optional[Variant[String[1], Sensitive[String[1]], Integer]] $pg_hba_auth_password_encryption = undef,
$package_name = $postgresql::params::server_package_name,
$package_ensure = $postgresql::params::package_ensure,
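Review bot: The type on the added `$pg_hba_auth_password_encryption` parameter looks copied from `$postgres_password` on the line above: `Sensitive[String[1]]` and `Integer` do not fit a pg_hba auth method, and a Sensitive value would not interpolate as a plain string in the rule. Drop those two variants and keep a plain string type, and add a description of the parameter to the comment block that precedes the class.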
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index c3ca6b5..a07c27a 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -27,6 +27,7 @@ class postgresql::server::config {
$timezone = $postgresql::server::timezone
$password_encryption = $postgresql::server::password_encryption
$extra_systemd_config = $postgresql::server::extra_systemd_config
+ $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption
if ($manage_pg_hba_conf == true) {
# Prepare the main pg_hba file
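Review bot: `$pg_hba_auth_password_encryption` is copied straight from the class parameter, which defaults to undef, so the rules further down have no auth method unless every caller sets the parameter. Apply a fallback at this assignment, for example stdlib's `pick($postgresql::server::pg_hba_auth_password_encryption, 'md5')`, so that an unset parameter keeps the previous behaviour.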
@@ -70,7 +71,7 @@ class postgresql::server::config {
type => 'host',
user => $user,
address => '127.0.0.1/32',
- auth_method => 'md5',
+ auth_method => $pg_hba_auth_password_encryption,
order => 3,
;
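Review bot: On the `127.0.0.1/32` rule, `auth_method` is now driven by a different setting than the one that decides how password hashes are stored (`$password_encryption`, assigned earlier in this class). If the two diverge, for instance `scram-sha-256` here while roles still hold md5 hashes, logins over local TCP fail. Either derive one value from the other or fail compilation when they disagree.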
@@ -85,14 +86,14 @@ class postgresql::server::config {
'allow access to all users':
type => 'host',
address => $ip_mask_allow_all_users,
- auth_method => 'md5',
+ auth_method => $pg_hba_auth_password_encryption,
order => 100,
;
'allow access to ipv6 localhost':
type => 'host',
address => '::1/128',
- auth_method => 'md5',
+ auth_method => $pg_hba_auth_password_encryption,
order => 101,
;
}
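Review bot: The 'allow access to all users' rule covers `$ip_mask_allow_all_users`, and with the `'md5'` literal removed it accepts any string the caller supplies, including non-password methods such as `trust`. Validate the value against the password-based methods that are intended (`md5`, `scram-sha-256`) before it reaches this rule and the `::1/128` one.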
--
2.34.1


@ -1 +1,2 @@
0001-use-python3-psycopg2.patch 0001-use-python3-psycopg2.patch
0002-update-auth-encryption-method.patch