jfrog / JFrog-Cloud-Installers

Template to deploy Artifactory Enterprise cluster.
Apache License 2.0

[ansible/postgres] pg_hba var should be one of method or auth #417

Open EmptyByte opened 4 weeks ago

EmptyByte commented 4 weeks ago

There is a mix between method and auth to configure pg_hba.conf. Seems to default to trust always.

postgres/defaults/main.yml

postgres_allowed_hosts:
  - {
      type: "host",
      database: "all",
      user: "all",
      address: "0.0.0.0/0",
      method: "trust",
    }

postgres/templates/pg_hba.conf.j2

{% if postgres_allowed_hosts and postgres_allowed_hosts is iterable -%}
{%- for host in postgres_allowed_hosts %}
{{ host.type | default('host') }}         {{ host.database | default('all') }}        {{ host.user | default('all') }}             {{ host.address | default('0.0.0.0/0') }}            {{ item.auth | default('trust') }}
{% endfor %}

postgres\README.md

postgres_allowed_hosts:
  - { type: "host", database: "all", user: "all", address: "0.0.0.0/0", method: "trust"}

chukka commented 4 days ago

I think there is already PR #428 for this; it will be part of the next patch release.

bbaassssiiee commented 4 days ago

Indeed, my PR will fix that; it should be method in the template file (with host as the loop_var), and the var should be tested by JFrog, defined as:

# Set the hosts that can access the database
# The first allows SSL with password from the same subnet
# The second does not require SSL from localhost
# The third denies all others
postgres_allowed_hosts:
  - {
    type: "hostssl",
    database: "all",
    user: "all",
    address: "samenet",
    method: "password",
  }
  - {
    type: "host",
    database: "all",
    user: "all",
    address: "127.0.0.1/32",
    method: "password"
  }
  - {
    type: "hostnossl",
    database: "all",
    user: "all",
    address: "0.0.0.0/0",
    method: "reject",
  }
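
The mismatch discussed in this thread can be checked before a playbook run. The following is an added example, not code from the repository or from PR #428: it models only the key lookup with its 'trust' default (it does not run Jinja2), over constructed entries in the shape of postgres_allowed_hosts. The helper names render, is_loopback_only and audit are hypothetical.

```python
import ipaddress

# Constructed sample entries in the shape of postgres_allowed_hosts.
ALLOWED_HOSTS = [
    {"type": "hostssl", "database": "all", "user": "all",
     "address": "samenet", "method": "password"},
    {"type": "hostnossl", "database": "all", "user": "all",
     "address": "0.0.0.0/0", "method": "reject"},
]

def render(entries, auth_key):
    """Model one pg_hba row per entry; the auth method is read from
    `auth_key` and falls back to 'trust' when that key is absent."""
    return [(e.get("type", "host"), e.get("database", "all"),
             e.get("user", "all"), e.get("address", "0.0.0.0/0"),
             e.get(auth_key, "trust")) for e in entries]

def is_loopback_only(address):
    """True only when the address field covers nothing beyond loopback."""
    if address in ("all", "samenet", "samehost"):  # pg_hba address keywords
        return False
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # hostname or unknown form: treat as remote
    if net.version == 4:
        return net.subnet_of(ipaddress.ip_network("127.0.0.0/8"))
    return net == ipaddress.ip_network("::1/128")

def audit(entries, auth_key):
    """Report rows whose configured method is ignored, and rows that end
    up as 'trust' for anything wider than loopback."""
    findings = []
    for entry, row in zip(entries, render(entries, auth_key)):
        configured, address, effective = entry.get("method"), row[3], row[4]
        if configured is not None and configured != effective:
            findings.append(
                f"{address}: configured '{configured}' rendered as '{effective}'")
        if effective == "trust" and not is_loopback_only(address):
            findings.append(f"{address}: trust for non-loopback address")
    return findings

if __name__ == "__main__":
    for key in ("auth", "method"):  # template reading 'auth' vs 'method'
        print(key, audit(ALLOWED_HOSTS, key))
```

With the lookup on auth, every row comes out as trust, including the one meant to reject; with the lookup on method, the same entries produce no findings.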