Generate password hash from password

Currently openstacklib only accepts password_hash instead of password for db credentials, thus we should implement hashing process in each modules, with including puppet-mysql and puppet-postgresql. This patch migrates that hash generation to puppet-openstacklib, so that all logics related to db is gathered in one module. In addition, because postgresql_password function was deprecated in favor of postgresql::postgresql_password in puppet-postgresql 6.5.0[1], this patch also deals with that deprecation. [1] 700d2c5bb5 Change-Id: I898d31e88188bfd3476412a37f48fc918122a98a
2020-05-16 09:06:42 +09:00 · 2020-05-16 09:06:42 +09:00 · e4b68e9ad6
commit e4b68e9ad6
parent 79c976c98e
6 changed files with 92 additions and 24 deletions
--- a/manifests/db/mysql.pp
+++ b/manifests/db/mysql.pp
@ -4,8 +4,8 @@
 #
 # == Parameters:
 #
-#  [*password_hash*]
+#  [*password*]
-#    Password hash to use for the database user for this service;
+#    Password to use for the database user for this service;
 #    string; required
 #
 #  [*plugin*]
@ -54,8 +54,14 @@
 #    The TLS options that the user will have
 #    Defaults to ['NONE']
 #
 # DEPRECATED PARAMETERS
 #
 #  [*password_hash*]
 #    Password hash to use for the database user for this service;
 #    string; optional; default to undef
 #
 define openstacklib::db::mysql (
-  $password_hash,
+  $password       = undef,
  $plugin         = undef,
  $dbname         = $title,
  $user           = $title,
@ -67,11 +73,23 @@ define openstacklib::db::mysql (
  $create_user    = true,
  $create_grant   = true,
  $tls_options    = ['NONE'],
  # DEPRECATED PARAMETER
  $password_hash  = undef,
 ) {
  include mysql::server
  include mysql::client
  if $password_hash != undef {
    warning('The password_hash parameter was deprecated and will be removed
 in a future release. Use password instead')
    $password_hash_real = $password_hash
  } elsif $password != undef {
    $password_hash_real = mysql::password($password)
  } else {
    fail('password should be set')
  }
  mysql_database { $dbname:
    ensure  => present,
    charset => $charset,
@ -88,7 +106,7 @@ define openstacklib::db::mysql (
    openstacklib::db::mysql::host_access { $real_allowed_hosts:
      user          => $user,
      plugin        => $plugin,
-      password_hash => $password_hash,
+      password_hash => $password_hash_real,
      database      => $dbname,
      privileges    => $privileges,
      create_user   => $create_user,
--- a/manifests/db/postgresql.pp
+++ b/manifests/db/postgresql.pp
@ -4,8 +4,8 @@
 #
 # == Parameters:
 #
-#  [*password_hash*]
+#  [*password*]
-#    Password hash to use for the database user for this service;
+#    Password to use for the database user for this service;
 #    string; required
 #
 #  [*dbname*]
@ -23,18 +23,36 @@
 #  [*privileges*]
 #    Privileges given to the database user;
 #    string or array of strings; optional; default to 'ALL'
-
+#
 # DEPRECATED PARAMETERS
 #
 #  [*password_hash*]
 #    Password hash to use for the database user for this service;
 #    string; required
 #
 define openstacklib::db::postgresql (
-  $password_hash,
+  $password      = undef,
-  $dbname     = $title,
+  $dbname        = $title,
-  $user       = $title,
+  $user          = $title,
-  $encoding   = undef,
+  $encoding      = undef,
-  $privileges = 'ALL',
+  $privileges    = 'ALL',
  # DEPRECATED PARAMETERS
  $password_hash = undef,
 ){
  if $password_hash != undef {
    warning('The password_hash parameter was deprecated and will be removed
 in a future release. Use password instead')
    $password_hash_real = $password_hash
  } elsif $password != undef {
    $password_hash_real = postgresql::postgresql_password($user, $password)
  } else {
    fail('password should be set')
  }
  postgresql::server::db { $dbname:
    user     => $user,
-    password => $password_hash,
+    password => $password_hash_real,
    encoding => $encoding,
    grant    => $privileges,
  }
--- a/metadata.json
+++ b/metadata.json
@ -23,7 +23,7 @@
        },
        {
            "name": "puppetlabs/postgresql",
-            "version_requirement": ">=5.10.0 <6.0.0"
+            "version_requirement": ">=6.4.0 <7.0.0"
        }
    ],
    "description": "Puppet module library to expose common functionality between OpenStack modules.",
--- a/releasenotes/notes/db-password_hash-1045114a36b6f292.yaml
+++ b/releasenotes/notes/db-password_hash-1045114a36b6f292.yaml
@ -0,0 +1,10 @@
 ---
 deprecations:
  - |
    The ``password_hash`` parameter in ``openstacklib::db::mysql`` and
    ``openstacklib::db::postgresql`` were deprecated and will be removed in
    a future release. Use the ``password`` parameter instead, so that password
    hash is generated from given user and password in puppet-openstacklib.
