
pg_hba.conf doesn't reach a stable state #747

Open
hamarituc opened this issue Jun 19, 2023 · 0 comments

Comments

@hamarituc
Contributor

👻 Brief Description

Using multiple postgresql_access resources addressing the same entry triggers changes in pg_hba.conf at each Chef run and thus does not converge to a stable result.

🥞 Cookbook version

11.4.0

πŸ‘©β€πŸ³ Chef-Infra Version

17.10.0

🎩 Platform details

Debian 11

Steps To Reproduce

Steps to reproduce the behavior:

  1. Consider the following recipe:

```ruby
postgresql_access 'foo' do
  type 'host'
  database 'foo'
  user 'all'
  auth_method 'md5'
  address '127.0.0.1/32'

  action :delete
end

postgresql_access 'foo' do
  type 'host'
  database 'foo'
  user 'all'
  auth_method 'md5'
  address '127.0.0.1/32'
end
```

  2. Run the Chef client. The following line will be inserted into pg_hba.conf:

```
host    foo                             all                             127.0.0.1/32            md5
```

  3. Run the Chef client. The line inserted in step 2 will be removed.
  4. Run the Chef client. The line of step 2 is inserted again.
  5. Run the Chef client. The line of step 2 is removed again.
  6. ...

A similar behavior can be observed in the following recipe.

```ruby
postgresql_access 'bar' do
  type 'host'
  database 'bar'
  user 'all'
  auth_method 'md5'
  address '127.0.0.1/32'
end

postgresql_access 'bar' do
  type 'host'
  database 'bar'
  user 'all'
  auth_method 'scram-sha-256'
  address '127.0.0.1/32'
end
```

In this example the authentication method of the corresponding pg_hba.conf entry will flap between scram-sha-256 and md5 with each Chef client run.

🚓 Expected behavior

The attributes of the most recent resource definition should win over all earlier definitions.

➕ Additional context

Up to version 10 of the cookbook, the content of pg_hba.conf was solely defined by the postgresql_access resource. Since version 11, existing entries are kept. To delete unnecessary default entries, the cookbook author has to remove them manually through the :delete action.

In our organisation we maintain a PostgreSQL wrapper cookbook defining all common configurations of a PostgreSQL server. Administrators of a PostgreSQL server use this wrapper cookbook and just need to apply their custom configuration. Our security policy requires dropping all non-necessary access entries. We want to implement this by using the :delete action inside the common wrapper cookbook. When later (re-)adding a pg_hba.conf entry similar to such a default rule in a custom server cookbook, the above-mentioned behavior can be observed.
