conjur-oss-helm-chart icon indicating copy to clipboard operation
conjur-oss-helm-chart copied to clipboard

Published 20 hours ago verified publisher icon cyberark

Make Postgres FIPS compliant

Open doodlesbykumbi opened this issue 1 year ago • 6 comments

Set the postgres password encryption to scram-sha-256 to make Postgres FIPS compliant. Before merging we should figure out the upgrade path in terms of re-encrypting pre-existing passwords from md5.

Desired Outcome

Please describe the desired outcome for this PR. Said another way, what was the original request that resulted in these code changes? Feel free to copy this information from the connected issue.

Implemented Changes

Describe how the desired outcome above has been achieved with this PR. In particular, consider:

  • What's changed? Why were these changes made?
  • How should the reviewer approach this PR, especially if manual tests are required?
  • Are there relevant screenshots you can add to the PR description?

Connected Issue/Story

Resolves #[relevant GitHub issue(s), e.g. 76]

CyberArk internal issue ID: [insert issue ID]

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be merged.

Changelog

  • [ ] The CHANGELOG has been updated, or
  • [ ] This PR does not include user-facing changes and doesn't require a CHANGELOG update

Test coverage

  • [ ] This PR includes new unit and integration tests to go with the code changes, or
  • [ ] The changes in this PR do not require tests

Documentation

  • [ ] Docs (e.g. READMEs) were updated in this PR
  • [ ] A follow-up issue to update official docs has been filed here: [insert issue ID]
  • [ ] This PR does not require updating any documentation

Behavior

  • [ ] This PR changes product behavior and has been reviewed by a PO, or
  • [ ] These changes are part of a larger initiative that will be reviewed later, or
  • [ ] No behavior was changed with this PR

Security

  • [ ] Security architect has reviewed the changes in this PR,
  • [ ] These changes are part of a larger initiative with a separate security review, or
  • [ ] There are no security aspects to these changes

doodlesbykumbi avatar Jul 12 '23 19:07 doodlesbykumbi

I believe it is not required to set this explicitly since for postgres 15 we're using right now in appliance the default vaule is already set to scram-sha-256:

 psql -c "SHOW password_encryption;"
 password_encryption 
---------------------
 scram-sha-256
(1 row)

But this actually means that the upgrade procedure would be needed.

tarnowsc avatar Jul 14 '23 09:07 tarnowsc

@tarnowsc I've not been able to find a Postgres 15 RHEL image

doodlesbykumbi avatar Jul 14 '23 13:07 doodlesbykumbi

For the given Dockerfile:

FROM registry.access.redhat.com/ubi9/ubi

RUN dnf install -y --nodocs "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" && \
    dnf -y update && \
    dnf install -y --nodocs \
      postgresql15-server && \
    dnf clean all && \
    rm -rf /var/cache/yum /var/cache/dnf /var/lib/dnf

ENV PATH="/usr/pgsql-15/bin/:$PATH" \
    PGDATA=/var/lib/pgsql/data

USER postgres

CMD ["/bin/bash", "-c", "initdb && pg_ctl start -w && psql -c 'SHOW password_encryption;'"]

I'm getting the following result:

docker run $(docker build -q .)
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "C".
The default database encoding has accordingly been set to "SQL_ASCII".
The default text search configuration will be set to "english".

Data page checksums are disabled.

creating directory /var/lib/pgsql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Etc/UTC
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

initdb: warning: enabling "trust" authentication for local connections
initdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    /usr/pgsql-15/bin/pg_ctl -D /var/lib/pgsql/data -l logfile start

waiting for server to start....2023-07-17 08:51:18.455 UTC [19] LOG:  redirecting log output to logging collector process
2023-07-17 08:51:18.455 UTC [19] HINT:  Future log output will appear in directory "log".
 done
server started
 password_encryption 
---------------------
 scram-sha-256
(1 row)

tarnowsc avatar Jul 17 '23 08:07 tarnowsc

@tarnowsc the changed config file is only relevant to the Helm deployment. The Dockerfile doesn't capture the config

doodlesbykumbi avatar Jul 20 '23 15:07 doodlesbykumbi

@tarnowsc I think I misunderstood your last comment. If I understand correctly you are demonstrating building our own container image for Postgres 15 that should run in OpenShift. Can you confirm if you were able to get this image to run on OpenShift ?

doodlesbykumbi avatar Jul 31 '23 16:07 doodlesbykumbi

SCRAM is very important!

Linked to:

  • https://github.com/scram-sasl/info/issues/1

Neustradamus avatar Aug 18 '23 02:08 Neustradamus