  1. Percona Monitoring and Management
  2. PMM-7421

Add support for using SSL certificates between pmm-admin and monitored MySQL databases


    Details

    • Story Points:
      1
    • Sprint:
      08 - Core, 07 - Core
    • Needs Review:
      Yes
    • Needs QA:
      Yes
    • Needs Doc:
      Yes
    • Platform Team:
      C/S Core

      Description

      User story:

      • As a DBA I need to be able to connect my MySQL service to the PMM specifying TLS options so that PMM can connect and collect metrics

      UI/UX:
      >pmm-admin add mysql --ssl-ca=....

      Acceptance criteria

      1. The user is able to specify the --ssl-ca flag and its parameters
      2. The user is able to specify the --ssl-cert flag and its parameters
      3. The user is able to specify the --ssl-key flag and its parameters
      4. PMM is added to monitoring and is collecting metrics and queries

      Out of scope:

      • Adding TLS parameters for Remote instances
      • Making TLS flags consistent across all technologies. We'll do this later, but we need to come to the same UI

       

      Suggested implementation:

      • Add new fields required for certificate to add mysql DB API in pmm-managed.
      • Add new fields in DB for Agents Table.
      • Add new flags (mentioned above) to add mysql CLI commands in pmm-admin.
      • PMM-admin should read body of certificate and send it to pmm-managed.
      • PMM-managed should generate my.cnf from provided certificates.
      • Reload, use this config for all connections by calling mysql.RegisterTLSConfig

       

      How to test:
      See how to test here please: https://jira.percona.com/browse/PMM-7847 

      Details:

      --ssl-ca: The path name of the Certificate Authority (CA) certificate file. This option, if used, must specify the same certificate used by the server. (--ssl-capath is similar but specifies the path name of a directory of CA certificate files.)

      --ssl-cert: The path name of the client public key certificate file.

      --ssl-key: The path name of the client private key file.
      ----------------

      There is no way to tell pmm-admin to use a particular set of SSL certificates for connecting to the DB. We do have --tls and --tls-skip-verify, but we can't use custom certificates for client connections with these arguments only.

      Additionally, as far as I know, pmm-admin will not try to parse the available configuration files (for options other than user/pass and basic DSN), and try to use the SSL settings from the [client] section.

      For MySQL, for instance, you can find more information on this here:

      https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html#using-encrypted-connections-client-side-configuration 

      and here:

      https://dev.mysql.com/doc/refman/5.7/en/connection-options.html#encrypted-connection-options 

      There is no need to add all supported variables, but at least a basic subset that allows pmm-admin to use certificates with a DB.

      PMM v1 used to have something like this for the MongoDB exporter.

      Additionally, we should think of adding these to the "Add Remote Instance" menu within the web UI.
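
The suggested implementation above ends with the certificate bodies being turned into a TLS configuration for mysql.RegisterTLSConfig. The following is an added example, not code from PMM, of building and validating that configuration from the PEM bodies of --ssl-ca, --ssl-cert and --ssl-key using only the Go standard library. The names buildTLSConfig and selfSigned are hypothetical, and the certificate is a throwaway one constructed inside the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildTLSConfig (hypothetical helper) turns the PEM bodies of --ssl-ca, --ssl-cert and
// --ssl-key into the *tls.Config that would be passed to mysql.RegisterTLSConfig.
func buildTLSConfig(caPEM, certPEM, keyPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ssl-ca: no valid CA certificate in PEM body")
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails if the key does not match the cert
	if err != nil {
		return nil, fmt.Errorf("ssl-cert/ssl-key: %w", err)
	}
	return &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{pair}}, nil
}

// selfSigned returns a constructed, throwaway certificate and key (sample input only).
func selfSigned() (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	cert, key := selfSigned() // self-signed, so the cert doubles as its own CA
	_, otherKey := selfSigned()
	_, okErr := buildTLSConfig(cert, cert, key)
	_, badErr := buildTLSConfig(cert, cert, otherKey) // mismatched key is rejected up front
	fmt.Println("matching key:", okErr, "| wrong key:", badErr)
}
```

Validating the three bodies at this point means a wrong CA file or a key that does not belong to the certificate is reported when the service is added, rather than surfacing later as a failed connection from the exporter.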

              People

              Assignee:
              jiri.ctvrtka Jiří Čtvrtka
              Reporter:
              agustin.gallego Agustín Gallego