From f17452c7d574dcaa5102f990a536ba74b1c612e5 Mon Sep 17 00:00:00 2001
From: Mickey
Date: Wed, 8 Aug 2018 17:29:53 +0800
Subject: [PATCH 1/2] use project name for postgres user
---
 ansible/inventory/group_vars/db-servers/postgresql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/inventory/group_vars/db-servers/postgresql.yml b/ansible/inventory/group_vars/db-servers/postgresql.yml
index afc89f5..70a715f 100644
--- a/ansible/inventory/group_vars/db-servers/postgresql.yml
+++ b/ansible/inventory/group_vars/db-servers/postgresql.yml
@@ -21,7 +21,7 @@ postgresql_default_auth_method: "md5"
 postgresql_pg_hba_default:
 # Allow OS postgres user to manage databases without a password
- - { type: local, database: all, user: "{{ postgresql_admin_user }}", address: "", method: "peer", comment: "" }
+ - { type: local, database: all, user: "{{ elixir_release_name_code }}", address: "", method: "peer", comment: "" }
 # Same for other users, as long as OS user matches PG user
 # - { type: local, database: all, user: all, address: "", method: "peer", comment: '"local" is for Unix domain socket connections only' }
 - { type: local, database: all, user: all, address: "", method: "{{ postgresql_default_auth_method }}", comment: '"local" is for Unix domain socket connections only' }
From c687a2f3960934915eb1bd7a95b0bc6657b3fc1d Mon Sep 17 00:00:00 2001
From: Mickey
Date: Thu, 9 Aug 2018 12:42:49 +0800
Subject: [PATCH 2/2] reversed previous commit, add a new line to pg_hba for designated user to application database
---
 ansible/inventory/group_vars/db-servers/postgresql.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ansible/inventory/group_vars/db-servers/postgresql.yml b/ansible/inventory/group_vars/db-servers/postgresql.yml
index 70a715f..41aa1f9 100644
--- a/ansible/inventory/group_vars/db-servers/postgresql.yml
+++ b/ansible/inventory/group_vars/db-servers/postgresql.yml
@@ -20,8 +20,8 @@ postgresql_user_privileges:
 postgresql_default_auth_method: "md5"
 postgresql_pg_hba_default:
- # Allow OS postgres user to manage databases without a password
- - { type: local, database: all, user: "{{ elixir_release_name_code }}", address: "", method: "peer", comment: "" }
+ # Allow OS postgres user to manage databasepostgresql_admin_users without a password
+ - { type: local, database: all, user: "{{ postgresql_admin_user }}", address: "", method: "peer", comment: "" }
 # Same for other users, as long as OS user matches PG user
 # - { type: local, database: all, user: all, address: "", method: "peer", comment: '"local" is for Unix domain socket connections only' }
 - { type: local, database: all, user: all, address: "", method: "{{ postgresql_default_auth_method }}", comment: '"local" is for Unix domain socket connections only' }
@@ -31,3 +31,5 @@ postgresql_pg_hba_default:
 # - { type: host, database: replication, user: all, address: "127.0.0.1/32", method: "{{ postgresql_default_auth_method }}", comment: "" }
 # - { type: host, database: replication, user: all, address: "::1/128", method: "{{ postgresql_default_auth_method }}", comment: "" }
 - { type: host, database: all, user: all, address: "::1/128", method: "{{ postgresql_default_auth_method }}", comment: "IPv6 local connections:" }
+ # Application DB with designated user password access
+ - { type: local, database: "{{ elixir_release_name_code }}_prod", user: "{{ elixir_release_name_code }}", address: "", method: "md5", comment: "" }
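Review bot: The rewritten comment in the first hunk reads `databasepostgresql_admin_users`, which looks like the variable name pasted into the middle of the word `databases`. Restore it to `# Allow OS postgres user to manage databases without a password` so it again describes the `peer` rule for `{{ postgresql_admin_user }}` on the next line.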
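Review bot: The new `local` entry for `{{ elixir_release_name_code }}_prod` is appended at the end of `postgresql_pg_hba_default`, after the existing `local all all` entry shown in the first hunk, and PostgreSQL applies the first pg_hba.conf record that matches a connection. Assuming the role renders the list in order, the added rule is never consulted; if a dedicated rule for the application database is wanted it has to sit above the `local all all` entry, otherwise it can be dropped. It also hard-codes `method: "md5"` where the other password rules use the variable, so it would stay on MD5 if the default is later raised to a stronger method such as `scram-sha-256`; suggest `method: "{{ postgresql_default_auth_method }}"`. The YAML comment above the entry will not reach the rendered file, so the description belongs in the entry's `comment:` field. Part of the list lies outside both hunks, so the ordering of the entries in between is not visible here.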