On 08/28/2012 03:52 PM, John Eckersberg wrote:
Mo Morsi <mmorsi(a)redhat.com> writes:
> ---
> recipes/aeolus/files/pg_hba-ssl.conf | 7 -------
> recipes/aeolus/files/pg_hba.conf | 4 ----
> recipes/aeolus/manifests/conductor.pp | 23 ++++++++---------------
> recipes/postgres/manifests/server.pp | 4 +---
> recipes/postgres/manifests/user.pp | 12 ++++++------
> 5 files changed, 15 insertions(+), 35 deletions(-)
> delete mode 100644 recipes/aeolus/files/pg_hba-ssl.conf
> delete mode 100644 recipes/aeolus/files/pg_hba.conf
>
> diff --git a/recipes/aeolus/files/pg_hba-ssl.conf
b/recipes/aeolus/files/pg_hba-ssl.conf
> deleted file mode 100644
> index 722867b..0000000
> --- a/recipes/aeolus/files/pg_hba-ssl.conf
> +++ /dev/null
> @@ -1,7 +0,0 @@
> -# we are still leaving Unix-domain sockets open, if we want to disable
> -# make sure to append "sslmode=require" and "-h localhost" to
all psql
> -# commands
> -local all all trust
> -hostssl all all 127.0.0.1/32 md5
> -hostssl all all ::1/128 md5
> -
> diff --git a/recipes/aeolus/files/pg_hba.conf b/recipes/aeolus/files/pg_hba.conf
> deleted file mode 100644
> index ef3f6f5..0000000
> --- a/recipes/aeolus/files/pg_hba.conf
> +++ /dev/null
> @@ -1,4 +0,0 @@
> -local all all trust
> -host all all 127.0.0.1 255.255.255.255 md5
> -host all all ::1/128 md5
> -
> diff --git a/recipes/aeolus/manifests/conductor.pp
b/recipes/aeolus/manifests/conductor.pp
> index 30882c3..9fb8a66 100644
> --- a/recipes/aeolus/manifests/conductor.pp
> +++ b/recipes/aeolus/manifests/conductor.pp
> @@ -96,37 +96,30 @@ class aeolus::conductor inherits aeolus {
> owner => 'postgres',
> group => 'postgres',
> notify => Service['postgresql'] }
> - file { "/var/lib/pgsql/data/pg_hba.conf":
> - source => "puppet:///modules/aeolus/pg_hba-ssl.conf",
> - require => Exec["pginitdb"],
> - owner => 'postgres',
> - group => 'postgres',
> - notify => Service['postgresql']}
> file { "/var/lib/pgsql/data/postgresql.conf":
> source => "puppet:///modules/aeolus/postgresql.conf",
> require => Exec["pginitdb"],
> owner => 'postgres',
> group => 'postgres',
> notify => Service['postgresql']}
> - } else {
> - file { "/var/lib/pgsql/data/pg_hba.conf":
> - source => "puppet:///modules/aeolus/pg_hba.conf",
> - require => Exec["pginitdb"],
> - owner => 'postgres',
> - group => 'postgres',
> - notify => Service['postgresql']}
> + }
> + exec{ "pgauthuser":
> + command => "/usr/bin/sed -i s/ident/md5/
/var/lib/pgsql/data/pg_hba.conf",
> + onlyif => '/bin/grep -q ident
/var/lib/pgsql/data/pg_hba.conf',
> + require => Exec["pginitdb"],
> + notify => Service["postgresql"]
> }
> postgres::user{"aeolus":
> password => "v23zj59an",
> roles => "CREATEDB",
> - require => [Service["postgresql"],
File["/var/lib/pgsql/data/pg_hba.conf"]] }
> + require => Service["postgresql"] }
>
>
> # Create aeolus database
> aeolus::rails::create::db{"create_aeolus_database":
> cwd => "/usr/share/aeolus-conductor",
> rails_env => "production",
> - require => [Postgres::User[aeolus],
Package['aeolus-conductor']] }
> + require => [Postgres::User[aeolus],
Exec['pgauthuser'], Package['aeolus-conductor']] }
> aeolus::rails::migrate::db{"migrate_aeolus_database":
> cwd => "/usr/share/aeolus-conductor",
> rails_env => "production",
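Review bot: The `pgauthuser` exec's `s/ident/md5/` is unanchored and non-global, so it rewrites the first "ident" substring on any line of pg_hba.conf, comments included, while the `onlyif` grep keeps matching any "ident" left behind; a line carrying the word twice (I cannot see the file postgresql-setup lays down, but its comments commonly mention the method names) would make the exec, and the postgresql restart it notifies, fire on every Puppet run. Restricting both expressions to the auth-method column of non-comment lines avoids that: `command => "/usr/bin/sed -i -E 's/^([^#].*[[:space:]])ident[[:space:]]*\$/\\1md5/' /var/lib/pgsql/data/pg_hba.conf"` and `onlyif => "/bin/grep -qE '^[^#].*[[:space:]]ident[[:space:]]*\$' /var/lib/pgsql/data/pg_hba.conf"`. A comment above the exec stating that it only hardens the distribution default written by pginitdb and is a no-op once md5 is in place would help the next reader. Separately, the context line `password => "v23zj59an"` leaves the aeolus database credential as a literal in the manifest; sourcing it from a class parameter or a generated secret would keep it out of the module source. The aeolus::conductor class starts and ends outside this hunk.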
> diff --git a/recipes/postgres/manifests/server.pp
b/recipes/postgres/manifests/server.pp
> index 09ea6d7..1bd4b28 100644
> --- a/recipes/postgres/manifests/server.pp
> +++ b/recipes/postgres/manifests/server.pp
> @@ -24,9 +24,7 @@ class postgres::server inherits postgres {
> }
>
> exec { "pginitdb":
> - command => "/usr/bin/initdb
--pgdata='/var/lib/pgsql/data' -E UTF8",
> - user => "postgres",
> - group => "postgres",
> + command => "/usr/bin/postgresql-setup initdb",
> creates => "/var/lib/pgsql/data/PG_VERSION",
> require => Package["postgresql-server"],
> notify => Service["postgresql"],
> diff --git a/recipes/postgres/manifests/user.pp b/recipes/postgres/manifests/user.pp
> index a910a2e..e767e1d 100644
> --- a/recipes/postgres/manifests/user.pp
> +++ b/recipes/postgres/manifests/user.pp
> @@ -2,13 +2,13 @@ define postgres::user($ensure='created',
$password="", $roles=""){
> case $ensure {
> 'created': {
> exec{"create_${name}_postgres_user":
> - unless => "/usr/bin/test `psql postgres postgres -P
tuples_only -c \"select count(*) from pg_user where
usename='${name}';\"` = \"1\"",
> - command => "/usr/bin/psql postgres postgres -c \
> - \"CREATE USER ${name} WITH PASSWORD
'${password}' ${roles}\""}}
> + unless => "/usr/bin/test `/usr/bin/su postgres -c \"psql
postgres postgres -P tuples_only -c \\\"select count(*) from pg_user where
usename='${name}';\\\"\"` = \"1\"",
> + command => "/usr/bin/su postgres -c \"/usr/bin/psql
postgres postgres -c \
> + \\\"CREATE USER ${name} WITH PASSWORD
'${password}' ${roles}\\\"\""}}
> 'dropped': {
> exec{"drop_${name}_postgres_user":
> - onlyif => "/usr/bin/test `psql postgres postgres -P
tuples_only -c \"select count(*) from pg_user where
usename='${name}';\"` = \"1\"",
> - command => "/usr/bin/psql postgres postgres -c \
> - \"DROP USER ${name}\""}}
> + onlyif => "/usr/bin/test `/usr/bin/su postgres -c \"psql
postgres postgres -P tuples_only -c \\\"select count(*) from pg_user where
usename='${name}';\\\"\"` = \"1\"",
> + command => "/usr/bin/su postgres -c \"/usr/bin/psql
postgres postgres -c \
> + \\\"DROP USER ${name}\\\"\""}}
> }
> }
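Review bot: The `CREATE USER ... WITH PASSWORD '${password}'` statement is still passed as a command-line argument, now through `su -c`, so the password is visible to every local user in the process list for the duration of the call and, if the exec fails, is likely echoed in Puppet's error message. Writing the statement to a postgres-owned file (a `file` resource with `mode => '0600'`) and running `/usr/bin/su postgres -c "/usr/bin/psql postgres postgres -f <sql-file-path>"` keeps it out of argv; the `unless` query carries no secret and can stay as is. The triple-escaped quoting also means a `${password}` or `${roles}` value containing `'` or `"` breaks both the shell command and the SQL, which deserves a comment on the define saying these parameters must be shell- and SQL-safe literals, since nothing here quotes them. The `postgres::user` define starts outside this hunk.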
> --
> 1.7.10.2
On existing installs, running aeolus-configure after applying this patch
does not fix the existing problem. In this case, the existing
pg_hba.conf stays in place (as laid down by previous run(s) of
configure) and that file still contains the 'local all all trust' bit.
On a clean installation, this works as described.
I don't know if the intention is to retroactively fix "bad"
installs or not. If not, then ACK, as this works fine in the clean
install case.
Pushed this patch and just sent a follow up adding another hba
modification tightening up any instances of 'trust'. This should take
care of both the new / old cases.
If you had the cycles to look at it, I would appreciate it.
-Mo