ANXS / postgresql

Fairly full featured Ansible role for Postgresql.
http://anxs.io/
MIT License

Order of execution issue with postgresql_default_auth_method: "md5" and user creation #459

Closed morgangraphics closed 6 months ago

morgangraphics commented 4 years ago

Setting the postgresql_default_auth_method: "md5" on a fresh install tells postgres that the default postgres user requires password authentication without first having set up an initial password beforehand. This is an order of execution issue where:

  1. the configuration files are provisioned (essentially requiring passwords)
  2. users are attempting to be created but passwords are not set

Ideally the order should be

  1. user creation should happen first
  2. the configurations applied afterwards locking up the database access.

Minimum test case for generating issue

  - role: ansible-role-postgres
    postgresql_version: 12
    postgresql_default_auth_method: "md5"
    postgresql_users:
      - name: postgres
        pass: somegeneratedpassword123
        encrypted: yes

Current workaround is to accept the default postgresql_default_auth_method: "peer"

and after the postgres role has run, edit the /etc/postgresql/12/main/pg_hba.conf file

from

# local postgres without password
local  all  postgres    peer

to

# local postgres without password
local  all  postgres    md5

in another task.
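
The workaround described in the comment above, written out as one playbook: the role runs with its default "peer" method so the password can be set, and only then is the local postgres line switched to md5. This is an added example, not code from the issue or from the ANXS role; the `dbservers` group, the `vault_postgres_password` variable, the `postgresql` service name and the task names are assumptions.

```yaml
# Added example (not from the issue thread or the role's own playbooks).
- hosts: dbservers                 # assumed inventory group
  become: true
  vars:
    # Path taken from the issue; adjust for other versions or clusters.
    pg_hba_path: /etc/postgresql/12/main/pg_hba.conf

  roles:
    # Phase 1: leave postgresql_default_auth_method at its default ("peer")
    # so the postgres superuser can still connect over the Unix socket
    # while the role sets its password.
    - role: ansible-role-postgres
      postgresql_version: 12
      postgresql_users:
        - name: postgres
          pass: "{{ vault_postgres_password }}"   # assumed vaulted variable
          encrypted: yes

  post_tasks:
    # Phase 2: the password now exists, so require it for local logins.
    # backrefs keeps the original column layout and makes the task a no-op
    # when the line is already md5 or is missing.
    - name: Require password auth for the local postgres user
      ansible.builtin.lineinfile:
        path: "{{ pg_hba_path }}"
        regexp: '^(local\s+all\s+postgres\s+)peer\s*$'
        line: '\1md5'
        backrefs: true
      register: hba_change

    # pg_hba.conf is re-read on reload; a full restart is not needed.
    - name: Reload PostgreSQL so the new pg_hba.conf takes effect
      ansible.builtin.service:
        name: postgresql           # assumed service name
        state: reloaded
      when: hba_change is changed
```

If the role rewrites pg_hba.conf on each run, both post-tasks will report `changed` every time the playbook is applied.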

morgangraphics commented 4 years ago

In thinking about this further, perhaps it might be a little easier for the role to have a default pg_hba.conf file added before user creation which allows for unobstructed user creation and then the pg_hba.conf configurations are applied after user creation is successful.

gclough commented 3 years ago

@morgangraphics, can you just use the postgresql_pg_hba_default parameter to include what you want?

  postgresql_pg_hba_default:
    - comment: "Local postgresql Unix user"
      type: local
      database: all
      user: postgres
      address: ""
      method: "md5"

morgangraphics commented 3 years ago

I'm no longer involved in the project where this came up. If the above proposal is really the "correct" way to solve this issue, then I think the only thing would be to update the documentation accordingly, pointing out that, like in #473, order is important.

github-actions[bot] commented 8 months ago

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

github-actions[bot] commented 6 months ago

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.