Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mdd psql user aws fix #23988

Merged
merged 9 commits into from
Jul 7, 2017
Merged

Mdd psql user aws fix #23988

merged 9 commits into from
Jul 7, 2017

Conversation

michael-dev2rights
Copy link

SUMMARY

This is an attempt to fix Ansible Bug #18933 - make postgresql user creation work on Amazon RDS instances. It has worked on our internal branch based off Ansible stable 2.3 and has been cherry picked to devel for upstream inclusion into the project.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

posgresql_user module

ANSIBLE VERSION
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/mikedd/dev/ansible/ansible-add-modules/library']
  ansible python module location = /home/mikedd/dev/ansible/ansible-add-modules/lib/ansible
  executable location = /home/mikedd/dev/ansible/ansible-add-modules/bin/ansible
  python version = 2.7.12 (default, Jul  1 2016, 15:12:24) [GCC 5.4.0 20160609]
ADDITIONAL INFORMATION

Not yet nearly fully tested.

@ansibot
Copy link
Contributor

ansibot commented Apr 25, 2017

The test ansible-test sanity --test pep8 failed with the following error:

test/sanity/pep8/legacy-files.txt:406:1: A201 Remove "lib/ansible/modules/database/postgresql/postgresql_user.py" since it passes the current rule set

click here for bot help

@ansibot
Copy link
Contributor

ansibot commented Apr 25, 2017

cc @nerzhul
click here for bot help

@ansibot ansibot added affects_2.4 This issue/PR affects Ansible v2.4 bugfix_pull_request ci_verified Changes made in this PR are causing tests to fail. module This issue/PR relates to a module. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. needs_triage Needs a first human triage before being processed. labels Apr 25, 2017
@michael-dev2rights michael-dev2rights mentioned this pull request Apr 25, 2017
Closed
@ansibot ansibot added test_pull_requests and removed ci_verified Changes made in this PR are causing tests to fail. labels Apr 25, 2017
@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Apr 25, 2017
@gundalow gundalow removed the needs_triage Needs a first human triage before being processed. label Apr 26, 2017
@gundalow
Copy link
Contributor

You wrote:

Not yet nearly fully tested.
What other testing needs to be done?

@michael-dev2rights
Copy link
Author

@gundalow

  1. someone should run the existing integration tests; probably after ensuring that they include user creation by this module and database changes via another module using that user.
  2. preferably, someone should write an integration test case which
  • creates an Amazon RDS with a database set up on it;
  • creates a user on that database via this module
  • does something to the database
  • changes the user's password
  • does something to the database with the new password (also fails with old??)
  • repeats the operation that changed the password with the same password (expected state on RDS is changed even though password won't actualy have changed)
  • does something to the database

@michael-dev2rights
Copy link
Author

Beyond that it would be nice to have unit test cases but the refactoring I started should be continued with extreme prejudice, including converting all SQL string statements to prepared statements.

@nerzhul
Copy link
Contributor

nerzhul commented Apr 27, 2017

Hello,
Warning if you refactor i have a pending PR on the module which adds IN_ROLE support (i use it at work to create nested developers groups on schemas)

nerzhul
nerzhul suggested changes Apr 27, 2017
View reviewed changes
lib/ansible/modules/database/postgresql/postgresql_user.py Outdated
# different
return True

if password == current_role_attrs['rolpassword']:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just return password != current_role_attrs['rolpassword']

lib/ansible/modules/database/postgresql/postgresql_user.py Outdated
if encrypted == 'ENCRYPTED' and not password.startswith('md5'):
try:
from passlib.hash import postgres_md5 as pm
if pm.encrypt(password, user) == current_role_attrs['rolpassword']:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just return pm.encrypt(password, user) != current_role_attrs['rolpassword']:

lib/ansible/modules/database/postgresql/postgresql_user.py Outdated

if encrypted == 'ENCRYPTED' and not password.startswith('md5'):
try:
from passlib.hash import postgres_md5 as pm
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please don't import here, import globally

lib/ansible/modules/database/postgresql/postgresql_user.py Outdated
# Do we actually need to do anything?

if encrypted == 'ENCRYPTED' and password.startswith('md5'):
if password == current_role_attrs['rolpassword']:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as others, return directly test

pilou-
pilou- reviewed Apr 27, 2017
View reviewed changes
Copy link
Contributor

@pilou- pilou- left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please, update the description of 'no_password_changes'.

lib/ansible/modules/database/postgresql/postgresql_user.py Outdated
# apparently port is automagically handled below; comment out to relieve
# flake8 error; delete when tests verify
#
# port = module.params["port"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the whole unused line (and the comments).

