Bug 2072044

Summary: Drop auth_ed25519 support for MySQL
Product: Red Hat OpenStack Reporter: Lon Hohberger <lhh>
Component: python-oslo-dbAssignee: Damien Ciabrini <dciabrin>
Status: CLOSED ERRATA QA Contact: nlevinki <nlevinki>
Severity: medium Docs Contact:
Priority: medium    
Version: 17.0 (Wallaby)CC: apevec, chjones, dciabrin, jschluet, lhh, lmiccini, mbayer, tkajinam
Target Milestone: ---Keywords: EasyFix, Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: python-oslo-db-8.5.1-0.20220619080757.3b452de.el9ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-21 12:20:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2072053    

Description Lon Hohberger 2022-04-05 13:40:47 UTC 
Description of problem: python-oslo-db supports using auth_ed25519 for password authentication with MySQL.

This is not the default and is not known to be utilized by any customers at this time.

Furthermore, the RPM requirements pull in pynacl, which pulls in libsodium, which is an encryption library that is otherwise unused in OSP17.

As it happens, the requirement isn't direct from python-oslo-db - PyMySQL will do a check-import of pynacl, and automatically disable auth_ed25519 if pynacl isn't available, so it's safe to drop this support without adversely affecting other code paths.

How reproducible: 100%


Steps to Reproduce:
1.  dnf install -y python3-oslo-db

Actual results:

python3-pynacl and libsodium are installed


Expected results:

No more python3-pynacl or libsodium


Additional info:

To my knowledge, no version of pynacl is FIPS certified.
Comment 1 Takashi Kajinami 2022-04-05 16:35:03 UTC 
There is an RFE which intended to add support for ed25519.
I'm not following the latest status of that work but that RFE should be considered
before we determine whether we go ahead removing support.

https://bugzilla.redhat.com/show_bug.cgi?id=1687309
https://bugs.launchpad.net/tripleo/+bug/1866093
Comment 2 Chris Jones 2022-04-12 14:15:37 UTC 
Per https://bugzilla.redhat.com/show_bug.cgi?id=1687309#c21 I have closed the RFE as CANTFIX since there is no way for us to implement ed25519 support in MariaDB in a FIPS compliant way.
Comment 9 errata-xmlrpc 2022-09-21 12:20:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543