[PMM-7278] `mongo_exporter` fails to authorize when MongoDB running with `authMechanism=MONGODB-X509` - Percona JIRA

XML

Word

Printable

Details

Type: Bug
Status: Done
Priority: High
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.21.0
Component/s: MongoDB_Exporter, PMM Admin
Labels:
- bug-blitz
- tech/MongoDB

Story Points:
0
Epic Link:
TLS support for all Agents
Sprint:
10 - Core, 07 - Core
Needs Review:
Yes
Needs QA:
Yes
Needs Doc:
Yes
Platform Team:
C/S Core

Description

pmm-admin version: 2.13.0

mongo version: 4.4 - Percona

mongo_exporter is able to connect to mongo with --tls, --tls-certificate-key-file and --tls-ca-file, but then gets errors on Mongo side because of missing authorization.

"error getting cluster ID: (Unauthorized)"

Straight connection to mongo shell works with same flags when following mongo flags are added:

--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509

I do not see that pmm supports these flags.

How to test:

This repo contains files to generate and test mongo with auth x509 https://github.com/askomorokhov/mongo-x509-auth-ssl

clone repo https://github.com/askomorokhov/mongo-x509-auth-ssl
gen certificate ./generate-certs mongo-x509
build container docker build -t my-mongo-x509 --no-cache .
run pmm docker-compose up -d pmm-client-bin mongo-x509
Copy certificates: https://github.com/askomorokhov/mongo-x509-auth-ssl/blob/master/docker-compose.yaml#L41-L50
1. docker cp mongo-x509:/etc/ssl/mongodb-CA.pem mongodb-CA.pem
  docker cp mongo-x509:/etc/ssl/mongodb-client.pem mongodb-client.pem
  docker cp mongodb-client.pem pmm-client:/etc/ssl/mongodb-client.pem
  docker cp mongodb-CA.pem pmm-client:/etc/ssl/mongodb-CA.pem
go into pmm-client container: docker exec -ti pmm-client bash
login into mongo:
mongo mongo-x509:27017/admin --ssl --sslPEMKeyFile /etc/ssl/mongodb-client.pem --sslCAFile /etc/ssl/mongodb-CA.pem --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --username "C=US,ST=CA,L=San Francisco,O=Jaspersoft,OU=JSDev,CN=admin"
configure mongo https://www.percona.com/doc/percona-monitoring-and-management/2.x/setting-up/client/mongodb.html
run some load
start mongo monitoring:
pmm-admin add mongodb --tls --tls-certificate-key-file=/etc/ssl/mongodb-client.pem --tls-ca-file=/etc/ssl/mongodb-CA.pem --authentication-mechanism='MONGODB-X509' --authentication-database='$external' --host=mongo-x509 MyMongoX509

Attachments

Issue Links

blocks

PMM-7477 Support custom TLS certificates when monitoring remote MongoDB instances

Done

has to be finished together with

PMM-7115 Cannot Add MongoDB with configured SSL - Additional testing

Open

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(2 mentioned in)

Activity

People

Assignee:: Carlos Salguero (Inactive)

Reporter:: Lena D

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 06/Jan/21 12:28 PM

Updated:: 30/Aug/21 1:58 PM

Resolved:: 09/Aug/21 12:07 PM