ALTER ROLE query always runs #216

lieutdan13 opened this issue Jul 22, 2013 · 2 comments
@lieutdan13

This issue stems from puppetlabs/puppetlabs-puppetdb#72

Every time I run postgresql::db class with a password, the "ALTER ROLE" query always runs. Per a comment by @jtopjian in the issue in the puppetdb project puppetlabs/puppetlabs-puppetdb#72 (comment) :

See line 82 of postgresql/manifests/role.pp:

The unless is trying to verify user puppetdb exists with a passwd of $password_hash. $password_hash is simply the unhashed password passed down by the puppetdb module -- no hashing is ever done.

If the unless query is modified to:

unless => "SELECT usename FROM pg_shadow WHERE usename='${username}' and passwd = 'md5' || md5('${password_hash}' || '${username}')"

Then everything works.

mlehner616 added a commit to mlehner616/puppetlabs-postgresql that referenced this issue Jul 25, 2013
…be run every time the puppet agent runs. This should fix that. Fixes puppetlabs#216
kbarber added a commit to kbarber/puppetlabs-postgresql that referenced this issue Aug 1, 2013
…words

The postgresql::role defined type was not idempotent when passed cleartext
passwords. This is because we were comparing it with its md5 equivalent in
the db.

This patch converts any cleartext passwords to md5 before comparison, but
only if they are cleartext (i.e. not starting with md5).

I also bumped the version of rspec-system-puppet to get use of the refresh
method, plus did some cleanup because the old tests were a bit dusty, again
taking advantage of refresh plus changing some matchers for clarity.

Signed-off-by: Ken Barber <ken@bob.sh>
@kbarber
Contributor

kbarber commented Aug 1, 2013

The PR in #225 adapts @mlehner616's approach, instead moving the md5 process to puppet. It also only hashes for comparison if the string seems not to be md5.

This keeps the code backwards compatible, but fixes the issue at the same time.

apenney pushed a commit that referenced this issue Aug 1, 2013
…not-idempotent

(GH-216) Alter role call not idempotent with cleartext passwords
@kbarber
Contributor

kbarber commented Aug 1, 2013

Fixed with #225.

@kbarber kbarber closed this as completed Aug 1, 2013
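
The comparison discussed in this thread, as an added Ruby example (not code from the module or from PR #225): it builds the `'md5' || md5(password || username)` value from the quoted query and shows why a cleartext password never matches the stored hash unless it is hashed first. All function names and sample values are hypothetical, and the strict "md5 plus 32 hex digits" test is an assumption that is narrower than the "starting with md5" check the commit message describes.

```ruby
require 'digest'

# PostgreSQL md5 password format, as in the query quoted in the issue:
#   'md5' || md5(password || username)
def pg_md5_hash(username, password)
  'md5' + Digest::MD5.hexdigest(password + username)
end

# Assumption (not the patch's check): a value counts as already hashed only
# if it is "md5" followed by exactly 32 lowercase hex digits. A bare prefix
# test would misclassify a cleartext password such as "md5cat".
def looks_like_pg_md5?(value)
  value.match?(/\Amd5[0-9a-f]{32}\z/)
end

# Hash cleartext for comparison; pass pre-hashed values through unchanged.
def comparable_hash(username, password_or_hash)
  looks_like_pg_md5?(password_or_hash) ? password_or_hash : pg_md5_hash(username, password_or_hash)
end

# Behaviour reported in the issue: cleartext compared directly with pg_shadow.passwd.
def naive_in_sync?(stored_passwd, supplied)
  stored_passwd == supplied
end

# Idempotent check: normalise the supplied value before comparing.
def in_sync?(stored_passwd, username, supplied)
  stored_passwd == comparable_hash(username, supplied)
end

# Constructed sample data standing in for a pg_shadow row.
SAMPLE_USER = 'puppetdb'
SAMPLE_PASSWORD = 'example-password'
SAMPLE_STORED = pg_md5_hash(SAMPLE_USER, SAMPLE_PASSWORD)

# false means the "unless" guard fails and ALTER ROLE would run again.
def demo
  {
    naive_cleartext: naive_in_sync?(SAMPLE_STORED, SAMPLE_PASSWORD),
    fixed_cleartext: in_sync?(SAMPLE_STORED, SAMPLE_USER, SAMPLE_PASSWORD),
    fixed_prehashed: in_sync?(SAMPLE_STORED, SAMPLE_USER, SAMPLE_STORED),
    fixed_changed: in_sync?(SAMPLE_STORED, SAMPLE_USER, 'rotated-password'),
    md5_prefixed_cleartext: in_sync?(pg_md5_hash(SAMPLE_USER, 'md5cat'), SAMPLE_USER, 'md5cat')
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```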