863a4b80de
Discussed in https://tickets.puppetlabs.com/browse/MODULES-1869. It seems environment variables passed via `exec`'s `environment` parameter must not be single-quoted; otherwise the single quotes are interpreted literally in the command strings in `command` and `unless`. For a postgres password of `foobar`, this leads to the `unless` code trying to use literally `'foobar'` as the password, and the `psql` line in `command` setting literally `'$$foobar$$'` as the password.
# PRIVATE CLASS: do not call directly
#
# Sets the password of the database role named by $postgresql::server::user
# when $postgresql::server::postgres_password is defined; declares nothing
# otherwise.
class postgresql::server::passwd {
  $postgres_password = $postgresql::server::postgres_password
  $user              = $postgresql::server::user
  $group             = $postgresql::server::group
  $psql_path         = $postgresql::server::psql_path
  $port              = $postgresql::server::port

  if $postgres_password != undef {
    # Precondition: pg_hba.conf must let the postgres system user connect
    # through psql without a password ('ident' or 'trust' security), which is
    # the pg_hba.conf default. The ALTER ROLE below depends on that.
    $escaped = postgresql_escape($postgres_password)

    exec { 'set_postgres_postgrespw':
      path        => '/usr/bin:/usr/local/bin:/bin',
      cwd         => '/tmp',
      # Running as the postgres system user is what lets `command` connect
      # without supplying a password.
      user        => $user,
      group       => $group,
      # Both entries carry the password. Values are used as written, so they
      # must not be wrapped in quotes (MODULES-1869).
      # NOTE(review): the cleartext password ends up in the child process
      # environment and in the compiled catalog -- restrict who can read both.
      environment => [
        "PGPASSWORD=${postgres_password}",
        "NEWPASSWD_ESCAPED=${escaped}",
      ],
      # Idempotency guard: -h forces TCP authentication, which does require a
      # password, supplied through PGPASSWORD. Exit code 0 means the password
      # is already current, and `command` is then skipped.
      # NOTE(review): if pg_hba.conf trusts TCP connections from localhost,
      # this check would pass with any password and the password would never
      # be set -- confirm against how pg_hba.conf is managed.
      unless      => "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null",
      # The escaped `\$` stops Puppet from interpolating NEWPASSWD_ESCAPED, so
      # the password is not part of the command string itself; it is taken
      # from `environment` when the command runs.
      command     => "${psql_path} -c \"ALTER ROLE \\\"${user}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"",
      # NOTE(review): command output is logged; confirm that psql error text
      # cannot echo the statement together with the password.
      logoutput   => true,
    }
  }
}