Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Postgres FIPS compliant #184

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Make Postgres FIPS compliant #184

wants to merge 1 commit into from

Conversation

doodlesbykumbi
Copy link
Contributor

@doodlesbykumbi doodlesbykumbi commented Jul 12, 2023
edited
Loading

Set the postgres password encryption to scram-sha-256 to make Postgres FIPS compliant. Before merging we should figure out the upgrade path in terms of re-encrypting pre-existing passwords from md5.

Desired Outcome

Please describe the desired outcome for this PR. Said another way, what was
the original request that resulted in these code changes? Feel free to copy
this information from the connected issue.

Implemented Changes

Describe how the desired outcome above has been achieved with this PR. In
particular, consider:

  • What's changed? Why were these changes made?
  • How should the reviewer approach this PR, especially if manual tests are required?
  • Are there relevant screenshots you can add to the PR description?

Connected Issue/Story

Resolves #[relevant GitHub issue(s), e.g. 76]

CyberArk internal issue ID: [insert issue ID]

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code
    changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed here: [insert issue ID]
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes

@doodlesbykumbi
Make Postgres FIPS compliant
0dc8cf1 
Set the postgres password encryption to scram-sha-256 to make Postgres FIPS compliant
@tarnowsc
Copy link

I believe it is not required to set this explicitly since for postgres 15 we're using right now in appliance the default vaule is already set to scram-sha-256:

 psql -c "SHOW password_encryption;"
 password_encryption 
---------------------
 scram-sha-256
(1 row)

But this actually means that the upgrade procedure would be needed.

@doodlesbykumbi
Copy link
Contributor Author

@tarnowsc I've not been able to find a Postgres 15 RHEL image

@tarnowsc
Copy link

For the given Dockerfile:

FROM registry.access.redhat.com/ubi9/ubi

RUN dnf install -y --nodocs "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-$(arch)/pgdg-redhat-repo-latest.noarch.rpm" && \
    dnf -y update && \
    dnf install -y --nodocs \
      postgresql15-server && \
    dnf clean all && \
    rm -rf /var/cache/yum /var/cache/dnf /var/lib/dnf

ENV PATH="/usr/pgsql-15/bin/:$PATH" \
    PGDATA=/var/lib/pgsql/data

USER postgres

CMD ["/bin/bash", "-c", "initdb && pg_ctl start -w && psql -c 'SHOW password_encryption;'"]

I'm getting the following result:

docker run $(docker build -q .)
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "C".
The default database encoding has accordingly been set to "SQL_ASCII".
The default text search configuration will be set to "english".

Data page checksums are disabled.

creating directory /var/lib/pgsql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Etc/UTC
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

initdb: warning: enabling "trust" authentication for local connections
initdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    /usr/pgsql-15/bin/pg_ctl -D /var/lib/pgsql/data -l logfile start

waiting for server to start....2023-07-17 08:51:18.455 UTC [19] LOG:  redirecting log output to logging collector process
2023-07-17 08:51:18.455 UTC [19] HINT:  Future log output will appear in directory "log".
 done
server started
 password_encryption 
---------------------
 scram-sha-256
(1 row)

@doodlesbykumbi
Copy link
Contributor Author

@tarnowsc the changed config file is only relevant to the Helm deployment. The Dockerfile doesn't capture the config

@doodlesbykumbi
Copy link
Contributor Author

@tarnowsc I think I misunderstood your last comment. If I understand correctly you are demonstrating building our own container image for Postgres 15 that should run in OpenShift. Can you confirm if you were able to get this image to run on OpenShift ?

@Neustradamus
Copy link

SCRAM is very important!

Linked to:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@doodlesbykumbi @tarnowsc @Neustradamus