Dynamize Postgres Auth Method Definition

The 8.0.0 version of the 'puppetlabs-postgresql' module uses 'md5' as the default authentication method. This value is hardcoded, making it impossible to set dynamically during bootstrap. The newest versions of 'puppetlabs-postgresql' have added a new parameter to set the authorization method dynamically. The proposed solution patches the current version using the same parameter name as in the newer versions to dynamically set the authorization method. This also allows a future update of the 'puppetlabs-postgresql' module to be done seamlessly. Test Plan: - PASS Fresh Install SX env * Verify system status unlock/available * Login as admin user in psql (psql -U admin -h 127.0.0.1 -d sysinv) * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). - PASS Fresh Install DX env * Verify system status unlock/available * Login as admin user in psql (psql -U admin -h 127.0.0.1 -d sysinv) * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). * Host swact to controller-1 * Login as admin user in psql (psql -U admin -h 127.0.0.1 -d sysinv) * Check postgres authorization configuration (SELECT * from pg_hba_file_rules;) * Check postgres password encryption configuration (SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;). * collect logs (collect) * verify '/var/extra/database/' content - PASS Upgrade SX - PASS Upgrade SX-rollback - PASS Upgrade DX - PASS Upgrade DX-rollback Partial-bug: 2069842 Change-Id: I2660149a40be890e52b6781be294547e2acde55b Signed-off-by: Jorge Saffe <jorge.saffe@windriver.com>
2024-06-19 19:17:33 +03:00 · 2024-06-19 19:17:33 +03:00 · b30abbdfb4
commit b30abbdfb4
parent bcfb26840b
2 changed files with 64 additions and 0 deletions
--- a/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/0002-update-auth-encryption-method.patch
+++ b/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/0002-update-auth-encryption-method.patch
@ -0,0 +1,63 @@
+From 1e1e812c463132a354b74c611de464b3cdcb445a Mon Sep 17 00:00:00 2001
+From: Jorge Saffe <jorge.saffe@windriver.com>
+Date: Mon, 17 Jun 2024 19:15:28 +0300
+Subject: [PATCH 2/2] update-auth-encryption-method
+
+---
+ manifests/server.pp        | 1 +
+ manifests/server/config.pp | 7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/manifests/server.pp b/manifests/server.pp
+index 5b9af03..6a28736 100644
+--- a/manifests/server.pp
+++ b/manifests/server.pp
+@@ -84,6 +84,7 @@
+ #
+ class postgresql::server (
+   Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = undef,
+  Optional[Variant[String[1], Sensitive[String[1]], Integer]] $pg_hba_auth_password_encryption = undef,
+ 
+   $package_name                                    = $postgresql::params::server_package_name,
+   $package_ensure                                  = $postgresql::params::package_ensure,
+diff --git a/manifests/server/config.pp b/manifests/server/config.pp
+index c3ca6b5..a07c27a 100644
+--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
+@@ -27,6 +27,7 @@ class postgresql::server::config {
+   $timezone                     = $postgresql::server::timezone
+   $password_encryption          = $postgresql::server::password_encryption
+   $extra_systemd_config         = $postgresql::server::extra_systemd_config
+  $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption
+ 
+   if ($manage_pg_hba_conf == true) {
+     # Prepare the main pg_hba file
+@@ -70,7 +71,7 @@ class postgresql::server::config {
+             type        => 'host',
+             user        => $user,
+             address     => '127.0.0.1/32',
+-            auth_method => 'md5',
+            auth_method => $pg_hba_auth_password_encryption,
+             order       => 3,
+         ;
+ 
+@@ -85,14 +86,14 @@ class postgresql::server::config {
+         'allow access to all users':
+             type        => 'host',
+             address     => $ip_mask_allow_all_users,
+-            auth_method => 'md5',
+            auth_method => $pg_hba_auth_password_encryption,
+             order       => 100,
+         ;
+ 
+         'allow access to ipv6 localhost':
+             type        => 'host',
+             address     => '::1/128',
+-            auth_method => 'md5',
+            auth_method => $pg_hba_auth_password_encryption,
+             order       => 101,
+         ;
+       }
+-- 
+2.34.1
+
--- a/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/series
+++ b/config/puppet-modules/puppetlabs-postgresql-8.0.0/debian/deb_folder/patches/series
@ -1 +1,2 @@
 0001-use-python3-psycopg2.patch
+0002-update-auth-encryption-method.patch