Support for mariadb's ed25519 authentication

Add Heat parameter EnableMysqlAuthEd25519, which when set to true, drives puppet-tripleo in configuring MySQL user credentials to require ed25519-based authentication (auth_ed25519) instead of the default SHA1-based authentication (mysql_native_password). This works starting with libsodium >= 1.0.18, python3-pynacl >= 1.3.0-6.el8.rdo.1, python3-PyMySQL >= 0.9.3-2.el8.rdo.1 Change-Id: I4f3d38ea70d48589be3e1b7f5eea96c358b44560 Partial-Bug: #1866093
2020-03-17 16:17:09 +01:00 · 2020-03-17 16:17:09 +01:00 · ccacc6ce3c
parent b0e4364adc
commit ccacc6ce3c
2 changed files with 13 additions and 0 deletions
--- a/deployment/database/mysql-base.yaml
+++ b/deployment/database/mysql-base.yaml
@ -53,6 +53,11 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  EnableMysqlAuthEd25519:
+    type: boolean
+    description: Whether to configure MySQL users to connect to the
+                 server using the Ed25519-based client authentication.
+    default: false
  MysqlIPv6:
    default: false
    description: Enable IPv6 in MySQL
@ -89,6 +94,7 @@ outputs:
                    - {get_param: [DefaultPasswords, mysql_root_password]}
            mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
            enable_galera: {get_param: EnableGalera}
+            mysql_auth_ed25519: {get_param: EnableMysqlAuthEd25519}
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples
            # (eg. for internal_api):
--- a/releasenotes/notes/mysql-auth-ed25519-28aaea4e69fbfdf7.yaml
+++ b/releasenotes/notes/mysql-auth-ed25519-28aaea4e69fbfdf7.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Add Heat parameter ``EnableMysqlAuthEd25519``, which when set to
+    true, configures MySQL user credentials to require ed25519-based
+    authentication to the mariadb server, instead of the default
+    SHA1-based native authentication.