  1. PuppetDB
  2. PDB-3267

Postgresql password inconsistently assumed cleartext / encrypted

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: PDB module-5.1.0
    • Fix Version/s: None
    • Component/s: PuppetDB
    • Team:
      Systems Engineering
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppetdb passes the database_password parameter to ::postgresql::server::db as cleartext, but ::postgresql::server::db is expecting encrypted text.

      1. puppetdb::init invokes puppetdb::server with database_password, which defaults to cleartext 'puppetdb' (see lines 100 and 126). This is correct, as the client side of the database connection needs to have the cleartext password (puppetdb::server invokes puppetdb::server::database and puppetdb::server::read_database; these need the cleartext password).
      2. puppetdb::init also invokes puppetdb::database::postgresql with database_password also set to the same (cleartext) value (see line 159). puppetdb::database::postgresql passes this parameter along to postgresql::server::db (see line 35). BUT postgresql::server::db is expecting a hashed password, not a cleartext one.
      3. I believe the fix is to modify puppetdb::database::postgresql line 35 to hash the password:

        password => postgresql_password($database_username, $database_password)

      Also see ::postgresql::server::role, especially the last few lines.
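
The distinction the report draws, as an added Ruby example (not part of the original report, and not code from the puppetdb or postgresql modules): PostgreSQL's legacy md5 stored-password format is the prefix `md5` followed by the hex MD5 of the password concatenated with the role name. The helper names below are hypothetical, and the parameter values are constructed samples.

```ruby
require 'digest/md5'

# PostgreSQL legacy md5 stored-password format:
#   "md5" + hex(MD5(password + role_name))
# The role name acts as the salt, so the same password hashes
# differently for different roles.
def pg_md5_password(username, password)
  'md5' + Digest::MD5.hexdigest(password.to_s + username.to_s)
end

# True when a value has the shape of an md5 stored password.
# Caveat: this is a shape check only. A cleartext password that happens
# to be "md5" plus 32 lowercase hex characters is indistinguishable.
def pg_md5_hashed?(value)
  value.to_s.match?(/\Amd5[0-9a-f]{32}\z/)
end

# Hypothetical helper: hash only when handed cleartext, so a value that
# is already hashed is passed through unchanged instead of double-hashed.
def ensure_pg_md5(username, value)
  pg_md5_hashed?(value) ? value : pg_md5_password(username, value)
end

# Hypothetical audit: label each parameter value as cleartext or hash,
# to spot a cleartext value headed for a parameter that expects a hash.
def classify_passwords(params)
  params.transform_values { |v| pg_md5_hashed?(v) ? :md5_hash : :cleartext }
end

if __FILE__ == $PROGRAM_NAME
  user = 'puppetdb'          # constructed sample values
  cleartext = 'puppetdb'
  hashed = pg_md5_password(user, cleartext)
  # The client side of the connection keeps the cleartext; the role
  # definition on the server side is where a hash is expected.
  p classify_passwords('client_password' => cleartext,
                       'role_password'   => hashed)
end
```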

            People

            • Assignee:
              russell.mull Russell Mull
              Reporter:
              ChrisOwens Chris Owens