Uploaded image for project: 'Percona Monitoring and Management'
  1. Percona Monitoring and Management
  2. PMM-5364

Ability to monitor SSL-enabled MongoDB by passing certificate parameters in 'pmm-admin add' command

    XMLWordPrintable

Details

    • 3
    • Yes
    • Yes
    • Yes

    Description

      The problem: 

      There is no ability in PMM2 to pass  SSL certificates to connect PMM. 

      Original report:

      Hello

      • Mongo Community Server 4.0
      • pmm2-client-2.2.1-6.el7.x86_64
      • SSL Part in mongodb.conf:

      sslOnNormalPorts = true
      sslPEMKeyFile = /etc/mongodb/ssl/psmdb2.pem
      sslCAFile = /etc/mongodb/ssl/mongoCA.crt
      sslPEMKeyPassword = <pw>
      sslClusterFile = /etc/mongodb/ssl/psmdb2.pem
      clusterAuthMode = x509

      https://jira.percona.com/browse/PMM-4702 mentions "fixed" but does not work on my config.

      I tried to connect pmm2 client to a mongo 4.0 with SSL enabled.
      User generated in mongob like this:

      idb.getSiblingDB("admin").createUser(

      { user: "mongodb_exporter", pwd: "$PASSWORD", roles: [

      { role: "clusterMonitor", db: "admin" }

      , { role: "read", db: "local" }],
      mechanisms: [ "SCRAM-SHA-256" ]
      })

      simple connect vi mongo is ok:

      mongo --ssl --sslCAFile /etc/mongodb/ssl/mongoCA.crt \
      --sslPEMKeyFile /etc/mongodb/ssl/psmdb2.pem \
      --host $HOST.$DOMAIN \
      --authenticationDatabase "admin" \
      -u "mongodb_exporter" -p $PASSWORD
      MongoDB shell version v4.0.14
      rs0:PRIMARY>

      https://www.percona.com/doc/percona-monitoring-and-management/2.x/setting-up/client/mongodb.html#passing-ssl-parameters-to-the-mongodb-monitoring-service

      mentions options "pmm-admin add mongodb --help" does not show, but this does not help:

      1. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN – --mongodb.tls --mongodb.tls-ca /etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert /etc/mongodb/ssl/psmdb2.pem
        pmm-admin: error: unexpected /etc/mongodb/ssl/mongoCA.crt, try --help
      2. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN – --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
        pmm-admin: error: unexpected --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem, try --help
      3. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN – --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
        pmm-admin: error: unexpected --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem, try --help
      4. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN – --mongodb.tls --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt # --mongodb.tls-cert=/etc/mongodb/ssl/psmdb2.pem
        address --mongodb.tls-ca=/etc/mongodb/ssl/mongoCA.crt: missing port in address
      5. pmm-admin add mongodb --username=mongodb_exporter --password=$PASSWORD --host=$HOST.$DOMAIN – --mongodb.tls
        Connection check failed: timeout (context deadline exceeded).

      And this note in the mentioned URL makes the usage off SSL quite useless:

      "PMM does not support passing SSL/TLS related parameters to mongodb:queries."

      Without SSL enables pmm2-client runs fine.

      Please add SSL support to pmm2-client for mongo (and postgresql / mysql) and all options and correct the documentation and "--help" output to show the needed options

       

      Suggested implementation:

      • Add new fields to add MongoDB API in pmm-managed.
        • client certificate key file
        • client certificate key file password
        • CA Cert file
      • Add new fields in DB for Agents Table.
      • Add new flags to add mongodb CLI commands in pmm-admin
        • tlsCertificateKeyFile
        • tlsCertificateKeyFilePassword
        • tlsCAFile
      • PMM-admin should read body of tlsCertificateKeyFile and tlsCAFile and send them to the pmm-managed
      • While running mongodb action commands on pmm-agent side
      • While running mongodb_exporter
        • Pass correct flags required for SSL based on mongodb_exporter version
      • QAN should be able to get data from the secured server too

       

      How to test:

      • Test with these versions
        • 4.0
        • 4.2
      1. Start mongodb via docker-compose file from mongodb-ssl.tar.gz attached to the ticket
      2. Start PMM server
      3. pmm-admin add mongodb localhost:27017 --tls --tls-certificate-key-file=PATHTOCERT --tls-certificate-key-file-password=IFPASSWORDTOCERTISSET --tls-ca-file=PATHTOCACERT
        1. certificate passed in archive file doesn't have password, so it can be ignored.
      4. Check if all of agents, exporters and etc running on this node properly.
      5. Check if mongodb explain works correctly
      6. Check if Security Threat Tool can connect to db

       

      Documentation: 

      • update ref. manual with new flags  

      new flags added to `pmm-admin add mongo`

      • --tls-certificate-key-file=PATHTOCERT - Path to TLS certificate file
      • --tls-certificate-key-file=IFPASSWORDTOCERTISSET - Password for certificate
      • --tls-ca-file=PATHTOCACERT - Path to certificate authority file

       

      Note

      • Should we update new mongodb_exporter to make it support ssl?
        No, mongodb_exporter support it by passing new parameters in URI *

      Attachments

        1. mongo-ssl.tar.gz
          6 kB
          Nurlan Moldomurov

        Issue Links

          is cloned by

          QA Automation - PMM-7115 Cannot Add MongoDB with configured SSL - Additional testing

          • High - Significant issues that affect core functionality and should be resolved relatively soon.
          • Open
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. PMM-5794 Provide Mutual SSL/TLS parameters for PMM2 client 2.40

          • Medium - Important issues that need attention but do not significantly disrupt the system's core functionality.
          • Done

          New Feature - A new feature of the product, which has yet to be developed. PMM-3474 mongodb:queries with ssl

          • High - Significant issues that affect core functionality and should be resolved relatively soon.
          • Done

          Improvement - An improvement or enhancement to an existing feature or task. PMM-4449 QAN not support ssl mode for mongodb

          • High - Significant issues that affect core functionality and should be resolved relatively soon.
          • Done

          Activity

            People

              Unassigned Unassigned
              hubi_oediv Hubertus Krogmann
              Votes:
              2 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - Not Specified
                  Not Specified
                  Logged:
                  Time Spent - 1 day, 3 hours, 20 minutes
                  1d 3h 20m

                  Smart Checklist