From 09ac950d170794e8d975e1a46a62ee8122d95317 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Oct 2021 16:32:05 +0300 Subject: [PATCH] Fix dump importing (backup restore) into Postgres v14 In short, the problem is that older Postgres versions store passwords hashed as md5. When you dump such a database, the dump naturally also contains md5-hashed passwords. Restoring from that dump used to create users and updates their passwords with these md5 hashes. However, Postgres v14 prefers does not like md5-hashed passwords now (by default), which breaks connectivity. Postgres v14 prefers `scram-sha-256` for authentication. Our solution is to just ignore setting passwords (`ALTER ROLE ..` statements) when restoring dumps. We don't need to set passwords as defined in the dump anyway, because the playbook creates users and manages their passwords by itself. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1340 --- roles/matrix-postgres/defaults/main.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 53b1c0f4c..91a31d997 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -63,7 +63,16 @@ matrix_postgres_additional_databases: [] # We either need to not create them or to ignore the `CREATE ROLE` statements in the dump. matrix_postgres_import_roles_to_ignore: [matrix_postgres_connection_username] -matrix_postgres_import_roles_ignore_regex: "^CREATE ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }});" +# When importing an existing Postgres database (when restoring a backup) or when doing a Postgres upgrade (which dumps & restores), we'd like to avoid: +# - creating users (`CREATE ROLE ..`) +# - updating passwords for users (`ALTER ROLE matrix WITH SUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'md5...`) +# +# Both of these operations are done by the playbook anyway. +# Updating passwords is especially undesirable, because older versions hash passwords using md5 and export them as md5 hashes in the dump file, +# which is unsupported by default by newer Postgres versions (v14+). +# When users are created and passwords are set by the playbook, they end up hashed as `scram-sha-256` on Postgres v14+. +# If an md5-hashed password is restored on top, Postgres v14+ will refuse to authenticate users with it by default. +matrix_postgres_import_roles_ignore_regex: "^(CREATE|ALTER) ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }})(;| WITH)" # A list of databases to avoid creating when importing (or upgrading) the database. # If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`),