[#2064] hammer: change pg auth method to md5

2025-08-22 01:49:48 +00:00 · 2021-09-01 13:39:57 +03:00 · 2021-09-01 13:39:57 +03:00 · 7e96b0108c
commit 7e96b0108c
parent 0ac3069163
2 changed files with 33 additions and 32 deletions
--- a/doc/devel/unit-tests.dox
+++ b/doc/devel/unit-tests.dox
@ -290,25 +290,21 @@ keatest=>
@endverbatim

  If instead of seeing keatest=> prompt, your login is refused with an error
-  code about failed peer or indent authentication, it means that PostgreSQL is
-  configured to check unix username and reject login attempts if PostgreSQL names
-  are different. To alter that, the PostgreSQL configuration must be changed -
-  the <tt>/etc/postgresql/9.1/main/pg_hba.conf</tt> config file
-  has to be altered. (It may be in a different location in your system.) The following
-  lines:
+  code about failed peer or
+  <tt>Ident authentication failed for user "keatest"</tt>, it means that
+  PostgreSQL is configured to check unix username and reject login attempts if
+  PostgreSQL names are different. To alter that, the PostgreSQL pg_hba.conf
+  configuration file must be changed. It usually resides at
+  <tt>/var/lib/postgresql/data/pg_hba.conf</tt> or at
+  <tt>/etc/postgresql/${version}/main/pg_hba.conf</tt>, but you can find out
+  for sure by running
+  <tt>printf 'SHOW hba_file' | sudo -u postgres psql -t postgres</tt>. Make sure
+  that all the authentication methods are changed to "md5" like this:

@verbatim
-local   all             all                                     peer
+local   all             all                                     md5
 host    all             all             127.0.0.1/32            md5
 host    all             all             ::1/128                 md5
-@endverbatim
-
-need to be replaced with:
-
-@verbatim
-local   all             all                                     password
-host    all             all             127.0.0.1/32            password
-host    all             all             ::1/128                 password
@endverbatim

  Another possible problem is that you get no password prompt. This is
--- a/hammer.py
+++ b/hammer.py
@ -1163,8 +1163,18 @@ def _restart_postgresql(system):
        execute('sudo systemctl restart postgresql.service')


+def _change_postgresql_auth_method(connection_type, auth_method, hba_file):
+    execute("sudo sed -i.bak 's/^{}\(.*\) [a-z0-9]*$/{}\\1 {}/g' '{}'".format(
+        connection_type, connection_type, auth_method, hba_file), cwd='/tmp')
+
+
 def _configure_pgsql(system, features):
    """ Configure PostgreSQL DB """
+
+    # execute() calls will set cwd='/tmp' when switching user to postgres to
+    # avoid the error:
+    #   could not change as postgres user directory to "/home/jenkins": Permission denied
+
    if system in ['fedora', 'centos']:
        # https://fedoraproject.org/wiki/PostgreSQL
        exitcode = execute('sudo ls /var/lib/pgsql/data/postgresql.conf', raise_error=False)
@ -1183,15 +1193,6 @@ def _configure_pgsql(system, features):
    _enable_postgresql(system)
    _restart_postgresql(system)

-    # Change auth-method to 'trust' on local connections.
-    cmd = "printf 'SHOW hba_file' | sudo -u postgres psql -t postgres | xargs"
-    _, output = execute(cmd, capture=True, cwd='/tmp') # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
-    hba_file = output.rstrip()
-    cmd = "sudo sed -i.bak 's/^local\(.*\) [a-z0-9]*$/local\\1 trust/g' '{}'".format(hba_file)
-    execute(cmd, cwd='/tmp')  # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
-
-    _restart_postgresql(system)
-
    cmd = """bash -c \"cat <<EOF | sudo -u postgres psql postgres
        DROP DATABASE IF EXISTS keatest;
        DROP USER IF EXISTS keatest;
@ -1202,14 +1203,14 @@ def _configure_pgsql(system, features):
        GRANT ALL PRIVILEGES ON DATABASE keatest TO keatest;
        ALTER DATABASE keatest SET TIMEZONE='{}';\n""".format(_get_local_timezone())
    cmd += 'EOF\n"'
-    execute(cmd, cwd='/tmp')  # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
+    execute(cmd, cwd='/tmp')

    cmd = """bash -c \"cat <<EOF | sudo -u postgres psql -U keatest keatest
        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO keatest_readonly;\n"""
    cmd += 'EOF\n"'
    env = os.environ.copy()
    env['PGPASSWORD'] = 'keatest'
-    execute(cmd, cwd='/tmp', env=env)  # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
+    execute(cmd, cwd='/tmp', env=env)

    if 'forge' in features:
        cmd = "bash -c \"cat <<EOF | sudo -u postgres psql postgres\n"
@ -1219,12 +1220,16 @@ def _configure_pgsql(system, features):
        cmd += "CREATE DATABASE keadb;\n"
        cmd += "GRANT ALL PRIVILEGES ON DATABASE keauser TO keadb;\n"
        cmd += "EOF\n\""
-        execute(cmd, cwd='/tmp')  # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
-        # TODO: in /etc/postgresql/10/main/pg_hba.conf
-        # change:
-        #    local   all             all                                     peer
-        # to:
-        #    local   all             all                                     md5
+        execute(cmd, cwd='/tmp')
+
+    # Change auth-method to 'md5' on all connections.
+    cmd = "printf 'SHOW hba_file' | sudo -u postgres psql -t postgres | xargs"
+    _, output = execute(cmd, capture=True, cwd='/tmp')
+    hba_file = output.rstrip()
+    _change_postgresql_auth_method('host', 'md5', hba_file)
+    _change_postgresql_auth_method('local', 'md5', hba_file)
+
+    _restart_postgresql(system)

    log.info('postgresql just configured')