Alexandros Kosiaris has submitted this change and it was merged. Change subject: postgres: Allow to not set password for users if not on master ......................................................................
postgres: Allow to not set password for users if not on master That way we can use postgres::user on a slave. Use that in puppetdb Change-Id: I87a3d13eaacbbb7f1ce6c9c65fb7b4a6d8bda300
---
M hieradata/common/puppetmaster/puppetdb.yaml M modules/postgresql/manifests/user.pp M modules/puppetmaster/manifests/puppetdb/database.pp 3 files changed, 17 insertions(+), 7 deletions(-) Approvals: Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/hieradata/common/puppetmaster/puppetdb.yaml b/hieradata/common/puppetmaster/puppetdb.yaml
index 2c64fd1..973588f 100644
--- a/hieradata/common/puppetmaster/puppetdb.yaml
+++ b/hieradata/common/puppetmaster/puppetdb.yaml
@@ -4,13 +4,11 @@
 database: all
 password: "%{::puppetmaster::puppetdb::database::replication_pass}"
 cidr: 10.192.16.184/32
- pgversion: 9.4
 attrs: REPLICATION
 puppetdb@nihal-v4:
 user: puppetdb
 database: puppetdb
 password: "%{::puppetmaster::puppetdb::database::puppetdb_pass}"
 cidr: 10.192.16.184/32
- pgversion: 9.4
 master: nitrogen.eqiad.wmnet
 slaves: [nihal.codfw.wmnet]
diff --git a/modules/postgresql/manifests/user.pp b/modules/postgresql/manifests/user.pp
index 1877235..b72948f 100644
--- a/modules/postgresql/manifests/user.pp
+++ b/modules/postgresql/manifests/user.pp
@@ -37,6 +37,7 @@
 trusty => '9.3',
 },
 $attrs = '',
+ $master = true,
 $ensure = 'present'
 ) {
@@ -64,10 +65,13 @@
 # NOTE: This has the potential of the password leaking by process
 # listing tools like ps. Need to investigate better ways of setting the
 # password .e.g. hashed with md5 in the manifest
- exec { "pass_set-${name}":
- command => $pass_set,
- user => 'postgres',
- onlyif => $userexists,
+ # This will not be run on a slave as it is read-only
+ if $master {
+ exec { "pass_set-${name}":
+ command => $pass_set,
+ user => 'postgres',
+ onlyif => $userexists,
+ }
 }
 $changes = [
diff --git a/modules/puppetmaster/manifests/puppetdb/database.pp b/modules/puppetmaster/manifests/puppetdb/database.pp
index 2f6264b..139d5b4 100644
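Review bot: `$master` enters the parameter list of the define in the `@@ -37,6 +37,7 @@` hunk of modules/postgresql/manifests/user.pp with neither a type check nor a description. The define is instantiated from hiera data through `create_resources`, so a per-user entry could override the default with a quoted value such as `'false'`; that is a non-empty string, evaluates as true, and would still let `pass_set` run against a read-only replica. If stdlib is available in this tree, `validate_bool($master)` at the top of the body would reject such a value early. The define's header comment lies outside the hunk; it should gain a line along the lines of `# $master: set to false on a replica, in which case the password is not set by this define`.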
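Review bot: The `if $master` guard in the `@@ -64,10 +65,13 @@` hunk of modules/postgresql/manifests/user.pp wraps only `pass_set`, and the added comment does not say what becomes of the `password` argument on a replica. As far as the hunk shows, with `master => false` the value is never applied, so a password that differs from the one on the master is not reconciled there and the role keeps whatever it receives from the master (presumably through replication, which this page does not show). I would make that explicit in the comment, e.g. `# Skipped when $master is false: a replica is read-only, so the role's password has to come from the master`. The define's body starts and ends outside the hunk, so whether other resources that write to the database need the same guard cannot be checked from here.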
--- a/modules/puppetmaster/manifests/puppetdb/database.pp
+++ b/modules/puppetmaster/manifests/puppetdb/database.pp
@@ -13,6 +13,7 @@
 root_dir => '/srv/postgres',
 use_ssl => true,
 }
+ $on_master = true
 } else {
 $require_class = 'postgresql::slave'
 class { 'postgresql::slave':
@@ -22,11 +23,17 @@
 replication_pass => $replication_pass,
 use_ssl => true,
 }
+ $on_master = false
 }
 # Postgres replication and users
 $postgres_users = hiera('puppetmaster::puppetdb::postgres_users', undef)
 if $postgres_users {
- create_resources(postgresql::user, $postgres_users)
+ $postgres_users_defaults = {
+ pgversion => 9.4,
+ master => $on_master
+ }
+ create_resources(postgresql::user, $postgres_users,
+ $postgres_users_defaults)
 }
 # Create the puppetdb user for localhost
 # This works on every server and is used for read-only db lookups
@@ -37,6 +44,7 @@
 password => $puppetdb_pass,
 cidr => "${::main_ipaddress}/32",
 pgversion => '9.4',
+ master => $on_master,
 }
 # Create the database
-- To view, visit https://gerrit.wikimedia.org/r/311969 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I87a3d13eaacbbb7f1ce6c9c65fb7b4a6d8bda300 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
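Review bot: `pgversion => 9.4` in the new `$postgres_users_defaults` hash (hunk `@@ -22,11 +23,17 @@` of modules/puppetmaster/manifests/puppetdb/database.pp) is a bare literal, while the `postgresql::user` declaration in the `@@ -37,6 +44,7 @@` hunk of the same file passes `pgversion => '9.4'`. Depending on the parser in use, the bare form may be typed as a number rather than a string, so the two call paths can hand the define different types; quoting it keeps them identical: `pgversion => '9.4',`. A trailing comma after `master => $on_master` would also make later additions to the hash a one-line change. The enclosing class starts before and continues after the hunk.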