From b30abbdfb476117053fc023bcf1f9a46f47b259f Mon Sep 17 00:00:00 2001 From: Jorge Saffe Date: Wed, 19 Jun 2024 19:17:33 +0300 Subject: [PATCH] Dynamize Postgres Auth Method Definition The 8.0.0 version of the 'puppetlabs-postgresql' module uses 'md5' as the default authentication method. This value is hardcoded, making it impossible to set dynamically during bootstrap. The newest versions of 'puppetlabs-postgresql' have added a new parameter to set the authorization method dynamically. The proposed solution patches the current version using the same parameter name as in the newer versions to dynamically set the authorization method. This also allows a future update of the 'puppetlabs-postgresql' module to be done seamlessly. Test Plan: - PASS Fresh Install SX env * Verify system status unlock/available * Login as admin user in psql (psql -U admin -h 127.0.0.1 -d sysinv) * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). - PASS Fresh Install DX env * Verify system status unlock/available * Login as admin user in psql (psql -U admin -h 127.0.0.1 -d sysinv) * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). * Host swact to controller-1 * Login as admin user in psql (psql -U admin -h 127.0.0.1 -d sysinv) * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). * collect logs (collect) * verify '/var/extra/database/' content - PASS Upgrade SX - PASS Upgrade SX-rollback - PASS Upgrade DX - PASS Upgrade DX-rollback Partial-bug: 2069842 Change-Id: I2660149a40be890e52b6781be294547e2acde55b 
Signed-off-by: Jorge Saffe
---
 .../0002-update-auth-encryption-method.patch | 63 +++++++++++++++++++
 .../debian/deb_folder/patches/series | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/0002-update-auth-encryption-method.patch
diff --git a/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/0002-update-auth-encryption-method.patch b/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/0002-update-auth-encryption-method.patch
new file mode 100644
index 000000000..8baab49ea
--- /dev/null
+++ b/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/0002-update-auth-encryption-method.patch
@@ -0,0 +1,63 @@
+From 1e1e812c463132a354b74c611de464b3cdcb445a Mon Sep 17 00:00:00 2001
+From: Jorge Saffe
+Date: Mon, 17 Jun 2024 19:15:28 +0300
+Subject: [PATCH 2/2] update-auth-encryption-method
+
+---
+ manifests/server.pp | 1 +
+ manifests/server/config.pp | 7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/manifests/server.pp b/manifests/server.pp
+index 5b9af03..6a28736 100644
+--- a/manifests/server.pp
++++ b/manifests/server.pp
+@@ -84,6 +84,7 @@
+ #
+ class postgresql::server (
+ Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = undef,
++ Optional[Variant[String[1], Sensitive[String[1]], Integer]] $pg_hba_auth_password_encryption = undef,
+
+ $package_name = $postgresql::params::server_package_name,
+ $package_ensure = $postgresql::params::package_ensure,
+diff --git a/manifests/server/config.pp b/manifests/server/config.pp
+index c3ca6b5..a07c27a 100644
+--- a/manifests/server/config.pp
++++ b/manifests/server/config.pp
+@@ -27,6 +27,7 @@ class postgresql::server::config {
+ $timezone = $postgresql::server::timezone
+ $password_encryption = $postgresql::server::password_encryption
+ $extra_systemd_config = $postgresql::server::extra_systemd_config
++ $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption
+
+ if ($manage_pg_hba_conf == true) {
+ # Prepare the main pg_hba file
+@@ -70,7 +71,7 @@ class postgresql::server::config {
+ type => 'host',
+ user => $user,
+ address => '127.0.0.1/32',
+- auth_method => 'md5',
++ auth_method => $pg_hba_auth_password_encryption,
+ order => 3,
+ ;
+
+@@ -85,14 +86,14 @@ class postgresql::server::config {
+ 'allow access to all users':
+ type => 'host',
+ address => $ip_mask_allow_all_users,
+- auth_method => 'md5',
++ auth_method => $pg_hba_auth_password_encryption,
+ order => 100,
+ ;
+
+ 'allow access to ipv6 localhost':
+ type => 'host',
+ address => '::1/128',
+- auth_method => 'md5',
++ auth_method => $pg_hba_auth_password_encryption,
+ order => 101,
+ ;
+ }
+--
+2.34.1
+
diff --git a/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/series b/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/series
index f1fff2f91..e5b394248 100644
--- a/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/series
+++ b/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/series
@@ -1 +1,2 @@
 0001-use-python3-psycopg2.patch
+0002-update-auth-encryption-method.patch
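Review bot: The three `auth_method =>` lines in manifests/server/config.pp lose their `'md5'` literal while the new `$pg_hba_auth_password_encryption` parameter in manifests/server.pp defaults to `undef`, so a caller that never sets the parameter now hands `undef` to the localhost, allow-all and IPv6 pg_hba rules instead of the previous `md5`. Keeping the old value as the fallback in config.pp, for example `$pg_hba_auth_password_encryption = pick($postgresql::server::pg_hba_auth_password_encryption, 'md5')` (assuming stdlib's `pick` is available to this module), would leave existing deployments unchanged. The parameter type is also copied from `$postgres_password`; an authentication method is neither secret nor numeric, so `Optional[Enum['md5', 'scram-sha-256']]` would reject a typo or an unintended method such as `trust` at catalog compilation rather than writing it into pg_hba.conf. Both classes continue outside the hunks shown, so an existing fallback elsewhere in the file cannot be ruled out from this patch alone.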