diff --git a/manifests/params.pp b/manifests/params.pp
index a6d3d6f370..3a64384fe9 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -25,7 +25,7 @@
 $manage_selinux = pick($manage_selinux, false)
 $package_ensure = 'present'
 $module_workdir = pick($module_workdir,'/tmp')
- $password_encryption = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
+ $password_encryption = versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }
 $extra_systemd_config = undef
 $manage_datadir = true
 $manage_logdir = true
diff --git a/manifests/server.pp b/manifests/server.pp
index fcd31bfce7..89d45fb7d5 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -96,7 +96,9 @@
 # @param manage_logdir Set to false if you have file{ $logdir: } already defined
 # @param manage_xlogdir Set to false if you have file{ $xlogdir: } already defined
 # @param password_encryption Specify the type of encryption set for the password.
-#
+# @param pg_hba_auth_password_encryption
+# Specify the type of encryption set for the password in pg_hba_conf,
+# this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param roles Specifies a hash from which to generate postgresql::server::role resources.
 # @param config_entries Specifies a hash from which to generate postgresql::server::config_entry resources.
 # @param pg_hba_rules Specifies a hash from which to generate postgresql::server::pg_hba_rule resources. 
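Review bot: The new default in the params.pp hunk still selects `md5` for every PostgreSQL release below 14, although SCRAM password storage and authentication exist since PostgreSQL 10, so supported 10–13 servers keep a hash scheme in which possession of the stored md5 value is enough to answer the authentication challenge and which is cheap to crack offline. If keeping the old behaviour on those releases is deliberate, a comment saying so would help; otherwise `$password_encryption = versioncmp($version, '10') ? { -1 => 'md5', default => 'scram-sha-256' }` moves the cutover to the first SCRAM-capable release, at the cost of requiring SCRAM-aware client libraries there. Note also that the selector now always yields a value where the old expression returned `undef` for pre-14 versions, so anything that treated an unset `password_encryption` as "leave the setting alone" will now get `md5` written explicitly; that deserves a changelog line.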
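Review bot: The added @param text for `pg_hba_auth_password_encryption` in the server.pp hunk says it is "the type of encryption set for the password", but the value ends up in the auth_method column of pg_hba.conf, and the text never states which combination actually yields the promised transition (it also misspells "useful"). Suggested wording: `# @param pg_hba_auth_password_encryption` / `#   Authentication method written into the module-managed pg_hba.conf rules (md5 or scram-sha-256); falls back to $password_encryption.` / `#   Set it to 'md5' while password_encryption is 'scram-sha-256' so roles whose stored hash is still md5 keep working until they rotate; the reverse combination rejects md5-hashed roles.` The fallback claim should be checked against the define that consumes the value, since only the parameter declaration is visible here.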
@@ -178,7 +180,8 @@
 Boolean $manage_datadir = $postgresql::params::manage_datadir,
 Boolean $manage_logdir = $postgresql::params::manage_logdir,
 Boolean $manage_xlogdir = $postgresql::params::manage_xlogdir,
- Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::params::password_encryption,
+ Postgresql::Pg_password_encryption $password_encryption = $postgresql::params::password_encryption,
+ Optional[Postgresql::Pg_password_encryption] $pg_hba_auth_password_encryption = undef,
 Optional[String] $extra_systemd_config = $postgresql::params::extra_systemd_config,
 Hash[String, Hash] $roles = {},
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
index 4b049a8a00..f801d89e36 100644
--- a/manifests/server/instance/config.pp
+++ b/manifests/server/instance/config.pp
@@ -42,6 +42,9 @@
 # @param log_line_prefix PostgreSQL log line prefix
 # @param timezone Set timezone for the PostgreSQL instance
 # @param password_encryption Specify the type of encryption set for the password.
+# @param pg_hba_auth_password_encryption
+# Specify the type of encryption set for the password in pg_hba_conf,
+# this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param extra_systemd_config
 # Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
 define postgresql::server::instance::config (
@@ -70,9 +73,16 @@
 Boolean $service_enable = $postgresql::server::service_enable,
 Optional[String[1]] $log_line_prefix = $postgresql::server::log_line_prefix,
 Optional[String[1]] $timezone = $postgresql::server::timezone,
- Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::server::password_encryption,
+ Postgresql::Pg_password_encryption $password_encryption = $postgresql::server::password_encryption,
+ Optional[Postgresql::Pg_password_encryption] $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption,
 Optional[String] $extra_systemd_config = $postgresql::server::extra_systemd_config,
 ) {
+ if $pg_hba_auth_password_encryption {
+ $override_pg_hba_auth_password_encryption = $pg_hba_auth_password_encryption
+ } else {
+ $override_pg_hba_auth_password_encryption = $password_encryption
+ }
+
 if ($manage_pg_hba_conf == true) {
 # Prepare the main pg_hba file
 concat { $pg_hba_conf_path:
@@ -105,7 +115,7 @@
 type => 'host',
 user => $user,
 address => '127.0.0.1/32',
- auth_method => 'md5',
+ auth_method => $password_encryption,
 order => 3;
 "deny access to postgresql user for instance ${name}":
@@ -118,13 +128,13 @@
 "allow access to all users for instance ${name}":
 type => 'host',
 address => $ip_mask_allow_all_users,
- auth_method => 'md5',
+ auth_method => $password_encryption,
 order => 100;
 "allow access to ipv6 localhost for instance ${name}":
 type => 'host',
 address => '::1/128',
- auth_method => 'md5',
+ auth_method => $password_encryption,
 order => 101;
 }
 }
diff --git a/spec/acceptance/overridden_settings_spec.rb b/spec/acceptance/overridden_settings_spec.rb
index 74695a49e2..eef9563fbb 100644
--- a/spec/acceptance/overridden_settings_spec.rb
+++ b/spec/acceptance/overridden_settings_spec.rb
@@ -11,6 +11,7 @@
 let(:pp) do
 <<-MANIFEST
+ $auth_method = $facts['os']['release']['major'] ? { '7' => 'md5', default => 'scram-sha-256'}
 class { 'postgresql::server':
 roles => {
 'testusername' => {
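Review bot: `$override_pg_hba_auth_password_encryption`, computed in the new if/else directly after the parameter list, is not referenced in any hunk of this define; the three managed `pg_hba_rule` entries changed further down use `$password_encryption` instead, so as committed `pg_hba_auth_password_encryption` is accepted and then ignored. The rule entries should consume the override, and the selection itself can be collapsed to `$override_pg_hba_auth_password_encryption = pick($pg_hba_auth_password_encryption, $password_encryption)`, the same `pick()` idiom params.pp already uses, which avoids the truthiness test on a typed string. The body of `postgresql::server::instance::config` continues past the hunk, so a use of the variable outside the visible lines cannot be ruled out, but the rules shown here are the ones the parameter was documented for.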
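Review bot: Replacing the literal `md5` on the 127.0.0.1/32 rule with `$password_encryption` ties the pg_hba.conf auth method directly to how new password hashes are stored, which is precisely the coupling the new `pg_hba_auth_password_encryption` parameter was introduced to break; the line should read `auth_method => $override_pg_hba_auth_password_encryption,`. The coupling has an operational security consequence: on an existing server whose roles still carry md5 hashes, setting `password_encryption` to `scram-sha-256` now also writes `scram-sha-256` into pg_hba.conf, and PostgreSQL rejects md5-hashed roles under that method, so every such role is locked out until its password is re-set, whereas the `md5` method negotiates SCRAM automatically for SCRAM-stored passwords. A one-line comment on the rule, e.g. `# auth method is decoupled from password_encryption so md5-hashed roles keep working during a SCRAM migration`, would record that intent for the next reader.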
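Review bot: The added `$auth_method` selector in the spec keys on `$facts['os']['release']['major']` being `'7'`, while the module default it is meant to track (params.pp) keys on the PostgreSQL version via `versioncmp($version, '14')`; the test therefore assumes that only EL7 installs a release older than 14. On any other platform that still ships 13 or earlier (Debian 11, for instance) the manifest would write a `scram-sha-256` pg_hba rule for a role that the module hashes with md5, and the run would fail on authentication rather than on the behaviour under test. Mirroring the module's selector, e.g. `$auth_method = versioncmp($postgresql::params::version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }` placed after the class is declared, would keep the two in step; the exact expression depends on evaluation order in the heredoc, which continues beyond the hunk.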
@@ -26,7 +27,7 @@ class { 'postgresql::server':
 type => 'host',
 database => 'mydb',
 user => 'myuser',
- auth_method => 'md5',
+ auth_method => $auth_method,
 address => '192.0.2.100/32',
 },
 },