  1. Percona Monitoring and Management
  2. PMM-7278

`mongo_exporter` fails to authorize when MongoDB is running with `authMechanism=MONGODB-X509`


    Description

      pmm-admin version: 2.13.0

      mongo version: 4.4 - Percona

      mongo_exporter is able to connect to mongo with --tls, --tls-certificate-key-file and --tls-ca-file, but then gets errors on Mongo side because of missing authorization.

      "error getting cluster ID: (Unauthorized)"

      A straight connection to the mongo shell works with the same flags when the following mongo flags are added:

      --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509

      I do not see that pmm supports these flags.

       

      How to test:

      This repo contains files to generate and test mongo with auth x509: https://github.com/askomorokhov/mongo-x509-auth-ssl

      1. Clone the repo: https://github.com/askomorokhov/mongo-x509-auth-ssl
      2. Generate the certificate: `./generate-certs mongo-x509`
      3. Build the container: `docker build -t my-mongo-x509 --no-cache .`
      4. Run pmm: `docker-compose up -d pmm-client-bin mongo-x509`
      5. Copy certificates (see https://github.com/askomorokhov/mongo-x509-auth-ssl/blob/master/docker-compose.yaml#L41-L50):
        docker cp mongo-x509:/etc/ssl/mongodb-CA.pem mongodb-CA.pem
        docker cp mongo-x509:/etc/ssl/mongodb-client.pem mongodb-client.pem
        docker cp mongodb-client.pem pmm-client:/etc/ssl/mongodb-client.pem
        docker cp mongodb-CA.pem pmm-client:/etc/ssl/mongodb-CA.pem
      6. Go into the pmm-client container: `docker exec -ti pmm-client bash`
      7. Log in to mongo:
        mongo mongo-x509:27017/admin --ssl --sslPEMKeyFile /etc/ssl/mongodb-client.pem --sslCAFile /etc/ssl/mongodb-CA.pem --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --username "C=US,ST=CA,L=San Francisco,O=Jaspersoft,OU=JSDev,CN=admin"
      8. Configure mongo: https://www.percona.com/doc/percona-monitoring-and-management/2.x/setting-up/client/mongodb.html
      9. Run some load
      10. Start mongo monitoring:
        pmm-admin add mongodb --tls --tls-certificate-key-file=/etc/ssl/mongodb-client.pem --tls-ca-file=/etc/ssl/mongodb-CA.pem --authentication-mechanism='MONGODB-X509' --authentication-database='$external' --host=mongo-x509 MyMongoX509
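
The mongo shell flags from step 7, expressed as MongoDB connection-string options, together with a check for the TLS-only state this issue describes (the connection succeeds, then queries fail with Unauthorized). This is an added example, not code from the issue, PMM or mongodb_exporter; `BuildX509URI` and `CheckX509URI` are hypothetical helper names, and the host, file paths and subject are the ones used in the steps above.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// BuildX509URI maps the mongo shell flags from step 7 onto connection-string
// options. Hypothetical helper for illustration, not PMM or exporter code.
func BuildX509URI(host, subjectDN, certKeyFile, caFile string) (string, error) {
	if host == "" || certKeyFile == "" || caFile == "" {
		return "", errors.New("MONGODB-X509 needs a host, a client cert/key file and a CA file")
	}
	q := url.Values{}
	q.Set("tls", "true")
	q.Set("tlsCertificateKeyFile", certKeyFile)
	q.Set("tlsCAFile", caFile)
	q.Set("authMechanism", "MONGODB-X509")
	q.Set("authSource", "$external") // Encode() emits %24external
	u := url.URL{Scheme: "mongodb", Host: host, Path: "/admin", RawQuery: q.Encode()}
	if subjectDN != "" {
		u.User = url.User(subjectDN) // percent-encodes the space in the DN
	}
	return u.String(), nil
}

// CheckX509URI flags the state described in this issue: TLS options present,
// but nothing that asks the server to authenticate the certificate subject.
func CheckX509URI(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	q := u.Query()
	switch {
	case q.Get("tlsCertificateKeyFile") == "":
		return errors.New("no client certificate: X.509 authentication is impossible")
	case q.Get("authMechanism") != "MONGODB-X509":
		return errors.New("TLS only: authMechanism=MONGODB-X509 is missing")
	case q.Get("authSource") != "$external":
		return errors.New("authSource must be $external for MONGODB-X509")
	}
	return nil
}

func main() {
	uri, _ := BuildX509URI("mongo-x509:27017", "C=US,ST=CA,L=San Francisco,O=Jaspersoft,OU=JSDev,CN=admin", "/etc/ssl/mongodb-client.pem", "/etc/ssl/mongodb-CA.pem")
	fmt.Println(uri, CheckX509URI(uri))
}
```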
          

            People

              carlos.salguero Carlos Salguero
              lenad Lena D