 upgrade:
  - |
    Now this module requires puppetlabs-postgresql >= 6.4.0 .
--- a/spec/defines/openstacklib_db_mysql_spec.rb
+++ b/spec/defines/openstacklib_db_mysql_spec.rb
@ -9,7 +9,7 @@ describe 'openstacklib::db::mysql' do
  let :required_params do
    {
-      :password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601'
+      :password => 'fooboozoo_default_password',
    }
  end
@ -90,7 +90,7 @@ describe 'openstacklib::db::mysql' do
      it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
        :user          => title,
        :plugin        => params[:plugin],
-        :password_hash => params[:password_hash],
+        :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
        :database      => title,
        :privileges    => 'ALL',
        :create_user   => true,
@ -107,7 +107,7 @@ describe 'openstacklib::db::mysql' do
      it { should contain_mysql_database(title).with_charset(params[:charset]) }
    end
-    context 'when omitting the required parameter password_hash' do
+    context 'when omitting the required parameter password' do
      let :params do
        {}
      end
@ -115,6 +115,17 @@ describe 'openstacklib::db::mysql' do
      it { should raise_error(Puppet::Error) }
    end
    context 'when deprecated password_hash is used' do
      let :params do
        { :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206' }
      end
      it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
        :user          => title,
        :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
      )}
    end
    context 'when notifying other resources' do
      let :pre_condition do
        'exec {"nova-db-sync":}'
@ -151,14 +162,14 @@ describe 'openstacklib::db::mysql' do
      it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
        :user          => title,
        :plugin        => nil,
-        :password_hash => params[:password_hash],
+        :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
        :database      => title
      )}
      it { should contain_openstacklib__db__mysql__host_access("#{title}_%").with(
        :user          => title,
        :plugin        => nil,
-        :password_hash => params[:password_hash],
+        :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
        :database      => title
      )}
    end
@ -171,7 +182,7 @@ describe 'openstacklib::db::mysql' do
      it { should contain_openstacklib__db__mysql__host_access("#{title}_192.168.1.1").with(
        :user          => title,
        :plugin        => nil,
-        :password_hash => params[:password_hash],
+        :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
        :database      => title
      )}
    end
@ -184,7 +195,7 @@ describe 'openstacklib::db::mysql' do
      it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
        :user          => title,
        :plugin        => nil,
-        :password_hash => params[:password_hash],
+        :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
        :database      => title
      )}
    end
@ -251,7 +262,7 @@ describe 'openstacklib::db::mysql' do
      it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
        :user          => title,
        :plugin        => nil,
-        :password_hash => params[:password_hash],
+        :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
        :database      => title,
        :tls_options   => ['SSL'],
      )}
--- a/spec/defines/openstacklib_db_postgresql_spec.rb
+++ b/spec/defines/openstacklib_db_postgresql_spec.rb
@ -5,7 +5,7 @@ describe 'openstacklib::db::postgresql' do
  let :required_params do
    {
-      :password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601'
+      :password => 'pw'
    }
  end
@ -21,7 +21,7 @@ describe 'openstacklib::db::postgresql' do
      it { should contain_postgresql__server__db(title).with(
        :user     => title,
-        :password => params[:password_hash]
+        :password => 'md557ae0608fad632bf0155cb9502a6b454'
      )}
    end
@ -70,6 +70,17 @@ describe 'openstacklib::db::postgresql' do
      it { should contain_service('keystone').that_requires("Openstacklib::Db::Postgresql[keystone]") }
    end
    context 'when deprecated password_hash is used' do
      let :params do
        { :password_hash => 'md557ae0608fad632bf0155cb9502a6b454' }
      end
      it { should contain_postgresql__server__db(title).with(
        :user     => title,
        :password => 'md557ae0608fad632bf0155cb9502a6b454'
      )}
    end
  end
  on_supported_os({