openSUSE / salt

openSUSE and SUSE patches and backports for SaltStack
Apache License 2.0

postgres_user:present: Add support for scram-sha-256 #258

Closed cryptomilk closed 9 months ago

cryptomilk commented 4 years ago

Description of Issue/Question

Creating a postgres user with:

p:
  postgres_user.present:
    - name: wurst
    - password: brot
    - encrypted: True

only supports md5 and not scram-sha-256! I would expect something like:

p:
  postgres_user.present:
    - name: wurst
    - password: brot
    - encryption: no|md5|scram-sha-256

Versions Report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Salt Version:
           Salt: 3000

Dependency Versions:
           cffi: 1.13.2
       cherrypy: Not Installed
       dateutil: 2.7.3
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
         Jinja2: 2.10.1
        libgit2: 0.28.4
       M2Crypto: 0.35.2
           Mako: 1.0.7
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: 1.4.6
      pycparser: 2.17
       pycrypto: 3.9.0
   pycryptodome: Not Installed
         pygit2: 0.28.2
         Python: 3.6.10 (default, Jan 16 2020, 09:12:04) [GCC]
   python-gnupg: Not Installed
         PyYAML: 5.1.2
          PyZMQ: 17.0.0
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.3

System Versions:
           dist:   
         locale: UTF-8
        machine: x86_64
        release: 5.3.18-lp152.36-default
         system: Linux
        version: Not Installed

darix commented 4 years ago

For scram you probably need to send the plaintext to the server.

cryptomilk commented 4 years ago

Setting encrypted: False should do that, but then it fails to create the user.

darix commented 4 years ago

If you need a test DB:

initdb --data-checksums --pwprompt --auth=scram-sha-256 --encoding=UTF-8 --locale=C.UTF-8 .

cryptomilk commented 4 years ago

2020-09-10 15:18:40.594 CEST postgres postgres [21889]ERROR:  UNENCRYPTED PASSWORD is no longer supported at character 45
2020-09-10 15:18:40.594 CEST postgres postgres [21889]HINT:  Remove UNENCRYPTED to store the password in encrypted form instead.

I think the easiest is to just remove the encrypted stuff, as postgres does the right thing for you.

cryptomilk commented 4 years ago

Hotfix:

--- modules/postgres.py.orig    2020-09-10 17:44:58.766340926 +0200
+++ modules/postgres.py 2020-09-10 17:45:05.074350846 +0200
@@ -1063,11 +1063,6 @@
          'test': bool(connlimit),
          'addtxt': six.text_type(connlimit),
          'skip': connlimit is None},
-        {'flag': 'ENCRYPTED',
-         'test': (encrypted is not None and bool(rolepassword)),
-         'skip': skip_passwd or isinstance(rolepassword, bool),
-         'cond': encrypted,
-         'prefix': 'UN'},
         {'flag': 'PASSWORD', 'test': bool(rolepassword),
          'skip': skip_passwd,
          'addtxt': escaped_password},
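
Review bot: With the 'flag': 'ENCRYPTED' entry removed, `encrypted` is no longer consulted anywhere in this clause list, so a state that sets `encrypted: False` is accepted and silently ignored instead of failing. Consider logging a deprecation warning when `encrypted` is passed and documenting that the remaining PASSWORD entry sends `escaped_password` without a qualifier, so the stored form is whatever the server decides. If callers can still pass a pre-hashed md5 string here, that path deserves a test, since nothing in the hunk distinguishes it from a plaintext value any more.
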
cryptomilk commented 4 years ago

Ping!

cryptomilk commented 3 years ago

Knock knock

vzhestkov commented 3 years ago

https://github.com/saltstack/salt/pull/59034

meaksh commented 9 months ago

As mentioned, the SCRAM-SHA-256 for postgres states is already supported in Salt 3006.0.

This issue can be closed. Thanks.
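
The two stored-password forms this thread contrasts, computed on the client so that the plaintext never has to appear in the SQL statement. This is an added example, not code from Salt or from the thread; the function names are hypothetical, and it skips SASLprep normalization, so it only accepts ASCII passwords.

```python
import base64
import hashlib
import hmac
import os


def pg_md5_verifier(user: str, password: str) -> str:
    """Legacy form: 'md5' + md5(password || role name). The role name is the only salt."""
    return "md5" + hashlib.md5((password + user).encode("utf-8")).hexdigest()


def pg_scram_sha256_verifier(password: str, salt: bytes = None,
                             iterations: int = 4096) -> str:
    """Build SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey> (RFC 5802 / RFC 7677 keys)."""
    if not password:
        raise ValueError("empty passwords are not usable for password login")
    if not password.isascii():
        # Assumption of this example: no SASLprep step, so reject anything
        # that normalization could change rather than hash it wrongly.
        raise ValueError("non-ASCII password needs SASLprep, not implemented here")
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("ascii"),
                                 salt, iterations, dklen=32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw: bytes) -> str:
        return base64.b64encode(raw).decode("ascii")

    return "SCRAM-SHA-256${}:{}${}:{}".format(
        iterations, b64(salt), b64(stored_key), b64(server_key))


if __name__ == "__main__":
    # Constructed sample values taken from the state in the issue text.
    print(pg_md5_verifier("wurst", "brot"))
    print(pg_scram_sha256_verifier("brot"))
```

PostgreSQL stores a password string that is already in either of these formats as-is, regardless of the server's `password_encryption` setting.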