Percona Monitoring and Management: PMM-5364

Ability to monitor SSL-enabled MongoDB by passing certificate parameters in 'pmm-admin add' command


    Details

    • Story Points:
      3
    • Sprint:
      Platform Sprint 32 (2.13+b1), Platform Sprint 30 (2.12+b1)
    • Needs Review:
      Yes
    • Needs QA:
      Yes
    • Needs Doc:
      Yes

      Description

      The problem:

      PMM2 currently provides no way to pass SSL certificates when connecting to a MongoDB instance that requires them.

      Original report:

      Hello

      • Mongo Community Server 4.0
      • pmm2-client-2.2.1-6.el7.x86_64
      • SSL Part in mongodb.conf:

      sslOnNormalPorts = true
      sslPEMKeyFile = /etc/mongodb/ssl/psmdb2.pem
      sslCAFile = /etc/mongodb/ssl/mongoCA.crt
      sslPEMKeyPassword = <pw>
      sslClusterFile = /etc/mongodb/ssl/psmdb2.pem
      clusterAuthMode = x509

      https://jira.percona.com/browse/PMM-4702 mentions "fixed", but it does not work on my config.

      I tried to connect pmm2 client to a mongo 4.0 with SSL enabled.
      User generated in mongodb like this:

      db.getSiblingDB("admin").createUser({
        user: "mongodb_exporter",
        pwd: "$PASSWORD",
        roles: [
          { role: "clusterMonitor", db: "admin" },
          { role: "read", db: "local" }
        ],
        mechanisms: [ "SCRAM-SHA-256" ]
      })

      simple connect via mongo is ok:

      mongo --ssl --sslCAFile /etc/mongodb/ssl/mongoCA.crt \
      --sslPEMKeyFile /etc/mongodb/ssl/psmdb2.pem \
      --host $HOST.$DOMAIN \
      --authenticationDatabase "admin" \
      -u "mongodb_exporter" -p $PASSWORD
      MongoDB shell version v4.0.14
      rs0:PRIMARY>

      https://www.percona.com/doc/percona-monitoring-and-management/2.x/setting-up/client/mongodb.html#passing-ssl-parameters-to-the-mongodb-monitoring-service

      mentions options that "pmm-admin add mongodb --help" does not show, but they do not help:

      1. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca /etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert /etc/mongodb/ssl/psmdb2.pem
        pmm-admin: error: unexpected /etc/mongodb/ssl/mongoCA.crt, try --help
      2. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
        pmm-admin: error: unexpected --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem, try --help
      3. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
        pmm-admin: error: unexpected --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem, try --help
      4. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt # --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
        address --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt: missing port in address
      5. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls
        Connection check failed: timeout (context deadline exceeded).

      And this note in the mentioned URL makes the usage of SSL quite useless:

      "PMM does not support passing SSL/TLS related parameters to mongodb:queries."

      Without SSL enabled, pmm2-client runs fine.

      Please add SSL support to pmm2-client for mongo (and postgresql / mysql) with all options, and correct the documentation and "--help" output to show the needed options.


      Suggested implementation:

      • Add new fields to the add-MongoDB API in pmm-managed:
        • client certificate key file
        • client certificate key file password
        • CA certificate file
      • Add the corresponding columns to the Agents table in the database.
      • Add new flags to the `pmm-admin add mongodb` CLI command:
        • tlsCertificateKeyFile
        • tlsCertificateKeyFilePassword
        • tlsCAFile
      • pmm-admin should read the contents of tlsCertificateKeyFile and tlsCAFile and send them to pmm-managed.
      • Use the certificates when running MongoDB action commands on the pmm-agent side.
      • Use the certificates when running mongodb_exporter:
        • Pass the SSL flags that the installed mongodb_exporter version requires.
      • QAN should also be able to collect data from the secured server.


      How to test:

      • Test with these versions
        • 4.0
        • 4.2
      1. Start MongoDB via the docker-compose file from mongodb-ssl.tar.gz attached to the ticket.
      2. Start PMM Server.
      3. pmm-admin add mongodb localhost:27017 --tls --tls-certificate-key-file=PATHTOCERT --tls-certificate-key-file-password=IFPASSWORDTOCERTISSET --tls-ca-file=PATHTOCACERT
        1. The certificate shipped in the archive has no password, so that flag can be omitted.
      4. Check that all agents, exporters, etc. running on this node work properly.
      5. Check that MongoDB explain works correctly.
      6. Check that the Security Threat Tool can connect to the database.


      Documentation: 

      • Update the reference manual with the new flags.

      New flags added to `pmm-admin add mongodb`:

      • --tls-certificate-key-file=PATHTOCERT - Path to the TLS certificate key file
      • --tls-certificate-key-file-password=IFPASSWORDTOCERTISSET - Password for the certificate key file, if one is set
      • --tls-ca-file=PATHTOCACERT - Path to the certificate authority file


      Note

      • Should the new mongodb_exporter be updated to support SSL?
        No: mongodb_exporter already supports it when the TLS parameters are passed in the connection URI.
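      The flag-to-URI mapping sketched in the suggested implementation and in the note above, as an added example in Go that is not PMM's own code: it validates the proposed `--tls-*` flag combination, checks that a file body really is PEM of the expected type before it would be sent to pmm-managed, and emits the standard MongoDB URI options that mongodb_exporter consumes. `TLSOptions`, `CheckPEM` and `BuildMongoURI` are this example's own names, and the host and paths in the usage are constructed.

```go
package main

import (
	"encoding/pem"
	"errors"
	"net"
	"net/url"
)

// TLSOptions mirrors the flags this ticket proposes for `pmm-admin add mongodb`:
// --tls, --tls-certificate-key-file, --tls-certificate-key-file-password, --tls-ca-file.
type TLSOptions struct {
	Enabled                          bool
	CertKeyFile, CertKeyPass, CAFile string // client cert+key (PEM), its password, CA cert
}

// CheckPEM confirms data holds a PEM block of the expected type, so a wrong path (a key
// file handed in as --tls-ca-file, say) is rejected before pmm-admin ships it to pmm-managed.
func CheckPEM(data []byte, wantType string) error {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == wantType {
			return nil
		}
	}
	return errors.New("no " + wantType + " PEM block found")
}

// BuildMongoURI assembles the connection string handed to mongodb_exporter, encoding the
// TLS settings as the standard URI options tls, tlsCAFile, tlsCertificateKeyFile and
// tlsCertificateKeyFilePassword. A bare host gets MongoDB's default port 27017, which
// avoids the "missing port in address" failure seen in the original report.
func BuildMongoURI(host, user, pass string, tls TLSOptions) (string, error) {
	if _, _, err := net.SplitHostPort(host); err != nil {
		host = net.JoinHostPort(host, "27017")
	}
	if !tls.Enabled && (tls.CAFile != "" || tls.CertKeyFile != "" || tls.CertKeyPass != "") {
		return "", errors.New("TLS files given but --tls is not set")
	}
	if tls.CertKeyPass != "" && tls.CertKeyFile == "" {
		return "", errors.New("key password given without a certificate key file")
	}
	u := &url.URL{Scheme: "mongodb", Host: host, Path: "/", User: url.UserPassword(user, pass)}
	q := url.Values{"authSource": {"admin"}} // the exporter user lives in admin, as in the report
	if tls.Enabled {
		q.Set("tls", "true")
		set := func(k, v string) { if v != "" { q.Set(k, v) } } // emit only options actually given
		set("tlsCAFile", tls.CAFile)
		set("tlsCertificateKeyFile", tls.CertKeyFile)
		set("tlsCertificateKeyFilePassword", tls.CertKeyPass)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}
```

      Path values are percent-encoded by url.Values, which MongoDB connection-string parsers decode; the password is only emitted when a key file accompanies it.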

      People

      Assignee: Unassigned
      Reporter: hubi_oediv Hubertus Krogmann
      Votes: 2
      Watchers: 14

      Time Tracking

      Estimated: Not Specified
      Remaining: Not Specified
      Logged: 1d 3h 20m