From 069a37fa27dac18611e77f7c43337767953896f4 Mon Sep 17 00:00:00 2001
From: Damien Ciabrini
Date: Tue, 17 Mar 2020 16:17:09 +0100
Subject: [PATCH] Support for mariadb's ed25519 authentication

Add Heat parameter EnableMysqlAuthEd25519, which when set to true, drives puppet-tripleo in configuring MySQL user credentials to require ed25519-based authentication (auth_ed25519) instead of the default SHA1-based authentication (mysql_native_password). This works starting with libsodium >= 1.0.18, python3-pynacl >= 1.3.0-6.el8.rdo.1, python3-PyMySQL >= 0.9.3-2.el8.rdo.1

Change-Id: I4f3d38ea70d48589be3e1b7f5eea96c358b44560
Partial-Bug: #1866093
(cherry picked from commit ccacc6ce3cc45dec6bcb4a637ff0a5684b6e697f)
---
 deployment/database/mysql-base.yaml | 6 ++++++
 .../notes/mysql-auth-ed25519-28aaea4e69fbfdf7.yaml | 7 +++++++
 2 files changed, 13 insertions(+)
 create mode 100644 releasenotes/notes/mysql-auth-ed25519-28aaea4e69fbfdf7.yaml

diff --git a/deployment/database/mysql-base.yaml b/deployment/database/mysql-base.yaml
index 12290b133d..cc04b26ac2 100644
--- a/deployment/database/mysql-base.yaml
+++ b/deployment/database/mysql-base.yaml
@@ -53,6 +53,11 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ EnableMysqlAuthEd25519:
+ type: boolean
+ description: Whether to configure MySQL users to connect to the
+ server using the Ed25519-based client authentication.
+ default: false
 MysqlIPv6:
 default: false
 description: Enable IPv6 in MySQL
@@ -98,6 +103,7 @@ outputs:
 - {get_param: [DefaultPasswords, mysql_root_password]}
 mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
 enable_galera: {get_param: EnableGalera}
+ mysql_auth_ed25519: {get_param: EnableMysqlAuthEd25519}
 # NOTE: bind IP is found in hiera replacing the network name with the
 # local node IP for the given network; replacement examples
 # (eg. for internal_api):
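Review bot: The description of `EnableMysqlAuthEd25519` omits the client-side prerequisites that the commit message lists (libsodium >= 1.0.18, python3-pynacl >= 1.3.0-6.el8.rdo.1, python3-PyMySQL >= 0.9.3-2.el8.rdo.1), and the parameter description is what an operator reads before changing the flag. A service whose client library lacks ed25519 support would presumably fail to authenticate once its account requires auth_ed25519, so I would extend the text with something like `Requires ed25519-capable client libraries on every service that connects to the database; when false, users keep mysql_native_password.` It would also help to state whether changing the value on an existing deployment converts accounts that already exist, which is not visible from this template. The parameters block continues outside the hunk.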
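Review bot: In the second hunk `mysql_auth_ed25519` is only exported as hiera data, and per the commit message the code that acts on it lives in puppet-tripleo. A deployment paired with a puppet-tripleo that does not read this key would presumably accept `EnableMysqlAuthEd25519: true` without error and keep creating mysql_native_password users. A comment above the line would make the dependency visible, for example `# consumed by puppet-tripleo; has no effect unless it supports auth_ed25519`. Checking the authentication plugin recorded for the service accounts after deployment is the reliable way to confirm the setting took effect. The enclosing mapping under outputs starts and ends outside the hunk.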
diff --git a/releasenotes/notes/mysql-auth-ed25519-28aaea4e69fbfdf7.yaml b/releasenotes/notes/mysql-auth-ed25519-28aaea4e69fbfdf7.yaml
new file mode 100644
index 0000000000..f1c414cc5b
--- /dev/null
+++ b/releasenotes/notes/mysql-auth-ed25519-28aaea4e69fbfdf7.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Add Heat parameter ``EnableMysqlAuthEd25519``, which when set to
+ true, configures MySQL user credentials to require ed25519-based
+ authentication to the mariadb server, instead of the default
+ SHA1-based native authentication.