Commit 810f5db6738c8096db80ca7b6fa73014ef92f3ae
Exists in
master
and in
9 other branches
Merge branch 'pg_peer' of dev.gitlab.org:gitlab/omnibus-gitlab
Conflicts: CHANGELOG
Showing
8 changed files
with
71 additions
and
17 deletions
Show diff stats
CHANGELOG
... | ... | @@ -21,6 +21,13 @@ omnibus-gitlab repository. |
21 | 21 | - Change default Runit log rotation from 10x1MB to 30x24h |
22 | 22 | - Security: Restrict redis and postgresql log directory permissions to 0700 |
23 | 23 | - Add a 'gitlab-ctl deploy-page' command |
24 | +- Security: Use sockets and peer authentication for Postgres | |
25 | + | |
26 | +6.9.4-ee.omnibus.1 | |
27 | +- Security: Use sockets and peer authentication for Postgres | |
28 | + | |
29 | +6.9.2.omnibus.2 | |
30 | +- Security: Use sockets and peer authentication for Postgres | |
24 | 31 | |
25 | 32 | 6.9.2 |
26 | 33 | - Create the authorized-keys.lock file for gitlab-shell 1.9.4 | ... | ... |
files/gitlab-cookbooks/gitlab/attributes/default.rb
... | ... | @@ -123,8 +123,8 @@ default['gitlab']['gitlab-rails']['db_encoding'] = "unicode" |
123 | 123 | default['gitlab']['gitlab-rails']['db_database'] = "gitlabhq_production" |
124 | 124 | default['gitlab']['gitlab-rails']['db_pool'] = 10 |
125 | 125 | default['gitlab']['gitlab-rails']['db_username'] = "gitlab" |
126 | -default['gitlab']['gitlab-rails']['db_password'] = "password" | |
127 | -default['gitlab']['gitlab-rails']['db_host'] = "localhost" | |
126 | +default['gitlab']['gitlab-rails']['db_password'] = nil | |
127 | +default['gitlab']['gitlab-rails']['db_host'] = nil | |
128 | 128 | default['gitlab']['gitlab-rails']['db_port'] = 5432 |
129 | 129 | default['gitlab']['gitlab-rails']['db_socket'] = nil |
130 | 130 | |
... | ... | @@ -182,12 +182,11 @@ default['gitlab']['postgresql']['shell'] = "/bin/sh" |
182 | 182 | default['gitlab']['postgresql']['home'] = "/var/opt/gitlab/postgresql" |
183 | 183 | default['gitlab']['postgresql']['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH" |
184 | 184 | default['gitlab']['postgresql']['sql_user'] = "gitlab" |
185 | -default['gitlab']['postgresql']['sql_password'] = "snakepliskin" | |
186 | 185 | default['gitlab']['postgresql']['port'] = 5432 |
187 | -default['gitlab']['postgresql']['listen_address'] = 'localhost' | |
186 | +default['gitlab']['postgresql']['listen_address'] = nil | |
188 | 187 | default['gitlab']['postgresql']['max_connections'] = 200 |
189 | -default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = [ ] | |
190 | -default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ] | |
188 | +default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = [] | |
189 | +default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = [] | |
191 | 190 | default['gitlab']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295 |
192 | 191 | default['gitlab']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575 |
193 | 192 | ... | ... |
files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
... | ... | @@ -66,16 +66,12 @@ module Gitlab |
66 | 66 | end |
67 | 67 | end |
68 | 68 | |
69 | - Gitlab['postgresql']['sql_password'] ||= generate_hex(50) | |
70 | 69 | Gitlab['gitlab_rails']['secret_token'] ||= generate_hex(64) |
71 | 70 | |
72 | 71 | if File.directory?("/etc/gitlab") |
73 | 72 | File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f| |
74 | 73 | f.puts( |
75 | 74 | Chef::JSONCompat.to_json_pretty({ |
76 | - 'postgresql' => { | |
77 | - 'sql_password' => Gitlab['postgresql']['sql_password'], | |
78 | - }, | |
79 | 75 | 'gitlab_rails' => { |
80 | 76 | 'secret_token' => Gitlab['gitlab_rails']['secret_token'], |
81 | 77 | } | ... | ... |
files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
... | ... | @@ -115,6 +115,13 @@ template pg_hba_config do |
115 | 115 | notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql") |
116 | 116 | end |
117 | 117 | |
118 | +template File.join(postgresql_data_dir, "pg_ident.conf") do | |
119 | + owner node['gitlab']['postgresql']['username'] | |
120 | + mode "0644" | |
121 | + variables(node['gitlab']['postgresql'].to_hash) | |
122 | + notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql") | |
123 | +end | |
124 | + | |
