Permission granting not idempotent anymore after update #1552

Closed
smortex opened this issue Nov 11, 2023 · 1 comment


smortex commented Nov 11, 2023

Describe the Bug

Permissions granting started to happen on every run after updating my control-repo Puppetfile on a FreeBSD infra.

root@agrajag /usr/home/romain # facter os
{
  architecture => "amd64",
  family => "FreeBSD",
  hardware => "amd64",
  name => "FreeBSD",
  release => {
    branch => "RC4",
    full => "14.0-RC4",
    major => "14",
    minor => "0"
  }
}
root@agrajag /usr/home/romain # puppet agent -t -E romain 
Info: Refreshing CA certificate
Info: CA certificate is unmodified, using existing CA certificate
Info: Refreshing CRL
Info: CRL is unmodified, using existing CRL
Info: Using environment 'romain'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for agrajag.blogreen.org
Info: Applying configuration version 'romain-cce4580'
Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql_psql[revoke all access on public schema]/command: command changed 'notrun' to 'REVOKE CREATE ON SCHEMA public FROM public' (corrective)
Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql_psql[grant all permissions to puppetdb]/command: command changed 'notrun' to 'GRANT CREATE ON SCHEMA public TO "puppetdb"' (corrective)
Notice: /Stage[main]/Puppetdb::Database::Postgresql/Puppetdb::Database::Read_only_user[puppetdb-read]/Puppetdb::Database::Default_read_grant[puppetdb grant read permission on new objects from puppetdb to puppetdb-read]/Postgresql_psql[grant default select permission for puppetdb-read]/command: command changed 'notrun' to "ALTER DEFAULT PRIVILEGES\n                  FOR USER \"puppetdb\"\n                  IN SCHEMA \"public\"\n                GRANT SELECT ON TABLES\n                  TO \"puppetdb-read\"" (corrective)
Notice: /Stage[main]/Puppetdb::Database::Postgresql/Puppetdb::Database::Read_only_user[puppetdb-read]/Puppetdb::Database::Default_read_grant[puppetdb grant read permission on new objects from puppetdb to puppetdb-read]/Postgresql_psql[grant default usage permission for puppetdb-read]/command: command changed 'notrun' to "ALTER DEFAULT PRIVILEGES\n                  FOR USER \"puppetdb\"\n                  IN SCHEMA \"public\"\n                GRANT USAGE ON SEQUENCES\n                  TO \"puppetdb-read\"" (corrective)
Notice: /Stage[main]/Puppetdb::Database::Postgresql/Puppetdb::Database::Read_only_user[puppetdb-read]/Puppetdb::Database::Default_read_grant[puppetdb grant read permission on new objects from puppetdb to puppetdb-read]/Postgresql_psql[grant default execute permission for puppetdb-read]/command: command changed 'notrun' to "ALTER DEFAULT PRIVILEGES\n                  FOR USER \"puppetdb\"\n                  IN SCHEMA \"public\"\n                GRANT EXECUTE ON FUNCTIONS\n                  TO \"puppetdb-read\"" (corrective)
Notice: /Stage[main]/Puppetdb::Database::Postgresql/Puppetdb::Database::Read_only_user[puppetdb-read]/Puppetdb::Database::Read_grant[puppetdb grant read-only permission on existing objects to puppetdb-read]/Postgresql_psql[grant select permission for puppetdb-read]/command: command changed 'notrun' to "GRANT SELECT\n                ON ALL TABLES IN SCHEMA \"public\"\n                TO \"puppetdb-read\"" (corrective)
Notice: /Stage[main]/Puppetdb::Database::Postgresql/Puppetdb::Database::Read_only_user[puppetdb-read]/Puppetdb::Database::Read_grant[puppetdb grant read-only permission on existing objects to puppetdb-read]/Postgresql_psql[grant usage permission for puppetdb-read]/command: command changed 'notrun' to "GRANT USAGE\n                ON ALL SEQUENCES IN SCHEMA \"public\"\n                TO \"puppetdb-read\"" (corrective)
Notice: /Stage[main]/Puppetdb::Database::Postgresql/Puppetdb::Database::Read_only_user[puppetdb-read]/Puppetdb::Database::Read_grant[puppetdb grant read-only permission on existing objects to puppetdb-read]/Postgresql_psql[grant execution permission for puppetdb-read]/command: command changed 'notrun' to "GRANT EXECUTE\n                ON ALL FUNCTIONS IN SCHEMA \"public\"\n                TO \"puppetdb-read\"" (corrective)
Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql_psql[grant puppetdb-read role to puppetdb]/command: command changed 'notrun' to 'GRANT "puppetdb-read" TO "puppetdb"' (corrective)
Notice: Applied catalog in 34.69 seconds

Expected Behavior

Permissions granting should be idempotent.

Steps to Reproduce

All these grants are related to PuppetDB. My PuppetDB is as follows:

# Manage PuppetDB
class profile::puppetdb {
  include profile::postgresql

  class { 'puppetdb::globals':
    version => 'latest',
  }

  class { 'puppetdb':
    manage_firewall  => false,
    manage_dbserver  => false,
    node_ttl         => '0d',
    node_purge_ttl   => '0d',
  }

  class { 'puppetdb::master::config':
    manage_report_processor => true,
    enable_reports          => true,
  }
}

Environment

  • puppet8-8.2.0
  • puppetserver8-8.2.1
  • FreeBSD 14.0-RC4

Additional Context

Had no time to investigate the issue yet due to another layer of breakage in the module (#1550).


smortex commented Nov 13, 2023

In order to investigate this issue, I took one of the changes to run it on the database. Connecting to the database raised some warnings:

romain@agrajag ~ % sudo -u postgres psql 
[sudo] password for romain: 
psql (15.4)
Saisissez « help » pour l'aide.

postgres=# \c puppetdb
WARNING:  database "puppetdb" has a collation version mismatch
DÉTAIL : The database was created using collation version 34.0, but the operating system provides version 43.0.
ASTUCE : Rebuild all objects in this database that use the default collation and run ALTER DATABASE puppetdb REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
Vous êtes maintenant connecté à la base de données « puppetdb » en tant qu'utilisateur « postgres ».
puppetdb=# 

This seems to be related to the PostgreSQL package being built with a newer version of ICU. I gave the suggested command a try:

puppetdb=# ALTER DATABASE puppetdb REFRESH COLLATION VERSION;
NOTICE:  changing version from 34.0 to 43.0
ALTER DATABASE
puppetdb=# 

and now the problem does not occur anymore. Closing, sorry for the noise.

@smortex smortex closed this as completed Nov 13, 2023
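
As an added example (not part of the original issue or of the module's code), these queries follow the hint printed by psql in the session above: find databases whose recorded collation version differs from what the operating system provides, list the indexes that depend on a collation, then rebuild them before refreshing the recorded version. They assume PostgreSQL 15 or later and reuse the database name `puppetdb` from that session.

```sql
-- Added example. Requires PostgreSQL 15+, where pg_database.datcollversion
-- and pg_database_collation_actual_version() are available.

-- 1. Databases whose recorded default-collation version no longer matches
--    the version provided by the OS / ICU library. Connecting to any of
--    these prints the "collation version mismatch" WARNING.
SELECT d.datname,
       d.datcollversion                            AS recorded_version,
       pg_database_collation_actual_version(d.oid) AS provided_version
FROM pg_database AS d
WHERE d.datallowconn
  AND d.datcollversion IS DISTINCT FROM
      pg_database_collation_actual_version(d.oid);

-- 2. Run while connected to the affected database (here: puppetdb).
--    Indexes with at least one key column that uses a collation other
--    than C/POSIX; their on-disk ordering may not match the new library.
SELECT DISTINCT
       i.indrelid::regclass::text   AS table_name,
       i.indexrelid::regclass::text AS index_name,
       c.collname
FROM pg_index     AS i
JOIN pg_attribute AS a ON a.attrelid = i.indexrelid AND a.attnum > 0
JOIN pg_collation AS c ON c.oid = a.attcollation
WHERE c.collname NOT IN ('C', 'POSIX')
ORDER BY table_name, index_name;

-- 3. Rebuild the affected indexes, then record the new version so the
--    WARNING stops. REINDEX DATABASE only works on the current database
--    and cannot run inside a transaction block.
REINDEX DATABASE puppetdb;
ALTER DATABASE puppetdb REFRESH COLLATION VERSION;

-- 4. Confirm: the query from step 1 should now return no row for puppetdb.
SELECT d.datname, d.datcollversion
FROM pg_database AS d
WHERE d.datname = 'puppetdb';
```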