diff --git a/REFERENCE.md b/REFERENCE.md
index f96f38e548..a0e6a924df 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -874,6 +874,7 @@ The following parameters are available in the `postgresql::server` class:
* [`manage_logdir`](#-postgresql--server--manage_logdir)
* [`manage_xlogdir`](#-postgresql--server--manage_xlogdir)
* [`password_encryption`](#-postgresql--server--password_encryption)
+* [`pg_hba_auth_password_encryption`](#-postgresql--server--pg_hba_auth_password_encryption)
* [`roles`](#-postgresql--server--roles)
* [`config_entries`](#-postgresql--server--config_entries)
* [`pg_hba_rules`](#-postgresql--server--pg_hba_rules)
@@ -1300,12 +1301,21 @@ Default value: `$postgresql::params::manage_xlogdir`
##### `password_encryption`
-Data type: `Optional[Postgresql::Pg_password_encryption]`
+Data type: `Postgresql::Pg_password_encryption`
Specify the type of encryption set for the password.
Default value: `$postgresql::params::password_encryption`
+##### `pg_hba_auth_password_encryption`
+
+Data type: `Optional[Postgresql::Pg_password_encryption]`
+
+Specify the type of encryption set for the password in pg_hba_conf,
+this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
+
+Default value: `undef`
+
##### `roles`
Data type: `Hash[String, Hash]`
@@ -2417,6 +2427,7 @@ The following parameters are available in the `postgresql::server::instance::con
* [`log_line_prefix`](#-postgresql--server--instance--config--log_line_prefix)
* [`timezone`](#-postgresql--server--instance--config--timezone)
* [`password_encryption`](#-postgresql--server--instance--config--password_encryption)
+* [`pg_hba_auth_password_encryption`](#-postgresql--server--instance--config--pg_hba_auth_password_encryption)
* [`extra_systemd_config`](#-postgresql--server--instance--config--extra_systemd_config)
##### `ip_mask_deny_postgres_user`
@@ -2633,12 +2644,21 @@ Default value: `$postgresql::server::timezone`
##### `password_encryption`
-Data type: `Optional[Postgresql::Pg_password_encryption]`
+Data type: `Postgresql::Pg_password_encryption`
Specify the type of encryption set for the password.
Default value: `$postgresql::server::password_encryption`
+##### `pg_hba_auth_password_encryption`
+
+Data type: `Optional[Postgresql::Pg_password_encryption]`
+
+Specify the type of encryption set for the password in pg_hba_conf,
+this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
+
+Default value: `$postgresql::server::pg_hba_auth_password_encryption`
+
##### `extra_systemd_config`
Data type: `Optional[String]`
@@ -4409,6 +4429,8 @@ Data type: `Optional[Optional[Postgresql::Pg_password_encryption]]`
Set type for password hash
+Default value comes from `postgresql::params::password_encryption` and changes based on the `postgresql::globals::version`.
+
##### `salt`
Data type: `Optional[Optional[Variant[String[1], Integer]]]`
diff --git a/lib/puppet/functions/postgresql/postgresql_password.rb b/lib/puppet/functions/postgresql/postgresql_password.rb
index 68be8b7374..ef899254da 100644
--- a/lib/puppet/functions/postgresql/postgresql_password.rb
+++ b/lib/puppet/functions/postgresql/postgresql_password.rb
@@ -13,6 +13,8 @@
# If the Postgresql-Passwordhash should be of Datatype Sensitive[String]
# @param hash
# Set type for password hash
+ #
+ # Default value comes from `postgresql::params::password_encryption` and changes based on the `postgresql::globals::version`.
# @param salt
# Use a specific salt value for scram-sha-256, default is username
#
@@ -27,7 +29,8 @@
return_type 'Variant[String, Sensitive[String]]'
end
- def default_impl(username, password, sensitive = false, hash = 'md5', salt = nil)
+ def default_impl(username, password, sensitive = false, hash = nil, salt = nil)
+ hash = call_function(:'postgresql::default', 'password_encryption') if hash.nil?
password = password.unwrap if password.respond_to?(:unwrap)
if password.is_a?(String) && password.match?(%r{^(md5[0-9a-f]{32}$|SCRAM-SHA-256\$)})
return Puppet::Pops::Types::PSensitiveType::Sensitive.new(password) if sensitive
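Review bot: The new `hash = call_function(:'postgresql::default', 'password_encryption') if hash.nil?` line changes what callers that omit `hash` get back: on a PostgreSQL 14+ version setting the function now produces a SCRAM-SHA-256 hash where it used to produce md5, so existing role passwords managed through this function will presumably be rewritten on the next run, and that should be stated in the upgrade notes, not only in the `@param hash` comment. The default is now resolved at compile time through `postgresql::params`, so the function silently depends on `postgresql::globals::version` being evaluable in the same catalog; a short comment above the line such as `# Resolve the default lazily so it tracks postgresql::globals::version (md5 < 14, scram-sha-256 >= 14)` would make that visible. REFERENCE.md shows the parameter as `Optional[Optional[Postgresql::Pg_password_encryption]]`, which suggests the dispatch block (outside this hunk) declares an `optional_param` with an already-`Optional` type; one `Optional` is enough. The body of `default_impl` continues past the end of the hunk.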
diff --git a/manifests/params.pp b/manifests/params.pp
index a6d3d6f370..3a64384fe9 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -25,7 +25,7 @@
$manage_selinux = pick($manage_selinux, false)
$package_ensure = 'present'
$module_workdir = pick($module_workdir,'/tmp')
- $password_encryption = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
+ $password_encryption = versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }
$extra_systemd_config = undef
$manage_datadir = true
$manage_logdir = true
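Review bot: The selector `versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }` picks md5 for every release below 14, including 10–13 which already support scram-sha-256, and nothing on the line records why 14 is the cut-off; a comment such as `# Match the upstream server default: PostgreSQL 14 switched password_encryption from md5 to scram-sha-256` would save the next reader from guessing. Because the default is no longer `undef` for older versions, `password_encryption = md5` will now presumably be written explicitly into postgresql.conf on those releases where the module previously left the server default untouched; that is harmless for 10–13 but worth a note in the changelog.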
diff --git a/manifests/server.pp b/manifests/server.pp
index fcd31bfce7..89d45fb7d5 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -96,7 +96,9 @@
# @param manage_logdir Set to false if you have file{ $logdir: } already defined
# @param manage_xlogdir Set to false if you have file{ $xlogdir: } already defined
# @param password_encryption Specify the type of encryption set for the password.
-#
+# @param pg_hba_auth_password_encryption
+# Specify the type of encryption set for the password in pg_hba_conf,
+# this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
# @param roles Specifies a hash from which to generate postgresql::server::role resources.
# @param config_entries Specifies a hash from which to generate postgresql::server::config_entry resources.
# @param pg_hba_rules Specifies a hash from which to generate postgresql::server::pg_hba_rule resources.
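Review bot: The new `@param pg_hba_auth_password_encryption` text does not say what happens when the parameter is left at its `undef` default, yet `postgresql::server::instance::config` falls back to `$password_encryption` for it; the doc should state that, e.g. `# When undef, the value of password_encryption is used, so on PostgreSQL >= 14 pg_hba.conf will require scram-sha-256 unless md5 is requested here explicitly.` The same wording also has the typo `usefull` → `useful`, which is repeated in the `postgresql::server::instance::config` header hunk and in both REFERENCE.md entries. The class parameter list this documents starts outside the hunk.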
@@ -178,7 +180,8 @@
Boolean $manage_datadir = $postgresql::params::manage_datadir,
Boolean $manage_logdir = $postgresql::params::manage_logdir,
Boolean $manage_xlogdir = $postgresql::params::manage_xlogdir,
- Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::params::password_encryption,
+ Postgresql::Pg_password_encryption $password_encryption = $postgresql::params::password_encryption,
+ Optional[Postgresql::Pg_password_encryption] $pg_hba_auth_password_encryption = undef,
Optional[String] $extra_systemd_config = $postgresql::params::extra_systemd_config,
Hash[String, Hash] $roles = {},
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
index 4b049a8a00..c35928163a 100644
--- a/manifests/server/instance/config.pp
+++ b/manifests/server/instance/config.pp
@@ -42,6 +42,9 @@
# @param log_line_prefix PostgreSQL log line prefix
# @param timezone Set timezone for the PostgreSQL instance
# @param password_encryption Specify the type of encryption set for the password.
+# @param pg_hba_auth_password_encryption
+# Specify the type of encryption set for the password in pg_hba_conf,
+# this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
# @param extra_systemd_config
# Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
define postgresql::server::instance::config (
@@ -70,9 +73,12 @@
Boolean $service_enable = $postgresql::server::service_enable,
Optional[String[1]] $log_line_prefix = $postgresql::server::log_line_prefix,
Optional[String[1]] $timezone = $postgresql::server::timezone,
- Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::server::password_encryption,
+ Postgresql::Pg_password_encryption $password_encryption = $postgresql::server::password_encryption,
+ Optional[Postgresql::Pg_password_encryption] $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption,
Optional[String] $extra_systemd_config = $postgresql::server::extra_systemd_config,
) {
+ $_pg_hba_auth_password_encryption = pick($pg_hba_auth_password_encryption,$password_encryption)
+
if ($manage_pg_hba_conf == true) {
# Prepare the main pg_hba file
concat { $pg_hba_conf_path:
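Review bot: `$_pg_hba_auth_password_encryption = pick($pg_hba_auth_password_encryption,$password_encryption)` means that on PostgreSQL 14+ with the defaults, the generated `pg_hba.conf` rules switch from `md5` to `scram-sha-256`; PostgreSQL accepts a SCRAM-stored password through an `md5` rule, but not an md5-stored password through a `scram-sha-256` rule, so any role whose password has not yet been re-hashed is locked out after this upgrade until `pg_hba_auth_password_encryption => 'md5'` is set. That lock-out path is the reason the transition parameter exists and deserves a comment right above the `pick` line, e.g. `# md5 rules still accept SCRAM hashes, the reverse is not true; keep md5 here while roles migrate`. The two later hunks in this file that replace the hard-coded `auth_method => 'md5'` inherit the same behaviour. As a style point, puppet-lint expects a space after the comma: `pick($pg_hba_auth_password_encryption, $password_encryption)`.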
@@ -105,7 +111,7 @@
type => 'host',
user => $user,
address => '127.0.0.1/32',
- auth_method => 'md5',
+ auth_method => $_pg_hba_auth_password_encryption,
order => 3;
"deny access to postgresql user for instance ${name}":
@@ -118,13 +124,13 @@
"allow access to all users for instance ${name}":
type => 'host',
address => $ip_mask_allow_all_users,
- auth_method => 'md5',
+ auth_method => $_pg_hba_auth_password_encryption,
order => 100;
"allow access to ipv6 localhost for instance ${name}":
type => 'host',
address => '::1/128',
- auth_method => 'md5',
+ auth_method => $_pg_hba_auth_password_encryption,
order => 101;
}
}
diff --git a/spec/acceptance/overridden_settings_spec.rb b/spec/acceptance/overridden_settings_spec.rb
index 74695a49e2..225f5c7a78 100644
--- a/spec/acceptance/overridden_settings_spec.rb
+++ b/spec/acceptance/overridden_settings_spec.rb
@@ -26,7 +26,7 @@ class { 'postgresql::server':
type => 'host',
database => 'mydb',
user => 'myuser',
- auth_method => 'md5',
+ auth_method => postgresql::default('password_encryption'),
address => '192.0.2.100/32',
},
},
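Review bot: Switching the fixture to `auth_method => postgresql::default('password_encryption')` keeps this test green on every version, but nothing in the diff exercises the new `pg_hba_auth_password_encryption` parameter or the md5-while-migrating scenario it is meant to support; an acceptance case that sets `password_encryption => 'scram-sha-256'` together with `pg_hba_auth_password_encryption => 'md5'` and checks the rendered pg_hba.conf would pin the fallback in `postgresql::server::instance::config`. The surrounding `class { 'postgresql::server': ... }` manifest starts and ends outside the hunk.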
diff --git a/spec/functions/postgresql_password_spec.rb b/spec/functions/postgresql_password_spec.rb
index 0cd765d6b8..1c75c9b6f8 100644
--- a/spec/functions/postgresql_password_spec.rb
+++ b/spec/functions/postgresql_password_spec.rb
@@ -3,5 +3,7 @@
require 'spec_helper'
describe 'postgresql_password' do
+ include_examples 'Ubuntu 18.04'
+
it_behaves_like 'postgresql_password function'
end
diff --git a/spec/functions/postgresql_postgresql_password_spec.rb b/spec/functions/postgresql_postgresql_password_spec.rb
index d70feaf15b..d66e5afea9 100644
--- a/spec/functions/postgresql_postgresql_password_spec.rb
+++ b/spec/functions/postgresql_postgresql_password_spec.rb
@@ -3,5 +3,7 @@
require 'spec_helper'
describe 'postgresql::postgresql_password' do
+ include_examples 'Ubuntu 18.04'
+
it_behaves_like 'postgresql_password function'
end