On 08/28/2012 03:52 PM, John Eckersberg wrote: > Mo Morsi <[email protected]> writes: >> --- >> recipes/aeolus/files/pg_hba-ssl.conf | 7 ------- >> recipes/aeolus/files/pg_hba.conf | 4 ---- >> recipes/aeolus/manifests/conductor.pp | 23 ++++++++--------------- >> recipes/postgres/manifests/server.pp | 4 +--- >> recipes/postgres/manifests/user.pp | 12 ++++++------ >> 5 files changed, 15 insertions(+), 35 deletions(-) >> delete mode 100644 recipes/aeolus/files/pg_hba-ssl.conf >> delete mode 100644 recipes/aeolus/files/pg_hba.conf >> >> diff --git a/recipes/aeolus/files/pg_hba-ssl.conf >> b/recipes/aeolus/files/pg_hba-ssl.conf >> deleted file mode 100644 >> index 722867b..0000000 >> --- a/recipes/aeolus/files/pg_hba-ssl.conf >> +++ /dev/null >> @@ -1,7 +0,0 @@ >> -# we are still leaving Unix-domain sockets open, if we want to disable >> -# make sure to append "sslmode=require" and "-h localhost" to all psql >> -# commands >> -local all all trust >> -hostssl all all 127.0.0.1/32 md5 >> -hostssl all all ::1/128 md5 >> - >> diff --git a/recipes/aeolus/files/pg_hba.conf >> b/recipes/aeolus/files/pg_hba.conf >> deleted file mode 100644 >> index ef3f6f5..0000000 >> --- a/recipes/aeolus/files/pg_hba.conf >> +++ /dev/null >> @@ -1,4 +0,0 @@ >> -local all all trust >> -host all all 127.0.0.1 255.255.255.255 md5 >> -host all all ::1/128 md5 >> - >> diff --git a/recipes/aeolus/manifests/conductor.pp >> b/recipes/aeolus/manifests/conductor.pp >> index 30882c3..9fb8a66 100644 >> --- a/recipes/aeolus/manifests/conductor.pp >> +++ b/recipes/aeolus/manifests/conductor.pp 
>> @@ -96,37 +96,30 @@ class aeolus::conductor inherits aeolus { >> owner => 'postgres', >> group => 'postgres', >> notify => Service['postgresql'] } >> - file { "/var/lib/pgsql/data/pg_hba.conf": >> - source => "puppet:///modules/aeolus/pg_hba-ssl.conf", >> - require => Exec["pginitdb"], >> - owner => 'postgres', >> - group => 'postgres', >> - notify => Service['postgresql']} >> file { "/var/lib/pgsql/data/postgresql.conf": >> source => "puppet:///modules/aeolus/postgresql.conf", >> require => Exec["pginitdb"], >> owner => 'postgres', >> group => 'postgres', >> notify => Service['postgresql']} >> - } else { >> - file { "/var/lib/pgsql/data/pg_hba.conf": >> - source => "puppet:///modules/aeolus/pg_hba.conf", >> - require => Exec["pginitdb"], >> - owner => 'postgres', >> - group => 'postgres', >> - notify => Service['postgresql']} >> + } >> + exec{ "pgauthuser": >> + command => "/usr/bin/sed -i s/ident/md5/ >> /var/lib/pgsql/data/pg_hba.conf", >> + onlyif => '/bin/grep -q ident /var/lib/pgsql/data/pg_hba.conf', >> + require => Exec["pginitdb"], >> + notify => Service["postgresql"] >> } >> postgres::user{"aeolus": >> password => "v23zj59an", >> roles => "CREATEDB", >> - require => [Service["postgresql"], >> File["/var/lib/pgsql/data/pg_hba.conf"]] } >> + require => Service["postgresql"] } >> >> >> # Create aeolus database >> aeolus::rails::create::db{"create_aeolus_database": >> cwd => "/usr/share/aeolus-conductor", >> rails_env => "production", >> - require => [Postgres::User[aeolus], >> Package['aeolus-conductor']] } >> + require => [Postgres::User[aeolus], Exec['pgauthuser'], >> Package['aeolus-conductor']] } >> aeolus::rails::migrate::db{"migrate_aeolus_database": >> cwd => "/usr/share/aeolus-conductor", >> rails_env => "production", >> diff --git a/recipes/postgres/manifests/server.pp >> b/recipes/postgres/manifests/server.pp >> index 09ea6d7..1bd4b28 100644 >> --- a/recipes/postgres/manifests/server.pp >> +++ b/recipes/postgres/manifests/server.pp 
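Review bot: The `pgauthuser` exec rewrites the first occurrence of the bare word `ident` on every line of pg_hba.conf, and its `onlyif` greps for the same bare word, so neither is anchored to the METHOD column: the word also appears in the stock file's header comments (as far as I recall), and any line that mentions it more than once keeps a match behind, so the exec and its `notify => Service["postgresql"]` (a restart) would fire on every run. Anchoring both to the end of a non-comment line, e.g. `command => "/usr/bin/sed -i '/^[^#]/s/ident[[:space:]]*$/md5/' /var/lib/pgsql/data/pg_hba.conf"` and `onlyif => '/bin/grep -qE "^[^#].*ident[[:space:]]*$" /var/lib/pgsql/data/pg_hba.conf'`, keeps it idempotent and limits it to authentication entries. The `postgres::user{"aeolus"}` resource this hunk rewires still carries a literal password in the manifest; a generated or externally supplied value would keep that credential out of version control. The enclosing `aeolus::conductor` class body continues past the end of the hunk.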
>> @@ -24,9 +24,7 @@ class postgres::server inherits postgres { >> } >> >> exec { "pginitdb": >> - command => "/usr/bin/initdb --pgdata='/var/lib/pgsql/data' >> -E UTF8", >> - user => "postgres", >> - group => "postgres", >> + command => "/usr/bin/postgresql-setup initdb", >> creates => "/var/lib/pgsql/data/PG_VERSION", >> require => Package["postgresql-server"], >> notify => Service["postgresql"], >> diff --git a/recipes/postgres/manifests/user.pp >> b/recipes/postgres/manifests/user.pp >> index a910a2e..e767e1d 100644 >> --- a/recipes/postgres/manifests/user.pp >> +++ b/recipes/postgres/manifests/user.pp 
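Review bot: Switching the `pginitdb` command to `/usr/bin/postgresql-setup initdb` drops the explicit `-E UTF8`, so the cluster encoding now follows whatever initdb derives from the locale of the Puppet run; under a C/POSIX locale, common for non-interactive runs, that is likely to be SQL_ASCII rather than UTF8, which the Rails application may not expect. If the installed postgresql-setup honors `PGSETUP_INITDB_OPTIONS`, adding `environment => 'PGSETUP_INITDB_OPTIONS=-E UTF8'` to this exec restores the previous behaviour; otherwise a comment stating the intended encoding would be appropriate. The exec also no longer runs as `postgres`; a short comment such as `# postgresql-setup drops privileges itself, so no user/group here` would record why the `user`/`group` parameters were removed. The exec declaration continues beyond the end of the hunk.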
>> @@ -2,13 +2,13 @@ define postgres::user($ensure='created', $password="", >> $roles=""){ >> case $ensure { >> 'created': { >> exec{"create_${name}_postgres_user": >> - unless => "/usr/bin/test `psql postgres postgres -P >> tuples_only -c \"select count(*) from pg_user where usename='${name}';\"` = >> \"1\"", >> - command => "/usr/bin/psql postgres postgres -c \ >> - \"CREATE USER ${name} WITH PASSWORD '${password}' >> ${roles}\""}} >> + unless => "/usr/bin/test `/usr/bin/su postgres -c \"psql >> postgres postgres -P tuples_only -c \\\"select count(*) from pg_user where >> usename='${name}';\\\"\"` = \"1\"", >> + command => "/usr/bin/su postgres -c \"/usr/bin/psql postgres >> postgres -c \ >> + \\\"CREATE USER ${name} WITH PASSWORD >> '${password}' ${roles}\\\"\""}} >> 'dropped': { >> exec{"drop_${name}_postgres_user": >> - onlyif => "/usr/bin/test `psql postgres postgres -P >> tuples_only -c \"select count(*) from pg_user where usename='${name}';\"` = >> \"1\"", >> - command => "/usr/bin/psql postgres postgres -c \ >> - \"DROP USER ${name}\""}} >> + onlyif => "/usr/bin/test `/usr/bin/su postgres -c \"psql >> postgres postgres -P tuples_only -c \\\"select count(*) from pg_user where >> usename='${name}';\\\"\"` = \"1\"", >> + command => "/usr/bin/su postgres -c \"/usr/bin/psql postgres >> postgres -c \ >> + \\\"DROP USER ${name}\\\"\""}} >> } >> } >> -- >> 1.7.10.2 > On existing installs, running aeolus-configure after applying this patch > does not fix the existing problem. In this case, the existing > pg_hba.conf stays in place (as laid down by previous run(s) of > configure) and that file still contains the 'local all all trust' bit. > > On a clean installation, this works as described. > > I don't know if the intention is to try and retroactively fix "bad" > installs or not. If not, then ACK, as this works fine in the clean > install case.
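Review bot: Wrapping the `psql` invocations in `/usr/bin/su postgres -c "..."` adds a third layer of quoting around `${name}`, `${password}` and `${roles}`, which are interpolated verbatim into shell and SQL in both the `create_${name}_postgres_user` and `drop_${name}_postgres_user` execs; a password or role name containing a quote, backslash or `$` will either break the command or be expanded by the shell, and the plaintext password is exposed in the process list while the command runs and may appear in Puppet's failure output. Using the exec's own `user => 'postgres'` parameter instead of `su -c` would remove one quoting layer; if `su` is required here (for example for the environment it sets up), a comment saying so would help the next reader. Feeding the CREATE USER statement to psql on stdin or from a mode-0600 file, rather than on the command line, would keep the password out of `ps`.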
Pushed this patch and just sent a follow-up patch adding another hba modification tightening up any instances of 'trust'. This should take care of both the new / old cases. If you had the cycles to look at it, I would appreciate it. -Mo
