mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-12-22 12:35:51 +00:00
Fix dump importing (backup restore) into Postgres v14
In short, the problem is that older Postgres versions store passwords hashed as md5. When you dump such a database, the dump naturally also contains md5-hashed passwords. Restoring from that dump used to create users and updates their passwords with these md5 hashes. However, Postgres v14 prefers does not like md5-hashed passwords now (by default), which breaks connectivity. Postgres v14 prefers `scram-sha-256` for authentication. Our solution is to just ignore setting passwords (`ALTER ROLE ..` statements) when restoring dumps. We don't need to set passwords as defined in the dump anyway, because the playbook creates users and manages their passwords by itself. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1340
This commit is contained in:
parent
35c91701a8
commit
09ac950d17
@ -63,7 +63,16 @@ matrix_postgres_additional_databases: []
|
||||
# We either need to not create them or to ignore the `CREATE ROLE` statements in the dump.
|
||||
matrix_postgres_import_roles_to_ignore: [matrix_postgres_connection_username]
|
||||
|
||||
matrix_postgres_import_roles_ignore_regex: "^CREATE ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }});"
|
||||
# When importing an existing Postgres database (when restoring a backup) or when doing a Postgres upgrade (which dumps & restores), we'd like to avoid:
|
||||
# - creating users (`CREATE ROLE ..`)
|
||||
# - updating passwords for users (`ALTER ROLE matrix WITH SUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'md5...`)
|
||||
#
|
||||
# Both of these operations are done by the playbook anyway.
|
||||
# Updating passwords is especially undesirable, because older versions hash passwords using md5 and export them as md5 hashes in the dump file,
|
||||
# which is unsupported by default by newer Postgres versions (v14+).
|
||||
# When users are created and passwords are set by the playbook, they end up hashed as `scram-sha-256` on Postgres v14+.
|
||||
# If an md5-hashed password is restored on top, Postgres v14+ will refuse to authenticate users with it by default.
|
||||
matrix_postgres_import_roles_ignore_regex: "^(CREATE|ALTER) ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }})(;| WITH)"
|
||||
|
||||
# A list of databases to avoid creating when importing (or upgrading) the database.
|
||||
# If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`),
|
||||
|
Loading…
Reference in New Issue
Block a user