[#2064] hammer: change pg auth method to md5

diff --git a/doc/devel/unit-tests.dox b/doc/devel/unit-tests.dox
index 27799c1fcb07b19e7c4ab9d632704b3324f203d2..a87b56c9cee4932861ae5d8256b93099892f65b4 100644 (file)
--- a/doc/devel/unit-tests.dox
+++ b/doc/devel/unit-tests.dox
@@ -290,25 +290,21 @@ keatest=>
 @endverbatim
 
   If instead of seeing keatest=> prompt, your login is refused with an error
-  code about failed peer or indent authentication, it means that PostgreSQL is
-  configured to check unix username and reject login attempts if PostgreSQL names
-  are different. To alter that, the PostgreSQL configuration must be changed -
-  the <tt>/etc/postgresql/9.1/main/pg_hba.conf</tt> config file
-  has to be altered. (It may be in a different location in your system.) The following
-  lines:
+  code about failed peer or
+  <tt>Ident authentication failed for user "keatest"</tt>, it means that
+  PostgreSQL is configured to check unix username and reject login attempts if
+  PostgreSQL names are different. To alter that, the PostgreSQL pg_hba.conf
+  configuration file must be changed. It usually resides at
+  <tt>/var/lib/postgresql/data/pg_hba.conf</tt> or at
+  <tt>/etc/postgresql/${version}/main/pg_hba.conf</tt>, but you can find out
+  for sure by running
+  <tt>printf 'SHOW hba_file' | sudo -u postgres psql -t postgres</tt>. Make sure
+  that all the authentication methods are changed to "md5" like this:
 
 @verbatim
-local   all             all                                     peer
+local   all             all                                     md5
 host    all             all             127.0.0.1/32            md5
 host    all             all             ::1/128                 md5
-@endverbatim
-
-need to be replaced with:
-
-@verbatim
-local   all             all                                     password
-host    all             all             127.0.0.1/32            password
-host    all             all             ::1/128                 password
 @endverbatim
 
   Another possible problem is that you get no password prompt. This is

diff --git a/hammer.py b/hammer.py
index d4bf2e172fe947a67917b296ad42e9b799c203ab..fbb3a204df8732685801fe778ff04bd4103801b2 100755 (executable)
--- a/hammer.py
+++ b/hammer.py
@@ -1163,8 +1163,18 @@ def _restart_postgresql(system):
         execute('sudo systemctl restart postgresql.service')
 
 
+def _change_postgresql_auth_method(connection_type, auth_method, hba_file):
+    execute("sudo sed -i.bak 's/^{}\(.*\) [a-z0-9]*$/{}\\1 {}/g' '{}'".format(
+        connection_type, connection_type, auth_method, hba_file), cwd='/tmp')
+
+
 def _configure_pgsql(system, features):
     """ Configure PostgreSQL DB """
+
+    # execute() calls will set cwd='/tmp' when switching user to postgres to
+    # avoid the error:
+    #   could not change as postgres user directory to "/home/jenkins": Permission denied
+
     if system in ['fedora', 'centos']:
         # https://fedoraproject.org/wiki/PostgreSQL
         exitcode = execute('sudo ls /var/lib/pgsql/data/postgresql.conf', raise_error=False)
@@ -1183,15 +1193,6 @@ def _configure_pgsql(system, features):
     _enable_postgresql(system)
     _restart_postgresql(system)
 
-    # Change auth-method to 'trust' on local connections.
-    cmd = "printf 'SHOW hba_file' | sudo -u postgres psql -t postgres | xargs"
-    _, output = execute(cmd, capture=True, cwd='/tmp') # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
-    hba_file = output.rstrip()
-    cmd = "sudo sed -i.bak 's/^local\(.*\) [a-z0-9]*$/local\\1 trust/g' '{}'".format(hba_file)
-    execute(cmd, cwd='/tmp')  # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
-
-    _restart_postgresql(system)
-
     cmd = """bash -c \"cat <<EOF | sudo -u postgres psql postgres
         DROP DATABASE IF EXISTS keatest;
         DROP USER IF EXISTS keatest;
@@ -1202,14 +1203,14 @@ def _configure_pgsql(system, features):
         GRANT ALL PRIVILEGES ON DATABASE keatest TO keatest;
         ALTER DATABASE keatest SET TIMEZONE='{}';\n""".format(_get_local_timezone())
     cmd += 'EOF\n"'
-    execute(cmd, cwd='/tmp')  # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
+    execute(cmd, cwd='/tmp')
 
     cmd = """bash -c \"cat <<EOF | sudo -u postgres psql -U keatest keatest
         ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO keatest_readonly;\n"""
     cmd += 'EOF\n"'
     env = os.environ.copy()
     env['PGPASSWORD'] = 'keatest'
-    execute(cmd, cwd='/tmp', env=env)  # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
+    execute(cmd, cwd='/tmp', env=env)
 
     if 'forge' in features:
         cmd = "bash -c \"cat <<EOF | sudo -u postgres psql postgres\n"
@@ -1219,12 +1220,16 @@ def _configure_pgsql(system, features):
         cmd += "CREATE DATABASE keadb;\n"
         cmd += "GRANT ALL PRIVILEGES ON DATABASE keauser TO keadb;\n"
         cmd += "EOF\n\""
-        execute(cmd, cwd='/tmp')  # CWD to avoid: could not change as postgres user directory to "/home/jenkins": Permission denied
-        # TODO: in /etc/postgresql/10/main/pg_hba.conf
-        # change:
-        #    local   all             all                                     peer
-        # to:
-        #    local   all             all                                     md5
+        execute(cmd, cwd='/tmp')
+
+    # Change auth-method to 'md5' on all connections.
+    cmd = "printf 'SHOW hba_file' | sudo -u postgres psql -t postgres | xargs"
+    _, output = execute(cmd, capture=True, cwd='/tmp')
+    hba_file = output.rstrip()
+    _change_postgresql_auth_method('host', 'md5', hba_file)
+    _change_postgresql_auth_method('local', 'md5', hba_file)
+
+    _restart_postgresql(system)
 
     log.info('postgresql just configured')