Dynamize Postgres Auth Method Definition
The 8.0.0 version of the 'puppetlabs-postgresql' module uses 'md5' as the default authentication method. This value is hardcoded, making it impossible to set dynamically during bootstrap. The newest versions of 'puppetlabs-postgresql' have added a new parameter to set the authorization method dynamically. The proposed solution patches the current version using the same parameter name as in the newer versions to dynamically set the authorization method. This also allows a future update of the 'puppetlabs-postgresql' module to be done seamlessly. Test Plan: - PASS Fresh Install SX env * Verify system status unlock/available * Login as admin user in psql (psql -U admin -h 127.0.0.1 -d sysinv) * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). - PASS Fresh Install DX env * Verify system status unlock/available * Login as admin user in psql (psql -U admin -h 127.0.0.1 -d sysinv) * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). * Host swact to controller-1 * Login as admin user in psql (psql -U admin -h 127.0.0.1 -d sysinv) * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). * collect logs (collect) * verify '/var/extra/database/' content - PASS Fresh Install DC env * Verify system status unlock/available * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). - PASS Upgrade SX - PASS Upgrade SX-rollback - PASS Upgrade DX - PASS Upgrade DX-rollback Partial-bug: 2069842 Change-Id: I74fff1715bf362fe5f7952bf2175984dc6a68f68 Signed-off-by: Jorge Saffe <jorge.saffe@windriver.com>
This commit is contained in:
parent
528cb3d7fa
commit
1146d5f296
@ -0,0 +1,30 @@
|
||||
From 7954a4416c5605803df8f570148f948195bac267 Mon Sep 17 00:00:00 2001
|
||||
From: Jorge Saffe <jorge.saffe@windriver.com>
|
||||
Date: Thu, 19 Sep 2024 22:18:43 +0200
|
||||
Subject: [PATCH 6/6] Update Postgres Auth and Password Encryption
|
||||
|
||||
---
|
||||
manifests/db/postgresql.pp | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/manifests/db/postgresql.pp b/manifests/db/postgresql.pp
|
||||
index a7ddedf..adadfb5 100644
|
||||
--- a/manifests/db/postgresql.pp
|
||||
+++ b/manifests/db/postgresql.pp
|
||||
@@ -45,7 +45,12 @@ define openstacklib::db::postgresql (
|
||||
in a future release. Use password instead')
|
||||
$password_hash_real = $password_hash
|
||||
} elsif $password != undef {
|
||||
- $password_hash_real = postgresql::postgresql_password($user, $password)
|
||||
+ $password_hash_real = postgresql::postgresql_password(
|
||||
+ $user,
|
||||
+ $password,
|
||||
+ $password =~ Sensitive[String],
|
||||
+ $postgresql::server::password_encryption,
|
||||
+ )
|
||||
} else {
|
||||
fail('password should be set')
|
||||
}
|
||||
--
|
||||
2.39.2
|
||||
|
@ -3,3 +3,4 @@
|
||||
0003-Adjust-puppetlabs-postgresql-version-requirement.patch
|
||||
0004-Increase-timeout-from-40s-to-100s.patch
|
||||
0005-Fix-hiera_lookup-function-to-unescape-characters.patch
|
||||
0006-Update-Postgres-Auth-and-Password-Encryption.patch
|
||||
|
@ -0,0 +1,63 @@
|
||||
From 1e1e812c463132a354b74c611de464b3cdcb445a Mon Sep 17 00:00:00 2001
|
||||
From: Jorge Saffe <jorge.saffe@windriver.com>
|
||||
Date: Mon, 17 Jun 2024 19:15:28 +0300
|
||||
Subject: [PATCH 2/2] update-auth-encryption-method
|
||||
|
||||
---
|
||||
manifests/server.pp | 1 +
|
||||
manifests/server/config.pp | 7 ++++---
|
||||
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/manifests/server.pp b/manifests/server.pp
|
||||
index 5b9af03..6a28736 100644
|
||||
--- a/manifests/server.pp
|
||||
+++ b/manifests/server.pp
|
||||
@@ -84,6 +84,7 @@
|
||||
#
|
||||
class postgresql::server (
|
||||
Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = undef,
|
||||
+ Optional[Variant[String[1], Sensitive[String[1]], Integer]] $pg_hba_auth_password_encryption = undef,
|
||||
|
||||
$package_name = $postgresql::params::server_package_name,
|
||||
$package_ensure = $postgresql::params::package_ensure,
|
||||
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
|
||||
index c3ca6b5..a07c27a 100644
|
||||
--- a/manifests/server/config.pp
|
||||
+++ b/manifests/server/config.pp
|
||||
@@ -27,6 +27,7 @@ class postgresql::server::config {
|
||||
$timezone = $postgresql::server::timezone
|
||||
$password_encryption = $postgresql::server::password_encryption
|
||||
$extra_systemd_config = $postgresql::server::extra_systemd_config
|
||||
+ $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption
|
||||
|
||||
if ($manage_pg_hba_conf == true) {
|
||||
# Prepare the main pg_hba file
|
||||
@@ -70,7 +71,7 @@ class postgresql::server::config {
|
||||
type => 'host',
|
||||
user => $user,
|
||||
address => '127.0.0.1/32',
|
||||
- auth_method => 'md5',
|
||||
+ auth_method => $pg_hba_auth_password_encryption,
|
||||
order => 3,
|
||||
;
|
||||
|
||||
@@ -85,14 +86,14 @@ class postgresql::server::config {
|
||||
'allow access to all users':
|
||||
type => 'host',
|
||||
address => $ip_mask_allow_all_users,
|
||||
- auth_method => 'md5',
|
||||
+ auth_method => $pg_hba_auth_password_encryption,
|
||||
order => 100,
|
||||
;
|
||||
|
||||
'allow access to ipv6 localhost':
|
||||
type => 'host',
|
||||
address => '::1/128',
|
||||
- auth_method => 'md5',
|
||||
+ auth_method => $pg_hba_auth_password_encryption,
|
||||
order => 101,
|
||||
;
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1 +1,2 @@
|
||||
0001-use-python3-psycopg2.patch
|
||||
0002-update-auth-encryption-method.patch
|
||||
|
Loading…
Reference in New Issue
Block a user