[FOLIO-2416] Enforce SCRAM-SHA-256 PostgreSQL passwords in reference environments Created: 08/Jan/20 Updated: 06/Oct/23 |
|
| Status: | Open |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | New Feature | Priority: | P2 |
| Reporter: | Julian Ladisch | Assignee: | Julian Ladisch |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | platform-backlog, postgres, security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: |
|
| Sprint: | DevOps Requests |
| Development Team: | FOLIO DevOps |
| Release: | Quesnelia (R1 2024) |
| Description |
|
Alter the PostgreSQL server configuration of the reference environments: Enforce SCRAM-SHA-256 passwords because MD5 passwords are insecure. Prerequisite: All modules can handle SCRAM-SHA-256 passwords. Modules using https://github.com/eclipse-vertx/vertx-sql-client must use version >= 4 and ship with the com.ongres.scram:client package. Modules using JDBC (Spring, Grails, ...) work out of the box. List of PostgreSQL drivers with status of SCRAM support: https://wiki.postgresql.org/wiki/List_of_drivers |
| Comments |
| Comment by Jakub Skoczen [ 04/Apr/22 ] |
|
Why is this a problem for reference environments? |
| Comment by Julian Ladisch [ 05/Apr/22 ] |
|
Reference environments should run with all security features enabled so that any regression in those security features gets noticed and gets fixed. |
| Comment by Craig McNally [ 06/Oct/22 ] |
|
Jakub Skoczen it looks like the blockers for this have been completed... is this something devops can now address? It's been kicking around for a long time. Thanks! |
| Comment by Axel Dörrer [ 19/Jan/23 ] |
|
Julian Ladisch will review this to retrieve the status |
| Comment by Craig McNally [ 17/Aug/23 ] |
|
If the prerequisites are satisfied, this is just a matter of updating the postgres config in the reference environments (may require adjustments to ansible scripts). Jakub Skoczen / John Malconian / David Crossley I'm not sure who can help with this so I'm at-mentioning you in hopes you can help sort this out or get it into the right person's hands. |
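One way to check a PostgreSQL server for leftovers that would block or weaken the SCRAM-SHA-256 enforcement requested in this issue. This is an added example, not FOLIO's own code or Ansible tasks. The role names, addresses and password verifiers are constructed, and the parser assumes simple `pg_hba.conf` records without include directives or quoted fields.

```python
import ipaddress

# Password-based pg_hba.conf methods that do not enforce SCRAM-SHA-256.
NON_SCRAM_METHODS = {"md5", "password"}

def hba_method(line):
    """Return the auth method of one pg_hba.conf record, or None."""
    fields = line.split("#", 1)[0].split()
    if len(fields) >= 4 and fields[0] == "local":  # local DB USER METHOD
        return fields[3]
    if len(fields) < 5:
        return None
    try:  # host DB USER IP NETMASK METHOD
        ipaddress.ip_address(fields[4])
        return fields[5] if len(fields) > 5 else None
    except ValueError:  # host DB USER CIDR-or-hostname METHOD
        return fields[4]

def audit(hba_text, password_encryption, roles):
    """Collect findings that block or weaken SCRAM-SHA-256 enforcement."""
    findings = []
    for n, line in enumerate(hba_text.splitlines(), 1):
        if hba_method(line) in NON_SCRAM_METHODS:
            findings.append(f"pg_hba.conf:{n}: method is not scram-sha-256")
    if password_encryption != "scram-sha-256":
        findings.append("postgresql.conf: password_encryption is not scram-sha-256")
    for name, verifier in roles:
        # A role without a SCRAM verifier cannot log in through a
        # scram-sha-256 rule until its password is set again.
        if verifier and not verifier.startswith("SCRAM-SHA-256$"):
            findings.append(f"role {name}: stored password is not SCRAM, reset it")
    return findings

# Constructed sample input, not taken from any FOLIO environment.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER   ADDRESS                 METHOD
local   all       all                            peer
host    all       all    10.0.0.0/8              md5
host    all       all    192.0.2.0 255.255.255.0 md5
hostssl all       folio  0.0.0.0/0               scram-sha-256
"""
# Rows shaped like: SELECT rolname, rolpassword FROM pg_authid WHERE rolcanlogin;
SAMPLE_ROLES = [("folio_admin", "md5" + "0" * 32), ("postgres", None),
                ("okapi", "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy")]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HBA, "md5", SAMPLE_ROLES)))
```

Reading `pg_authid` requires superuser rights; the second argument is the value reported by `SHOW password_encryption`.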