Bug 2065903
Summary: | [RFE] Support SCRAM based authentication for Postgresql | ||
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Alexey Masolov <amasolov> |
Component: | Installation | Assignee: | satellite6-bugs <satellite6-bugs> |
Status: | ASSIGNED --- | QA Contact: | Satellite QE Team <sat-qe-bz-list> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 6.10.3 | CC: | ahumbe, ajambhul, cldavey, egolov, ehelms, ekohlvan, gtalreja, pondrejk, shetze, zhunting |
Target Milestone: | Unspecified | Keywords: | FutureFeature, PrioBumpGSS, Triaged, WorkAround |
Target Release: | Unused | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | Type: | Bug | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Alexey Masolov
2022-03-19 07:15:45 UTC
* The error in question is due to the use of SCRAM based authentication for PostgreSQL which we do not currently test or support - we are waiting for RHEL 8 based installations to re-assess this * Libraries we rely on, such as tfm-rubygem-pg are built against the system libpg and thus, may have issues connecting to a PostgreSQL with SCRAM authentication (as this is untested) * Satellite supports running on a RHEL enabled FIPS and compliant OS but is itself not FIPS compliant * Current, and past releases of Satellite with our FIPS support policy have used the MD5 password option for both internal and external databases. This is what we test and support. * We recommend that if an external database is desired, that it is installed per our external database documentation (e.g. https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html/installing_satellite_server_from_a_disconnected_network/performing-additional-configuration#installing-postgresql_satellite) and that this should work when connected to by a Satellite running on a FIPS enabled RHEL machine. * I would additionally recommend we track this BZ as a request for official SCRAM based authentication support for Satellite. This is a fair enhancement for us to consider as it's made easier by RHEL 8 and is relevant to both FIPS and non-FIPS based installations. Additional resource for FIPS support can be found at https://access.redhat.com/solutions/2799971 Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you. By now Satellite 6.12 or newer only runs on RHEL 8 and anything older is EOL. So SCRAM should be supported from a library perspective. https://github.com/puppetlabs/puppetlabs-postgresql/pull/1313 added some initial SCRAM support to the installer (foreman-installer 3.3) and https://github.com/puppetlabs/puppetlabs-postgresql/pull/1406 changes the default encryption to SCRAM on PostgreSQL 14, reflecting PostgreSQL defaults (foreman-installer 3.9). It should be possible to set the installer wide default to SCRAM now. I've opened https://github.com/theforeman/foreman-installer/pull/924 . Skipping auto-closure as this is now actively being worked on. |