Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2065903 - [RFE] Support SCRAM based authentication for Postgresql
Summary: [RFE] Support SCRAM based authentication for Postgresql
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.10.3
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-03-19 07:15 UTC by Alexey Masolov
Modified: 2024-03-25 17:04 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SAT-9665 0 None None None 2022-09-26 16:47:49 UTC
Red Hat Knowledge Base (Solution) 6966997 0 None None None 2022-07-10 03:13:22 UTC

Description Alexey Masolov 2022-03-19 07:15:45 UTC 
Description of problem:

Satellite 6.10 installation is failing with the below error:

===
2022-03-14 10:17:28 [DEBUG ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[migrate --noinput]/Exec[pulpcore-manager migrate --noinput]/unless: psycopg2.OperationalError: SCRAM authentication requires libpq version 10 or above
2022-03-14 10:17:28 [DEBUG ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[migrate --noinput]/Exec[pulpcore-manager migrate --noinput]/unless: django.db.utils.OperationalError: SCRAM authentication requires libpq version 10 or above
===

pulp is relying on /usr/lib64/libpq.so.5 provided by postgresql-libs-9.2.24 but it's too old to support database authentication using SCRAM-SHA-256 (because MD5 is not supported on FIPS). 

Making a symlink from the software collection helps to make it work:

ln -s /opt/rh/rh-postgresql12/root/usr/lib64/libpq.so.rh-postgresql12-5 /usr/lib64/libpq.so.5
 
Version-Release number of selected component (if applicable):
Satellite 6.10.3 FIPS, external PostgreSQL 12 (FIPS too)

How reproducible:
100%
Comment 5 Eric Helms 2022-03-29 21:31:15 UTC 
 * The error in question is due to the use of SCRAM based authentication for PostgreSQL which we do not currently test or support - we are waiting for RHEL 8 based installations to re-assess this
 * Libraries we rely on, such as tfm-rubygem-pg are built against the system libpg and thus, may have issues connecting to a PostgreSQL with SCRAM authentication (as this is untested)
 * Satellite supports running on a RHEL enabled FIPS and compliant OS but is itself not FIPS compliant
 * Current, and past releases of Satellite with our FIPS support policy have used the MD5 password option for both internal and external databases. This is what we test and support. 

 * We recommend that if an external database is desired, that it is installed per our external database documentation (e.g. https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html/installing_satellite_server_from_a_disconnected_network/performing-additional-configuration#installing-postgresql_satellite) and that this should work when connected to by a Satellite running on a FIPS enabled RHEL machine. 
 * I would additionally recommend we track this BZ as a request for official SCRAM based authentication support for Satellite. This is a fair enhancement for us to consider as it's made easier by RHEL 8 and is relevant to both FIPS and non-FIPS based installations.


Additional resource for FIPS support can be found at https://access.redhat.com/solutions/2799971
Comment 8 Brad Buckingham 2024-03-21 21:07:37 UTC 
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.
Comment 9 Ewoud Kohl van Wijngaarden 2024-03-25 17:04:08 UTC 
By now Satellite 6.12 or newer only runs on RHEL 8 and anything older is EOL. So SCRAM should be supported from a library perspective.

https://github.com/puppetlabs/puppetlabs-postgresql/pull/1313  added some initial SCRAM support to the installer (foreman-installer 3.3) and https://github.com/puppetlabs/puppetlabs-postgresql/pull/1406 changes the default encryption to SCRAM on PostgreSQL 14, reflecting PostgreSQL defaults (foreman-installer 3.9). It should be possible to set the installer wide default to SCRAM now.

I've opened https://github.com/theforeman/foreman-installer/pull/924 .
Note You need to log in before you can comment on or make changes to this bug.