READ DESCRIPTION: Improved handling of passwords for sensu_user #1251
@@ -74,6 +74,7 @@ def create | |||
configure_cmd << '--trusted-ca-file' | |||
configure_cmd << resource[:configure_trusted_ca_file] | |||
end | |||
Puppet.notice('Executing sensuctl configure') |
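Review bot: The `Puppet.notice` call added at the end of this hunk, after the `--trusted-ca-file` block in `create`, logs a fixed string at notice level, so the line cannot be tied to a particular resource or URL when several are managed. Consider `Puppet.debug`, or name the resource in the message. If the message is ever extended, keep it from interpolating `configure_cmd`, so that command-line arguments never reach the run log.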
Are these present in a puppet run? Could you paste an example?
This is from vagrant where I changed admin password:
[root@sensu-backend ~]# puppet apply backend.pp
Notice: Compiled catalog for sensu-backend in environment production in 1.16 seconds
Notice: /Stage[main]/Sensu::Backend/Sensu_user[admin]/password: changed password
Notice: Executing sensuctl configure
Notice: Applied catalog in 4.97 seconds
@@ -190,6 +190,8 @@ | |||
configure => true, | |||
configure_url => $sensu::api_url, | |||
configure_trusted_ca_file => $sensu::trusted_ca_file, | |||
provider => 'sensu_api', |
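Review bot: The `provider => 'sensu_api',` line at the end of this hunk pins a provider on a resource that also sets `configure => true`, and nothing in the visible lines says why. Add a short inline comment above it giving the reason the provider is set explicitly here, so a later cleanup does not remove it as redundant.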
Is it necessary to specify the provider? Isn't there only one?
There are two providers for all types except those prefixed with `sensuctl`. They are `sensuctl` and `sensu_api`. Using the API to manage the admin user removes a potential circular dependency, as sensuctl requires the admin user password and setting the admin user password via sensuctl would create a dependency problem when removing the `old_password` necessity. The API is able to either use the existing `password` or read tokens from the config files written by `sensuctl`, which will exist after bootstrap, and those are the "backup" form of API authentication on the backend host.
Also the default provider for all types is `sensuctl` as a form of backwards compatibility before the API provider existed. In order to use the API you must specify the `sensu_api` provider.
* Deprecate `old_password`, no longer used or necessary
* Validate sensu_user passwords are at least 8 characters long
* All resources except sensu_user and sensuctl_configure now auto-require Sensu_user[admin]
…ging admin user using API Move sensu-backend init to Exec to ensure proper order and that it comes before admin user
…r in order to be able to properly be applied
… to prefetch which could halt catalog application
Pull Request Checklist
Description
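* Deprecate `sensu::old_password` and `sensu::agent_old_password`, no longer used or necessary
* Validate `sensu_user` passwords are at least 8 characters long
* All resources except sensu_user and sensuctl_configure now auto-require `Sensu_user[admin]`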
Motivation and Context
Sensu Go now makes it easier to manage passwords in such a way that using the old password is no longer necessary. This deprecates the unnecessary password so that catalogs don't produce errors if people have provided the `old_password` parameters.
The changes to support this should be released in Sensu Go 5.21 but this should still work before 5.21 by passing the plain text password when managing users if the command to generate the hash fails.
There will be deprecation warnings for public resources with `old_password`. All private resources had `old_password` removed.
I've added hopefully catchy bold to pull request title to grab people's attention in CHANGELOG.