crunchy-containers
FIPS enabled pgAdmin4 does not start
Describe the bug
When FIPS is enabled, pgAdmin4 fails to create /var/lib/pgadminpgadmin4.db correctly.
To Reproduce
Steps to reproduce the behavior:
Be sure that FIPS is enabled:
cat /proc/sys/crypto/fips_enabled
must return 1
Start PGAdmin4 using Crunchy Data Operator (5.1.0) or using common Deployment
Expected behavior
Make it work :-)
- Operating System: ubi8
- Container Image Tag: registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-1
- PostgreSQL Version: 14
- Platform (Docker, Kubernetes, OpenShift): OpenShift with SCC as restricted
- Platform Version: OpenShift 4.10
Here is the full log:
sh-4.4$ /opt/crunchy/bin/start-pgadmin4.sh
Wed Jun 8 16:34:52 UTC 2022 INFO: TLS disabled. Applying http configuration..
Wed Jun 8 16:34:52 UTC 2022 INFO: Setting up pgAdmin4 database..
Wed Jun 8 16:34:53 UTC 2022 ERROR: pgAdmin4 Database Setup: Could not create pgAdmin4 database:
Traceback (most recent call last):
File "setup.py", line 449, in <module>
setup_db()
File "setup.py", line 372, in setup_db
app = create_app()
File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/__init__.py", line 351, in create_app
db_upgrade(app)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/setup/db_upgrade.py", line 25, in db_upgrade
flask_migrate.upgrade(migration_folder)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_migrate/__init__.py", line 95, in wrapped
f(*args, **kwargs)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_migrate/__init__.py", line 280, in upgrade
command.upgrade(config, revision, sql=sql, tag=tag)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/command.py", line 254, in upgrade
script.run_env()
File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/script/base.py", line 425, in run_env
util.load_python_file(self.dir, 'env.py')
File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/util/pyfiles.py", line 81, in load_python_file
module = load_module_py(module_id, path)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/util/compat.py", line 83, in load_module_py
spec.loader.exec_module(module)
File "<frozen importlib._bootstrap_external>", line 678, in exec_module
File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/setup/../../migrations/env.py", line 93, in <module>
run_migrations_online()
File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/setup/../../migrations/env.py", line 86, in run_migrations_online
context.run_migrations()
File "<string>", line 8, in run_migrations
File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/runtime/environment.py", line 836, in run_migrations
self.get_context().run_migrations(**kw)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/runtime/migration.py", line 330, in run_migrations
step.migration_fn(**kw)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/migrations/versions/fdc58d9bd449_.py", line 122, in upgrade
Security(current_app, user_datastore, register_blueprint=False)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 821, in __init__
app, datastore, register_blueprint=register_blueprint, **kwargs
File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 858, in init_app
self._state = state = _get_state(app, datastore, **kwargs)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 496, in _get_state
hashing_context=_get_hashing_context(app),
File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 477, in _get_hashing_context
return CryptContext(schemes=schemes, deprecated=deprecated)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 1401, in __init__
self.load(kwds)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 1592, in load
config = _CryptConfig(source)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 634, in __init__
self._init_scheme_list(source.get((None,None,"schemes")))
File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 652, in _init_scheme_list
handler = get_crypt_handler(elem)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/registry.py", line 350, in get_crypt_handler
mod = __import__(modname, fromlist=[modattr], level=0)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py", line 72, in <module>
hex_md5 = create_hex_hash("md5")
File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py", line 55, in create_hex_hash
info = lookup_hash(digest)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/crypto/digest.py", line 298, in lookup_hash
info = HashInfo(const, name_list)
File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/crypto/digest.py", line 403, in __init__
hash = const()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
We can also see that the pgadmin4.db file has been created, but not correctly:
sh-4.4$ ls -al
total 104
drwxrwsrwx. 5 root pgadmin 4096 Jun 8 16:34 .
drwxr-xr-x. 1 root root 174 May 26 15:01 ..
-rw-r--r--. 1 pgadmin pgadmin 0 Jun 8 13:40 access_log
-rw-r--r--. 1 pgadmin pgadmin 853 Jun 8 16:34 config_local.py
-rw-r--r--. 1 pgadmin pgadmin 927 Jun 8 13:40 error_log
drwxrws---. 2 root pgadmin 16384 Jun 8 13:39 lost+found
-rw-r--r--. 1 pgadmin pgadmin 61440 Jun 8 16:34 pgadmin4.db
-rw-r--r--. 1 pgadmin pgadmin 620 Jun 8 16:34 pgadmin.conf
drwx------. 2 pgadmin pgadmin 4096 Jun 8 13:40 sessions
drwxr-sr-x. 2 pgadmin pgadmin 4096 Jun 8 13:40 storage
sh-4.4$ sqlite3 pgadmin4.db
SQLite version 3.26.0 2018-12-01 12:34:55
Enter ".help" for usage hints.
sqlite> select * from user ;
sqlite>
Hello,
here is the explanation of the problem: https://stackoverflow.com/questions/67559170/paramiko-ssh-command-execution-failing-with-valueerror-digital-envelope-routi
Using md5 hash is not allowed with FIPS enabled.
Here is the original issue on passlib (the problem was reported from pgAdmin4): https://foss.heptapod.net/python-libs/passlib/-/issues/116
It seems you are still using an unpatched version of passlib (passlib-1.7.2).
As a workaround, changing the line should do the trick:
grep -n 'return hashlib.md5' /usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py
104: return hashlib.md5(data).hexdigest()
to
grep -n 'return hashlib.md5' /usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py
104: return hashlib.md5(data, usedforsecurity=False).hexdigest()
But it's a bit ugly...
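The failure mode discussed in this thread, as an added diagnostic that is not part of the original issue or of passlib/pgAdmin4: it probes which digests the local OpenSSL build refuses and whether `usedforsecurity=False` unblocks them. `fake_fips_new` is a constructed stand-in for a FIPS-mode `hashlib.new`, and the digest list is a sample; both are assumptions.

```python
import hashlib

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # path from the reproduction steps


def fips_enabled(path=FIPS_FLAG):
    """True when the kernel flag file contains 1; False if absent or 0."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def probe(name, new=hashlib.new):
    """Classify a digest as 'ok', 'non-security-only' or 'blocked'."""
    try:
        new(name, b"")
        return "ok"
    except ValueError:
        pass  # e.g. "... disabled for FIPS", as in the traceback
    try:
        new(name, b"", usedforsecurity=False)
        return "non-security-only"
    except (ValueError, TypeError):
        return "blocked"  # TypeError: this build has no usedforsecurity keyword


def audit(names, new=hashlib.new):
    """Map each digest name to its probe() result."""
    return {name: probe(name, new) for name in names}


def fake_fips_new(name, data=b"", usedforsecurity=True):
    """Constructed stand-in for hashlib.new on a FIPS host (assumption)."""
    if name == "md5" and usedforsecurity:
        raise ValueError("[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS")
    return None  # probe() only cares whether the call raises


if __name__ == "__main__":
    sample = ["md5", "sha1", "sha256", "sha512"]  # sample list, not passlib's
    print("kernel FIPS flag:", fips_enabled())
    print("this host:       ", audit(sample))
    print("simulated FIPS:  ", audit(sample, new=fake_fips_new))
```

A `non-security-only` result for md5 is the state shown in the traceback above: a bare md5 constructor call raises, while the same call flagged as non-security use succeeds.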
Hello, any update on this issue?