Deployments with auth_ed25519 don't work with FIPS

Bug #1960271 reported by Damien Ciabrini
Affects: tripleo
Status: In Progress
Importance: Medium
Assigned to: Damien Ciabrini
Milestone: none

Bug Description

mariadb's auth_ed25519 uses a variant of the ed25519 signature scheme
which currently requires python clients to authenticate to mariadb by
using pynacl and libsodium to implement the ed25519-based challenge
sent by mariadb.

When compliance with the FIPS standard is required, neither pynacl nor
libsodium can be used, so TripleO cannot configure the python
clients to use auth_ed25519 anymore.

py-cryptography has an OpenSSL backend that is FIPS-compliant and
supports standard ed25519, which can be used to authenticate to
mariadb only when the DB users' passwords are configured to be
"32 bytes of cryptographically random password".

The auth_ed25519 support in TripleO should be amended to only generate
32-byte-long passwords, so as to only depend on py-cryptography and OpenSSL,
which is a combination that is compatible with FIPS.

Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-common/+/833615
Committed: https://opendev.org/openstack/tripleo-common/commit/0cf9c1270203dbd796212688b43ea890607403c3
Submitter: "Zuul (22348)"
Branch: master

commit 0cf9c1270203dbd796212688b43ea890607403c3
Author: Damien Ciabrini <email address hidden>
Date: Mon Mar 14 12:15:05 2022 +0100

    Generate database URI for ed25519 passwords

    In addition to generating base64-encoded passwords when
    EnableMysqlAuthEd25519 is set [1], we need to encode the
    password part of the database URI in a way that can be
    decoded by oslo.db. This is then used by tripleo heat
    templates [2] to generate appropriate hiera keys.

    Let tripleo-common generate a pair of keys
    <service>Password and <service>PasswordDatabase to
    generate base64-encoded passwords, and RFC-1738-encoded
    passwords for URI. The former is still used as before
    to create users in the database, and the latter is used
    by oslo.db for connection to the database.

    Tested by deploying a standalone, undercloud and HA overcloud
    with and without EnableMysqlAuthEd25519. Password rotation
    with tripleo_passwords_rotate is also supported.

    [1] I00d3d2a43d08d3d317a25c7ecb54d197e36a8f93
    [2] I2e2cd7256700b728453e2b5857967893996cf552

    Related-Bug: #1960271

    Change-Id: Ic7ff36a5f3f4eceeb6c8a338093e956b7db00533

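The 32-byte random password from the bug description and the two encodings the commit above describes, as an added example that is not tripleo-common's own code: it generates the password from the OS CSPRNG, builds the <service>Password / <service>PasswordDatabase pair, and uses urllib.parse as a stand-in for oslo.db to show why the URI form has to be percent-encoded. The mysql+pymysql scheme, the "Nova" service name and the host are assumptions.

```python
import base64
import secrets
from urllib.parse import quote, unquote, urlsplit

PASSWORD_BYTES = 32  # the length py-cryptography's Ed25519 private-key loader requires


def generate_ed25519_password() -> bytes:
    """32 bytes from the OS CSPRNG (os.urandom), as the bug description asks."""
    return secrets.token_bytes(PASSWORD_BYTES)


def password_pair(service: str, raw: bytes) -> dict:
    # <service>Password: base64, handed to CREATE USER in MariaDB.
    # <service>PasswordDatabase: the same string percent-encoded (RFC 1738
    # unsafe chars '+', '/', '=' become %xx) so it can sit inside a DB URI.
    if len(raw) != PASSWORD_BYTES:
        raise ValueError("auth_ed25519 passwords must be exactly 32 bytes")
    b64 = base64.b64encode(raw).decode("ascii")
    return {
        f"{service}Password": b64,
        f"{service}PasswordDatabase": quote(b64, safe=""),
    }


def build_db_uri(user: str, password_for_uri: str, host: str, db: str) -> str:
    # The mysql+pymysql scheme is an assumption; the page names none.
    return f"mysql+pymysql://{user}:{password_for_uri}@{host}/{db}"


def password_from_uri(uri: str) -> str:
    """Stand-in for the consumer (oslo.db) decoding the password out of the URI."""
    pw = urlsplit(uri).password
    return unquote(pw) if pw is not None else ""


if __name__ == "__main__":
    # Constructed sample whose base64 contains '/', so the URI hazard is visible.
    sample = bytes([0xFF, 0xFE, 0xFB]) + bytes(29)
    keys = password_pair("Nova", sample)
    good = build_db_uri("nova", keys["NovaPasswordDatabase"], "db.example", "nova")
    bad = build_db_uri("nova", keys["NovaPassword"], "db.example", "nova")
    print(password_from_uri(good) == keys["NovaPassword"])  # True
    print(password_from_uri(bad) == keys["NovaPassword"])   # False: '/' ends the netloc
```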
Changed in tripleo:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (master)

Change abandoned by "Brent Eagles <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/822189
Reason: inactive > 1yr, possibly replaced by other changes?

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by "Ghanshyam <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/822188
Reason: TripleO project is retiring now, for details, please see https://review.opendev.org/c/openstack/governance/+/905145 or reach out to OpenStack TC.

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by "Ghanshyam <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/833616
Reason: TripleO project is retiring now, for details, please see https://review.opendev.org/c/openstack/governance/+/905145 or reach out to OpenStack TC.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-tripleoclient (master)

Change abandoned by "Ghanshyam <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/python-tripleoclient/+/822455
Reason: TripleO project is retiring now, for details, please see https://review.opendev.org/c/openstack/governance/+/905145 or reach out to OpenStack TC.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (master)

Change abandoned by "Ghanshyam <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/833362
Reason: TripleO project is retiring now, for details, please see https://review.opendev.org/c/openstack/governance/+/905145 or reach out to OpenStack TC.
