Deployments with auth_ed25519 don't work with FIPS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | In Progress | Medium | Damien Ciabrini |
Bug Description
mariadb's auth_ed25519 uses a variant of the ed25519 signature scheme
which currently requires python clients to authenticate to mariadb by
using pynacl and libsodium to implement the ed25519-based challenge
sent by mariadb.
When compliance with the FIPS standard is required, neither pynacl nor
libsodium can be used, so TripleO can no longer configure the python
clients to use auth_ed25519.
py-cryptography has an OpenSSL backend that is FIPS-compliant and
supports standard ed25519, which can be used to authenticate to
mariadb only when the DB users' passwords are configured to be
"32 bytes of cryptographically random password".
The auth_ed25519 support in TripleO should be amended to generate only
32-byte-long passwords, so that it depends only on py-cryptography and
OpenSSL, a combination that is FIPS-compatible.
Changed in tripleo:
status: New → In Progress
Changed in tripleo:
importance: Undecided → Medium
Reviewed: https://review.opendev.org/c/openstack/tripleo-common/+/833615
Committed: https://opendev.org/openstack/tripleo-common/commit/0cf9c1270203dbd796212688b43ea890607403c3
Submitter: "Zuul (22348)"
Branch: master
commit 0cf9c1270203dbd796212688b43ea890607403c3
Author: Damien Ciabrini <email address hidden>
Date: Mon Mar 14 12:15:05 2022 +0100
Generate database URI for ed25519 passwords
In addition to generating base64-encoded passwords when EnableMysqlAuthEd25519 is set [1], we need to encode the password part of the database URI in a way that can be decoded by oslo.db. This is then used by tripleo heat templates [2] to generate appropriate hiera keys.
Let tripleo-common generate a pair of keys <service>Password and <service>PasswordDatabase to generate base64-encoded passwords, and RFC-1738-encoded passwords for URI. The former is still used as before to create users in the database, and the latter is used by oslo.db for connection to the database.
Tested by deploying a standalone, undercloud and HA overcloud with and without EnableMysqlAuthEd25519. Password rotation with tripleo_passwords_rotate is also supported.
[1] I00d3d2a43d08d3d317a25c7ecb54d197e36a8f93
[2] I2e2cd7256700b728453e2b5857967893996cf552
Related-Bug: #1960271
Change-Id: Ic7ff36a5f3f4eceeb6c8a338093e956b7db00533
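As an added illustration of the two password forms discussed in the bug description and the commit message above (example code, not tripleo-common's own), the stdlib-only Python below draws a 32-byte random password, emits its base64 form and its RFC-1738 percent-encoded form for a database URI, checks that a URI consumer can recover it, and rejects anything that is not exactly a 32-byte standard-Ed25519 seed. The `mysql+pymysql://` driver prefix, user, host and database names are placeholder assumptions.

```python
import base64
import secrets
from urllib.parse import quote, unquote, urlsplit

# A standard Ed25519 private key (seed) is exactly 32 bytes; that is the
# precondition for using py-cryptography/OpenSSL instead of pynacl/libsodium.
ED25519_SEED_LEN = 32


def generate_ed25519_password(raw=None):
    """Return (base64_password, uri_password) for an auth_ed25519 DB user.

    raw: the 32 random bytes to use; None draws fresh bytes from the OS CSPRNG.
    The base64 form is the one used to create the user; the URI form is the
    same string percent-encoded (RFC 1738) so it can sit inside a DB URI.
    """
    if raw is None:
        raw = secrets.token_bytes(ED25519_SEED_LEN)
    if len(raw) != ED25519_SEED_LEN:
        raise ValueError("auth_ed25519 password must be exactly 32 raw bytes")
    b64 = base64.b64encode(raw).decode("ascii")
    # base64 output may contain '+', '/' and '=', none of which are URI-safe,
    # so every non-alphanumeric character is percent-encoded.
    return b64, quote(b64, safe="")


def build_db_uri(user, uri_password, host, database):
    # Driver prefix and layout are an assumption for illustration only.
    return f"mysql+pymysql://{user}:{uri_password}@{host}/{database}"


def password_from_uri(uri):
    """Recover the base64 password from a URI, as a URI consumer would."""
    return unquote(urlsplit(uri).password)


def raw_seed_from_base64(b64):
    """Decode the base64 password and verify it is a valid 32-byte seed.

    Anything of another length cannot be loaded as a standard Ed25519 private
    key (e.g. cryptography's Ed25519PrivateKey.from_private_bytes rejects it).
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != ED25519_SEED_LEN:
        raise ValueError(f"decoded password is {len(raw)} bytes, expected 32")
    return raw


if __name__ == "__main__":
    b64_pw, uri_pw = generate_ed25519_password()
    uri = build_db_uri("nova", uri_pw, "db.example.internal", "nova")
    assert raw_seed_from_base64(password_from_uri(uri)) == raw_seed_from_base64(b64_pw)
    print("base64 password:", b64_pw)
    print("database URI   :", uri)
```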