community.postgresql
postgresql_user module fails with password on version 10.x if server is fips enabled
From @Andersson007 on Apr 06, 2020 11:27
Copied from https://github.com/ansible/ansible/issues/41787 Initially reported by @jbscalia
Postgresql_user needs to support AES-256 encryption.
##### SUMMARY
If a server is FIPS 140-2 enabled, md5 is not permitted as an "encryption/hashing" algorithm. PostgreSQL version 10 supports AES-256 encryption, but postgresql_user does not support that option, and is unusable on a FIPS-enabled server.
##### ISSUE TYPE
- Bug Report
##### COMPONENT NAME
postgresql_user
##### ANSIBLE VERSION
```
ansible --version
ansible 2.4.2.0
  config file = /home/419635/.ansible.cfg
  configured module search path = [u'/home/419635/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]
```
##### CONFIGURATION
```
ansible-config dump --only-changed
DEFAULT_FORKS(/home/419635/.ansible.cfg) = 2
DEFAULT_HOST_LIST(/home/419635/.ansible.cfg) = [u'/home/419635/postgres/9.6/ansible/environm
DEFAULT_LOG_PATH(/home/419635/.ansible.cfg) = /home/419635/ansible.log
DEFAULT_ROLES_PATH(/home/419635/.ansible.cfg) = [u'/etc/ansible/roles', u'/usr/share/ansible
DEFAULT_VAULT_PASSWORD_FILE(/home/419635/.ansible.cfg) = /home/419635/postgres/10/ansible/.v
PERSISTENT_CONNECT_TIMEOUT(/home/419635/.ansible.cfg) = 30
```
##### OS / ENVIRONMENT
Redhat Enterprise Linux 7.4, kernel 3.10.0-514.el7
##### STEPS TO REPRODUCE
Create a play using the postgresql_user module as shown, and attempt to run the play on a FIPS-enabled server.
```yaml
- name: Ensure the "{{ pg_replication_user }}" role exists in our primary
  become: yes
  become_user: "{{ postgresql_superuser }}"
  postgresql_user:
    name: "{{ pg_replication_user }}"
    password: "{{ pg_replication_user_password }}"
    encrypted: True
    port: "{{ pg_port }}"
    role_attr_flags: LOGIN,REPLICATION
```
##### EXPECTED RESULTS
Expected the user to be created in the specified PostgreSQL cluster.
##### ACTUAL RESULTS
The module failed.
```
TASK [replica : Ensure the "rplctn_usr" role exists in our primary] ************************
fatal: [cl-rhdb-7025.ba.ssa.gov]: FAILED! => {"changed": false, "module_stderr": "Shared connection to cl-rhdb-7025.ba.ssa.gov closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_IsugL6/ansible_module_postgresql_user.py\", line 844, in <module>\r\n main()\r\n File \"/tmp/ansible_IsugL6/ansible_module_postgresql_user.py\", line 803, in main\r\n role_attr_flags, encrypted, expires, no_password_changes, conn_limit)\r\n File \"/tmp/ansible_IsugL6/ansible_module_postgresql_user.py\", line 338, in user_alter\r\n pwchanging = user_should_we_change_password(current_role_attrs, user, password, encrypted)\r\n File \"/tmp/ansible_IsugL6/ansible_module_postgresql_user.py\", line 304, in user_should_we_change_password\r\n hashed_password = 'md5{0}'.format(md5(to_bytes(password) + to_bytes(user)).hexdigest())\r\nValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips\r\n", "msg": "MODULE FAILURE", "rc": 1}
```
Copied from original issue: ansible/ansible#119
From @ansibullbot on Apr 17, 2020 14:44
cc @Dorn- @amenonsen @andytom @kostiantyn-nemchenko @matburt @nerzhul @sebasmannem @tcraxs click here for bot help
From @avidspartan1 on Sep 04, 2020 18:47
Would love to see this issue worked. Running into this when trying to deploy Pulp on a FIPS-enabled system.
How do I check that PostgreSQL is FIPS enabled, or how do I install FIPS-enabled PostgreSQL?
> How do I check that PostgreSQL is FIPS enabled, or how do I install FIPS-enabled PostgreSQL?
PG isn't 'FIPS-enabled'. The OS that PG runs on is (or isn't). On RHEL-based systems, you can `cat /proc/sys/crypto/fips_enabled`, `sysctl crypto.fips_enabled`, or `fips-mode-setup --check`.
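The traceback in the report shows where the module breaks: it computes PostgreSQL's legacy md5 password hash, `'md5' + md5(password || username)`, and on a FIPS-mode host OpenSSL refuses to initialise md5, so the task dies with an opaque `MODULE FAILURE`. The reply above adds that FIPS mode is a property of the OS, visible in `/proc/sys/crypto/fips_enabled`. The following is an added example, not code from the postgresql_user module or the collection: it reproduces the md5 comparison from the traceback, converts the `ValueError` into an error that names the cause, and runs the OS-level FIPS check first so the task can fail with an actionable message before touching the database. Two things are assumptions of this example rather than statements from the thread: that the caller reads the current hash from `pg_authid.rolpassword`, and that a password already supplied in `md5<32 hex>` form is compared verbatim (which needs no hashing and so also works under FIPS).

```python
import hashlib
from typing import Optional

# Sysctl file named in the reply above (cat /proc/sys/crypto/fips_enabled)
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"
HEX = set("0123456789abcdef")


def os_fips_enabled(flag_path: str = FIPS_FLAG) -> bool:
    """True when the kernel reports FIPS mode ('1' in the flag file).

    A missing file (non-Linux host, or a container without the sysctl)
    is reported as not enabled rather than as an error.
    """
    try:
        with open(flag_path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def is_prehashed(password: str) -> bool:
    """True if the value is already in PostgreSQL's 'md5' + 32-hex form (assumed convention)."""
    return (
        len(password) == 35
        and password.startswith("md5")
        and all(c in HEX for c in password[3:])
    )


def pg_md5_password(user: str, password: str) -> str:
    """PostgreSQL legacy md5 password: 'md5' + hex(md5(password || username)).

    Same construction as the failing line in the traceback. On a FIPS-mode
    host hashlib.md5() raises ValueError (EVP_DigestInit_ex disabled for fips);
    that is re-raised as a RuntimeError whose message names the real cause.
    """
    try:
        digest = hashlib.md5(password.encode("utf-8") + user.encode("utf-8")).hexdigest()
    except ValueError as exc:
        raise RuntimeError(
            "md5 password hashing is disabled on this host (FIPS mode); "
            "the legacy md5 comparison cannot run"
        ) from exc
    return "md5" + digest


def should_change_password(current_hash: Optional[str], user: str,
                           password: str, encrypted: bool) -> bool:
    """Decide whether ALTER ROLE ... PASSWORD is needed.

    current_hash is the value the caller read from pg_authid.rolpassword
    (None when the role has no password). A password already in md5<hex>
    form is compared verbatim, so that path never calls md5 itself.
    """
    if current_hash is None:
        return True
    if encrypted and is_prehashed(password):
        return current_hash != password
    return current_hash != pg_md5_password(user, password)


def fips_precheck(password: str, encrypted: bool,
                  fips: Optional[bool] = None) -> Optional[str]:
    """Return a reason the task cannot proceed on this host, or None.

    fips may be passed explicitly (tests, dry runs); otherwise the kernel
    flag is consulted. Running this before any database work replaces the
    opaque MODULE FAILURE traceback with a message the operator can act on.
    """
    if fips is None:
        fips = os_fips_enabled()
    if fips and not (encrypted and is_prehashed(password)):
        return ("host is in FIPS mode: md5 is disabled, so a plaintext password "
                "cannot be hashed or compared by this code path")
    return None


if __name__ == "__main__":
    # Constructed sample values; 'rplctn_usr' is the role name from the task output above.
    stored = pg_md5_password("rplctn_usr", "example-password")
    print(stored)
    print(should_change_password(stored, "rplctn_usr", "example-password", True))
    print(fips_precheck("example-password", True))
```

Run on a FIPS-mode RHEL host, `fips_precheck` returns the explanatory string instead of letting `hashlib.md5()` blow up inside the comparison; on any other host it returns `None` and the comparison proceeds exactly as the module's own line does.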
Closing this to keep the tracker clean, thanks everyone!