2065903 – [RFE] Support SCRAM based authentication for Postgresql

This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2065903 - [RFE] Support SCRAM based authentication for Postgresql

Summary: [RFE] Support SCRAM based authentication for Postgresql

Keywords:
Status:	CLOSED MIGRATED
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Installation
Sub Component:
Version:	6.10.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	Unspecified
Assignee:	satellite6-bugs
QA Contact:	Satellite QE Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-03-19 07:15 UTC by Alexey Masolov
Modified:	2024-06-06 12:20 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2024-06-06 12:20:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	SAT-9665	0	None	Migrated	None	2024-06-06 12:20:34 UTC
Red Hat Knowledge Base (Solution)	6966997	0	None	None	None	2022-07-10 03:13:22 UTC

Description Alexey Masolov 2022-03-19 07:15:45 UTC

Description of problem:

Satellite 6.10 installation is failing with the below error:

===
2022-03-14 10:17:28 [DEBUG ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[migrate --noinput]/Exec[pulpcore-manager migrate --noinput]/unless: psycopg2.OperationalError: SCRAM authentication requires libpq version 10 or above
2022-03-14 10:17:28 [DEBUG ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[migrate --noinput]/Exec[pulpcore-manager migrate --noinput]/unless: django.db.utils.OperationalError: SCRAM authentication requires libpq version 10 or above
===

pulp is relying on /usr/lib64/libpq.so.5 provided by postgresql-libs-9.2.24 but it's too old to support database authentication using SCRAM-SHA-256 (because MD5 is not supported on FIPS). 

Making a symlink from the software collection helps to make it work:

ln -s /opt/rh/rh-postgresql12/root/usr/lib64/libpq.so.rh-postgresql12-5 /usr/lib64/libpq.so.5
 
Version-Release number of selected component (if applicable):
Satellite 6.10.3 FIPS, external PostgreSQL 12 (FIPS too)

How reproducible:
100%

Comment 5 Eric Helms 2022-03-29 21:31:15 UTC

 * The error in question is due to the use of SCRAM based authentication for PostgreSQL which we do not currently test or support - we are waiting for RHEL 8 based installations to re-assess this
 * Libraries we rely on, such as tfm-rubygem-pg are built against the system libpg and thus, may have issues connecting to a PostgreSQL with SCRAM authentication (as this is untested)
 * Satellite supports running on a RHEL enabled FIPS and compliant OS but is itself not FIPS compliant
 * Current, and past releases of Satellite with our FIPS support policy have used the MD5 password option for both internal and external databases. This is what we test and support. 

 * We recommend that if an external database is desired, that it is installed per our external database documentation (e.g. https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html/installing_satellite_server_from_a_disconnected_network/performing-additional-configuration#installing-postgresql_satellite) and that this should work when connected to by a Satellite running on a FIPS enabled RHEL machine. 
 * I would additionally recommend we track this BZ as a request for official SCRAM based authentication support for Satellite. This is a fair enhancement for us to consider as it's made easier by RHEL 8 and is relevant to both FIPS and non-FIPS based installations.


Additional resource for FIPS support can be found at https://access.redhat.com/solutions/2799971

Comment 8 Brad Buckingham 2024-03-21 21:07:37 UTC

Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.

Comment 9 Ewoud Kohl van Wijngaarden 2024-03-25 17:04:08 UTC

By now Satellite 6.12 or newer only runs on RHEL 8 and anything older is EOL. So SCRAM should be supported from a library perspective.

https://github.com/puppetlabs/puppetlabs-postgresql/pull/1313  added some initial SCRAM support to the installer (foreman-installer 3.3) and https://github.com/puppetlabs/puppetlabs-postgresql/pull/1406 changes the default encryption to SCRAM on PostgreSQL 14, reflecting PostgreSQL defaults (foreman-installer 3.9). It should be possible to set the installer wide default to SCRAM now.

I've opened https://github.com/theforeman/foreman-installer/pull/924 .

Comment 11 Brad Buckingham 2024-05-10 12:26:11 UTC

Skipping auto-closure as this is now actively being worked on.

Comment 12 Eric Helms 2024-06-06 12:20:36 UTC

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "SAT-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Note You need to log in before you can comment on or make changes to this bug.