
Set postgresql password encryption for FIPS compliance

This is part of the work to add jobs which confirm ironic works with
FIPS enabled, but this change is also appropriate for non-FIPS jobs.

Change-Id: I4af4e811104088d28d7be6df53c26e72db039e08
changes/28/803128/8
Steve Baker 6 months ago
parent
commit
6af0eb374e
  1. 27
      tools/test-setup.sh
  2. 1
      zuul.d/ironic-jobs.yaml

27
tools/test-setup.sh

@ -48,9 +48,25 @@ DB_ROOT_PW=${POSTGRES_ROOT_PW:-insecure_slave}
# which it can't when executed as the postgres user, which is required
# as same user as process for initial administrative authentication to
# the postgres database
cd /tmp
# Identify and update the postgres hba file which can be in
# a version specific path.
PG_HBA=$(sudo -H -u postgres psql -t -c "show hba_file")
PG_CONF=$(sudo -H -u postgres psql -t -c "show config_file")
# setup postgres encryption algorithm and authentication
sudo sed -i 's/ident$/scram-sha-256/g' $PG_HBA
sudo sed -i 's/md5$/scram-sha-256/g' $PG_HBA
sudo sed -i 's/^.*password_encryption =.*/password_encryption = scram-sha-256/' $PG_CONF
sudo cat $PG_HBA
sudo cat $PG_CONF
# restart postgres fo new HBA file is loaded
sudo systemctl stop postgresql || true
sudo systemctl start postgresql || true
# Setup user
root_roles=$(sudo -H -u postgres psql -t -c "
SELECT 'HERE' from pg_roles where rolname='$DB_USER'")
@ -60,15 +76,6 @@ else
sudo -H -u postgres psql -c "CREATE ROLE $DB_USER WITH SUPERUSER LOGIN PASSWORD '$DB_PW'"
fi
# Identify and update the postgres hba file which can be in
# a version specific path.
PG_HBA=$(sudo -H -u postgres psql -t -c "show hba_file")
sudo sed -i 's/ident/trust/g' $PG_HBA
sudo cat $PG_HBA
# restart postgres fo new HBA file is loaded and our user trusted.
sudo systemctl stop postgresql || true
sudo systemctl start postgresql || true
# Store password for tests
cat << EOF > $HOME/.pgpass
*:*:*:$DB_USER:$DB_PW
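Review bot: Nothing in the first hunk confirms that scram-sha-256 actually took effect before the roles are created. The `sed` on `$PG_CONF` only rewrites an existing `password_encryption =` line, so a config file without that line is left unchanged, and both `systemctl` calls end in `|| true`, so a failed restart is silent too; in either case the role password would presumably be stored with the previous hash while pg_hba now demands SCRAM. I would add a check right after the restart, e.g. `sudo -H -u postgres psql -tA -c "show password_encryption" | grep -qx scram-sha-256 || exit 1`. The `$PG_HBA` and `$PG_CONF` expansions are unquoted, which appears to be what strips the leading space from `psql -t` output; using `psql -tA` would allow quoting them. The `if`/`else` that creates the role is only partly visible between the two hunks.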

1
zuul.d/ironic-jobs.yaml

@ -23,7 +23,6 @@
- ^releasenotes/.*$
- ^setup.cfg$
- ^test-requirements.txt$
- ^tools/.*$
- ^tox.ini$
vars:
tox_envlist: all
