Gehel has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/329328 )

Change subject: postgresql: Only set user password if different
......................................................................


postgresql: Only set user password if different

Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1
---
M modules/postgresql/manifests/user.pp
1 file changed, 4 insertions(+), 7 deletions(-)

Approvals:
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Gehel: Looks good to me, approved



diff --git a/modules/postgresql/manifests/user.pp 
b/modules/postgresql/manifests/user.pp
index ab6e75a..d704f59 100644
--- a/modules/postgresql/manifests/user.pp
+++ b/modules/postgresql/manifests/user.pp
@@ -58,18 +58,15 @@
             user    => 'postgres',
             unless  => $userexists,
         }
-        # This will set the password and attributes on every puppet run. We 
explicitly dont
-        # depend on anything to ensure consistency with configuration and that
-        # password is always the one defined
-        # NOTE: This has the potential of the password leaking by process
-        # listing tools like ps. Need to investigate better ways of setting the
-        # password .e.g. hashed with md5 in the manifest
+
         # This will not be run on a slave as it is read-only
         if $master {
+            $password_md5 = md5("${password}${user}")
+
             exec { "pass_set-${name}":
                 command   => $pass_set,
                 user      => 'postgres',
-                onlyif    => $userexists,
+                onlyif    => "/usr/bin/test -n \"\$(/usr/bin/psql -Atc 
\"SELECT 1 FROM pg_shadow WHERE usename = '${user}' AND passwd <> 
'md5${password_md5}';\")\"",
                 subscribe => Exec["create_user-${name}"],
             }
         }
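
Review bot: In the new onlyif, the test `passwd <> 'md5${password_md5}'` is never true for a role whose pg_shadow.passwd is NULL, because a comparison with NULL yields NULL and the row is filtered out; a user that exists without a password would then never get one set. `passwd IS DISTINCT FROM 'md5${password_md5}'` covers that case. The deleted NOTE about leakage through process listings also still looks relevant: `command => $pass_set` is unchanged in this hunk, and the onlyif now puts the md5 hash on the `psql -Atc` command line, which with md5 authentication is password-equivalent, so it would be worth keeping a comment to that effect or feeding the query to psql on stdin. Separately, `${user}` is interpolated inside both the shell and the SQL quoting, so a user name containing a quote character would break the check.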

-- 
To view, visit https://gerrit.wikimedia.org/r/329328
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Gehel <guillaume.leder...@wikimedia.org>
Gerrit-Reviewer: MaxSem <maxsem.w...@gmail.com>
Gerrit-Reviewer: Tim Landscheidt <t...@tim-landscheidt.de>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
