
Commit 3db204c

Merge pull request #400 from deric/scram-sha
Support scram-sha-256 password_encryption method
2 parents 13585ee + e3c0f4d commit 3db204c


6 files changed

+40
-4
lines changed

6 files changed

+40
-4
lines changed

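--- a/manifests/database/postgresql.pp
+++ b/manifests/database/postgresql.pp
@@ -65,6 +65,11 @@
 # `manage_database` is set to `true`, it will use the value of the `database_host`
 # parameter. This option is supported in PuppetDB >= 1.6.
 #
+# @param password_sensitive
+# Whether password should be of Datatype Sensitive[String]
+# @param password_encryption
+# PostgreSQL password authentication method, either `md5` or `scram-sha-256`
+#
 class puppetdb::database::postgresql (
 $listen_addresses = $puppetdb::params::database_host,
 $puppetdb_server = $puppetdb::params::puppetdb_server,
@@ -82,7 +87,9 @@
 $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
 $read_database_username = $puppetdb::params::read_database_username,
 $read_database_password = $puppetdb::params::read_database_password,
-$read_database_host = $puppetdb::params::read_database_host
+$read_database_host = $puppetdb::params::read_database_host,
+Boolean $password_sensitive = false,
+Postgresql::Pg_password_encryption $password_encryption = $puppetdb::params::password_encryption,
 ) inherits puppetdb::params {
 $port = scanf($database_port, '%i')[0]
 
@@ -96,6 +103,7 @@
 ip_mask_allow_all_users => '0.0.0.0/0',
 listen_addresses => $listen_addresses,
 port => $port,
+password_encryption => $password_encryption,
 }
 
 # We need to create the ssl connection for the read user, when
@@ -166,9 +174,11 @@
 -> puppetdb::database::read_only_user { $read_database_username:
 read_database_username => $read_database_username,
 database_name => $database_name,
-password_hash => postgresql::postgresql_password($read_database_username, $read_database_password),
+password_hash => postgresql::postgresql_password(
+$read_database_username, $read_database_password, $password_sensitive, $password_encryption),
 database_owner => $database_username,
 database_port => $port,
+password_encryption => $password_encryption,
 }
 
 -> postgresql_psql { "grant ${read_database_username} role to ${database_username}":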
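Review bot: The `@param password_sensitive` description in the first hunk ("Whether password should be of Datatype Sensitive[String]") does not match what the class does with it: the class never wraps `$read_database_password` itself, it only forwards the flag to `postgresql::postgresql_password` in the last hunk, and the value that ends up typed `Sensitive[String]` is the resulting hash handed to `puppetdb::database::read_only_user`. I would reword it to `#   Whether the password hash passed to the read-only role is wrapped in Sensitive[String] (keeps it out of reports and logs)`. Only the read-only user's hash is updated here; if the main database user's password is hashed elsewhere in this class (outside these hunks) it presumably needs the same `$password_sensitive, $password_encryption` arguments, otherwise the two roles end up with different hash formats. The body of `puppetdb::database::postgresql` continues outside the hunk.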

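--- a/manifests/database/read_only_user.pp
+++ b/manifests/database/read_only_user.pp
@@ -13,18 +13,22 @@
 # The user which owns the database (i.e. the migration user for the database).
 # @param password_hash
 # The value of $_database_password in app_database.
+# @param password_encryption
+# The hash method for postgresql password, since PostgreSQL 14 default is `scram-sha-256`.
 #
 # @api private
 define puppetdb::database::read_only_user (
 String $read_database_username,
 String $database_name,
 String $database_owner,
-Variant[String, Boolean] $password_hash = false,
+Variant[String, Boolean, Sensitive[String]] $password_hash = false,
 Optional[Stdlib::Port] $database_port = undef,
+Optional[Postgresql::Pg_password_encryption] $password_encryption = undef,
 ) {
 postgresql::server::role { $read_database_username:
 password_hash => $password_hash,
 port => $database_port,
+hash => $password_encryption,
 }
 
 -> postgresql::server::database_grant { "${database_name} grant connection permission to ${read_database_username}":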
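Review bot: The widened type `Variant[String, Boolean, Sensitive[String]] $password_hash` is not reflected in the `@param password_hash` doc a few lines above, which still only says "The value of $_database_password in app_database." and gives no hint that a `Sensitive` value is now accepted or what `false` means. I would replace it with `#   Pre-hashed password for the role (String or Sensitive[String]); `false` leaves the password unmanaged.` The new `@param password_encryption` doc should also say what `undef` does, since the parameter defaults to it: presumably `hash => undef` lets `postgresql::server::role` fall back to the postgresql module's own default, but that is worth stating explicitly, e.g. `#   Leave undef to use the postgresql module default.` The define's body continues outside the hunk.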

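--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -342,6 +342,9 @@
 # @param java_bin
 # java binary path for PuppetDB. If undef, default will be used.
 #
+# @param postgresql_password_encryption
+# PostgreSQL password authentication method, either `md5` or `scram-sha-256`
+#
 class puppetdb (
 $listen_address = $puppetdb::params::listen_address,
 $listen_port = $puppetdb::params::listen_port,
@@ -424,6 +427,7 @@
 Boolean $automatic_dlo_cleanup = $puppetdb::params::automatic_dlo_cleanup,
 String[1] $cleanup_timer_interval = $puppetdb::params::cleanup_timer_interval,
 Integer[1] $dlo_max_age = $puppetdb::params::dlo_max_age,
+Postgresql::Pg_password_encryption $postgresql_password_encryption = $puppetdb::params::password_encryption,
 Optional[Stdlib::Absolutepath] $java_bin = $puppetdb::params::java_bin,
 ) inherits puppetdb::params {
 class { 'puppetdb::server':
@@ -528,6 +532,7 @@
 read_database_username => $read_database_username,
 read_database_password => $read_database_password,
 read_database_host => $read_database_host,
+password_encryption => $postgresql_password_encryption,
 before => $database_before,
 }
 }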
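Review bot: Only `password_encryption` is threaded through to `puppetdb::database::postgresql` in the third hunk; the `password_sensitive` flag that the same pull request adds to that class is not exposed on the top-level `puppetdb` class, so users of the documented entry point cannot opt in to keeping the role's password hash out of reports (unless it is wired somewhere outside these hunks). Adding `Boolean $postgresql_password_sensitive = false,` next to the new parameter in the second hunk and `password_sensitive => $postgresql_password_sensitive,` next to the new line in the third hunk would close that gap. As a naming point, the parameter is `postgresql_password_encryption` here but `password_encryption` in `puppetdb::params` and in the database class; a one-line `@param` remark noting the mapping would help readers grepping for it. The `puppetdb` class body spans well beyond these hunks.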

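--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -42,6 +42,7 @@
 $database_validate = true
 $database_max_pool_size = undef
 $puppetdb_server = fact('networking.fqdn')
+$password_encryption = 'scram-sha-256'
 
 # These settings manage the various auto-deactivation and auto-purge settings
 $node_ttl = '7d'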
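Review bot: The new default `$password_encryption = 'scram-sha-256'` is a behaviour change for existing installs that were implicitly on `md5`, and `scram-sha-256` is only available on PostgreSQL 10 and later, yet the line carries no comment saying so. I would add `# SCRAM needs PostgreSQL >= 10; set 'md5' for older servers` on the line above, and mention the changed default in the changelog so operators on older servers know to override it before upgrading the module. Whether an existing md5 role is transparently re-hashed on the next run depends on `postgresql::server::role`, which I cannot see from here; worth confirming and noting.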

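--- a/metadata.json
+++ b/metadata.json
@@ -14,7 +14,7 @@
 },
 {
 "name": "puppetlabs/postgresql",
-"version_requirement": ">= 6.5.0 < 11.0.0"
+"version_requirement": ">= 9.2.0 < 11.0.0"
 },
 {
 "name": "puppetlabs/firewall",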

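--- a/spec/unit/classes/init_spec.rb
+++ b/spec/unit/classes/init_spec.rb
@@ -67,6 +67,22 @@ class { 'postgresql::server':
 end
 end
 
+context 'with password encryption' do
+let :params do
+{
+postgresql_password_encryption: 'md5',
+}
+end
+
+it do
+is_expected.to contain_postgresql__server__pg_hba_rule('allow access to all users for instance main')
+.with_type('host')
+.with_database('all')
+.with_user('all')
+.with_auth_method('md5')
+end
+end
+
 context 'when using ssl certificates' do
 let(:params) do
 {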
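Review bot: The new context only asserts the pg_hba `auth_method` for the explicit `md5` override; nothing pins the new default (`scram-sha-256`) nor that the read-only role is declared with a matching `hash`, so a regression in either would pass this suite. A second example without params asserting `.with_auth_method('scram-sha-256')`, plus one checking `contain_postgresql__server__role(...)` with `.with_hash('md5')` in this context, would cover the paths the manifests actually change. On style, the new `let :params do` is inconsistent with the `let(:params) do` used by the neighbouring context at the end of the hunk; use `let(:params) do`. The enclosing `describe` block starts before the hunk.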
