Bug 2065903

Summary: [RFE] Support SCRAM based authentication for Postgresql
Product: Red Hat Satellite
Reporter: Alexey Masolov <amasolov>
Component: Installation
Assignee: satellite6-bugs <satellite6-bugs>
Status: ASSIGNED ---
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 6.10.3
CC: ahumbe, ajambhul, cldavey, egolov, ehelms, ekohlvan, gtalreja, pondrejk, shetze, zhunting
Target Milestone: Unspecified
Keywords: FutureFeature, PrioBumpGSS, Triaged, WorkAround
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Alexey Masolov 2022-03-19 07:15:45 UTC
Description of problem:

Satellite 6.10 installation is failing with the below error:

===
2022-03-14 10:17:28 [DEBUG ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[migrate --noinput]/Exec[pulpcore-manager migrate --noinput]/unless: psycopg2.OperationalError: SCRAM authentication requires libpq version 10 or above
2022-03-14 10:17:28 [DEBUG ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[migrate --noinput]/Exec[pulpcore-manager migrate --noinput]/unless: django.db.utils.OperationalError: SCRAM authentication requires libpq version 10 or above
===

pulp is relying on /usr/lib64/libpq.so.5 provided by postgresql-libs-9.2.24 but it's too old to support database authentication using SCRAM-SHA-256 (because MD5 is not supported on FIPS). 

Making a symlink from the software collection helps to make it work:

ln -s /opt/rh/rh-postgresql12/root/usr/lib64/libpq.so.rh-postgresql12-5 /usr/lib64/libpq.so.5
 
Version-Release number of selected component (if applicable):
Satellite 6.10.3 FIPS, external PostgreSQL 12 (FIPS too)

How reproducible:
100%
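
A check for the condition described in the report above, added here as an example (it is not part of the original bug report or of Satellite): it asks the dynamic loader which libpq it resolves for libpq.so.5, reads PQlibVersion(), and compares the major version against the "10 or above" requirement quoted in the error. The function names and the sample version integers are constructed for illustration.

```python
import ctypes
import ctypes.util

SCRAM_MIN_MAJOR = 10  # from the error text: "requires libpq version 10 or above"


def decode_libpq_version(num):
    """Decode the integer returned by PQlibVersion() into a version tuple.

    Before 10: major1*10000 + major2*100 + minor (9.2.24 -> 90224).
    From 10 on: major*10000 + minor (12.9 -> 120009).
    """
    if num >= 100000:
        return (num // 10000, num % 10000)
    return (num // 10000, (num // 100) % 100, num % 100)


def supports_scram(num):
    return decode_libpq_version(num)[0] >= SCRAM_MIN_MAJOR


def loaded_libpq_version(soname="libpq.so.5"):
    """Return PQlibVersion() of the libpq the loader resolves, or None."""
    for candidate in (soname, ctypes.util.find_library("pq")):
        if not candidate:
            continue
        try:
            lib = ctypes.CDLL(candidate)
            lib.PQlibVersion.restype = ctypes.c_int
            return lib.PQlibVersion()
        except (OSError, AttributeError):
            continue  # library missing, or too old to export PQlibVersion
    return None


def report(num):
    if num is None:
        return "libpq not found by the dynamic loader"
    ver = ".".join(str(p) for p in decode_libpq_version(num))
    verdict = "supports" if supports_scram(num) else "is too old for"
    return f"libpq {ver} {verdict} SCRAM-SHA-256"


if __name__ == "__main__":
    print(report(loaded_libpq_version()))
    # Constructed sample values, not output captured from the reporter's system:
    for sample in (90224, 120009):
        print(report(sample))
```

Run it with the same interpreter and environment as the failing process, since LD_LIBRARY_PATH or an enabled software collection changes which libpq.so.5 is resolved.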

Comment 5 Eric Helms 2022-03-29 21:31:15 UTC
 * The error in question is due to the use of SCRAM based authentication for PostgreSQL which we do not currently test or support - we are waiting for RHEL 8 based installations to re-assess this
 * Libraries we rely on, such as tfm-rubygem-pg, are built against the system libpq and thus may have issues connecting to a PostgreSQL with SCRAM authentication (as this is untested)
 * Satellite supports running on a RHEL enabled FIPS and compliant OS but is itself not FIPS compliant
 * Current and past releases of Satellite with our FIPS support policy have used the MD5 password option for both internal and external databases. This is what we test and support.

 * We recommend that if an external database is desired, that it is installed per our external database documentation (e.g. https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html/installing_satellite_server_from_a_disconnected_network/performing-additional-configuration#installing-postgresql_satellite) and that this should work when connected to by a Satellite running on a FIPS enabled RHEL machine. 
 * I would additionally recommend we track this BZ as a request for official SCRAM based authentication support for Satellite. This is a fair enhancement for us to consider as it's made easier by RHEL 8 and is relevant to both FIPS and non-FIPS based installations.


Additional resource for FIPS support can be found at https://access.redhat.com/solutions/2799971

Comment 8 Brad Buckingham 2024-03-21 21:07:37 UTC
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.

Comment 9 Ewoud Kohl van Wijngaarden 2024-03-25 17:04:08 UTC
By now Satellite 6.12 or newer only runs on RHEL 8 and anything older is EOL. So SCRAM should be supported from a library perspective.

https://github.com/puppetlabs/puppetlabs-postgresql/pull/1313 added some initial SCRAM support to the installer (foreman-installer 3.3) and https://github.com/puppetlabs/puppetlabs-postgresql/pull/1406 changes the default encryption to SCRAM on PostgreSQL 14, reflecting PostgreSQL defaults (foreman-installer 3.9). It should be possible to set the installer-wide default to SCRAM now.

I've opened https://github.com/theforeman/foreman-installer/pull/924 .

Comment 11 Brad Buckingham 2024-05-10 12:26:11 UTC
Skipping auto-closure as this is now actively being worked on.