Puppet Version: 2019.8 Puppet Server Version: OS Name/Version: RHEL 7 Desired Behavior: The change occurs once and applies the correct configuration Actual Behavior: Every Puppet run a corrective change occurs:
Notice: /Stage[main]/Puppet_enterprise::Profile::Database/Puppet_enterprise::App_database[puppetdb]/Puppet_enterprise::Pg::Migrator_user[pe-puppetdb-migrator]/Puppet_enterprise::Psql[SET ROLE pe-puppetdb-migrator; GRANT pe-puppetdb - CONNECT - pe-puppetdb]/Pe_postgresql_psql[SET ROLE pe-puppetdb-migrator; GRANT pe-puppetdb - CONNECT - pe-puppetdb]/command: command changed to 'SET ROLE "pe-puppetdb-migrator"; GRANT CONNECT ON DATABASE "pe-puppetdb" TO "pe-puppetdb"' (corrective) |
This seems to be occurring as the below isn't returning the expected output here:
pe-postgres=# SELECT datacl FROM pg_catalog.pg_database WHERE datname = 'pe-puppetdb'; |
datacl |
-------------------------------------------------------------- |
{"=T/\"pe-puppetdb\"","\"pe-puppetdb\"=CTc/\"pe-puppetdb\""} |
(1 row) |
|
Output from my working test 2019.8:
pe-postgres=# SELECT datacl FROM pg_catalog.pg_database WHERE datname = 'pe-puppetdb'; |
datacl |
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
{"\"pe-postgres\"=CTc/\"pe-postgres\"","=T/\"pe-postgres\"","\"pe-puppetdb\"=CT/\"pe-postgres\"","\"pe-puppetdb-migrator\"=c*/\"pe-postgres\"","\"pe-puppetdb\"=c/\"pe-puppetdb-migrator\""}
|
Another difference is the customers pe-postgres user is missing the Bypass RLS attribute, we tested removing this but didn't see the same behaviour as the customer. Looking for some next steps for the customer. |