Specifying a new password for an existing user does not work with postgresql_user
anewb opened this issue · comments
Cookbook version
7.1.3
Chef-client version
14.10.9
Platform Details
Ubuntu 18.04.1 LTS
Scenario:
Specifying a new password for an existing user does not work with postgresql_user, as the resource is only executed when the user does not exist.
This is a bit similar to chef/chef#8099.
Steps to Reproduce:
Run

```ruby
postgresql_user 'user' do
  password 'user_password1'
  createdb true
end
```

once and a second time with a different password:

```ruby
postgresql_user 'user' do
  password 'user_password2'
  createdb true
end
```
Expected Result:
I would expect that the specified password is set on the second run.
Actual Result:
The specified password is not set if the user already exists.
Output:
```
* postgresql_user[user] action create
  * execute[create postgresql user user] action run (skipped due to not_if)
   (up to date)
```
Hi!
Thanks for submitting an issue.
I think in this case you want to use the :update action. This should change the user only if it exists already.
https://github.com/sous-chefs/postgresql/blob/master/resources/user.rb#L47-L73
Thanks for your reply. So if I want to specify that a user exists and has a certain password, I would have to do

```ruby
postgresql_credentials = chef_vault_item("credentials", "postgresql")

postgresql_user postgresql_credentials['user_name'] do
  password postgresql_credentials['user_password']
  createdb true
end

postgresql_user "Update #{postgresql_credentials['user_name']}" do
  action :update
  create_user postgresql_credentials['user_name']
  password postgresql_credentials['user_password']
  createdb true
end
```

, and the update part is executed on every chef-client run?
From my understanding, the principle of configuration management is to specify the desired state, and the system makes sure the state is as specified. So when I specify a password for a postgresql_user, I would expect this password to be as specified. So at the moment this resource behaves in a non-expected way for me. Also, I think it is not very elegant to have to specify the password in 2 places (DRY..).
Maybe there is a better solution?
Also, if I want the db admin user to have a certain password, what works for me at the moment is

```ruby
postgresql_credentials = chef_vault_item("credentials", "postgresql")

postgresql_user 'postgres' do
  action :update
  password postgresql_credentials['admin_password']
  superuser true
  createrole true
  createdb true
  replication true
end
```
Is this the way it should be done?
You should just be able to do

```ruby
postgresql_user "Bob" do
  create_user postgresql_credentials['user_name']
  password postgresql_credentials['user_password']
  createdb true
  action :update
end
```
If that does fire every turn, we would need to check the password is correct in the database every run to make sure it's correct. Which is certainly possible.
I have tried that, and the update action does not do anything if the user does not exist. It does not throw an error in that case. So if I want to cover both the situations where the user does not exist or does exist but has a different password, it seems I need both.
For me the update action does fire on every turn and the resource is reported as updated.
Do you fancy having a go at amending this test to work? Sounds like you have a few test cases we can put together too.
I have to admit I'm not quite sure what exactly I am supposed to do ; )
Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.
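The check discussed in the thread (create the role if it is missing, change the password only when the stored one differs, otherwise do nothing), sketched as an added example; it is not code from the issue or from the cookbook. The function names are hypothetical, and it assumes the caller has already read the role's `rolpassword` value from `pg_authid` (superuser access) and that the password is plain ASCII, so no SASLprep normalization is needed.

```ruby
require 'digest'
require 'openssl'

# Legacy PostgreSQL format: "md5" + md5(password || role name).
def md5_verifier(password, role)
  'md5' + Digest::MD5.hexdigest(password + role)
end

# SCRAM-SHA-256 format stored by PostgreSQL 10+:
#   SCRAM-SHA-256$<iterations>:<salt b64>$<StoredKey b64>:<ServerKey b64>
def scram_verifier(password, salt, iterations)
  salted = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32,
                                      OpenSSL::Digest.new('SHA256'))
  client_key = OpenSSL::HMAC.digest('SHA256', salted, 'Client Key')
  server_key = OpenSSL::HMAC.digest('SHA256', salted, 'Server Key')
  stored_key = Digest::SHA256.digest(client_key)
  keys = [stored_key, server_key].map { |k| [k].pack('m0') }.join(':')
  "SCRAM-SHA-256$#{iterations}:#{[salt].pack('m0')}$#{keys}"
end

# Decide what a converging resource has to do for one role.
# stored: the rolpassword value, nil if the role does not exist,
#         '' if the role exists but has no password set.
def password_action(stored, role, password)
  return :create if stored.nil?

  expected =
    if (m = stored.match(/\ASCRAM-SHA-256\$(\d+):([^$]+)\$/))
      # Recompute with the salt and iteration count already in the database,
      # otherwise every run would look like a change.
      scram_verifier(password, m[2].unpack1('m0'), m[1].to_i)
    else
      md5_verifier(password, role)
    end
  stored == expected ? :nothing : :update
end

# Constructed sample data (not taken from the issue's database).
SAMPLE_MD5   = md5_verifier('user_password1', 'user')
SAMPLE_SCRAM = scram_verifier('user_password1', 'constructed-salt', 4096)

if $PROGRAM_NAME == __FILE__
  puts password_action(nil, 'user', 'user_password1')
  puts password_action(SAMPLE_MD5, 'user', 'user_password1')
  puts password_action(SAMPLE_SCRAM, 'user', 'user_password2')
end
```

Comparing against the stored verifier keeps an unchanged password from being reported as an update on every run, and avoids sending `ALTER ROLE ... PASSWORD` statements (which can end up in server logs) when nothing changed.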