Closed carcuevas closed 1 week ago
thanks for the report @carcuevas !
Thanks for having a look :)
@carcuevas did you want to make an attempt at fixing the issue? if not, that's OK; someone from the community will tackle it. if so, a couple of (probably obvious) things worth mentioning:
thanks!
@hunleyd Hi, actually I do not feel so confident in my Python skills that I could properly fix this. I had a look at the plugin but I am not sure where the problem can be... but if I run the play with debugging I have this:
changed: [server1] => (item={'users': 'user1', 'method': 'reject', 'contype': 'hostnossl'}) => {
"ansible_loop_var": "item",
"changed": true,
"diff": {
"after": {
"file": "/var/lib/pgsql/15/data/pg_hba.conf",
"pg_hba": [
"hostnossl\tall\tuser1\t0.0.0.0/0\treject"
]
},
"before": {
"file": "/var/lib/pgsql/15/data/pg_hba.conf",
"pg_hba": []
}
},
"invocation": {
"module_args": {
"address": "0.0.0.0/0",
"attributes": null,
"backup": false,
"backup_file": null,
"comment": null,
"contype": "hostnossl",
"create": true,
"databases": "all",
"dest": "/var/lib/pgsql/15/data/pg_hba.conf",
"group": null,
"keep_comments_at_rules": false,
"method": "reject",
"mode": "0755",
"netmask": null,
"options": null,
"overwrite": false,
"owner": null,
"rules": null,
"rules_behavior": "conflict",
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"source": "0.0.0.0/0",
"state": "present",
"unsafe_writes": false,
"users": "user1"
}
},
"item": {
"contype": "hostnossl",
"method": "reject",
"users": "user1"
},
"msgs": [
"Adding rule {'type': 'hostnossl', 'db': 'all', 'usr': 'user1', 'src': '0.0.0.0/0', 'method': 'reject'}",
"Changed",
"Writing"
],
"pg_hba": [
{
"db": "replication",
"method": "trust",
"type": "local",
"usr": "all"
},
{
"db": "all",
"method": "trust",
"type": "local",
"usr": "all"
},
{
"db": "replication",
"method": "trust",
"src": "127.0.0.1/32",
"type": "host",
"usr": "all"
},
{
"db": "replication",
"method": "trust",
"src": "::1/128",
"type": "host",
"usr": "all"
},
{
"db": "all",
"method": "reject",
"src": "0.0.0.0/0",
"type": "hostnossl",
"usr": "user1"
}
]
}
and then after:
changed: [server1] => (item={'users': 'user1', 'method': 'scram-sha-256', 'contype': 'hostssl'}) => {
"ansible_loop_var": "item",
"changed": true,
"diff": {
"after": {
"file": "/var/lib/pgsql/15/data/pg_hba.conf",
"pg_hba": [
"hostssl\tall\tuser1\t0.0.0.0/0\tscram-sha-256"
]
},
"before": {
"file": "/var/lib/pgsql/15/data/pg_hba.conf",
"pg_hba": []
}
},
"invocation": {
"module_args": {
"address": "0.0.0.0/0",
"attributes": null,
"backup": false,
"backup_file": null,
"comment": null,
"contype": "hostssl",
"create": true,
"databases": "all",
"dest": "/var/lib/pgsql/15/data/pg_hba.conf",
"group": null,
"keep_comments_at_rules": false,
"method": "scram-sha-256",
"mode": "0755",
"netmask": null,
"options": null,
"overwrite": false,
"owner": null,
"rules": null,
"rules_behavior": "conflict",
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"source": "0.0.0.0/0",
"state": "present",
"unsafe_writes": false,
"users": "user1"
}
},
"item": {
"contype": "hostssl",
"method": "scram-sha-256",
"users": "user1"
},
"msgs": [
"Adding rule {'type': 'hostssl', 'db': 'all', 'usr': 'user1', 'src': '0.0.0.0/0', 'method': 'scram-sha-256'}",
"Changed",
"Writing"
],
"pg_hba": [
{
"db": "replication",
"method": "trust",
"type": "local",
"usr": "all"
},
{
"db": "all",
"method": "trust",
"type": "local",
"usr": "all"
},
{
"db": "replication",
"method": "trust",
"src": "127.0.0.1/32",
"type": "host",
"usr": "all"
},
{
"db": "replication",
"method": "trust",
"src": "::1/128",
"type": "host",
"usr": "all"
},
{
"db": "all",
"method": "scram-sha-256",
"src": "0.0.0.0/0",
"type": "hostssl",
"usr": "user1"
}
]
}
So it can be seen that it's like the first change was not detected somehow and it was overwritten.
maybe this can point to someone familiar with the right direction...
Thanks very much, and sorry not to be able to fix this myself...
ok: [server1] => (item={'users': 'user1', 'method': 'scram-sha-256', 'contype': 'hostnossl'}) => {
"ansible_loop_var": "item",
"changed": false,
"invocation": {
"module_args": {
"address": "0.0.0.0/0",
"attributes": null,
"backup": false,
"backup_file": null,
"comment": null,
"contype": "hostssl",
"create": true,
"databases": "all",
"dest": "/var/lib/pgsql/15/data/pg_hba.conf",
"group": null,
"keep_comments_at_rules": false,
"method": "scram-sha-256",
"mode": "0755",
"netmask": null,
"options": null,
"overwrite": false,
"owner": null,
"rules": null,
"rules_behavior": "conflict",
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"source": "0.0.0.0/0",
"state": "present",
"unsafe_writes": false,
"users": "user1"
}
},
"item": {
"contype": "hostnossl",
"method": "scram-sha-256",
"users": "user1"
},
"msgs": [
"Adding rule {'type': 'hostssl', 'db': 'all', 'usr': 'user1', 'src': '0.0.0.0/0', 'method': 'scram-sha-256'}"
],
"pg_hba": [
{
"db": "replication",
"method": "trust",
"type": "local",
"usr": "all"
},
{
"db": "all",
"method": "trust",
"type": "local",
"usr": "all"
},
{
"db": "replication",
"method": "trust",
"src": "127.0.0.1/32",
"type": "host",
"usr": "all"
},
{
"db": "replication",
"method": "trust",
"src": "::1/128",
"type": "host",
"usr": "all"
},
{
"db": "all",
"method": "scram-sha-256",
"src": "0.0.0.0/0",
"type": "hostssl",
"usr": "user1"
},
{
"db": "all",
"method": "scram-sha-256",
"src": "0.0.0.0/0",
"type": "hostssl",
"usr": "user2"
}
]
}
@carcuevas In the ansible task you posted you have contype: hostssl
hardcoded. As written it won't use the settings from the loop. You would want, for example, contype: "{{ item.contype }}"
.
@cameronmurdoch You are totally right... and I am sorry for messing up the example. I was testing this a couple of days ago, and I tried many different options and it just pasted the one which is not correct..
So, after checking this again, the case which does not work is this:
- name: Configuring pg_hba
  community.postgresql.postgresql_pg_hba:
    dest: "{{ postgresql_cfg_hba_file }}"
    mode: "0755"
    create: true
    contype: "{{ item.contype }}"
    databases: all
    source: "0.0.0.0/0"
    users: "{{ item.users }}"
    method: "{{ item.method }}"
  notify: Reload_postgresql
  loop:
    - { users: "user1", method: "scram-sha-256", contype: "hostnossl" }
    - { users: "user1", method: "scram-sha-256", contype: "hostssl" }
Notice that the users will be the same in both cases; then it will just write the last line. It looks to me that the module is just searching for the user name, and if it matches it won't check whether the rest of the lines are present in the pg_hba.conf....
So in the pg_hba.conf we should have this:
hostnossl all user1 0.0.0.0/0 scram-sha-256
hostssl all user1 0.0.0.0/0 scram-sha-256
but we have just:
hostssl all user1 0.0.0.0/0 scram-sha-256
I have realized that the issue title and so on are completely misleading, sorry also for that... should I change the title and example in the first post so it will be more clear ???
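An added illustration of the behaviour described in the comment above. This is example code, not the postgresql_pg_hba module's own: it models a rule manager that decides which existing pg_hba line a new rule replaces by comparing a key of fields. The "collapsing" key that ignores the connection type is an assumption made to reproduce the symptom (two rules for the same user, database and source collapsing into the last one); the key that includes the type keeps both lines. The starting pg_hba content and the desired rules are constructed from the debug output and loop in this thread. It also includes the post-deploy check a practitioner would want: parse the resulting file and list which expected lines are missing.

```python
"""Model of a pg_hba rule merge keyed on a subset of fields, plus a check that
the intended lines really ended up in the file.

Added illustration, not the postgresql_pg_hba module's own code. The keys
below are assumptions used to reproduce the symptom, not the module's logic.
"""
from typing import Dict, Iterable, List, Tuple

Rule = Dict[str, str]

# Constructed starting content, mirroring the "pg_hba" list in the debug output.
INITIAL_CONF = """\
local\treplication\tall\ttrust
local\tall\tall\ttrust
host\treplication\tall\t127.0.0.1/32\ttrust
host\treplication\tall\t::1/128\ttrust
"""

# Constructed desired rules from the reporter's loop: same user, db and source,
# differing only in connection type.
DESIRED = [
    {"type": "hostnossl", "db": "all", "usr": "user1", "src": "0.0.0.0/0", "method": "scram-sha-256"},
    {"type": "hostssl", "db": "all", "usr": "user1", "src": "0.0.0.0/0", "method": "scram-sha-256"},
]

# Assumed keys. The first ignores the connection type and so collapses the two
# desired rules into one; the second distinguishes them.
COLLAPSING_KEY = ("db", "usr", "src")
DISTINGUISHING_KEY = ("type", "db", "usr", "src")


def parse_pg_hba(text: str) -> List[Rule]:
    """Parse pg_hba.conf lines (comments and blank lines skipped).

    Handles local rules, host-type rules with CIDR addresses, and the
    'address netmask' form (netmask detected as a dotted-quad)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        rule: Rule = {"type": f[0], "db": f[1], "usr": f[2]}
        if f[0] == "local":
            rule["method"], rest = f[3], f[4:]
        elif "/" not in f[3] and len(f) > 5 and "." in f[4] and f[4].replace(".", "").isdigit():
            rule["src"], rule["method"], rest = f[3] + " " + f[4], f[5], f[6:]
        else:
            rule["src"], rule["method"], rest = f[3], f[4], f[5:]
        if rest:
            rule["options"] = " ".join(rest)
        rules.append(rule)
    return rules


def format_rule(r: Rule) -> str:
    """Render a rule back to a tab-separated pg_hba.conf line."""
    parts = [r["type"], r["db"], r["usr"]]
    if "src" in r:
        parts.append(r["src"])
    parts.append(r["method"])
    if r.get("options"):
        parts.append(r["options"])
    return "\t".join(parts)


def rule_key(r: Rule, fields: Tuple[str, ...]) -> Tuple[str, ...]:
    return tuple(r.get(f, "") for f in fields)


def apply_rules(conf: str, desired: Iterable[Rule], key_fields: Tuple[str, ...]) -> str:
    """Merge desired rules into conf: a desired rule replaces the first existing
    rule with the same key, otherwise it is appended (order preserved)."""
    rules = parse_pg_hba(conf)
    for new in desired:
        k = rule_key(new, key_fields)
        for i, old in enumerate(rules):
            if rule_key(old, key_fields) == k:
                rules[i] = new
                break
        else:
            rules.append(new)
    return "\n".join(format_rule(r) for r in rules) + "\n"


def missing_rules(conf: str, expected: Iterable[Rule]) -> List[str]:
    """The post-deploy check: expected lines that are not present in conf,
    compared after parsing so whitespace differences do not matter."""
    present = {format_rule(r) for r in parse_pg_hba(conf)}
    return [format_rule(r) for r in expected if format_rule(r) not in present]


if __name__ == "__main__":
    for name, key in (("collapsing", COLLAPSING_KEY), ("distinguishing", DISTINGUISHING_KEY)):
        result = apply_rules(INITIAL_CONF, DESIRED, key)
        print(f"--- {name} key {key}\n{result}missing: {missing_rules(result, DESIRED)}\n")
```

With the collapsing key the hostnossl line is reported missing, exactly the outcome the comment above describes; with the type in the key both lines survive. Running `missing_rules` over the real file after the play (for example from a follow-up task that slurps pg_hba.conf) is a cheap way to catch this class of silent overwrite, since the play itself reports "changed" for every item and gives no hint that an earlier line was replaced. Keep in mind that PostgreSQL evaluates pg_hba.conf records in order and the first matching record decides, so when the merged rules overlap (unlike hostssl and hostnossl, which are disjoint) the position of a replaced or appended line matters as much as its presence.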
hello everyone, thanks for the conversation!
@carcuevas yes please change it and use strikethrough for irrelevant statements where possible
@Andersson007 so I corrected the issue, hopefully now it's more clear ....thanks very much
maybe @sebasmannem and @betanummeric have some thoughts?
I'll take care of it in my next PR on that module
SUMMARY
Somehow when using ~contype hostnossl is being translated to hostssl...~ different lines of configuration but using the same user, it will overwrite the lines already changed and it will just keep the last one.
ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
COLLECTION VERSION
OS / ENVIRONMENT
macOS Big Sur and Sonoma
STEPS TO REPRODUCE
Actually when executing this
EXPECTED RESULTS
ACTUAL RESULTS