118 | 125 | should_notify = OmnibusHelper.should_notify?("postgresql") |
119 | 126 | |
120 | 127 | runit_service "postgresql" do |
... | ... | @@ -143,10 +150,9 @@ bin_dir = "/opt/gitlab/embedded/bin" |
143 | 150 | db_name = "gitlabhq_production" |
144 | 151 | |
145 | 152 | sql_user = node['gitlab']['postgresql']['sql_user'] |
146 | -sql_user_passwd = node['gitlab']['postgresql']['sql_password'] | |
147 | 153 | |
148 | 154 | execute "create #{sql_user} database user" do |
149 | - command "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user} WITH ENCRYPTED PASSWORD '#{sql_user_passwd}'\"" | |
155 | + command "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user}\"" | |
150 | 156 | user pg_user |
151 | 157 | not_if { !pg_helper.is_running? || pg_helper.sql_user_exists? } |
152 | 158 | end | ... | ... |
files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
... | ... | @@ -7,8 +7,8 @@ production: |
7 | 7 | encoding: <%= @db_encoding %> |
8 | 8 | database: <%= @db_database %> |
9 | 9 | pool: <%= @db_pool %> |
10 | - username: "<%= @db_username %>" | |
11 | - password: "<%= @db_password %>" | |
12 | - host: <%= @db_host %> | |
10 | + username: <%= single_quote(@db_username) %> | |
11 | + password: <%= single_quote(@db_password) %> | |
12 | + host: <%= single_quote(@db_host) %> | |
13 | 13 | port: <%= @db_port %> |
14 | - socket: <%= @db_socket %> | |
14 | + socket: <%= single_quote(@db_socket) %> | ... | ... |
files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
... | ... | @@ -67,7 +67,7 @@ |
67 | 67 | # TYPE DATABASE USER CIDR-ADDRESS METHOD |
68 | 68 | |
69 | 69 | # "local" is for Unix domain socket connections only |
70 | -local all all trust | |
70 | +local all all peer map=gitlab | |
71 | 71 | |
72 | 72 | <% node['gitlab']['postgresql']['trust_auth_cidr_addresses'].each do |cidr| %> |
73 | 73 | host all all <%= cidr %> trust | ... | ... |
files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
0 → 100644
... | ... | @@ -0,0 +1,45 @@ |
1 | +# PostgreSQL User Name Maps | |
2 | +# ========================= | |
3 | +# | |
4 | +# Refer to the PostgreSQL documentation, chapter "Client | |
5 | +# Authentication" for a complete description. A short synopsis | |
6 | +# follows. | |
7 | +# | |
8 | +# This file controls PostgreSQL user name mapping. It maps external | |
9 | +# user names to their corresponding PostgreSQL user names. Records | |
10 | +# are of the form: | |
11 | +# | |
12 | +# MAPNAME SYSTEM-USERNAME PG-USERNAME | |
13 | +# | |
14 | +# (The uppercase quantities must be replaced by actual values.) | |
15 | +# | |
16 | +# MAPNAME is the (otherwise freely chosen) map name that was used in | |
17 | +# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the | |
18 | +# client. PG-USERNAME is the requested PostgreSQL user name. The | |
19 | +# existence of a record specifies that SYSTEM-USERNAME may connect as | |
20 | +# PG-USERNAME. | |
21 | +# | |
22 | +# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a | |
23 | +# regular expression. Optionally this can contain a capture (a | |
24 | +# parenthesized subexpression). The substring matching the capture | |
25 | +# will be substituted for \1 (backslash-one) if present in | |
26 | +# PG-USERNAME. | |
27 | +# | |
28 | +# Multiple maps may be specified in this file and used by pg_hba.conf. | |
29 | +# | |
30 | +# No map names are defined in the default configuration. If all | |
31 | +# system user names and PostgreSQL user names are the same, you don't | |
32 | +# need anything in this file. | |
33 | +# | |
34 | +# This file is read on server startup and when the postmaster receives | |
35 | +# a SIGHUP signal. If you edit the file on a running system, you have | |
36 | +# to SIGHUP the postmaster for the changes to take effect. You can | |
37 | +# use "pg_ctl reload" to do that. | |
38 | + | |
39 | +# Put your actual configuration here | |
40 | +# ---------------------------------- | |
41 | + | |
42 | +# MAPNAME SYSTEM-USERNAME PG-USERNAME | |
43 | +gitlab <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['postgresql']['sql_user'] %> | |
44 | +# Default to a 1-1 mapping between system usernames and Postgres usernames | |
45 | +gitlab /^(.*)$ \1 | ... | ... |