  1. Percona Monitoring and Management
  2. PMM-5364

Cannot Add MongoDB with configured SSL


    Details

    • Type: New Feature
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: 2.2.1, 2.6.0
    • Fix Version/s: None
    • Labels:
      None
    • Story Points:
      3
    • Sprint:
      Platform Sprint 29

      Description

      The problem: 

      There is no ability in PMM2 to pass SSL certificates to connect PMM.

      Original report:

      Hello

      • Mongo Community Server 4.0
      • pmm2-client-2.2.1-6.el7.x86_64
      • SSL Part in mongodb.conf:

      sslOnNormalPorts = true
      sslPEMKeyFile = /etc/mongodb/ssl/psmdb2.pem
      sslCAFile = /etc/mongodb/ssl/mongoCA.crt
      sslPEMKeyPassword = <pw>
      sslClusterFile = /etc/mongodb/ssl/psmdb2.pem
      clusterAuthMode = x509

      https://jira.percona.com/browse/PMM-4702 mentions "fixed" but does not work on my config.

      I tried to connect pmm2 client to a mongo 4.0 with SSL enabled.
      User generated in mongodb like this:

      // Monitoring user for mongodb_exporter: clusterMonitor on admin, read on local
      db.getSiblingDB("admin").createUser({
        user: "mongodb_exporter",
        pwd: "$PASSWORD",
        roles: [
          { role: "clusterMonitor", db: "admin" },
          { role: "read", db: "local" }
        ],
        mechanisms: [ "SCRAM-SHA-256" ]
      })

      simple connect via mongo is ok:

      mongo --ssl --sslCAFile /etc/mongodb/ssl/mongoCA.crt \
      --sslPEMKeyFile /etc/mongodb/ssl/psmdb2.pem \
      --host $HOST.$DOMAIN \
      --authenticationDatabase "admin" \
      -u "mongodb_exporter" -p $PASSWORD
      MongoDB shell version v4.0.14
      rs0:PRIMARY>

      https://www.percona.com/doc/percona-monitoring-and-management/2.x/manage/client-mongodb-ssl.html#pmm-pmm-admin-mongodb-pass-ssl-parameter

      mentions options "pmm-admin add mongodb --help" does not show, but this does not help:

      1. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca /etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert /etc/mongodb/ssl/psmdb2.pem
        pmm-admin: error: unexpected /etc/mongodb/ssl/mongoCA.crt, try --help
      2. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
        pmm-admin: error: unexpected --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem, try --help
      3. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
        pmm-admin: error: unexpected --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem, try --help
      4. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt # --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
        address --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt: missing port in address
      5. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN -- --mongodb.tls
        Connection check failed: timeout (context deadline exceeded).

      And this note in the mentioned URL makes the usage of SSL quite useless:

      "PMM does not support passing SSL/TLS related parameters to mongodb:queries."

      Without SSL enabled pmm2-client runs fine.

      Please add SSL support to pmm2-client for mongo (and postgresql / mysql) and all options and correct the documentation and "--help" output to show the needed options

       

      Suggested implementation:

      • Add new fields to add MongoDB API in pmm-managed.
        • client certificate key file
        • client certificate key file password
        • CA Cert file
      • Add new fields in DB for Agents Table.
      • Add new flags to add mongodb CLI commands in pmm-admin
        • tlsCertificateKeyFile
        • tlsCertificateKeyFilePassword
        • tlsCAFile
      • PMM-admin should read body of tlsCertificateKeyFile and tlsCAFile and send them to the pmm-managed
      • While running mongodb action commands on pmm-agent side
      • While running mongodb_exporter
        • Pass correct flags required for SSL based on mongodb_exporter version

       

      Note

      • Should we update new mongodb_exporter to make it support ssl?
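
The suggested implementation has pmm-admin read the body of tlsCertificateKeyFile before sending it on. In the report, that file (sslPEMKeyFile) holds the certificate and private key together and comes with an sslPEMKeyPassword. The sketch below is an added example, not PMM code: it shows one way a client could check such a file and decide whether tlsCertificateKeyFilePassword is needed. `InspectKeyFile`, `BundleInfo` and the sample PEM are hypothetical, and the sample is constructed.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample, not real key material: the base64 bodies are dummy bytes.
const sampleKeyFile = `-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

Y29uc3RydWN0ZWQ=
-----END RSA PRIVATE KEY-----
`

// BundleInfo summarises a combined certificate + private key PEM file.
type BundleInfo struct {
	Certs, Keys   int
	NeedsPassword bool
}

// InspectKeyFile (hypothetical helper) walks every PEM block in data.
func InspectKeyFile(data []byte) (BundleInfo, error) {
	var info BundleInfo
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		switch {
		case block.Type == "CERTIFICATE":
			info.Certs++
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			info.Keys++
			// PKCS#8 uses its own block type; legacy OpenSSL sets Proc-Type.
			if block.Type == "ENCRYPTED PRIVATE KEY" || strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") {
				info.NeedsPassword = true
			}
		}
	}
	if info.Certs == 0 || info.Keys == 0 {
		return info, errors.New("key file needs both a certificate and a private key")
	}
	return info, nil
}

func main() { fmt.Println(InspectKeyFile([]byte(sampleKeyFile))) }
```

Because the file body includes the private key, whatever receives it has to store and transport it as a secret, the same as the password field.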

                People

                Assignee:
                nurlan.moldomurov Nurlan Moldomurov
                Reporter:
                hubi_oediv Hubertus Krogmann