Merge branch 'master' of github.com:NikolayS/PostgresDBA

nikolay · nikolay · commit 987b08eb4232 · 2017-12-19T05:17:06.000+03:00
diff --git a/matviews/refresh_all.sql b/matviews/refresh_all.sql
@@ -1,6 +1,6 @@
 -- Use this to do the very 1st REFRESH for your matviews
 -- In case when there are complex relations between matviews,
--- it might perform multiple iterations and eventyally refreshes
+-- it might perform multiple iterations and eventually refreshes
 -- all matviews (either all w/o data or absolutely all -- it's up to you).
 
 -- set thos to TRUE here if you need ALL matviews to be refrehsed, not only those that already have been refreshed
@@ -56,15 +56,14 @@ begin
       end;
     end loop;
 
-    exit when 0 = (select count(*) from pg_matviews where not ispopulated);
     iter := iter + 1;
+    exit when iter > 5 or 0 = (select count(*) from pg_matviews where not ispopulated);
   end loop;
 
-  raise notice 'Finished! % matviews refreshed in % iterations. It took %', done_cnt, iter, (clock_timestamp() - now())::text;
+  raise notice 'Finished! % matviews refreshed in % iteration(s). It took %', done_cnt, (iter - 1), (clock_timestamp() - now())::text;
 end;
 $$ language plpgsql;
 
 reset postgres_dba.refresh_matviews_with_data;
 reset client_min_messages;
 reset statement_timeout;
-
diff --git a/misc/generate_password.sql b/misc/generate_password.sql
@@ -1,13 +1,16 @@
 with init(len, arr) as (
-  select 16, string_to_array('23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ&#%@', null)
+  -- edit password length and possible characters here
+  select 16, string_to_array('123456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ', null)
 ), arrlen(l) as (
   select count(*)
   from (select unnest(arr) from init) _
 ), indexes(i) as (
   select 1 + int4(random() * (l - 1))
   from arrlen, (select generate_series(1, len) from init) _
+), res as (
+  select array_to_string(array_agg(arr[i]), '') as password
+  from init, indexes
 )
-select array_to_string(array_agg(arr[i]), '') as password
-from init, indexes
+select password--, 'md5' || md5(password || {{username}}) as password_md5
+from res
 ;
-
diff --git a/roles/alter_user_with_random_password.psql b/roles/alter_user_with_random_password.psql
@@ -0,0 +1,71 @@
+-- When you do "ALTER ROLE ... PASSWORD '...';" manually in psql,
+-- password goes to log files, psql/bash history files, AWS logfiles, etc.
+-- This is insecure.
+-- This interactive script solves this problem.
+
+-- Usage (run in psql):
+-- 1) Set messages level to DEBUG (and keep logging level higher, to avoid having password in logs):
+--     set client_min_messages to DEBUG;
+-- 2) Run interactive script in psql:
+--     \i /path/to/PostgresDBA/roles/alter_user_with_random_password.psql
+
+\prompt "Username?" postgres_dba_username
+\prompt "Superuser? (1 if yes, 0 if no)" postgres_dba_is_superuser
+\prompt "Login? (1 if yes, 0 if no)" postgres_dba_login
+
+\set q_postgres_dba_username '\'' :postgres_dba_username '\''
+\set q_postgres_dba_is_superuser '\'' :postgres_dba_is_superuser '\''
+\set q_postgres_dba_login '\'' :postgres_dba_login '\''
+
+begin;
+
+\o /dev/null
+select set_config('postgres_dba.username', :q_postgres_dba_username, true);
+select set_config('postgres_dba.is_superuser', :q_postgres_dba_is_superuser, true);
+select set_config('postgres_dba.login', :q_postgres_dba_login, true);
+\o
+
+do $$
+declare
+  pwd text;
+  j int4;
+  allowed text;
+  allowed_len int4;
+  sql text;
+begin
+  if current_setting('postgres_dba.username')::text = '' then
+    raise exception 'Username is not specified.';
+  end if;
+  allowed := '23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ';
+  allowed_len := length(allowed);
+  pwd := '';
+  while length(pwd) < 16 loop
+    j := int4(random() * allowed_len);
+    pwd := pwd || substr(allowed, j+1, 1);
+  end loop;
+  sql := 'alter role ' || current_setting('postgres_dba.username')::text || ' password ''' || pwd || ''';';
+  raise debug 'SQL: %', sql;
+  execute sql;
+  sql := 'alter role ' || current_setting('postgres_dba.username')::text
+    || (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end)
+    || ';';
+  raise debug 'SQL: %', sql;
+  execute sql;
+  sql := 'alter role ' || current_setting('postgres_dba.username')::text
+    || (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end)
+    || ';';
+  raise debug 'SQL: %', sql;
+  execute sql;
+  raise debug 'User % altered, password: %', current_setting('postgres_dba.username')::text, pwd;
+end;
+$$ language plpgsql;
+
+commit;
+
+\unset postgres_dba_username
+\unset postgres_dba_is_superuser
+\unset postgres_dba_login
+\unset q_postgres_dba_username
+\unset q_postgres_dba_is_superuser
+\unset q_postgres_dba_login
+
diff --git a/roles/create_user_with_random_password.psql b/roles/create_user_with_random_password.psql
@@ -3,9 +3,11 @@
 -- This is insecure.
 -- This interactive script solves this problem.
 
--- SOLVED: avoid passwords in psql/bash history files
--- TODO: avoid passwords in logfiles (idea: to use function/select/with to print it 
---       just to output, w/o any RAISEs that also throws everything to log).
+-- Usage (run in psql):
+-- 1) Set messages level to DEBUG (and keep logging level higher, to avoid having password in logs):
+--     set client_min_messages to DEBUG;
+-- 2) Run interactive script in psql:
+--     \i /path/to/PostgresDBA/roles/create_user_with_random_password.psql
 
 \prompt "Username?" postgres_dba_username
 \prompt "Superuser? (1 if yes, 0 if no)" postgres_dba_is_superuser
@@ -34,7 +36,7 @@ begin
   if current_setting('postgres_dba.username')::text = '' then
     raise exception 'Username is not specified.';
   end if;
-  allowed := '23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ&#%@';
+  allowed := '23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ';
   allowed_len := length(allowed);
   pwd := '';
   while length(pwd) < 16 loop
@@ -45,18 +47,18 @@ begin
     || (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end)
     || (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end)
     || ' password ''' || pwd || ''';';
-  raise notice 'SQL: %', sql;
+  raise debug 'SQL: %', sql;
   execute sql;
-  raise notice 'User % created, password: %', current_setting('postgres_dba.username')::text, pwd;
+  raise info 'User % created, password: %', current_setting('postgres_dba.username')::text, pwd;
 end;
 $$ language plpgsql;
 
 commit;
 
 \unset postgres_dba_username
-\unset postgres_dba_username
+\unset postgres_dba_is_superuser
 \unset postgres_dba_login
 \unset q_postgres_dba_username
-\unset q_postgres_dba_username
+\unset q_postgres_dba_is_superuser
 \unset q_postgres_dba_login
 
