[MediaWiki-commits] [Gerrit] operations/puppet[production]: postgresql: Only set user password if different

2017-03-22 Thread Gehel (Code Review)
Gehel has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/329328 )

Change subject: postgresql: Only set user password if different
..


postgresql: Only set user password if different

Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1
---
M modules/postgresql/manifests/user.pp
1 file changed, 4 insertions(+), 7 deletions(-)

Approvals:
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Gehel: Looks good to me, approved



diff --git a/modules/postgresql/manifests/user.pp 
b/modules/postgresql/manifests/user.pp
index ab6e75a..d704f59 100644
--- a/modules/postgresql/manifests/user.pp
+++ b/modules/postgresql/manifests/user.pp
@@ -58,18 +58,15 @@
 user=> 'postgres',
 unless  => $userexists,
 }
-# This will set the password and attributes on every puppet run. We 
explicitly dont
-# depend on anything to ensure consistency with configuration and that
-# password is always the one defined
-# NOTE: This has the potential of the password leaking by process
-# listing tools like ps. Need to investigate better ways of setting the
-# password .e.g. hashed with md5 in the manifest
+
 # This will not be run on a slave as it is read-only
 if $master {
+$password_md5 = md5("${password}${user}")
+
 exec { "pass_set-${name}":
 command   => $pass_set,
 user  => 'postgres',
-onlyif=> $userexists,
+onlyif=> "/usr/bin/test -n \"\$(/usr/bin/psql -Atc 
\"SELECT 1 FROM pg_shadow WHERE usename = '${user}' AND passwd <> 
'md5${password_md5}';\")\"",
 subscribe => Exec["create_user-${name}"],
 }
 }
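
Review bot: the new onlyif on pass_set-${name} compares with `passwd <> 'md5${password_md5}'`, and that comparison evaluates to NULL, not true, when pg_shadow.passwd is NULL. A role that exists without any password therefore returns no row, `test -n` fails, and the password is never set. `passwd IS DISTINCT FROM 'md5${password_md5}'` covers the NULL case as well. The same line interpolates ${user} into a shell double-quoted string and an SQL literal at once, so it relies on role names never containing quote characters; validating $user or documenting that restriction in the manifest would make the assumption explicit.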

-- 
To view, visit https://gerrit.wikimedia.org/r/329328
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Tim Landscheidt 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: Filippo Giunchedi 
Gerrit-Reviewer: Gehel 
Gerrit-Reviewer: MaxSem 
Gerrit-Reviewer: Tim Landscheidt 
Gerrit-Reviewer: jenkins-bot <>

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] operations/puppet[production]: postgresql: Only set user password if different

2016-12-27 Thread Tim Landscheidt (Code Review)
Hello Alexandros Kosiaris,

I'd like you to do a code review.  Please visit

https://gerrit.wikimedia.org/r/329328

to review the following change.


Change subject: postgresql: Only set user password if different
..

postgresql: Only set user password if different

Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1
---
M modules/postgresql/manifests/user.pp
1 file changed, 4 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/28/329328/1

diff --git a/modules/postgresql/manifests/user.pp 
b/modules/postgresql/manifests/user.pp
index 327fb74..10bcd14 100644
--- a/modules/postgresql/manifests/user.pp
+++ b/modules/postgresql/manifests/user.pp
@@ -58,18 +58,15 @@
 user=> 'postgres',
 unless  => $userexists,
 }
-# This will set the password and attributes on every puppet run. We 
explicitly dont
-# depend on anything to ensure consistency with configuration and that
-# password is always the one defined
-# NOTE: This has the potential of the password leaking by process
-# listing tools like ps. Need to investigate better ways of setting the
-# password .e.g. hashed with md5 in the manifest
+
 # This will not be run on a slave as it is read-only
 if $master {
+$password_md5 = md5("${password}${user}")
+
 exec { "pass_set-${name}":
 command   => $pass_set,
 user  => 'postgres',
-onlyif=> $userexists,
+onlyif=> "/usr/bin/test -n \"\$(/usr/bin/psql -Atc 
\"SELECT 1 FROM pg_shadow WHERE usename = '${user}' AND passwd <> 
'md5${password_md5}';\")\"",
 subscribe => Exec["create_user-${name}"],
 }
 }
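
Review bot: the deleted NOTE about the password leaking through process listing tools is dropped without the concern being resolved. `command => $pass_set` is unchanged in this hunk, so the exposure that NOTE describes still occurs whenever the exec fires, and the new onlyif places `'md5${password_md5}'` in the psql argument list on every run on a master. That value is the stored md5 verifier for the role and should be handled as a credential, not as a harmless digest. Suggest keeping a shortened NOTE that says this, and feeding the query to psql on stdin or from a file readable only by postgres rather than through -c.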


Gerrit-MessageType: newchange
Gerrit-Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Tim Landscheidt 
Gerrit-Reviewer: Alexandros Kosiaris 
