00a06edc5c
Add the ability to configure all mysql users to require authenticating to the server via mariadb's ed25519 auth plugin [1], rather than the default native authentication [2]. [1] https://mariadb.com/kb/en/authentication-plugin-ed25519/ [2] https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/ Change-Id: I430ea8e1fa15fb263d1d4ef8c39615021d907f8a Partial-Bug: #1866093
20 lines
856 B
Ruby
20 lines
856 B
Ruby
# Custom function to generate password hash for MariaDB's auth_ed25519
|
|
# Input is a regular mariadb user password
|
|
# Output is the hashed password as expected by auth_ed25519
|
|
Puppet::Functions.create_function(:'mysql_ed25519_password') do
|
|
dispatch :mysql_ed25519_password do
|
|
param 'String', :password
|
|
return_type 'String'
|
|
end
|
|
|
|
def mysql_ed25519_password(password)
|
|
# mysql's auth_ed25519 consists in generating a ed25519 public key
|
|
# out of the sha512(password). Unfortunately, there is no native
|
|
# ruby implementation of ed25519's unclamped scalar multiplication
|
|
# just yet, so rely on an binary to get the hash for now.
|
|
hashed = `/etc/puppet/modules/tripleo/files/mysql_ed25519_password.py #{password}`
|
|
raise Puppet::Error, 'generated hash is not 43 bytes long.' unless hashed.length == 43
|
|
return hashed
|
|
end
|
|
end
|