@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed community_review In order to be merged, this PR must follow the community review workflow. labels Apr 27, 2017
@ansibot ansibot added the needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html label May 11, 2017
@ansibot
Copy link
Contributor

ansibot commented Jun 13, 2017

cc @matburt
click here for bot help

@ansibot ansibot removed the needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html label Jun 15, 2017
@ansibot
Copy link
Contributor

ansibot commented Jun 15, 2017

The test ansible-test sanity --test pep8 failed with the following errors:

lib/ansible/modules/database/postgresql/postgresql_user.py:241:1: E303 too many blank lines (4)
lib/ansible/modules/database/postgresql/postgresql_user.py:676:1: E303 too many blank lines (3)

click here for bot help

@ansibot ansibot added the ci_verified Changes made in this PR are causing tests to fail. label Jun 15, 2017
@ansibot ansibot added the support:community This issue/PR relates to code supported by the Ansible community. label Jun 29, 2017
abadger
abadger reviewed Jun 30, 2017
View reviewed changes
lib/ansible/modules/database/postgresql/postgresql_user.py Outdated
except ImportError:
passlib_hash_found = False
else:
passlib_hash_found = True
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple style note, usually we import from stdlib, then from 3rd party libs, and then from ansible libs.

For setting whether passlib is found, you can do it like this to save a line:

try:
    from passlib.hash import postgres_md5 as pm
    passlib_hash_found = True
except ImportError:
    passlib_hash_found = False

Since passlib_hash_found is a toplevel constant, style-wise it should be all uppercase:
PASSLIB_HASH_FOUND

@abadger
Copy link
Contributor

abadger commented Jun 30, 2017

I found some style things but nothing important.

@nerzhul and @pilou- Does this change look good to you now? I'll merge when you think it's ready.

Also I see that #22613 currently needs to be rebased. Perhaps after this goes in, @nerzhul would rebase that and then @michael-dev2rights would care to review it. And then, when it's ready, one of you can ping me to merge that one too?

@ansibot ansibot added the stale_review Updates were made after the last review and the last review is more than 7 days old. label Jul 3, 2017
@pilou-
Copy link
Contributor

pilou- commented Jul 5, 2017
edited
Loading

@abadger I discussed about this PR with @michael-dev2rights during ansible fest (see), there is a problem (due to a complex rebase): passlib.hash import postgres_md5 must not be reintroduced, passlib.hash import postgres_md5 is sufficient.

@pilou-
Copy link
Contributor

pilou- commented Jul 6, 2017
edited
Loading

I added 2 commits (on a branch based on this one):

  • the first commit (pilou-@67193cb) adds a test, I checked the test fails on devel and succeed on this branch
  • the second one (pilou-@ec27231) contains some fixes

@abadger could you update this pull-request adding these two commits and then merge ?

mikedlr and others added 9 commits July 7, 2017 11:53
@mikedlr
postgresql_user - PEP8 and style fixes to make debugging easier
355cff9
@mikedlr
postgresql_user - move password changing logic to separate function
0039859
@mikedlr
postgresql_user - trap failure in case where there is no access to pg…
450e606 
…_authid
@mikedlr
postgresql_user module - transaction logic hacks to allow recovery fr…
9e28589 
…om failed select
@mikedlr
postgresql_user - further PEP8 fixes
0492abe
@mikedlr
postgresql_user - Simplify password change logic and improve imports …
ca05598 
…according to suggestions from PR review
@mikedlr
postgresql_user - Eliminate pep8/blank line errors introduced in merge
211ee55
@pilou- @mikedlr
Check behaviour when pg_authid relation isn't readable
46c0c0a 
TASK [postgresql : Normal user isn't allowed to access pg_authid relation:
      password comparison will fail, password will be updated] ***
An exception occurred during task execution. To see the full traceback,
use -vvv. The error was: psycopg2.ProgrammingError: permission denied
for relation pg_authid
@pilou- @mikedlr
Don't reintroduce passlib, remove useless query
103b0d9
@ansibot ansibot added support:core This issue/PR relates to code supported by the Ansible Engineering Team. and removed module This issue/PR relates to a module. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. stale_review Updates were made after the last review and the last review is more than 7 days old. labels Jul 7, 2017
@michael-dev2rights
Copy link
Author

@pilou- I merged your changes into this branch. Thanks.

@abadger I think we should merge this PR soon since it's a proper bug fix and now includes useful tests.

@nerzhul any objections?

@abadger abadger merged commit 3c4db1e into ansible:devel Jul 7, 2017
@abadger
Copy link
Contributor

abadger commented Jul 7, 2017

I've merged to devel (for 2.4.0). If @nerzhul pokes me on IRC we can decide whether to backport to 2.3.x as well.

@ansibot ansibot added bug This issue/PR relates to a bug. and removed bugfix_pull_request labels Mar 6, 2018
@dagwieers dagwieers added the postgresql PostgreSQL community label Jan 28, 2019
@dagwieers dagwieers added the database Database category label Feb 13, 2019
@ansible ansible locked and limited conversation to collaborators Apr 26, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@abadger abadger abadger left review comments

@pilou- pilou- pilou- left review comments

@nerzhul nerzhul nerzhul requested changes

Assignees
No one assigned
Labels
affects_2.4 This issue/PR affects Ansible v2.4 bug This issue/PR relates to a bug. database Database category needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. postgresql PostgreSQL community support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@michael-dev2rights @ansibot @gundalow @nerzhul @pilou- @abadger @dagwieers @mikedlr