[MediaWiki-commits] [Gerrit] operations/puppet[production]: postgresql: Only set user password if different
Gehel has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/329328 ) Change subject: postgresql: Only set user password if different .. postgresql: Only set user password if different Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1 --- M modules/postgresql/manifests/user.pp 1 file changed, 4 insertions(+), 7 deletions(-) Approvals: Alexandros Kosiaris: Looks good to me, but someone else must approve jenkins-bot: Verified Gehel: Looks good to me, approved diff --git a/modules/postgresql/manifests/user.pp b/modules/postgresql/manifests/user.pp index ab6e75a..d704f59 100644 --- a/modules/postgresql/manifests/user.pp +++ b/modules/postgresql/manifests/user.pp 
@@ -58,18 +58,15 @@ user=> 'postgres', unless => $userexists, } -# This will set the password and attributes on every puppet run. We explicitly dont -# depend on anything to ensure consistency with configuration and that -# password is always the one defined -# NOTE: This has the potential of the password leaking by process -# listing tools like ps. Need to investigate better ways of setting the -# password .e.g. hashed with md5 in the manifest + # This will not be run on a slave as it is read-only if $master { +$password_md5 = md5("${password}${user}") + exec { "pass_set-${name}": command => $pass_set, user => 'postgres', -onlyif=> $userexists, +onlyif=> "/usr/bin/test -n \"\$(/usr/bin/psql -Atc \"SELECT 1 FROM pg_shadow WHERE usename = '${user}' AND passwd <> 'md5${password_md5}';\")\"", subscribe => Exec["create_user-${name}"], } } -- To view, visit https://gerrit.wikimedia.org/r/329328 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1 Gerrit-PatchSet: 5 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Tim LandscheidtGerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: Filippo Giunchedi Gerrit-Reviewer: Gehel Gerrit-Reviewer: MaxSem Gerrit-Reviewer: Tim Landscheidt Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
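Review bot: in the new onlyif, the comparison passwd <> 'md5${password_md5}' evaluates to NULL, not true, when pg_shadow.passwd is NULL. For a role that has no password stored, the SELECT therefore returns no row, test -n fails, and pass_set-${name} is skipped. If create_user-${name} can leave the role without a password, write the condition as passwd IS DISTINCT FROM 'md5${password_md5}' so that a missing password counts as different. The check also assumes the stored value is in the md5 form ('md5' followed by the md5 of password concatenated with user), which is worth a one-line comment above $password_md5.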
[MediaWiki-commits] [Gerrit] operations/puppet[production]: postgresql: Only set user password if different
Hello Alexandros Kosiaris, I'd like you to do a code review. Please visit https://gerrit.wikimedia.org/r/329328 to review the following change. Change subject: postgresql: Only set user password if different .. postgresql: Only set user password if different Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1 --- M modules/postgresql/manifests/user.pp 1 file changed, 4 insertions(+), 7 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/28/329328/1 diff --git a/modules/postgresql/manifests/user.pp b/modules/postgresql/manifests/user.pp index 327fb74..10bcd14 100644 --- a/modules/postgresql/manifests/user.pp +++ b/modules/postgresql/manifests/user.pp 
@@ -58,18 +58,15 @@ user=> 'postgres', unless => $userexists, } -# This will set the password and attributes on every puppet run. We explicitly dont -# depend on anything to ensure consistency with configuration and that -# password is always the one defined -# NOTE: This has the potential of the password leaking by process -# listing tools like ps. Need to investigate better ways of setting the -# password .e.g. hashed with md5 in the manifest + # This will not be run on a slave as it is read-only if $master { +$password_md5 = md5("${password}${user}") + exec { "pass_set-${name}": command => $pass_set, user => 'postgres', -onlyif=> $userexists, +onlyif=> "/usr/bin/test -n \"\$(/usr/bin/psql -Atc \"SELECT 1 FROM pg_shadow WHERE usename = '${user}' AND passwd <> 'md5${password_md5}';\")\"", subscribe => Exec["create_user-${name}"], } } -- To view, visit https://gerrit.wikimedia.org/r/329328 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7c74cca5e978ab9d6073e1d2d5c028e7c072d3d1 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Tim LandscheidtGerrit-Reviewer: Alexandros Kosiaris ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
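Review bot: the deleted comment block also removes the NOTE that the password can leak through process listing tools like ps, yet command => $pass_set is unchanged in this hunk, so nothing visible here shows that the exposure is gone on the runs where the exec still fires. Keep that NOTE and drop only the sentences about setting the password on every puppet run. Separately, in the onlyif line ${user} is interpolated into a single-quoted SQL literal nested inside shell double quotes, so a user name containing a quote or a shell metacharacter would break the check; validate $user or document the constraint next to the exec.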