[FOLIO-2416] Enforce SCRAM-SHA-256 PostgreSQL passwords in reference environments Created: 08/Jan/20  Updated: 06/Oct/23

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: New Feature Priority: P2
Reporter: Julian Ladisch Assignee: Julian Ladisch
Resolution: Unresolved Votes: 0
Labels: platform-backlog, postgres, security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-2411 Use SCRAM-SHA-256 for passwords on Po... Blocked
is blocked by OKAPI-793 Enable SCRAM-SHA-256 PostgreSQL passw... Closed
is blocked by RMB-548 Enable SCRAM-SHA-256 PostgreSQL passw... Closed
Sprint: DevOps Requests
Development Team: FOLIO DevOps
Release: Quesnelia (R1 2024)

Description

Alter the PostgreSQL server configuration of the reference environments: Enforce SCRAM-SHA-256 passwords because MD5 passwords are insecure.

Prerequisite: All modules can handle SCRAM-SHA-256 passwords.

Modules using https://github.com/eclipse-vertx/vertx-sql-client must use version >= 4 and ship with the com.ongres.scram:client package.

Modules using JDBC (Spring, Grails, ...) work out of the box.

List of PostgreSQL drivers with status of SCRAM support: https://wiki.postgresql.org/wiki/List_of_drivers
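To make the "MD5 passwords are insecure" point concrete and to give a way to find roles that still need migrating, here is an added Python example (not code from the FOLIO project): it builds both verifier formats PostgreSQL stores in pg_authid.rolpassword, checks a password against a SCRAM-SHA-256 verifier, and flags MD5 roles in a constructed set of rows. Role names, passwords and the salt are made up for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# pg_authid.rolpassword layout for SCRAM: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$")


def md5_verifier(username: str, password: str) -> str:
    """Legacy format: 'md5' + hex(md5(password || username)).
    The only salt is the role name and MD5 is fast, so the hash is cheap to
    brute-force and identical for the same user/password on every server."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def scram_verifier(password: str, salt: bytes = b"", iterations: int = 4096) -> str:
    """SCRAM-SHA-256 verifier (RFC 5802/7677) with PostgreSQL's default 4096 iterations.
    A random per-role salt and PBKDF2 make the stored keys slow to attack and unique."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def scram_check(password: str, verifier: str) -> bool:
    """Recompute the verifier from a candidate password and compare in constant time."""
    m = SCRAM_RE.match(verifier)
    if not m:
        return False
    iterations, salt = int(m.group(1)), base64.b64decode(m.group(2))
    return hmac.compare_digest(scram_verifier(password, salt, iterations), verifier)


def classify(rolpassword):
    """Classify one rolpassword value: 'scram-sha-256', 'md5', 'none' or 'unknown'."""
    if rolpassword is None:
        return "none"
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    if re.fullmatch(r"md5[0-9a-f]{32}", rolpassword):
        return "md5"
    return "unknown"


def roles_still_on_md5(rows):
    """Return the names of roles whose verifier must be reset before enforcing SCRAM."""
    return [name for name, pw in rows if classify(pw) == "md5"]


# Constructed sample rows standing in for SELECT rolname, rolpassword FROM pg_authid
SAMPLE_ROLES = [
    ("folio_admin", md5_verifier("folio_admin", "example-pw")),
    ("okapi", scram_verifier("example-pw")),
    ("readonly", None),
]
```

Against a live server the same classification is a query on pg_authid; the enforcement itself is `password_encryption = scram-sha-256` in postgresql.conf (so new passwords are stored as SCRAM) plus `scram-sha-256` instead of `md5` as the auth method in pg_hba.conf, after every affected role has had its password reset.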

Comments
Comment by Jakub Skoczen [ 04/Apr/22 ]

Why is this a problem for reference environments?

Comment by Julian Ladisch [ 05/Apr/22 ]

Reference environments should run with all security features enabled so that any regression in those security features gets noticed and gets fixed.

Comment by Craig McNally [ 06/Oct/22 ]

Jakub Skoczen it looks like the blockers for this have been completed... is this something devops can now address?  It's been kicking around for a long time.  Thanks!

Comment by Axel Dörrer [ 19/Jan/23 ]

Julian Ladisch will review this to retrieve the status

Comment by Craig McNally [ 17/Aug/23 ]

If the prerequisites are satisfied, this is just a matter of updating the postgres config in the reference environments (may require adjustments to ansible scripts).  Jakub Skoczen / John Malconian / David Crossley  I'm not sure who can help with this so I'm at-mentioning you in hopes you can help sort this out or get it into the right person's hands.

Generated at Thu Feb 08 23:20:29 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.