ansible-collections / community.postgresql

Manage PostgreSQL with Ansible
https://galaxy.ansible.com/ui/repo/published/community/postgresql/

postgresql_user module fails with password on version 10.x if server is fips enabled #39

Closed Akasurde closed 1 year ago

Akasurde commented 3 years ago

From @Andersson007 on Apr 06, 2020 11:27

Copied from https://github.com/ansible/ansible/issues/41787. Initially reported by @jbscalia.

Postgresql_user needs to support AES-256 encryption.

SUMMARY

If a server is FIPS-140-2 enabled, md5 is not permitted as an "encryption/hashing" algorithm. PostgreSQL version 10 supports AES-256 encryption, but postgresql_user does not support that option, and is unusable on a FIPS enabled server.

ISSUE TYPE
COMPONENT NAME

postgresql_user

ANSIBLE VERSION

```
ansible --version
ansible 2.4.2.0
  config file = /home/419635/.ansible.cfg
  configured module search path = [u'/home/419635/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]
```


##### CONFIGURATION
ansible-config dump --only-changed
DEFAULT_FORKS(/home/419635/.ansible.cfg) = 2
DEFAULT_HOST_LIST(/home/419635/.ansible.cfg) = [u'/home/419635/postgres/9.6/ansible/environm
DEFAULT_LOG_PATH(/home/419635/.ansible.cfg) = /home/419635/ansible.log
DEFAULT_ROLES_PATH(/home/419635/.ansible.cfg) = [u'/etc/ansible/roles', u'/usr/share/ansible
DEFAULT_VAULT_PASSWORD_FILE(/home/419635/.ansible.cfg) = /home/419635/postgres/10/ansible/.v
PERSISTENT_CONNECT_TIMEOUT(/home/419635/.ansible.cfg) = 30

##### OS / ENVIRONMENT
Red Hat Enterprise Linux 7.4, kernel 3.10.0-514.el7

##### STEPS TO REPRODUCE
Create a play using the postgresql_user module as shown and attempt to run the play on a FIPS-enabled server.

""
- name: Ensure the "{{ pg_replication_user }}" role exists in our primary
  become: yes
  become_user: "{{ postgresql_superuser }}"
  postgresql_user:
    name: "{{ pg_replication_user }}"
    password: "{{ pg_replication_user_password }}"
    encrypted: True
    port: "{{ pg_port }}"
    role_attr_flags: LOGIN,REPLICATION
EXPECTED RESULTS

Expected the user to be created in the specified PostgreSQL cluster.

ACTUAL RESULTS

The module failed.

```
TASK [replica : Ensure the "rplctn_usr" role exists in our primary] ************************
fatal: [cl-rhdb-7025.ba.ssa.gov]: FAILED! => {"changed": false, "module_stderr": "Shared connection to cl-rhdb-7025.ba.ssa.gov closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_IsugL6/ansible_module_postgresql_user.py\", line 844, in <module>\r\n    main()\r\n  File \"/tmp/ansible_IsugL6/ansible_module_postgresql_user.py\", line 803, in main\r\n    role_attr_flags, encrypted, expires, no_password_changes, conn_limit)\r\n  File \"/tmp/ansible_IsugL6/ansible_module_postgresql_user.py\", line 338, in user_alter\r\n    pwchanging = user_should_we_change_password(current_role_attrs, user, password, encrypted)\r\n  File \"/tmp/ansible_IsugL6/ansible_module_postgresql_user.py\", line 304, in user_should_we_change_password\r\n    hashed_password = 'md5{0}'.format(md5(to_bytes(password) + to_bytes(user)).hexdigest())\r\nValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips\r\n", "msg": "MODULE FAILURE", "rc": 1}
```

Copied from original issue: ansible/ansible#119
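The traceback in the report fails inside `user_should_we_change_password`, where the module recomputes the legacy `md5` + hex(MD5(password || user)) verifier to compare it with the stored one, and OpenSSL in FIPS mode refuses the MD5 digest. The following is an added example, not the module's code, showing that legacy computation beside the SCRAM-SHA-256 verifier PostgreSQL 10 can store and a comparison routine that needs no MD5; `fips_enabled`, `md5_verifier`, `scram_verifier` and `scram_matches` are names chosen here, the kernel flag path follows the later comment in this thread, and SASLprep password normalisation is omitted.

```python
import base64
import hashlib
import hmac
import os

SCRAM_ITERATIONS = 4096  # PostgreSQL's default iteration count for SCRAM-SHA-256


def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Kernel FIPS flag as exposed on RHEL-style systems; False if the file is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def md5_verifier(user, password):
    """Legacy verifier: 'md5' + hex(MD5(password || user)).
    On a FIPS host hashlib.md5 raises ValueError, which is the failure in the traceback."""
    return "md5" + hashlib.md5((password + user).encode("utf-8")).hexdigest()


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def scram_verifier(password, salt=None, iterations=SCRAM_ITERATIONS):
    """SCRAM-SHA-256 verifier in the form PostgreSQL stores in pg_authid:
    SCRAM-SHA-256$<iterations>:<b64 salt>$<b64 StoredKey>:<b64 ServerKey>.
    The password is used as given (no SASLprep); the salt is per-role, 16 random bytes by default."""
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def scram_matches(verifier, password):
    """Decide whether a stored SCRAM verifier already corresponds to `password`
    by recomputing it from the verifier's own salt and iteration count.
    This is the 'should we change the password' check done without MD5."""
    parts = verifier.split("$")
    if len(parts) != 3 or parts[0] != "SCRAM-SHA-256":
        return False
    iterations, salt_b64 = parts[1].split(":")
    recomputed = scram_verifier(password, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(recomputed, verifier)
```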

Akasurde commented 3 years ago

From @ansibullbot on Apr 17, 2020 14:44

cc @Dorn- @amenonsen @andytom @kostiantyn-nemchenko @matburt @nerzhul @sebasmannem @tcraxs

Akasurde commented 3 years ago

From @avidspartan1 on Sep 04, 2020 18:47

Would love to see this issue worked. Running into this when trying to deploy Pulp on a FIPS-enabled system.

mator commented 3 years ago

How do I check that PostgreSQL is FIPS-enabled, or how do I install FIPS-enabled PostgreSQL?

hunleyd commented 3 years ago

> How do I check that PostgreSQL is FIPS-enabled, or how do I install FIPS-enabled PostgreSQL?

PG isn't 'FIPS-enabled'. The OS that PG runs on is (or isn't). On RHEL-based systems, you can `cat /proc/sys/crypto/fips_enabled`, `sysctl crypto.fips_enabled`, or `fips-mode-setup --check`.

Andersson007 commented 1 year ago

Closing this to keep the tracker clean, thanks everyone!