hacluster password creation

Bug #2011516 reported by Mathias Gonzalez
Affects: puppet-pacemaker
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

The creation of the password for the user hacluster uses the FQDNs of the nodes, so if 2 nodes have different FQDNs then they have different passwords for the hacluster user, so how can they reach the authentication?

    user { 'hacluster':
      password => pw_hash($::pacemaker::hacluster_pwd, 'SHA-512', fqdn_rand_string(10)),
      groups => 'haclient',
      require => Class['pacemaker::install'],
      before => Service['pcsd'],
      notify => Exec['reauthenticate-across-all-nodes'],
    }

Michele Baldessari (michele) wrote :

That is the salt, not the password.

Changed in puppet-pacemaker:
status: New → Invalid
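
The salt-versus-password distinction in the reply above, as an added Ruby example (not code from puppet-pacemaker or from this thread): two nodes derive different salts from their FQDNs and so store different SHA-512 crypt strings, yet the same shared password verifies on both. `node_salt` is a simplified stand-in for `fqdn_rand_string(10)`, and the hostnames and password are constructed.

```ruby
require 'digest'

CHARSET = [*'a'..'z', *'A'..'Z', *'0'..'9'].freeze

# Simplified stand-in (assumption) for fqdn_rand_string(10): a string that is
# stable for one node and differs between nodes, because the PRNG is seeded
# from the node's FQDN.
def node_salt(fqdn, length = 10)
  rng = Random.new(Digest::MD5.hexdigest(fqdn).hex)
  Array.new(length) { CHARSET[rng.rand(CHARSET.size)] }.join
end

# SHA-512 crypt entry ("$6$<salt>$<digest>") as it would land in /etc/shadow.
# Relies on the platform's crypt(3) supporting the $6$ scheme (glibc/libxcrypt).
def shadow_hash(password, salt)
  password.crypt("$6$#{salt}")
end

# Verification re-hashes the candidate with the salt embedded in the stored
# entry, so the verifier never needs to know how the salt was chosen.
def verifies?(candidate, stored)
  candidate.crypt(stored) == stored
end

# Constructed sample data: one shared cluster password, two node FQDNs.
shared_pwd = 'constructed-shared-secret'
nodes = ['node1.example.test', 'node2.example.test']

nodes.each do |fqdn|
  stored = shadow_hash(shared_pwd, node_salt(fqdn))
  puts "#{fqdn}: #{stored[0, 24]}... verifies=#{verifies?(shared_pwd, stored)}"
end
```

The stored strings differ per node, which is what a per-node salt is for; what has to match across nodes is the plaintext value of `$::pacemaker::hacluster_pwd`.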
Mathias Gonzalez (mathgonzlez) wrote :

But you are using this to auth with other nodes:

    user { 'hacluster':
      password => $::pacemaker::hacluster_pwd,
      groups => 'haclient',
      require => Class['pacemaker::install'],
      before => Service['pcsd'],
      notify => Exec['reauthenticate-across-all-nodes'],
    }

    # If we fail the local authentication via pcs, let's try and reauthenticate
    # This might happen if /var/lib/pcsd/tokens got corrupt or if we upgraded pcs versions
    # and authentication is not working even though the hacluster user has not changed
    exec { 'check-for-local-authentication':
      command => "/bin/echo 'local pcsd auth failed, triggering a reauthentication'",
      onlyif => "${::pacemaker::pcs_bin} status pcsd ${::hostname} 2>&1 | grep 'Unable to authenticate'",
      tag => 'pacemaker-auth',
      notify => Exec['reauthenticate-across-all-nodes'],
    }

    # pcs-0.10.x has different commands to set up the cluster
    if $::pacemaker::pcs_010 {
      $cluster_setup_cmd = "${::pacemaker::pcs_bin} cluster setup ${cluster_name} ${cluster_members_rrp_real} ${cluster_setup_extras_real}"
      $cluster_reauthenticate_cmd = "${::pacemaker::pcs_bin} host auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd}"
      $cluster_authenticate_cmd = "${::pacemaker::pcs_bin} host auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd}"
      $cluster_authenticate_unless = "${::pacemaker::pcs_bin} host auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd} | grep 'Already authorized'"
    } else {
      $cluster_setup_cmd = "${::pacemaker::pcs_bin} cluster setup --wait --name ${cluster_name} ${cluster_members_rrp_real} ${cluster_setup_extras_real}"
      $cluster_reauthenticate_cmd = "${::pacemaker::pcs_bin} cluster auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd} --force"
      $cluster_authenticate_cmd = "${::pacemaker::pcs_bin} cluster auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd}"
      $cluster_authenticate_unless = "${::pacemaker::pcs_bin} cluster auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd} | grep 'Already authorized'"
    }

I created this because when I want to deploy a new cluster it gets stuck at:

Info: /Stage[main]/Pacemaker::Corosync/Exec[check-for-local-authentication]: Scheduling refresh of Exec[reauthenticate-across-all-nodes]
