[SAT-30726] Pulpcore password hash is incorrect when pulpcore database username is pulpcore but not pulp - Red Hat Issue Tracker

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: 6.17.0
Affects Version/s: 6.14.z, 6.15.z, 6.16.z
Component/s: Installation
Labels:

Satellite Team:

Platform
Target Version:

6.17.0
Blocked:
False
Fixed in Build:
foreman-installer-3.14.0-0.1.develop.20250130142322git907f877
Severity:
Moderate

Release Note Type:
None
Release Note Text:
None
Release Note Status:
None

PX Impact Score:
SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Test Coverage:

No Coverage

Market:

Description of problem:

In https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/role.pp#L179-L189 , we do the following i.e.

        $pw_command = "ALTER ROLE \"${username}\" ENCRYPTED PASSWORD '${pwd_hash_sql}'"
        $unless_pw_command = "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'"
      }

The password hash with salt is generated via https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/lib/puppet/functions/postgresql/postgresql_password.rb#L40-L47 which uses the username and password

The way we define the password is present in https://github.com/theforeman/puppet-pulpcore/blob/master/manifests/database.pp#L12-L19 i.e.

postgresql::server::db { $pulpcore::postgresql_db_name:
user => $pulpcore::postgresql_db_user,
password => postgresql::postgresql_password($pulpcore::user, $pulpcore::postgresql_db_password),

Where

$pulpcore::postgresql_db_user ~~> is whatever we pass as the value of `{}~~-foreman-proxy-content-pulpcore-postgresql-user` installer option but for password, we use `$pulpcore::user` which is hardcoded to be `pulp`

So as long as the `--foreman-proxy-content-pulpcore-postgresql-user` value is `pulp` everything works fine.

But if `--foreman-proxy-content-pulpcore-postgresql-user` value changes to `pulpcore` or something else, the password hash is generated with wrong salt i.e. `pulp` instead of using the correct username and that turn breaks the installer.

How reproducible:

Under certain circumstances

Is this issue a regression from an earlier version:

Nah ( it always existed at least from 6.10 onwards, we just did not know until now )

Steps to Reproduce:

1. Install a Satellite with External\remote database on the same system where pulpcore database username is pulpcore (instead of pulp)

2. try to convert that installation into local instead of keeping it as external

satellite-installer \
--foreman-db-host localhost \
--foreman-db-manage true \
--foreman-proxy-content-pulpcore-manage-postgresql true \
--foreman-proxy-content-pulpcore-postgresql-host localhost \
--katello-candlepin-db-host localhost \
--katello-candlepin-manage-db true

3. Observe the execution

Actual behavior:

installer fails with error,

2025-01-28 13:48:18 [ERROR ] [configure] 'pulpcore-manager migrate --noinput' returned 1 instead of one of [0]
2025-01-28 13:48:18 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[migrate --noinput]/Exec[pulpcore-manager migrate --noinput]/returns: change from 'notrun' to ['0'] failed: 'pulpcore-manager migrate --noinput' returned 1 instead of one of [0]
2025-01-28 13:48:22 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[migrate --noinput]/Exec[pulpcore-manager migrate --noinput]: Failed to call refresh: 'pulpcore-manager migrate --noinput' returned 1 instead of one of [0] 2025-01-28 13:48:22 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[migrate --noinput]/Exec[pulpcore-manager migrate --noinput]: 'pulpcore-manager migrate --noinput' returned 1 instead of one of [0]
2025-01-28 13:48:25 [NOTICE] [configure] 2000 configuration steps out of 2071 steps complete.
2025-01-28 13:48:29 [NOTICE] [configure] System configuration has finished.
...
...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/psycopg/connection.py", line 728, in connect
raise ex.with_traceback(None)
django.db.utils.OperationalError: connection failed: password authentication failed for user "pulpcore"
..
..

Expected behavior:

No such errors.

Business Impact / Additional info:

Bug in code preventing installer actions. The parameters passed with installer should be honored in every applicable step.

In /usr/share/foreman-installer/modules/pulpcore/manifests/database.pp, if we change

grep "password =>" /usr/share/foreman-installer/modules/pulpcore/manifests/database.pp
password => postgresql::postgresql_password($pulpcore::user, $pulpcore::postgresql_db_password),

To

grep "password =>" /usr/share/foreman-installer/modules/pulpcore/manifests/database.pp
password => postgresql::postgresql_password($pulpcore::postgresql_db_user, $pulpcore::postgresql_db_password),

That should fix the issue and allow the installer to execute successfully in one go.

For existing users, they would first need to manually update the password in database directly and then do the changes above.

is blocked by

SAT-30727 use the right username when computing the db password hash by evgeni · Pull Request #373 · theforeman/puppet-pulpcore · GitHub

Closed

links to

RHEA-2025:148331 Satellite 6.17.0 release

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide