
The 'password' attribute was constantly updated even when the password was not changed

Open · identw opened this issue 2 years ago · 1 comment

Example code:

mongodb_user { 'user':
  name          => 'user',
  ensure        => present,
  database      => 'test',
  password      => 'password',
  roles         => ['readWrite'],
  tries         => 10,
}

apply agent:

# created user
$ puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for mongo26-1
Info: Applying configuration version '1633423266'
Notice: /Stage[main]/Main/Node[mongo26-1]/Mongodb_user[user]/ensure: created
Notice: Applied catalog in 0.95 seconds
# password not changed, but:
$ puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for mongo26-1
Info: Applying configuration version '1633423278'
Notice: /Stage[main]/Main/Node[mongo26-1]/Mongodb_user[user]/password: defined 'password' as 3bcfc22a1cd6be41bc7814c13d3ce94c (corrective)
Notice: Applied catalog in 0.75 seconds
# password not changed, but:
$ puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for mongo26-1
Info: Applying configuration version '1633423289'
Notice: /Stage[main]/Main/Node[mongo26-1]/Mongodb_user[user]/password: defined 'password' as 3bcfc22a1cd6be41bc7814c13d3ce94c (corrective)
Notice: Applied catalog in 0.82 seconds

As you can see, the password is constantly being flagged as requiring changes. This PR fixes this behavior.

MongoDB versions 4 and up use SCRAM-SHA-256 by default. This mechanism disallows the use of a password hash:

$ mongo test --quiet --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); db.runCommand({\"createUser\":\"user\",\"pwd\":\"3bcfc22a1cd6be41bc7814c13d3ce94c\",\"roles\":[\"readWrite\"],\"digestPassword\":false})"
{
	"operationTime" : Timestamp(1633424331, 1),
	"ok" : 0,
	"errmsg" : "Use of SCRAM-SHA-256 requires undigested passwords",
	"code" : 2,
	"codeName" : "BadValue",
	"$clusterTime" : {
		"clusterTime" : Timestamp(1633424331, 1),
		"signature" : {
			"hash" : BinData(0,"phzg8Y9u+y3uMQL5IbE0z4DQa/c="),
			"keyId" : NumberLong("7015499301837078530")
		}
	}
}

Therefore, it makes sense to improve support for the 'password' attribute.

identw avatar Oct 05 '21 09:10 identw
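An added example (not from the issue above or from puppet-mongodb itself) of how a provider can decide whether a plaintext password is already in sync on a SCRAM-SHA-256 server: rebuild the StoredKey verifier that MongoDB keeps in `system.users` and compare it, instead of comparing an MD5 digest the server never stores, so the attribute is not rewritten on every run. Function names, the sample credentials and the 15000 iteration count are constructed for this example; it assumes an ASCII password, so SASLprep is the identity.

```ruby
require 'openssl'
require 'base64'

# Rebuild the SCRAM-SHA-256 verifier MongoDB stores for a plaintext password
# (RFC 7677: SaltedPassword -> ClientKey -> StoredKey). ASCII password assumed,
# so the SASLprep step is a no-op here (assumption).
def scram_sha256_stored_key(password, salt, iterations)
  salted = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32,
                                      OpenSSL::Digest.new('SHA256'))
  client_key = OpenSSL::HMAC.digest('SHA256', salted, 'Client Key')
  OpenSSL::Digest::SHA256.digest(client_key)
end

# Constant-time byte comparison: the check should not leak how many leading
# bytes of the verifier already match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Idempotency check for a `password` property. `creds` mirrors the
# "SCRAM-SHA-256" sub-document of system.users:
# { "iterationCount" => Integer, "salt" => base64, "storedKey" => base64 }.
# Returns true when the desired plaintext already yields the stored verifier,
# i.e. no updateUser call is needed on this run.
def password_insync?(desired_password, creds)
  salt = Base64.decode64(creds['salt'])
  expected = scram_sha256_stored_key(desired_password, salt, creds['iterationCount'])
  secure_equal?(expected, Base64.decode64(creds['storedKey']))
end

# Constructed sample of what a server would hold after createUser with
# pwd 'password' (fixed salt and iteration count chosen for the example).
def sample_credentials(password = 'password')
  salt = (1..16).map(&:chr).join.b
  {
    'iterationCount' => 15_000,
    'salt' => Base64.strict_encode64(salt),
    'storedKey' => Base64.strict_encode64(scram_sha256_stored_key(password, salt, 15_000))
  }
end

if __FILE__ == $PROGRAM_NAME
  creds = sample_credentials
  puts "unchanged password in sync? #{password_insync?('password', creds)}"   # true
  puts "rotated password in sync?   #{password_insync?('new-secret', creds)}" # false
end
```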

Thanks for the PR! Is it possible to provide a tiny acceptance test for this?

bastelfreak avatar Oct 21 '21 07:10 bastelfreak