sous-chefs / postgresql

Development repository for the postgresql cookbook

Home Page: https://supermarket.chef.io/cookbooks/postgresql


Specifying a new password for an existing user does not work with postgresql_user

anewb opened this issue · comments

commented

Cookbook version

7.1.3

Chef-client version

14.10.9

Platform Details

Ubuntu 18.04.1 LTS

Scenario:

Specifying a new password for an existing user does not work with postgresql_user, as the resource is only executed when the user does not exist.
This is a bit similar to chef/chef#8099.

Steps to Reproduce:

Run

postgresql_user 'user' do
	password 'user_password1'
	createdb true
end

once and a second time with a different password:

postgresql_user 'user' do
	password 'user_password2'
	createdb true
end

Expected Result:

I would expect that the specified password is set on the second run.

Actual Result:

The specified password is not set if the user already exists.
Output:

  * postgresql_user[user] action create
    * execute[create postgresql user user] action run (skipped due to not_if)
     (up to date)

Hi!

Thanks for submitting an issue.
I think in this case you want to use the :update action. This should change the user only if it exists already.

https://github.com/sous-chefs/postgresql/blob/master/resources/user.rb#L47-L73

commented

Thanks for your reply. So if I want to specify that a user exists and has a certain password, I would have to do

postgresql_credentials = chef_vault_item("credentials", "postgresql")

postgresql_user postgresql_credentials['user_name'] do
	password postgresql_credentials['user_password']
	createdb true
end

postgresql_user "Update #{postgresql_credentials['user_name']}" do
	action :update
	create_user postgresql_credentials['user_name']
	password postgresql_credentials['user_password']
	createdb true
end

, and the update part is executed on every chef-client run?

From my understanding the principle for configuration management is to specify the desired state and the system makes sure the state is as specified. So when I specify a password for a postgresql_user, I would expect this password to be as specified. So at the moment this resource behaves in a non-expected way for me. Also I think it is not very elegant to have to specify the password in 2 places (DRY..).
Maybe there is a better solution?

Also, if I want the db admin user to have a certain password, what works for me at the moment is

postgresql_credentials = chef_vault_item("credentials", "postgresql")

postgresql_user 'postgres' do
	action :update
	password postgresql_credentials['admin_password']
	superuser true
	createrole true
	createdb true
	replication true
end

Is this the way it should be done?

You should just be able to do

postgresql_user "Bob" do
	create_user postgresql_credentials['user_name']
	password postgresql_credentials['user_password']
	createdb true
	action :update
end

If that does fire every turn, we would need to check the password is correct in the database every run to make sure it's correct. Which is certainly possible.
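
The check described in the reply above (comparing the desired password with what the database already stores before running `:update`) could look like the following. This is an added example, not part of the thread or the cookbook's code: `password_matches?` and `secure_equal?` are hypothetical helpers, and it goes beyond the thread by covering both the `md5` and `SCRAM-SHA-256` formats PostgreSQL keeps in `pg_authid.rolpassword`, assuming an ASCII password (PostgreSQL applies SASLprep before SCRAM hashing).

```ruby
require 'digest'
require 'openssl'

# Constant-time comparison of two byte strings (hypothetical helper).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# stored: the role's rolpassword value from pg_authid (readable by superusers only).
# Returns true when `password` is already the password set for `role`,
# so a resource can skip the ALTER ROLE and stay idempotent.
def password_matches?(stored, role, password)
  return false if stored.nil? || stored.empty?

  if stored.start_with?('SCRAM-SHA-256$')
    # Format: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (base64 fields)
    params, keys = stored.delete_prefix('SCRAM-SHA-256$').split('$', 2)
    iterations, salt = params.to_s.split(':', 2)
    stored_key = keys.to_s.split(':', 2).first
    return false if salt.nil? || stored_key.nil? || iterations.to_i <= 0

    # SaltedPassword = PBKDF2-HMAC-SHA256(password, salt, iterations)
    salted = OpenSSL::PKCS5.pbkdf2_hmac(password, salt.unpack1('m'), iterations.to_i,
                                        32, OpenSSL::Digest.new('SHA256'))
    # StoredKey = SHA256(HMAC(SaltedPassword, "Client Key"))
    client_key = OpenSSL::HMAC.digest('SHA256', salted, 'Client Key')
    secure_equal?(OpenSSL::Digest.digest('SHA256', client_key), stored_key.unpack1('m'))
  elsif stored.start_with?('md5')
    # md5 format: "md5" followed by the hex MD5 of password + role name
    secure_equal?(stored, 'md5' + Digest::MD5.hexdigest(password + role))
  else
    false # unknown or unencrypted format: treat as "needs update"
  end
end
```

Used as a guard, a check like this lets `:update` converge only when the stored verifier no longer matches the desired password, instead of reporting the resource as updated on every run.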

commented

I have tried that and the update action does not do anything if the user does not exist. It does not throw an error in that case. So if I want to cover both the situations where the user does not exist or does exist but has a different password, it seems I need both.
For me the update action does fire on every turn and the resource is reported as updated.

Do you fancy having a go at amending this test to work? Sounds like you have a few test cases we can put together too.

commented

I have to admit I'm not quite sure what exactly I am supposed to do ; )

Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.