Generate password hash from password

Currently openstacklib only accepts password_hash instead of password
for db credentials, thus each module has to implement the hashing
process itself, including puppet-mysql and puppet-postgresql to do so.
This patch migrates that hash generation to puppet-openstacklib, so
that all logic related to the db is gathered in one module.

In addition, because postgresql_password function was deprecated in
favor of postgresql::postgresql_password in puppet-postgresql
6.5.0[1], this patch also deals with that deprecation.

[1] 700d2c5bb5

Change-Id: I898d31e88188bfd3476412a37f48fc918122a98a
Takashi Kajinami 2020-05-16 09:06:42 +09:00
parent 79c976c98e
commit e4b68e9ad6
6 changed files with 92 additions and 24 deletions


@ -4,8 +4,8 @@
#
# == Parameters:
#
# [*password_hash*]
# Password hash to use for the database user for this service;
# [*password*]
# Password to use for the database user for this service;
# string; required
#
# [*plugin*]
@ -54,8 +54,14 @@
# The TLS options that the user will have
# Defaults to ['NONE']
#
# DEPRECATED PARAMETERS
#
# [*password_hash*]
# Password hash to use for the database user for this service;
# string; optional; default to undef
#
define openstacklib::db::mysql (
$password_hash,
$password = undef,
$plugin = undef,
$dbname = $title,
$user = $title,
@ -67,11 +73,23 @@ define openstacklib::db::mysql (
$create_user = true,
$create_grant = true,
$tls_options = ['NONE'],
# DEPRECATED PARAMETER
$password_hash = undef,
) {
include mysql::server
include mysql::client
if $password_hash != undef {
warning('The password_hash parameter was deprecated and will be removed
in a future release. Use password instead')
$password_hash_real = $password_hash
} elsif $password != undef {
$password_hash_real = mysql::password($password)
} else {
fail('password should be set')
}
mysql_database { $dbname:
ensure => present,
charset => $charset,
@ -88,7 +106,7 @@ define openstacklib::db::mysql (
openstacklib::db::mysql::host_access { $real_allowed_hosts:
user => $user,
plugin => $plugin,
password_hash => $password_hash,
password_hash => $password_hash_real,
database => $dbname,
privileges => $privileges,
create_user => $create_user,
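Review bot: The cleartext `$password` is now a parameter of the define, so unlike the old `password_hash` it is carried in the compiled catalog for each `openstacklib::db::mysql` resource and in anything that stores that catalog; the same holds for the `$password` parameter added to `openstacklib::db::postgresql` in the next file. Consider accepting a `Sensitive` value and unwrapping it only for the `mysql::password($password)` call, and say in the `[*password*]` doc that the value is a secret. The `elsif $password != undef` test also lets an empty string through to the hash call instead of reaching `fail('password should be set')`; `} elsif $password != undef and $password != '' {` would reject it. Finally, the hash is generated without regard to `$plugin`, which is still forwarded to `host_access`; as far as I can tell `mysql::password` only emits the native `*…` format asserted in the spec, so the doc should say that `password` is meant for that plugin. The define's body continues outside these hunks.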


@ -4,8 +4,8 @@
#
# == Parameters:
#
# [*password_hash*]
# Password hash to use for the database user for this service;
# [*password*]
# Password to use for the database user for this service;
# string; required
#
# [*dbname*]
@ -23,18 +23,36 @@
# [*privileges*]
# Privileges given to the database user;
# string or array of strings; optional; default to 'ALL'
#
# DEPRECATED PARAMETERS
#
# [*password_hash*]
# Password hash to use for the database user for this service;
# string; required
#
define openstacklib::db::postgresql (
$password_hash,
$password = undef,
$dbname = $title,
$user = $title,
$encoding = undef,
$privileges = 'ALL',
# DEPRECATED PARAMETERS
$password_hash = undef,
){
if $password_hash != undef {
warning('The password_hash parameter was deprecated and will be removed
in a future release. Use password instead')
$password_hash_real = $password_hash
} elsif $password != undef {
$password_hash_real = postgresql::postgresql_password($user, $password)
} else {
fail('password should be set')
}
postgresql::server::db { $dbname:
user => $user,
password => $password_hash,
password => $password_hash_real,
encoding => $encoding,
grant => $privileges,
}
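Review bot: The DEPRECATED PARAMETERS entry for `password_hash` still reads `# string; required` although the parameter now defaults to `undef`; it should read `# string; optional; default to undef`, as the mysql define does. `password_hash` also takes precedence without any mention in the doc when both it and `password` are given; a line such as `# If both are set, password_hash is used and password is ignored` under `[*password*]` would make that explicit. The generated value is the `md5…` format asserted in the spec, so if a deployment's PostgreSQL is configured for scram-sha-256 authentication this path may not yield a usable credential, which deserves a sentence in the doc as well. As in the mysql define, `$password != undef` accepts `''`, so an empty password is hashed rather than rejected. The define's body continues outside these hunks.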


@ -23,7 +23,7 @@
},
{
"name": "puppetlabs/postgresql",
"version_requirement": ">=5.10.0 <6.0.0"
"version_requirement": ">=6.4.0 <7.0.0"
}
],
"description": "Puppet module library to expose common functionality between OpenStack modules.",


@ -0,0 +1,10 @@
---
deprecations:
- |
The ``password_hash`` parameter in ``openstacklib::db::mysql`` and
``openstacklib::db::postgresql`` were deprecated and will be removed in
a future release. Use the ``password`` parameter instead, so that password
hash is generated from given user and password in puppet-openstacklib.
upgrade:
- |
Now this module requires puppetlabs-postgresql >= 6.4.0 .


@ -9,7 +9,7 @@ describe 'openstacklib::db::mysql' do
let :required_params do
{
:password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601'
:password => 'fooboozoo_default_password',
}
end
@ -90,7 +90,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title,
:plugin => params[:plugin],
:password_hash => params[:password_hash],
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
:database => title,
:privileges => 'ALL',
:create_user => true,
@ -107,7 +107,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_mysql_database(title).with_charset(params[:charset]) }
end
context 'when omitting the required parameter password_hash' do
context 'when omitting the required parameter password' do
let :params do
{}
end
@ -115,6 +115,17 @@ describe 'openstacklib::db::mysql' do
it { should raise_error(Puppet::Error) }
end
context 'when deprecated password_hash is used' do
let :params do
{ :password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206' }
end
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title,
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
)}
end
context 'when notifying other resources' do
let :pre_condition do
'exec {"nova-db-sync":}'
@ -151,14 +162,14 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title,
:plugin => nil,
:password_hash => params[:password_hash],
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
:database => title
)}
it { should contain_openstacklib__db__mysql__host_access("#{title}_%").with(
:user => title,
:plugin => nil,
:password_hash => params[:password_hash],
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
:database => title
)}
end
@ -171,7 +182,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_192.168.1.1").with(
:user => title,
:plugin => nil,
:password_hash => params[:password_hash],
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
:database => title
)}
end
@ -184,7 +195,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title,
:plugin => nil,
:password_hash => params[:password_hash],
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
:database => title
)}
end
@ -251,7 +262,7 @@ describe 'openstacklib::db::mysql' do
it { should contain_openstacklib__db__mysql__host_access("#{title}_127.0.0.1").with(
:user => title,
:plugin => nil,
:password_hash => params[:password_hash],
:password_hash => '*3DDF34A86854A312A8E2C65B506E21C91800D206',
:database => title,
:tls_options => ['SSL'],
)}
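Review bot: The `when omitting the required parameter password` context only asserts `raise_error(Puppet::Error)`, so it passes on any compilation failure and not specifically on the new `fail('password should be set')`; `it { should raise_error(Puppet::Error, /password should be set/) }` would pin it. None of the visible hunks covers `password` and `password_hash` being supplied together, where the manifest lets `password_hash` win; a context asserting the resulting `:password_hash` would document that precedence. The expected hash `*3DDF34A86854A312A8E2C65B506E21C91800D206` is repeated in every expectation, and a `let(:password_hash)` would keep the contexts in sync. The describe block starts and ends outside these hunks.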


@ -5,7 +5,7 @@ describe 'openstacklib::db::postgresql' do
let :required_params do
{
:password_hash => 'AA1420F182E88B9E5F874F6FBE7459291E8F4601'
:password => 'pw'
}
end
@ -21,7 +21,7 @@ describe 'openstacklib::db::postgresql' do
it { should contain_postgresql__server__db(title).with(
:user => title,
:password => params[:password_hash]
:password => 'md557ae0608fad632bf0155cb9502a6b454'
)}
end
@ -70,6 +70,17 @@ describe 'openstacklib::db::postgresql' do
it { should contain_service('keystone').that_requires("Openstacklib::Db::Postgresql[keystone]") }
end
context 'when deprecated password_hash is used' do
let :params do
{ :password_hash => 'md557ae0608fad632bf0155cb9502a6b454' }
end
it { should contain_postgresql__server__db(title).with(
:user => title,
:password => 'md557ae0608fad632bf0155cb9502a6b454'
)}
end
end
on_supported_os({