From e4b68e9ad62bc55f9d941874bc3af97c01e4bc61 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 16 May 2020 09:06:42 +0900 Subject: [PATCH] Generate password hash from password Currently openstacklib only accepts password_hash instead of password for db credentials, thus we should implement hashing process in each modules, with including puppet-mysql and puppet-postgresql. This patch migrates that hash generation to puppet-openstacklib, so that all logics related to db is gathered in one module. In addition, because postgresql_password function was deprecated in favor of postgresql::postgresql_password in puppet-postgresql 6.5.0[1], this patch also deals with that deprecation. [1] https://github.com/puppetlabs/puppetlabs-postgresql/commit/700d2c5bb54b7ea91d518de96e2c7a22318d0afa Change-Id: I898d31e88188bfd3476412a37f48fc918122a98a --- manifests/db/mysql.pp | 26 +++++++++++--- manifests/db/postgresql.pp | 36 ++++++++++++++----- metadata.json | 2 +- .../db-password_hash-1045114a36b6f292.yaml | 10 ++++++ spec/defines/openstacklib_db_mysql_spec.rb | 27 +++++++++----- .../openstacklib_db_postgresql_spec.rb | 15 ++++++-- 6 files changed, 92 insertions(+), 24 deletions(-) create mode 100644 releasenotes/notes/db-password_hash-1045114a36b6f292.yaml diff --git a/manifests/db/mysql.pp b/manifests/db/mysql.pp index 184eb8ee..1131d26c 100644 --- a/manifests/db/mysql.pp +++ b/manifests/db/mysql.pp @@ -4,8 +4,8 @@ # # == Parameters: # -# [*password_hash*] -# Password hash to use for the database user for this service; +# [*password*] +# Password to use for the database user for this service; # string; required # # [*plugin*] 
@@ -54,8 +54,14 @@ # The TLS options that the user will have # Defaults to ['NONE'] # +# DEPRECATED PARAMETERS +# +# [*password_hash*] +# Password hash to use for the database user for this service; +# string; optional; default to undef +# define openstacklib::db::mysql ( - $password_hash, + $password = undef, $plugin = undef, $dbname = $title, $user = $title, @@ -67,11 +73,23 @@ define openstacklib::db::mysql ( $create_user = true, $create_grant = true, $tls_options = ['NONE'], + # DEPRECATED PARAMETER + $password_hash = undef, ) { include mysql::server include mysql::client + if $password_hash != undef { + warning('The password_hash parameter was deprecated and will be removed +in a future release. Use password instead') + $password_hash_real = $password_hash + } elsif $password != undef { + $password_hash_real = mysql::password($password) + } else { + fail('password should be set') + } + mysql_database { $dbname: ensure => present, charset => $charset, @@ -88,7 +106,7 @@ define openstacklib::db::mysql ( openstacklib::db::mysql::host_access { $real_allowed_hosts: user => $user, plugin => $plugin, - password_hash => $password_hash, + password_hash => $password_hash_real, database => $dbname, privileges => $privileges, create_user => $create_user, diff --git a/manifests/db/postgresql.pp b/manifests/db/postgresql.pp index 52969e06..a7ddedf7 100644 --- a/manifests/db/postgresql.pp +++ b/manifests/db/postgresql.pp @@ -4,8 +4,8 @@ # # == Parameters: # -# [*password_hash*] -# Password hash to use for the database user for this service; +# [*password*] +# Password to use for the database user for this service; # string; required # # [*dbname*] 
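Review bot: In `manifests/db/mysql.pp`, the hunk at `@@ -67,11 +73,23 @@` makes the cleartext `$password` a parameter of every `openstacklib::db::mysql` resource, so it now lands in the compiled catalog, where this define previously carried only the hash. Consider accepting a `Sensitive` value if the `mysql::password` version in use supports it (not visible here), or at least document the exposure in the parameter comment, e.g. `# Cleartext; stored in the compiled catalog. password_hash takes precedence when both are set.` That precedence is otherwise signalled only by the deprecation warning, and the warning string is split across two source lines inside single quotes, so the logged message contains an embedded newline. The same points apply to the matching block in `manifests/db/postgresql.pp`.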
@@ -23,18 +23,36 @@ # [*privileges*] # Privileges given to the database user; # string or array of strings; optional; default to 'ALL' - +# +# DEPRECATED PARAMETERS +# +# [*password_hash*] +# Password hash to use for the database user for this service; +# string; required +# define openstacklib::db::postgresql ( - $password_hash, - $dbname = $title, - $user = $title, - $encoding = undef, - $privileges = 'ALL', + $password = undef, + $dbname = $title, + $user = $title, + $encoding = undef, + $privileges = 'ALL', + # DEPRECATED PARAMETERS + $password_hash = undef, ){ + if $password_hash != undef { + warning('The password_hash parameter was deprecated and will be removed +in a future release. Use password instead') + $password_hash_real = $password_hash + } elsif $password != undef { + $password_hash_real = postgresql::postgresql_password($user, $password) + } else { + fail('password should be set') + } + postgresql::server::db { $dbname: user => $user, - password => $password_hash, + password => $password_hash_real, encoding => $encoding, grant => $privileges, } diff --git a/metadata.json b/metadata.json index d3e52eff..34e8fb7d 100644 --- a/metadata.json +++ b/metadata.json @@ -23,7 +23,7 @@ }, { "name": "puppetlabs/postgresql", - "version_requirement": ">=5.10.0 <6.0.0" + "version_requirement": ">=6.4.0 <7.0.0" } ], "description": "Puppet module library to expose common functionality between OpenStack modules.", diff --git a/releasenotes/notes/db-password_hash-1045114a36b6f292.yaml b/releasenotes/notes/db-password_hash-1045114a36b6f292.yaml new file mode 100644 index 00000000..718265f5 --- /dev/null +++ b/releasenotes/notes/db-password_hash-1045114a36b6f292.yaml 
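Review bot: In `manifests/db/postgresql.pp`, the new DEPRECATED PARAMETERS comment still describes `password_hash` as `string; required`, although the signature now defaults it to `undef`; it should read `# string; optional; default to undef`, as the mysql.pp comment does. The spec for this define expects an `md5…` value, so the hash generated from `$user` and `$password` is PostgreSQL's MD5 form and is tied to the user name. That deserves a line in the parameter docs for deployments that enforce SCRAM authentication. The commit message cites puppetlabs-postgresql 6.5.0 for the function change while `metadata.json` sets the floor at `>=6.4.0`, so it is worth confirming that `postgresql::postgresql_password` exists in 6.4.0.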
@@ -0,0 +1,10 @@ +--- +deprecations: + - | + The ``password_hash`` parameter in ``openstacklib::db::mysql`` and + ``openstacklib::db::postgresql`` were deprecated and will be removed in + a future release. Use the ``password`` parameter instead, so that password + hash is generated from given user and password in puppet-openstacklib. +upgrade: + - | + Now this module requires puppetlabs-postgresql >= 6.4.0 . diff --git a/spec/defines/openstacklib_db_mysql_spec.rb b/spec/defines/openstacklib_db_mysql_spec.rb index 5be62420..44533d70 100644 --- a/spec/defines/openstacklib_db_mysql_spec.rb +++ b/spec/defines/openstacklib_db_mysql_spec.rb @@ -9,7 +9,7 @@ describe 'openstacklib::db::mysql' do let :required_params do { - :password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601' + :password => 'fooboozoo_default_password', } end @@ -90,7 +90,7 @@ describe 'openstacklib::db::mysql' do it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( :user => title, :plugin => params[:plugin], - :password_hash => params[:password_hash], + :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206', :database => title, :privileges => 'ALL', :create_user => true, @@ -107,7 +107,7 @@ describe 'openstacklib::db::mysql' do it { should contain_mysql_database(title).with_charset(params[:charset]) } end - context 'when omitting the required parameter password_hash' do + context 'when omitting the required parameter password' do let :params do {} end 
@@ -115,6 +115,17 @@ describe 'openstacklib::db::mysql' do it { should raise_error(Puppet::Error) } end + context 'when deprecated password_hash is used' do + let :params do + { :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206' } + end + + it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( + :user => title, + :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206', + )} + end + context 'when notifying other resources' do let :pre_condition do 'exec {"nova-db-sync":}' @@ -151,14 +162,14 @@ describe 'openstacklib::db::mysql' do it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( :user => title, :plugin => nil, - :password_hash => params[:password_hash], + :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206', :database => title )} it { should contain_openstacklib__db__mysql__host_access("#{title}_%").with( :user => title, :plugin => nil, - :password_hash => params[:password_hash], + :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206', :database => title )} end @@ -171,7 +182,7 @@ describe 'openstacklib::db::mysql' do it { should contain_openstacklib__db__mysql__host_access("#{title}_192.168.1.1").with( :user => title, :plugin => nil, - :password_hash => params[:password_hash], + :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206', :database => title )} end @@ -184,7 +195,7 @@ describe 'openstacklib::db::mysql' do it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( :user => title, :plugin => nil, - :password_hash => params[:password_hash], + :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206', :database => title )} end 
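Review bot: The new context `'when deprecated password_hash is used'` in `spec/defines/openstacklib_db_mysql_spec.rb` passes the same hash that the default password `'fooboozoo_default_password'` produces, so it cannot show which branch of the manifest supplied the value. Nothing here pins the case where both `password` and `password_hash` are given either. A context that sets both, with a `password_hash` that differs from the derived one, and asserts the supplied hash reaches `host_access` would lock in the `if`/`elsif` precedence. As a style point, the literal `'*3DDF34A86854A312A8E2C65B506E21C91800D206'` is repeated across several hunks of this file and could live in a single `let`.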
@@ -251,7 +262,7 @@ describe 'openstacklib::db::mysql' do it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with( :user => title, :plugin => nil, - :password_hash => params[:password_hash], + :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206', :database => title, :tls_options => ['SSL'], )} diff --git a/spec/defines/openstacklib_db_postgresql_spec.rb b/spec/defines/openstacklib_db_postgresql_spec.rb index 860316d6..725d4b26 100644 --- a/spec/defines/openstacklib_db_postgresql_spec.rb +++ b/spec/defines/openstacklib_db_postgresql_spec.rb @@ -5,7 +5,7 @@ describe 'openstacklib::db::postgresql' do let :required_params do { - :password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601' + :password => 'pw' } end @@ -21,7 +21,7 @@ describe 'openstacklib::db::postgresql' do it { should contain_postgresql__server__db(title).with( :user => title, - :password => params[:password_hash] + :password => 'md557ae0608fad632bf0155cb9502a6b454' )} end @@ -70,6 +70,17 @@ describe 'openstacklib::db::postgresql' do it { should contain_service('keystone').that_requires("Openstacklib::Db::Postgresql[keystone]") } end + + context 'when deprecated password_hash is used' do + let :params do + { :password_hash => 'md557ae0608fad632bf0155cb9502a6b454' } + end + + it { should contain_postgresql__server__db(title).with( + :user => title, + :password => 'md557ae0608fad632bf0155cb9502a6b454' + )} + end end on_supported_os({