puppet: process_fts_updates connects as nagios (or provided username).

It should not use the configured zulip username, but should instead pull from the login user (likely `nagios`), or an explicit alternate provided PostgreSQL username. Failure to do so results in Nagios failures because the `nagios` login does not have permissions to authenticated the `zulip` PostgreSQL user. This requires CI changes, as the install tests install as the `zulip` login username, which allowed Nagios tests to pass previously; with the custom database and username, however, they must be passed to process_fts_updates explicitly when validating the install.
2021-12-13 20:23:23 -08:00 · 2021-12-13 20:23:23 -08:00 · 71b56f7c1c
parent 9d67e37166
commit 71b56f7c1c
3 changed files with 46 additions and 4 deletions
--- a/.github/workflows/production-suite.yml
+++ b/.github/workflows/production-suite.yml
@ -194,7 +194,7 @@ jobs:
          sudo /tmp/production-install ${{ matrix.extra-args }}

      - name: Verify install
-        run: sudo /tmp/production-verify
+        run: sudo /tmp/production-verify ${{ matrix.extra-args }}

      - name: Install pgroonga
        if: ${{ matrix.is_bionic }}
@ -202,7 +202,7 @@ jobs:

      - name: Verify install after installing pgroonga
        if: ${{ matrix.is_bionic }}
-        run: sudo /tmp/production-verify
+        run: sudo /tmp/production-verify ${{ matrix.extra-args }}

      - name: Upgrade postgresql
        if: ${{ matrix.is_bionic }}
@ -210,7 +210,7 @@ jobs:

      - name: Verify install after upgrading postgresql
        if: ${{ matrix.is_bionic }}
-        run: sudo /tmp/production-verify
+        run: sudo /tmp/production-verify ${{ matrix.extra-args }}

      - name: Report status
        if: failure()
--- a/puppet/zulip/files/postgresql/process_fts_updates
+++ b/puppet/zulip/files/postgresql/process_fts_updates
@ -47,6 +47,7 @@ BATCH_SIZE = 1000
 parser = argparse.ArgumentParser()
 parser.add_argument("--quiet", action="store_true")
 parser.add_argument("--nagios-check", action="store_true")
+parser.add_argument("--nagios-user")
 options = parser.parse_args()

 logging.Formatter.converter = time.gmtime
@ -154,6 +155,11 @@ except ImportError:
 conn: Optional[psycopg2.extensions.connection]

 if options.nagios_check:
+    # Nagios connects as itself, unless you specify otherwise
+    if options.nagios_user:
+        pg_args["user"] = options.nagios_user
+    else:
+        del pg_args["user"]
    conn = psycopg2.connect(**pg_args)
    cursor = conn.cursor()
    cursor.execute("SELECT count(*) FROM fts_update_log")
--- a/tools/ci/production-verify
+++ b/tools/ci/production-verify
@ -5,6 +5,42 @@
 set -e
 set -x

+usage() {
+    cat <<'EOF'
+Usage:
+  production-verify
+  production-verify --test-custom-db
+  production-verify --help
+
+Options:
+  --test-custom-db
+      Use custom database and user names.
+
+EOF
+}
+
+# Shell option parsing.
+args="$(getopt -o '' --long help,test-custom-db -n "$0" -- "$@")"
+eval "set -- $args"
+NAGIOS_USER="zulip"
+while true; do
+    case "$1" in
+        --help)
+            usage
+            exit 0
+            ;;
+
+        --test-custom-db)
+            NAGIOS_USER="zulipcustomuser"
+            shift
+            ;;
+        --)
+            shift
+            break
+            ;;
+    esac
+done
+
 cat >>/etc/zulip/settings.py <<EOF
 # CircleCI override settings above
 AUTHENTICATION_BACKENDS = ( 'zproject.backends.EmailAuthBackend', )
@ -111,7 +147,7 @@ echo
 echo "Now running additional Nagios tests"
 echo
 if ! /usr/lib/nagios/plugins/zulip_app_frontend/check_queue_worker_errors \
-    || ! su zulip -c "/usr/local/bin/process_fts_updates --nagios-check"; then # || \
+    || ! su zulip -c "/usr/local/bin/process_fts_updates --nagios-check --nagios-user=$NAGIOS_USER"; then # || \
    #   ! su zulip -c "/usr/lib/nagios/plugins/zulip_app_frontend/check_send_receive_time --site=https://127.0.0.1/api --nagios --insecure"; then
    set +x
    echo