-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a migration to encrypt database password using scram-sha-256 #757
Conversation
Note that if anyone has their database locally setup as md5 (or just on a old version), this will break their local database. I'm ok with that, but we might need some instructions either here or in guides/dev-setup on the changes needed to unbreak them. |
class ReencryptPasswordScramsha < ActiveRecord::Migration[6.1] | ||
def up | ||
say_with_time('Reencrypting database user password with scram-sha-256') do | ||
database_yml = YAML.safe_load(Rails.root.join("config", "database.yml")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are cases where we could use DATABASE_URL, so I think it's better to use the database configuration instead. Additionally, database confiuguration should have already decrypted the password for us, so there's no need to further try_decrypt:
ActiveRecord::Base.connection_db_config.configuration_hash
# => {:adapter=>"postgresql", :encoding=>"utf8", :username=>"root", :pool=>"5", :wait_timeout=>5, :min_messages=>"notice", :database=>"vmdb_development", :password=>"smartvm", :port=>5432, :host=>"localhost"}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
f496a83
to
288c276
Compare
I think the only concern here is the plaintext password will be printed into the pg logs in some cases. This is from what I've read and I have not researched/looked too deep into this |
Backported to
|
Add a migration to encrypt database password using scram-sha-256 (cherry picked from commit 3762bf5)
@kbrock the way it's done here encrypts the password first (in memory) then sends that, so it should not be in the logs |
Related:
CP4AIOPS-3003