puppet: process_fts_updates connects as nagios (or provided username).

It should not use the configured zulip username, but should instead
pull from the login user (likely `nagios`), or an explicit alternate
provided PostgreSQL username.  Failure to do so results in Nagios
failures because the `nagios` login does not have permissions to
authenticated the `zulip` PostgreSQL user.

This requires CI changes, as the install tests install as the `zulip`
login username, which allowed Nagios tests to pass previously; with
the custom database and username, however, they must be passed to
process_fts_updates explicitly when validating the install.

.github/workflows/production-suite.yml

@@ -194,7 +194,7 @@ jobs:
           sudo /tmp/production-install ${{ matrix.extra-args }}
 
       - name: Verify install
-        run: sudo /tmp/production-verify
+        run: sudo /tmp/production-verify ${{ matrix.extra-args }}
 
       - name: Install pgroonga
         if: ${{ matrix.is_bionic }}
@@ -202,7 +202,7 @@ jobs:
 
       - name: Verify install after installing pgroonga
         if: ${{ matrix.is_bionic }}
-        run: sudo /tmp/production-verify
+        run: sudo /tmp/production-verify ${{ matrix.extra-args }}
 
       - name: Upgrade postgresql
         if: ${{ matrix.is_bionic }}
@@ -210,7 +210,7 @@ jobs:
 
       - name: Verify install after upgrading postgresql
         if: ${{ matrix.is_bionic }}
-        run: sudo /tmp/production-verify
+        run: sudo /tmp/production-verify ${{ matrix.extra-args }}
 
       - name: Report status
         if: failure()

puppet/zulip/files/postgresql/process_fts_updates

@@ -47,6 +47,7 @@ BATCH_SIZE = 1000
 parser = argparse.ArgumentParser()
 parser.add_argument("--quiet", action="store_true")
 parser.add_argument("--nagios-check", action="store_true")
+parser.add_argument("--nagios-user")
 options = parser.parse_args()
 
 logging.Formatter.converter = time.gmtime
@@ -154,6 +155,11 @@ except ImportError:
 conn: Optional[psycopg2.extensions.connection]
 
 if options.nagios_check:
+    # Nagios connects as itself, unless you specify otherwise
+    if options.nagios_user:
+        pg_args["user"] = options.nagios_user
+    else:
+        del pg_args["user"]
     conn = psycopg2.connect(**pg_args)
     cursor = conn.cursor()
     cursor.execute("SELECT count(*) FROM fts_update_log")

tools/ci/production-verify

@@ -5,6 +5,42 @@
 set -e
 set -x
 
+usage() {
+    cat <<'EOF'
+Usage:
+  production-verify
+  production-verify --test-custom-db
+  production-verify --help
+
+Options:
+  --test-custom-db
+      Use custom database and user names.
+
+EOF
+}
+
+# Shell option parsing.
+args="$(getopt -o '' --long help,test-custom-db -n "$0" -- "$@")"
+eval "set -- $args"
+NAGIOS_USER="zulip"
+while true; do
+    case "$1" in
+        --help)
+            usage
+            exit 0
+            ;;
+
+        --test-custom-db)
+            NAGIOS_USER="zulipcustomuser"
+            shift
+            ;;
+        --)
+            shift
+            break
+            ;;
+    esac
+done
+
 cat >>/etc/zulip/settings.py <<EOF
 # CircleCI override settings above
 AUTHENTICATION_BACKENDS = ( 'zproject.backends.EmailAuthBackend', )
@@ -111,7 +147,7 @@ echo
 echo "Now running additional Nagios tests"
 echo
 if ! /usr/lib/nagios/plugins/zulip_app_frontend/check_queue_worker_errors \
-    || ! su zulip -c "/usr/local/bin/process_fts_updates --nagios-check"; then # || \
+    || ! su zulip -c "/usr/local/bin/process_fts_updates --nagios-check --nagios-user=$NAGIOS_USER"; then # || \
     #   ! su zulip -c "/usr/lib/nagios/plugins/zulip_app_frontend/check_send_receive_time --site=https://127.0.0.1/api --nagios --insecure"; then
     set +x
     echo