On Thu, Jul 22, 2021 at 2:12 AM <lou...@ameritech.net> wrote:
>
> I've finally installed successfully ovirt 4.4.7 using the default
> installation. I would like to change the passwords for the following
> userids: postgres, engine database and data warehouse database. Can someone
> provide me with information regarding the files that contain the password to
> these items? I would also like to know the best way to change the passwords.

I assume that you refer to the passwords of the PostgreSQL users, not OS level ones.

'postgres' OS user IIRC has no password by default, and we keep it that way. You can only su to it from root.

'postgres' PG user does not have a password either, by default, and we also keep this one that way. By default, which we don't change, you can only connect to it using OS user postgres - that's the following line in cat /var/lib/pgsql/data/pg_hba.conf :

    local all all peer

(This is true since oVirt 3.3. In the distant past, I think until 3.1, we did create a password also for user postgres).

So we are left with 2 DBs (engine and history) and 3 PG users (by default): 'engine', 'ovirt_engine_history' and 'ovirt_engine_history_grafana' (used for grafana, has only read-only access), and you want to change the passwords for these.

First, let me note that the standard way to _affect_ them (not change in retrospect) is during engine-setup - when asked about DB credentials, reply either 'Remote' or 'Local'/'Manual', and then you can create and supply whatever you want.

One way to change the passwords after engine-setup, using more-or-less fully-documented-and-supported tools, is with engine-backup. You can take a backup using engine-backup, run engine-cleanup, then create PG DBs/users as you wish, and then restore with the options --change-db-credentials and --change-dwh-db-credentials. Check 'engine-backup --help' or 'man engine-backup' for details. I am not sure how well this works with grafana, though - if you try that and it does not, please file a bug. Thanks.

If you want to do this manually instead, doing the minimal amount of required changes, I do not think this is documented anywhere. Something like this probably works, but I didn't try it:

1. If it's a hosted-engine, set global maintenance.

2. Stop relevant services - ovirt-engine, ovirt-engine-dwhd, grafana-server.

3. Change the passwords using psql - something like this should work:

    # su - postgres
    $ psql
    postgres=# alter role USER with login encrypted password 'NEWPASSWORD';

   Repeat this as needed, replacing USER and NEWPASSWORD as needed. Please note that the commands are also saved by default to /var/lib/pgsql/.psql_history - with access only to user postgres, by default.

4. Edit the relevant files/lines. You should be able to find all of them with something like:

    grep 'DB_PASSWORD=' /etc/ovirt-engine/engine.conf.d/*.conf /etc/ovirt-engine-dwh/ovirt-engine-dwhd.conf.d/*.conf
    grep 'password:' /etc/grafana/conf/provisioning/datasources/ovirt-dwh.yaml

   Please note that the passwords appear in more than one file - both engine and dwh need access to both DBs, so have them in their conf. Alternatively to editing the files in-place, you can add your own files to override the items you want, see README files in the respective directories. This is slightly more complex if you set up dwh on a separate machine, but in principle it's the same - just repeat this also on the dwh machine.

5. Start the services you stopped and verify that all looks ok.

6. Exit global maintenance if set.

One thing I specifically do not know is if this is enough for grafana. If it's not, you have two options, mainly:

1. If you need the existing grafana DB (which includes mainly users and passwords), you'll have to search the net about how to update the password for its data sources.

2. Otherwise, you can stop grafana, remove/rename the db - in /var/lib/grafana/grafana.db - and start it. It should automatically provision a new DB.

Also note that engine-setup keeps hashes of all the files it writes, so manually editing the files as above will make the relevant tools notice - engine-setup just logs in the log file, ovirt-engine-rename and engine-cleanup will also prompt.

Best regards,
--
Didi
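
The file audit implied by step 4 of the reply above, as an added example that is not part of the original message or of oVirt's own tooling: it lists every file and line that stores a DB password with the value hidden, and reports which of those files are readable by other users. The root-prefix argument, the sample file names and the sample values are assumptions made up for the demo.

```bash
#!/bin/bash
# Added example (not from the original message). The argument is a hypothetical
# root prefix so the audit can be tried on a copy of the config tree; call the
# functions with no argument to inspect the live files (as root).

# Print file:line:KEY for every stored DB password, with the value hidden.
list_db_password_lines() {
    root="${1:-}"
    # Same patterns as the two grep commands in step 4 of the message.
    grep -n 'DB_PASSWORD=' \
        "$root"/etc/ovirt-engine/engine.conf.d/*.conf \
        "$root"/etc/ovirt-engine-dwh/ovirt-engine-dwhd.conf.d/*.conf \
        /dev/null 2>/dev/null | sed 's/\(DB_PASSWORD=\).*/\1<hidden>/'
    grep -n 'password:' \
        "$root"/etc/grafana/conf/provisioning/datasources/ovirt-dwh.yaml \
        /dev/null 2>/dev/null | sed 's/\(password:\).*/\1 <hidden>/'
}

# Of those files, print the ones whose mode lets "other" users read them.
world_readable_password_files() {
    list_db_password_lines "${1:-}" | cut -d: -f1 | sort -u |
    while IFS= read -r f; do
        find "$f" -perm -004 -print
    done
}

# Constructed sample tree: file names, keys, values and modes are made up.
make_sample_tree() {
    t=$(mktemp -d)
    e="$t/etc/ovirt-engine/engine.conf.d"
    d="$t/etc/ovirt-engine-dwh/ovirt-engine-dwhd.conf.d"
    g="$t/etc/grafana/conf/provisioning/datasources"
    mkdir -p "$e" "$d" "$g"
    printf 'ENGINE_DB_USER="engine"\nENGINE_DB_PASSWORD="old-secret-1"\n' > "$e/10-sample.conf"
    printf 'DWH_DB_PASSWORD="old-secret-2"\n' > "$e/20-sample.conf"
    printf 'DWH_DB_PASSWORD="old-secret-2"\nENGINE_DB_PASSWORD="old-secret-1"\n' > "$d/10-sample.conf"
    printf 'datasources:\n  - name: sample\n    password: old-secret-3\n' > "$g/ovirt-dwh.yaml"
    chmod 600 "$e"/*.conf "$d"/*.conf
    chmod 644 "$g/ovirt-dwh.yaml"
    echo "$t"
}

# Demo on the constructed tree.
demo=$(make_sample_tree)
list_db_password_lines "$demo"
world_readable_password_files "$demo"
rm -rf "$demo"
```

Because the values are masked, the output can be pasted into a change ticket as the checklist of lines to edit after the `alter role` step.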