Default HBA does not take scram into account

[vaol]

Hello,

the default HBA rules are still hardcoded with md5, couldn't we use the $password_encryption variable of config.pp to initialize it ?

Best regards,
Olivier

[SimonHoenscheid]

That should be easy to implement. If you prepare a PR, I am happy to review and provide feedback.

[SimonHoenscheid]

AFAIK:

Postgres 14+ supports scram-sha-256
postgres 10-13 supports md5

The module only sets password_encryption in the postgresql.conf from version 10+:
https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/instance/config.pp#L209-L214

Given this, I would consider setting
https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/params.pp#L28

from
$password_encryption = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
to
$password_encryption = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { 'md5' }
a save option.

That would allow replacing the auth_method in the following lines with $password_encryption:
https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/instance/config.pp#L102-L141

Any thought on this @vaol @bastelfreak @cruelsmith @ekohl?

[cruelsmith]

Ups ... #1406 did not changed the hba but it should have as we see. Thanks for the report @vaol ❤️

@SimonHoenscheid fine with the change on the first look. But we should also check if we can remove some Optional[...] types since with this change there is no undef per default anymore. Like here

puppetlabs-postgresql/manifests/server.pp

Line 185 in 5b2edeb

Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::params::password_encryption,

puppetlabs-postgresql/manifests/server/instance/config.pp

Line 73 in 5b2edeb

Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::server::password_encryption,

[SimonHoenscheid]

@cruelsmith added to PR

[ekohl]

Postgres 14+ supports scram-sha-256
postgres 10-13 supports md5

I don't think this is entirely true. https://www.cybertec-postgresql.com/en/from-md5-to-scram-sha-256-in-postgresql/ says:

Since v10, PostgreSQL has provided support for scram-sha-256 for password hashing and authentication.

Also:

This step is not strictly necessary, because PostgreSQL will use scram-sha-256 authentication for scram-sha-256-hashed passwords, even if the authentication method is set to md5 in pg_hba.conf. This is a compatibility feature.

[SimonHoenscheid]

@ekohl That makes the change more interesting. If users want to switch to scram-sha-256 and use the pg_hba default provided by the module, the PR would allow them to enforce scram-sha-256.