diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
index f9817081..3c6e57ac 100644
--- a/manifests/database/postgresql.pp
+++ b/manifests/database/postgresql.pp
@@ -65,6 +65,11 @@
 # `manage_database` is set to `true`, it will use the value of the `database_host`
 # parameter. This option is supported in PuppetDB >= 1.6.
 #
+# @param password_sensitive
+# Whether password should be of Datatype Sensitive[String]
+# @param password_encryption
+# PostgreSQL password authentication method, either `md5` or `scram-sha-256`
+#
 class puppetdb::database::postgresql (
 $listen_addresses = $puppetdb::params::database_host,
 $puppetdb_server = $puppetdb::params::puppetdb_server,
@@ -82,7 +87,9 @@
 $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
 $read_database_username = $puppetdb::params::read_database_username,
 $read_database_password = $puppetdb::params::read_database_password,
- $read_database_host = $puppetdb::params::read_database_host
+ $read_database_host = $puppetdb::params::read_database_host,
+ Boolean $password_sensitive = false,
+ Postgresql::Pg_password_encryption $password_encryption = $puppetdb::params::password_encryption,
 ) inherits puppetdb::params {
 $port = scanf($database_port, '%i')[0]
@@ -96,6 +103,7 @@
 ip_mask_allow_all_users => '0.0.0.0/0',
 listen_addresses => $listen_addresses,
 port => $port,
+ password_encryption => $password_encryption,
 }
 # We need to create the ssl connection for the read user, when
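Review bot: The new `@param password_sensitive` line states the value's type but not what the flag changes, and that is what a reader deciding whether to set it needs; the @@ -166 hunk further down passes it as the third argument of `postgresql::postgresql_password`, which presumably makes the computed hash a `Sensitive[String]` so it is redacted from catalog, report and log output instead of appearing there in clear. Suggest `# Whether the computed password hash is wrapped in Sensitive[String] so it is redacted from catalogs, reports and logs (default: false)`. The `@param password_encryption` line would likewise benefit from naming its default, which the params.pp hunk on this page sets to `scram-sha-256`.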
@@ -166,9 +174,11 @@
 -> puppetdb::database::read_only_user { $read_database_username:
 read_database_username => $read_database_username,
 database_name => $database_name,
- password_hash => postgresql::postgresql_password($read_database_username, $read_database_password),
+ password_hash => postgresql::postgresql_password(
+ $read_database_username, $read_database_password, $password_sensitive, $password_encryption),
 database_owner => $database_username,
 database_port => $port,
+ password_encryption => $password_encryption,
 }
 -> postgresql_psql { "grant ${read_database_username} role to ${database_username}":
diff --git a/manifests/database/read_only_user.pp b/manifests/database/read_only_user.pp
index e4507ca3..f056eb1a 100644
--- a/manifests/database/read_only_user.pp
+++ b/manifests/database/read_only_user.pp
@@ -13,18 +13,22 @@
 # The user which owns the database (i.e. the migration user for the database).
 # @param password_hash
 # The value of $_database_password in app_database.
+# @param password_encryption
+# The hash method for postgresql password, since PostgreSQL 14 default is `scram-sha-256`.
 #
 # @api private
 define puppetdb::database::read_only_user (
 String $read_database_username,
 String $database_name,
 String $database_owner,
- Variant[String, Boolean] $password_hash = false,
+ Variant[String, Boolean, Sensitive[String]] $password_hash = false,
 Optional[Stdlib::Port] $database_port = undef,
+ Optional[Postgresql::Pg_password_encryption] $password_encryption = undef,
 ) {
 postgresql::server::role { $read_database_username:
 password_hash => $password_hash,
 port => $database_port,
+ hash => $password_encryption,
 }
 -> postgresql::server::database_grant { "${database_name} grant connection permission to ${read_database_username}":
diff --git a/manifests/init.pp b/manifests/init.pp
index 10d55128..05f16f6f 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
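Review bot: Only the read-only user's hash is computed with `$password_sensitive` and `$password_encryption` in this hunk; if the main `$database_username` role is created elsewhere in this class with its own `postgresql::postgresql_password` call or a plain `password =>` (not visible here), it would not get the same Sensitive wrapping, and one of the two hashes would still be readable in the catalog while the other is redacted. Worth confirming both users are handled the same way, or stating in the `password_sensitive` docs that it covers only the read-only user. The resource chain this hunk sits in starts before `-> puppetdb::database::read_only_user` and continues past the `postgresql_psql` line, so the surrounding declaration is outside the hunk.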
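Review bot: In the read_only_user.pp hunk, `hash => $password_encryption` defaults to `undef` while `password_hash` arrives already hashed by the caller with a specific method, so the new `@param password_encryption` text should say that the two must agree with each other and with the server's `password_encryption`; a role whose stored hash is md5 cannot authenticate through a `scram-sha-256` pg_hba rule, which is the failure mode a mismatch produces. Suggest `# Hash method of the role's password; must match the method used to compute password_hash and the server's password_encryption (an md5 hash cannot authenticate against a scram-sha-256 pg_hba rule).` The existing `@param password_hash` description, "The value of $_database_password in app_database.", refers to a variable not visible in this file and reads as stale; it would be worth refreshing in the same pass.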
@@ -374,6 +374,9 @@
 # @param java_bin
 # java binary path for PuppetDB. If undef, default will be used.
 #
+# @param postgresql_password_encryption
+# PostgreSQL password authentication method, either `md5` or `scram-sha-256`
+#
 class puppetdb (
 $listen_address = $puppetdb::params::listen_address,
 $listen_port = $puppetdb::params::listen_port,
@@ -460,6 +463,7 @@
 Boolean $automatic_dlo_cleanup = $puppetdb::params::automatic_dlo_cleanup,
 String[1] $cleanup_timer_interval = $puppetdb::params::cleanup_timer_interval,
 Integer[1] $dlo_max_age = $puppetdb::params::dlo_max_age,
+ Postgresql::Pg_password_encryption $postgresql_password_encryption = $puppetdb::params::password_encryption,
 Optional[Stdlib::Absolutepath] $java_bin = $puppetdb::params::java_bin,
 ) inherits puppetdb::params {
 class { 'puppetdb::server':
@@ -568,6 +572,7 @@
 read_database_username => $read_database_username,
 read_database_password => $read_database_password,
 read_database_host => $read_database_host,
+ password_encryption => $postgresql_password_encryption,
 before => $database_before,
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 2c45b519..809e65f6 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -42,6 +42,7 @@
 $database_validate = true
 $database_max_pool_size = undef
 $puppetdb_server = fact('networking.fqdn')
+ $password_encryption = 'scram-sha-256'
 # These settings manage the various auto-deactivation and auto-purge settings
 $node_ttl = '7d'
diff --git a/metadata.json b/metadata.json
index 8bf65e46..a2db698b 100644
--- a/metadata.json
+++ b/metadata.json
@@ -14,7 +14,7 @@
 },
 {
 "name": "puppetlabs/postgresql",
- "version_requirement": ">= 6.5.0 < 11.0.0"
+ "version_requirement": ">= 9.2.0 < 11.0.0"
 },
 {
 "name": "puppetlabs/firewall",
diff --git a/spec/unit/classes/init_spec.rb b/spec/unit/classes/init_spec.rb
index f9532ee7..423b97af 100644
--- a/spec/unit/classes/init_spec.rb
+++ b/spec/unit/classes/init_spec.rb
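Review bot: The new `@param postgresql_password_encryption` text in the @@ -374 hunk lists the two accepted values but not the default, which the params.pp hunk on this page sets to `scram-sha-256`, so an operator running an existing md5 deployment cannot tell from the docs that upgrading the module changes the auth method applied to their pg_hba rules (the init_spec hunk shows this value feeding `auth_method`). Suggest `# PostgreSQL password authentication method, either `md5` or `scram-sha-256` (default: `scram-sha-256`; md5 is only for compatibility with pre-existing md5 roles).` A short upgrade note saying that changing the value presumably rehashes managed roles and rewrites pg_hba auth methods on the next run would also help, if that is indeed the behaviour.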
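Review bot: In the @@ -568 hunk `password_encryption` is threaded from `puppetdb` into `puppetdb::database::postgresql`, but `password_sensitive` — added to that class's interface in the postgresql.pp hunk on this page — is not, so anyone using the top-level class still gets the read-only user's hash as a plain string in the catalog with no way to opt into `Sensitive[String]`. Following the naming already used here, `Boolean $postgresql_password_sensitive = false,` in the parameter list of the @@ -460 hunk and `password_sensitive => $postgresql_password_sensitive,` next to the new line here would close the gap, with a matching `@param` entry. The `class { 'puppetdb::database::postgresql': … }` declaration this line belongs to begins outside the hunk, so the exact insertion point should be checked against the full resource.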
@@ -67,6 +67,22 @@
 class { 'postgresql::server':
 end
 end
+ context 'with password encryption' do
+ let :params do
+ {
+ postgresql_password_encryption: 'md5',
+ }
+ end
+
+ it do
+ is_expected.to contain_postgresql__server__pg_hba_rule('allow access to all users for instance main')
+ .with_type('host')
+ .with_database('all')
+ .with_user('all')
+ .with_auth_method('md5')
+ end
+ end
+
 context 'when using ssl certificates' do
 let(:params) do
 {
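Review bot: The new example only checks that `md5` reaches the pg_hba rule's `auth_method`; nothing asserts that the same value reaches the read-only role (the `password_encryption`/`hash` path added in read_only_user.pp on this page), and nothing pins the default case to `scram-sha-256`, which is the behaviour change upgrading users will actually hit. A second example under the default params with `.with_auth_method('scram-sha-256')`, plus an expectation that the `puppetdb::database::read_only_user` resource receives `password_encryption => 'md5'` in this context, would cover both — assuming the spec's default params manage the database server, which is not visible in the hunk. Style: the added `let :params do` differs from the `let(:params) do` form used by the neighbouring context at the end of the hunk; keep one form in the file.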