hello group,
I have a set of tasks to create a postgres database and user.
The strange thing is, that although it works, the supplied password is never taken as encrypted.
So if I do
    - name: creeer gebruiker {{dbuser}} voor de database
      sudo: yes
      sudo_user: postgres
      postgresql_user:
        name: "{{dbuser}}"
        db: "{{dbuser}}"
        password: mango
        role_attr_flags: CREATEDB
        state: present
I get a user that can login with password mango. However, if I crypt mango with either
    mkpasswd --method=MD5
or
    echo "md5`echo -n "mango" | md5sum`"
(from the ansible postgresql_user documentation, with md5 replaced by md5sum; Ubuntu does not have an md5 command)
and change the task to pass the crypted password
    - name: creeer gebruiker {{dbuser}} voor de database
      sudo: yes
      sudo_user: postgres
      when: not rollback
      postgresql_user:
        name: "{{dbuser}}"
        db: "{{dbuser}}"
        password: $1$m8gRylOU$2x0qxe/RzmYFlSY93WBHT1
        encrypted: true
        role_attr_flags: CREATEDB
        state: present
I get a user that can only login with password $1$m8gRylOU$2x0qxe/RzmYFlSY93WBHT1 and NOT with password mango. It seems postgresql_user is not communicating this well with postgres.
Does anyone know how I can work around this?
thanks for your help! Ruud
By the way:
I use ansible 1.7.2 on a debian host, ubuntu target.
hello,
I was not completely correct in my first post. When I supply a password that is encrypted with
    echo "md5`echo -n "mango" | md5sum`"
I get as output the string “md5aa00faf97d042c13a59da4d27eb32358 -”
If I put this string in the task, I can only log in with that string as password. However, when I supply that password, but without the trailing " -", then I can log in with neither md5aa00faf97d042c13a59da4d27eb32358 nor mango, although the user is created.
I am stuck now. Any ideas?
Ruud
The md5 command is not the same as the md5sum command - as you have found by experiment - since the md5sum command also outputs the name of the file it has just checked.
Additionally if you look at the info in the ansible postgres_user you will see that the encrypted password hash needs the user name in there as well as a salt.
However, you would save yourself a lot of pain if you put the credentials into an ansible vault and then passed them to the commands in a normal (i.e. not hashed) form, but use the encrypted flag so that they are stored hashed within the database.
Nigel.
Hi Nigel,
thanks for your help. I was really having a blind spot when reading the docs. You are right: the username was missing when generating the password. When I added that one, I got a user with the expected password.
The md5sum command can be used, when the file name is trimmed from the output.
And I don’t see how the salt fits in. I have not specified a salt and it is working all the same.
Again: thank you for helping me out. I already spent too much time of living on this issue…
Ruud