puppetlabs / puppetlabs-puppetdb

A puppet module for installing and managing puppetdb
https://forge.puppetlabs.com/puppetlabs/puppetdb
Apache License 2.0

Support scram-sha-256 password_encryption method #400

Closed deric closed 7 months ago

deric commented 7 months ago

The PostgreSQL module uses scram-sha-256 password encryption by default for PostgreSQL databases since 14; this was introduced in puppetlabs-postgresql == 10.1.0. At least puppetlabs-postgresql >= 9.2 is needed.

This PR introduces a new parameter, postgresql_password_encryption. To apply the old (less secure) behavior, use:

puppetdb::postgresql_password_encryption: 'md5'

In order to use modern password auth, the hba rules and password function require passing the password_encryption parameter.

Related issues:

bastelfreak commented 7 months ago

I'm wondering why this is needed. I don't know why scram-sha-256 wasn't working / why the user had to switch to md5.

deric commented 7 months ago

@bastelfreak Because the postgresql::postgresql_password function is not checking whether postgresql::globals::version is at least 14. It hashes passwords as md5, while postgresql::server::role will be configured to use scram-sha-256; this would break connections to puppetdb.
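
The mismatch described in this thread, as an added example (not code from the PR or from either Puppet module): it builds the two stored-password formats PostgreSQL recognizes and checks which of them can authenticate under a given pg_hba.conf method. The function names, the role name `puppetdb` and the password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def pg_md5_verifier(user: str, password: str) -> str:
    """Legacy format: 'md5' + hex(md5(password + username))."""
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()


def pg_scram_verifier(password: str, salt: Optional[bytes] = None,
                      iterations: int = 4096) -> str:
    """SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey> (RFC 5802 keys).
    Assumes an ASCII password, so SASLprep normalization is a no-op."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    enc = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{enc(salt)}${enc(stored_key)}:{enc(server_key)}"


def verifier_kind(rolpassword: str) -> str:
    """Classify a stored role password by its prefix."""
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if rolpassword.startswith("md5") and len(rolpassword) == 35:
        return "md5"
    return "unknown"


def login_possible(hba_method: str, rolpassword: str) -> bool:
    """An hba 'scram-sha-256' rule needs a SCRAM verifier; an 'md5' rule accepts
    either, because the server uses SCRAM automatically when that is stored."""
    kind = verifier_kind(rolpassword)
    if hba_method == "scram-sha-256":
        return kind == "scram-sha-256"
    if hba_method == "md5":
        return kind in ("md5", "scram-sha-256")
    raise ValueError(f"unsupported hba method: {hba_method}")


if __name__ == "__main__":
    # Constructed sample role and password, not values from the PR.
    for stored in (pg_md5_verifier("puppetdb", "example-pw"), pg_scram_verifier("example-pw")):
        print(verifier_kind(stored), login_possible("scram-sha-256", stored))
```

The md5-hashed password paired with a scram-sha-256 hba rule is the only combination that fails, which is the case the thread describes.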