Support MariaDB's ed25519 authentication

Bug #1866093 reported by Damien Ciabrini
Affects: tripleo
Status: Fix Released
Importance: Undecided
Assigned to: Damien Ciabrini

Bug Description

By default, connection to the mysql server implements an authentication protocol [1] that relies on SHA1 internally between the client and the server.

Since mariadb 10.1.21, a new authentication plugin is available in MariaDB that allows a client to authenticate to the server by using a more secure authentication scheme that uses ed25519 cryptographic primitives.

This launchpad bug tracks the necessary updates to implement in OpenStack to use ed25519 authentication on tripleo-deployed stacks.

[1] https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_connection_phase_authentication_methods_native_password_authentication.html
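To make the difference between the two schemes concrete, here is a self-contained walk-through of what MariaDB's auth_ed25519 plugin does on each side of the connection. This is an added illustration written for this page; it is not the puppet-tripleo helper, the PyMySQL client code or the MariaDB plugin source. It follows the scheme the MariaDB plugin documents (the Ed25519 secret scalar is derived from SHA-512 of the password, the server stores only the resulting public key as unpadded base64, and the client proves knowledge of the password by signing the server's 32-byte scramble). The function names derive_keys, ed25519_password, client_sign and server_verify are this example's own. The curve arithmetic is a minimal pure-Python Ed25519 (hashlib only, not constant time) so the block runs without pynacl or a database; it is checked against an RFC 8032 test vector, which coincides with the MariaDB derivation when the "password" is a 32-byte seed.

```python
import base64
import hashlib

# Minimal Ed25519 (RFC 8032 section 5.1): just enough to show the MariaDB
# auth_ed25519 password derivation and challenge/response. Demo only.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)


def _add(p, q):
    """Add two points in extended coordinates (X, Y, Z, T); also doubles."""
    x1, y1, z1, t1 = p
    x2, y2, z2, t2 = q
    a = (y1 - x1) * (y2 - x2) % P
    b = (y1 + x1) * (y2 + x2) % P
    c = 2 * D * t1 * t2 % P
    d = 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)


def _mul(k, p):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    q = (0, 1, 1, 0)  # neutral element
    while k:
        if k & 1:
            q = _add(q, p)
        p = _add(p, p)
        k >>= 1
    return q


def _encode(p):
    """Compress a point to 32 bytes: little-endian y, sign of x in bit 255."""
    x, y, z, _ = p
    inv = pow(z, P - 2, P)
    x, y = x * inv % P, y * inv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def _decode(b):
    """Decompress 32 bytes into a point; ValueError if it is not on the curve."""
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P:
        raise ValueError("y out of range")
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P or (x == 0 and sign):
        raise ValueError("point not on curve")
    if x & 1 != sign:
        x = P - x
    return (x, y, 1, x * y % P)


B = _decode(bytes.fromhex("58" + "66" * 31))  # base point, y = 4/5


def derive_keys(password):
    """MariaDB scheme: h = SHA512(password); scalar = clamped h[:32]; prefix = h[32:]."""
    h = hashlib.sha512(password).digest()
    s = bytearray(h[:32])
    s[0] &= 248
    s[31] = (s[31] & 127) | 64
    scalar = int.from_bytes(s, "little")
    return scalar, h[32:], _encode(_mul(scalar, B))


def ed25519_password(password):
    """Value MariaDB stores for the user: base64 of the public key, '=' stripped (43 chars)."""
    return base64.b64encode(derive_keys(password)[2]).decode().rstrip("=")


def client_sign(password, scramble):
    """Client side: sign the server's scramble with the password-derived key (R || S)."""
    scalar, prefix, pub = derive_keys(password)
    r = int.from_bytes(hashlib.sha512(prefix + scramble).digest(), "little") % L
    R = _encode(_mul(r, B))
    k = int.from_bytes(hashlib.sha512(R + pub + scramble).digest(), "little") % L
    return R + ((r + k * scalar) % L).to_bytes(32, "little")


def server_verify(stored, scramble, sig):
    """Server side: check [S]B == R + [k]A using only the stored public key."""
    if len(sig) != 64:
        return False
    pub = base64.b64decode(stored + "=")
    try:
        A, R = _decode(pub), _decode(sig[:32])
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= L:  # reject non-canonical S (signature malleability)
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pub + scramble).digest(), "little") % L
    return _encode(_mul(S, B)) == _encode(_add(R, _mul(k, A)))
```

Run it as `stored = ed25519_password(b"secret")`, generate a 32-byte scramble with `os.urandom(32)`, and check that `server_verify(stored, scramble, client_sign(b"secret", scramble))` is true while a different password or a different scramble fails. The 43-character string is what ends up in mysql.user after `CREATE USER ... IDENTIFIED VIA ed25519 USING PASSWORD('secret')` on a server that has done `INSTALL SONAME 'auth_ed25519'`; compare it with `SELECT ed25519_password('secret')` on a live instance. The security point the bug description is making follows directly from the code: the server keeps a public key rather than a SHA1 digest of the password, so neither a copy of mysql.user nor a captured response yields material that can be replayed to log in. Offline guessing against the stored key is still possible (one SHA-512 plus one scalar multiplication per guess), so password strength still matters.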

description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.opendev.org/712769

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/713470

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (master)

Fix proposed to branch: master
Review: https://review.opendev.org/715016

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/712769
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=00a06edc5c44896319068dbde7ef47cb534592e0
Submitter: Zuul
Branch: master

commit 00a06edc5c44896319068dbde7ef47cb534592e0
Author: Damien Ciabrini <email address hidden>
Date: Fri Mar 6 13:17:57 2020 +0100

    Support for mariadb's ed25519 authentication

    Add the ability to configure all mysql users to require authenticating
    to the server via mariadb's ed25519 auth plugin [1], rather than the
    default native authentication [2].

    [1] https://mariadb.com/kb/en/authentication-plugin-ed25519/
    [2] https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/

    Change-Id: I430ea8e1fa15fb263d1d4ef8c39615021d907f8a
    Partial-Bug: #1866093

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/715905

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.opendev.org/715016
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=047170597379f19aa634fca47a82282d7ec2f257
Submitter: Zuul
Branch: master

commit 047170597379f19aa634fca47a82282d7ec2f257
Author: Damien Ciabrini <email address hidden>
Date: Wed Mar 25 18:58:16 2020 +0100

    Fix placement dependencies to work with mysql's ed25519

    In placement, mysql-migrate-db.sh calls the mysql CLI directly,
    and when users are configured to authenticate via ed25519, mysql
    CLI requires client_ed25519.so, which is provided by mariadb-server.

    Partial-Bug: #1866093

    Change-Id: I011d0056c34150420eb4b9dfde721a7f30a0e25a

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/716208

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/train)

Reviewed: https://review.opendev.org/716208
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=cf9f0019e663f730807aeec03d44490da2e1d2bc
Submitter: Zuul
Branch: stable/train

commit cf9f0019e663f730807aeec03d44490da2e1d2bc
Author: Damien Ciabrini <email address hidden>
Date: Wed Mar 25 18:58:16 2020 +0100

    Fix placement dependencies to work with mysql's ed25519

    In placement, mysql-migrate-db.sh calls the mysql CLI directly,
    and when users are configured to authenticate via ed25519, mysql
    CLI requires client_ed25519.so, which is provided by mariadb-server.

    Partial-Bug: #1866093

    Change-Id: I011d0056c34150420eb4b9dfde721a7f30a0e25a
    (cherry picked from commit 047170597379f19aa634fca47a82282d7ec2f257)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/715905
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=6fe363c0663117ea7bccfd3fcac7b71ed7b84d76
Submitter: Zuul
Branch: stable/train

commit 6fe363c0663117ea7bccfd3fcac7b71ed7b84d76
Author: Damien Ciabrini <email address hidden>
Date: Fri Mar 6 13:17:57 2020 +0100

    Support for mariadb's ed25519 authentication

    Add the ability to configure all mysql users to require authenticating
    to the server via mariadb's ed25519 auth plugin [1], rather than the
    default native authentication [2].

    [1] https://mariadb.com/kb/en/authentication-plugin-ed25519/
    [2] https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/

    (manually adapted to apply cleanly and to support python2)

    Depends-On: I1c7b40d110190eba861ed466d2644c2f1abbf7b0
    Change-Id: I430ea8e1fa15fb263d1d4ef8c39615021d907f8a
    Partial-Bug: #1866093

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/718453

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (master)

Reviewed: https://review.opendev.org/718453
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=5ec5abb796c9d423f89b3093cb846d390453ad6a
Submitter: Zuul
Branch: master

commit 5ec5abb796c9d423f89b3093cb846d390453ad6a
Author: Damien Ciabrini <email address hidden>
Date: Wed Apr 8 15:26:48 2020 +0200

    mariadb: add pynacl dependency to support ed25519

    In order to support configuration of ed25519 authentication,
    puppet-tripleo uses a python helper that depends on pynacl.

    Update the kolla config override to install pynacl in the mariadb
    image to support the ed25519 use case.

    Change-Id: I908b2af6acce25dfb115463f9d04b0e14c7cba33
    Related-Bug: #1866093

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/719368

wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/719971

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Alex Schultz (<email address hidden>) on branch: master
Review: https://review.opendev.org/713470
Reason: clearing gate, need to land https://review.opendev.org/#/c/720132/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/713470
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ccacc6ce3cc45dec6bcb4a637ff0a5684b6e697f
Submitter: Zuul
Branch: master

commit ccacc6ce3cc45dec6bcb4a637ff0a5684b6e697f
Author: Damien Ciabrini <email address hidden>
Date: Tue Mar 17 16:17:09 2020 +0100

    Support for mariadb's ed25519 authentication

    Add Heat parameter EnableMysqlAuthEd25519, which when set to
    true, drives puppet-tripleo in configuring MySQL user credentials
    to require ed25519-based authentication (auth_ed25519) instead
    of the default SHA1-based authentication (mysql_native_password).

    This works starting with libsodium >= 1.0.18,
    python3-pynacl >= 1.3.0-6.el8.rdo.1,
    python3-PyMySQL >= 0.9.3-2.el8.rdo.1

    Change-Id: I4f3d38ea70d48589be3e1b7f5eea96c358b44560
    Partial-Bug: #1866093

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/719971
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=1479a0ea32967eab145a5eb78fa94e2e68c30b78
Submitter: Zuul
Branch: master

commit 1479a0ea32967eab145a5eb78fa94e2e68c30b78
Author: Damien Ciabrini <email address hidden>
Date: Tue Apr 14 15:48:08 2020 +0200

    Use a python shim for running the auth_ed25519 helper

    When mysql ed25519 authentication is enabled, puppet-tripleo
    uses a python helper to generate password hashes. Python
    helpers have their +x permission stripped on install time,
    so run the helper via the right python interpreter instead.

    Change-Id: I13b02af166d7767799be99a0fb52066b00637a01
    Related-Bug: #1866093

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/720875

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/train)

Reviewed: https://review.opendev.org/719368
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=5691454d52bdec3bc1df289ec1d7e4ceb39dcd36
Submitter: Zuul
Branch: stable/train

commit 5691454d52bdec3bc1df289ec1d7e4ceb39dcd36
Author: Damien Ciabrini <email address hidden>
Date: Wed Apr 8 15:26:48 2020 +0200

    mariadb: add pynacl dependency to support ed25519

    In order to support configuration of ed25519 authentication,
    puppet-tripleo uses a python helper that depends on pynacl.

    Update the kolla config override to install pynacl in the mariadb
    image to support the ed25519 use case.

    Change-Id: I908b2af6acce25dfb115463f9d04b0e14c7cba33
    Related-Bug: #1866093
    (cherry picked from commit 5ec5abb796c9d423f89b3093cb846d390453ad6a)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/720875
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=069a37fa27dac18611e77f7c43337767953896f4
Submitter: Zuul
Branch: stable/train

commit 069a37fa27dac18611e77f7c43337767953896f4
Author: Damien Ciabrini <email address hidden>
Date: Tue Mar 17 16:17:09 2020 +0100

    Support for mariadb's ed25519 authentication

    Add Heat parameter EnableMysqlAuthEd25519, which when set to
    true, drives puppet-tripleo in configuring MySQL user credentials
    to require ed25519-based authentication (auth_ed25519) instead
    of the default SHA1-based authentication (mysql_native_password).

    This works starting with libsodium >= 1.0.18,
    python3-pynacl >= 1.3.0-6.el8.rdo.1,
    python3-PyMySQL >= 0.9.3-2.el8.rdo.1

    Change-Id: I4f3d38ea70d48589be3e1b7f5eea96c358b44560
    Partial-Bug: #1866093
    (cherry picked from commit ccacc6ce3cc45dec6bcb4a637ff0a5684b6e697f)

wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/741229

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/741252

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/741331

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (master)

Reviewed: https://review.opendev.org/741229
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=1b22253e4503304bbe5f1a1f7ffdb98b5a3a39ad
Submitter: Zuul
Branch: master

commit 1b22253e4503304bbe5f1a1f7ffdb98b5a3a39ad
Author: Emilien Macchi <email address hidden>
Date: Wed Jul 15 10:48:27 2020 -0400

    TCIB: add python3-pynacl to mariadb image

    Porting I908b2af6acce25dfb115463f9d04b0e14c7cba33 into TCIB.

    Change-Id: I660feeba2cfdbca9cff6cc05ff9fd63458d4da0d
    Related-Bug: #1866093

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/741569

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/ussuri)

Reviewed: https://review.opendev.org/741569
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=d5dc49f8d6056b68c4fd8785a236498ab236c1d3
Submitter: Zuul
Branch: stable/ussuri

commit d5dc49f8d6056b68c4fd8785a236498ab236c1d3
Author: Emilien Macchi <email address hidden>
Date: Wed Jul 15 10:48:27 2020 -0400

    TCIB: add python3-pynacl to mariadb image

    Porting I908b2af6acce25dfb115463f9d04b0e14c7cba33 into TCIB.

    Change-Id: I660feeba2cfdbca9cff6cc05ff9fd63458d4da0d
    Related-Bug: #1866093
    (cherry picked from commit 1b22253e4503304bbe5f1a1f7ffdb98b5a3a39ad)

tags: added: in-stable-ussuri
Changed in tripleo:
milestone: victoria-1 → victoria-3
Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
Damien Ciabrini (dciabrin) wrote :
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/train)

Reviewed: https://review.opendev.org/741252
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=a5b956c5c68378a19c3a0fdb221fa9fb1f4545c4
Submitter: Zuul
Branch: stable/train

commit a5b956c5c68378a19c3a0fdb221fa9fb1f4545c4
Author: Emilien Macchi <email address hidden>
Date: Wed Jul 15 11:35:48 2020 -0400

    [train-only] add ed25519 to TCIB (placement image)

    Porting I011d0056c34150420eb4b9dfde721a7f30a0e25a into TCIB.
    This is needed for FFU on Train, see context on:
    https://github.com/openstack/tripleo-heat-templates/commit/d1e84cc4b3693bcf8b8670fce33a07e73d74cfea

    Change-Id: I306c2a3c391e32fefa834aabd6063a7b40ec5b77
    Partial-Bug: #1866093

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (stable/train)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: stable/train
Review: https://review.opendev.org/741331
Reason: The gate is currently hitting the "docker api 429" issue, see #tripleo channel for more details. I'll abandon that patch so it's cleared from the gate. Please do not restore it as I'll take care of it when the gate is stable again. Thanks for your understanding and patience!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/train)

Reviewed: https://review.opendev.org/741331
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=95c03f6501cc58393bab48b970fbfea8382ad063
Submitter: Zuul
Branch: stable/train

commit 95c03f6501cc58393bab48b970fbfea8382ad063
Author: Emilien Macchi <email address hidden>
Date: Wed Jul 15 10:48:27 2020 -0400

    TCIB: add python3-pynacl to mariadb image

    Porting I908b2af6acce25dfb115463f9d04b0e14c7cba33 into TCIB.

    Change-Id: I660feeba2cfdbca9cff6cc05ff9fd63458d4da0d
    Related-Bug: #1866093
    (cherry picked from commit 1b22253e4503304bbe5f1a1f7ffdb98b5a3a39ad)
