Skip to content

Commit

Permalink
Convertge quorum member auth
Browse files Browse the repository at this point in the history
The current code for authenticating to quorum members runs the auth
command on every puppet run. This both updates the credentials on
disk, and generates a puppet change event, which are btoh undesirable.

The proposed change checks to ensure all quorum members have an auth
token in the credentials file, and updates auth for all members if
any one member is missing. This results in a convergent state.

There is a caveat, in that what gets stored in the credentials file
is not the original password, but an auth token. There does not seem
to be a pcs command to check the tokens are still valid. So this code
is only checking for presenence of auth tokens, not correctness.
If the authentication token is later invalided, puppet will not correct
this. It would be necessary to manually run the `pcs host auth` or
`pcs cluster auth` commands to fix it.

Fixes #500
  • Loading branch information
optiz0r committed Jun 29, 2022
1 parent 5f48a6c commit fa1c724
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions manifests/init.pp
Original file line number Diff line number Diff line change
Expand Up @@ -597,12 +597,18 @@
default => 'pcs host auth',
}

# Check that all nodes have an authorization token
$auth_check_command = $quorum_members.map |$node| {
"grep '${node}' /var/lib/pcsd/tokens"
}.join(' && ')

# Attempt to authorize all members. The command will return successfully
# if they were already authenticated so it's safe to run every time this
# is applied.
# TODO - make it run only once
exec { 'authorize_members':
command => "${pcs_auth_command} ${node_string} ${auth_credential_string}",
unless => $auth_check_command,
path => $exec_path,
require => [
Service['pcsd'],
Expand Down

0 comments on commit fa1c724

Please sign in to comment.