Generate password hash from password
Currently openstacklib only accepts password_hash instead of password
for db credentials, so each module has to implement the hashing
process itself by including puppet-mysql and puppet-postgresql.
This patch migrates that hash generation to puppet-openstacklib, so
that all logic related to the db is gathered in one module.
In addition, because postgresql_password function was deprecated in
favor of postgresql::postgresql_password in puppet-postgresql
6.5.0[1], this patch also deals with that deprecation.
[1] 700d2c5bb5
Change-Id: I898d31e88188bfd3476412a37f48fc918122a98a
parent
79c976c98e
commit
e4b68e9ad6
@ -4,8 +4,8 @@
|
||||
#
|
||||
# == Parameters:
|
||||
#
|
||||
# [*password_hash*]
|
||||
# Password hash to use for the database user for this service;
|
||||
# [*password*]
|
||||
# Password to use for the database user for this service;
|
||||
# string; required
|
||||
#
|
||||
# [*plugin*]
|
||||
@ -54,8 +54,14 @@
|
||||
# The TLS options that the user will have
|
||||
# Defaults to ['NONE']
|
||||
#
|
||||
# DEPRECATED PARAMETERS
|
||||
#
|
||||
# [*password_hash*]
|
||||
# Password hash to use for the database user for this service;
|
||||
# string; optional; default to undef
|
||||
#
|
||||
define openstacklib::db::mysql (
|
||||
$password_hash,
|
||||
$password = undef,
|
||||
$plugin = undef,
|
||||
$dbname = $title,
|
||||
$user = $title,
|
||||
@ -67,11 +73,23 @@ define openstacklib::db::mysql (
|
||||
$create_user = true,
|
||||
$create_grant = true,
|
||||
$tls_options = ['NONE'],
|
||||
# DEPRECATED PARAMETER
|
||||
$password_hash = undef,
|
||||
) {
|
||||
|
||||
include mysql::server
|
||||
include mysql::client
|
||||
|
||||
if $password_hash != undef {
|
||||
warning('The password_hash parameter was deprecated and will be removed
|
||||
in a future release. Use password instead')
|
||||
$password_hash_real = $password_hash
|
||||
} elsif $password != undef {
|
||||
$password_hash_real = mysql::password($password)
|
||||
} else {
|
||||
fail('password should be set')
|
||||
}
|
||||
|
||||
mysql_database { $dbname:
|
||||
ensure => present,
|
||||
charset => $charset,
|
||||
@ -88,7 +106,7 @@ define openstacklib::db::mysql (
|
||||
openstacklib::db::mysql::host_access { $real_allowed_hosts:
|
||||
user => $user,
|
||||
plugin => $plugin,
|
||||
password_hash => $password_hash,
|
||||
password_hash => $password_hash_real,
|
||||
database => $dbname,
|
||||
privileges => $privileges,
|
||||
create_user => $create_user,
|
||||
|
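Review bot: The hash built by `mysql::password($password)` in the new `elsif` branch is always in the mysql_native_password format (the spec expects a `*`-prefixed 40-hex value), yet `$plugin` is still forwarded unchanged to `openstacklib::db::mysql::host_access`. When a caller selects a different authentication plugin, the generated hash would presumably not be valid for it, and the only way to supply a matching hash is the `password_hash` parameter this change deprecates. Either document the limit under `[*password*]`, for example `# Hashed with mysql::password (mysql_native_password format); other plugins need a pre-computed hash`, or keep `password_hash` supported for that case. Separately, the `warning()` string literal spans two source lines, so the logged message carries the line break and any leading whitespace of the continuation line; the postgresql define has the same literal.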
@ -4,8 +4,8 @@
|
||||
#
|
||||
# == Parameters:
|
||||
#
|
||||
# [*password_hash*]
|
||||
# Password hash to use for the database user for this service;
|
||||
# [*password*]
|
||||
# Password to use for the database user for this service;
|
||||
# string; required
|
||||
#
|
||||
# [*dbname*]
|
||||
@ -23,18 +23,36 @@
|
||||
# [*privileges*]
|
||||
# Privileges given to the database user;
|
||||
# string or array of strings; optional; default to 'ALL'
|
||||
|
||||
#
|
||||
# DEPRECATED PARAMETERS
|
||||
#
|
||||
# [*password_hash*]
|
||||
# Password hash to use for the database user for this service;
|
||||
# string; required
|
||||
#
|
||||
define openstacklib::db::postgresql (
|
||||
$password_hash,
|
||||
$dbname = $title,
|
||||
$user = $title,
|
||||
$encoding = undef,
|
||||
$privileges = 'ALL',
|
||||
$password = undef,
|
||||
$dbname = $title,
|
||||
$user = $title,
|
||||
$encoding = undef,
|
||||
$privileges = 'ALL',
|
||||
# DEPRECATED PARAMETERS
|
||||
$password_hash = undef,
|
||||
){
|
||||
|
||||
if $password_hash != undef {
|
||||
warning('The password_hash parameter was deprecated and will be removed
|
||||
in a future release. Use password instead')
|
||||
$password_hash_real = $password_hash
|
||||
} elsif $password != undef {
|
||||
$password_hash_real = postgresql::postgresql_password($user, $password)
|
||||
} else {
|
||||
fail('password should be set')
|
||||
}
|
||||
|
||||
postgresql::server::db { $dbname:
|
||||
user => $user,
|
||||
password => $password_hash,
|
||||
password => $password_hash_real,
|
||||
encoding => $encoding,
|
||||
grant => $privileges,
|
||||
}
|
||||
|
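Review bot: The call `postgresql::postgresql_password($user, $password)` relies on the namespaced function, which the commit description ties to puppet-postgresql 6.5.0, while metadata.json and the release note in this commit declare `>=6.4.0`. If the function is not shipped in 6.4.0, a deployment pinned at the lower bound fails at catalog compilation; confirm which release introduced it and align the bound. Separately, `$password` is now a plain parameter of this define and of `openstacklib::db::mysql`, so the cleartext value is recorded in the compiled catalog for these resources, where this define previously received only the hash. Accepting a `Sensitive` value and unwrapping it only for the hashing call would limit that exposure.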
@ -23,7 +23,7 @@
|
||||
},
|
||||
{
|
||||
"name": "puppetlabs/postgresql",
|
||||
"version_requirement": ">=5.10.0 <6.0.0"
|
||||
"version_requirement": ">=6.4.0 <7.0.0"
|
||||
}
|
||||
],
|
||||
"description": "Puppet module library to expose common functionality between OpenStack modules.",
|
||||
|
10
releasenotes/notes/db-password_hash-1045114a36b6f292.yaml
Normal file
10
releasenotes/notes/db-password_hash-1045114a36b6f292.yaml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
deprecations:
|
||||
- |
|
||||
The ``password_hash`` parameter in ``openstacklib::db::mysql`` and
|
||||
``openstacklib::db::postgresql`` were deprecated and will be removed in
|
||||
a future release. Use the ``password`` parameter instead, so that password
|
||||
hash is generated from given user and password in puppet-openstacklib.
|
||||
upgrade:
|
||||
- |
|
||||
Now this module requires puppetlabs-postgresql >= 6.4.0 .
|
@ -9,7 +9,7 @@ describe 'openstacklib::db::mysql' do
|
||||
|
||||
let :required_params do
|
||||
{
|
||||
:password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601'
|
||||
:password => 'fooboozoo_default_password',
|
||||
}
|
||||
end
|
||||
|
||||
@ -90,7 +90,7 @@ describe 'openstacklib::db::mysql' do
|
||||
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
|
||||
:user => title,
|
||||
:plugin => params[:plugin],
|
||||
:password_hash => params[:password_hash],
|
||||
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
|
||||
:database => title,
|
||||
:privileges => 'ALL',
|
||||
:create_user => true,
|
||||
@ -107,7 +107,7 @@ describe 'openstacklib::db::mysql' do
|
||||
it { should contain_mysql_database(title).with_charset(params[:charset]) }
|
||||
end
|
||||
|
||||
context 'when omitting the required parameter password_hash' do
|
||||
context 'when omitting the required parameter password' do
|
||||
let :params do
|
||||
{}
|
||||
end
|
||||
@ -115,6 +115,17 @@ describe 'openstacklib::db::mysql' do
|
||||
it { should raise_error(Puppet::Error) }
|
||||
end
|
||||
|
||||
context 'when deprecated password_hash is used' do
|
||||
let :params do
|
||||
{ :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206' }
|
||||
end
|
||||
|
||||
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
|
||||
:user => title,
|
||||
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
|
||||
)}
|
||||
end
|
||||
|
||||
context 'when notifying other resources' do
|
||||
let :pre_condition do
|
||||
'exec {"nova-db-sync":}'
|
||||
@ -151,14 +162,14 @@ describe 'openstacklib::db::mysql' do
|
||||
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
|
||||
:user => title,
|
||||
:plugin => nil,
|
||||
:password_hash => params[:password_hash],
|
||||
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
|
||||
:database => title
|
||||
)}
|
||||
|
||||
it { should contain_openstacklib__db__mysql__host_access("#{title}_%").with(
|
||||
:user => title,
|
||||
:plugin => nil,
|
||||
:password_hash => params[:password_hash],
|
||||
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
|
||||
:database => title
|
||||
)}
|
||||
end
|
||||
@ -171,7 +182,7 @@ describe 'openstacklib::db::mysql' do
|
||||
it { should contain_openstacklib__db__mysql__host_access("#{title}_192.168.1.1").with(
|
||||
:user => title,
|
||||
:plugin => nil,
|
||||
:password_hash => params[:password_hash],
|
||||
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
|
||||
:database => title
|
||||
)}
|
||||
end
|
||||
@ -184,7 +195,7 @@ describe 'openstacklib::db::mysql' do
|
||||
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
|
||||
:user => title,
|
||||
:plugin => nil,
|
||||
:password_hash => params[:password_hash],
|
||||
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
|
||||
:database => title
|
||||
)}
|
||||
end
|
||||
@ -251,7 +262,7 @@ describe 'openstacklib::db::mysql' do
|
||||
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
|
||||
:user => title,
|
||||
:plugin => nil,
|
||||
:password_hash => params[:password_hash],
|
||||
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
|
||||
:database => title,
|
||||
:tls_options => ['SSL'],
|
||||
)}
|
||||
|
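Review bot: The new `when deprecated password_hash is used` context sets `password_hash` alone, so nothing pins the precedence when both `password` and `password_hash` are given, although the manifest lets `password_hash` win in that case. Add a context that passes both with a `password_hash` differing from the hash of the password, and assert that `host_access` receives the supplied hash. The postgresql spec has the same gap for `contain_postgresql__server__db`. The `describe` block starts and ends outside these hunks.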
@ -5,7 +5,7 @@ describe 'openstacklib::db::postgresql' do
|
||||
|
||||
let :required_params do
|
||||
{
|
||||
:password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601'
|
||||
:password => 'pw'
|
||||
}
|
||||
end
|
||||
|
||||
@ -21,7 +21,7 @@ describe 'openstacklib::db::postgresql' do
|
||||
|
||||
it { should contain_postgresql__server__db(title).with(
|
||||
:user => title,
|
||||
:password => params[:password_hash]
|
||||
:password => 'md557ae0608fad632bf0155cb9502a6b454'
|
||||
)}
|
||||
end
|
||||
|
||||
@ -70,6 +70,17 @@ describe 'openstacklib::db::postgresql' do
|
||||
|
||||
it { should contain_service('keystone').that_requires("Openstacklib::Db::Postgresql[keystone]") }
|
||||
end
|
||||
|
||||
context 'when deprecated password_hash is used' do
|
||||
let :params do
|
||||
{ :password_hash => 'md557ae0608fad632bf0155cb9502a6b454' }
|
||||
end
|
||||
|
||||
it { should contain_postgresql__server__db(title).with(
|
||||
:user => title,
|
||||
:password => 'md557ae0608fad632bf0155cb9502a6b454'
|
||||
)}
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
|