Percona Monitoring and Management / PMM-7477

Support custom TLS certificates when monitoring remote MongoDB instances


    Description

      User story:
      As a PMM user, I need to be able to specify the authentication mechanism for MongoDB when adding a MongoDB instance to PMM, so that PMM uses this mechanism to connect to MongoDB.

      UI/UX:

      • an additional field when adding a remote MongoDB instance for monitoring

      Acceptance criteria

      • the user is able to select or type the mechanism while adding the remote instance
      • the selected mechanism is used for the connection to MongoDB

      Important note:
      When using certificates with the $external database, it is not possible to set a password.
      The user name can be set to the certificate's subject (distinguished name), e.g. C=US,ST=CA,L=San Francisco,O=Jaspersoft,OU=JSDev,CN=admin, but it is not mandatory, so the user and password fields must not be mandatory.

      Example connection command:

      mongo localhost/admin --ssl \
       --sslPEMKeyFile mongodb-client.pem \
       --sslCAFile mongodb-CA.pem \
       --authenticationDatabase '$external' \
       --authenticationMechanism MONGODB-X509 \
       --username "C=US,ST=CA,L=San Francisco,O=Jaspersoft,OU=JSDev,CN=admin"
      

      Without specifying the user it also works, because with MONGODB-X509 the server takes the user name from the subject of the client certificate:

      mongo localhost/admin --ssl \
           --sslPEMKeyFile mongodb-client.pem \
           --sslCAFile mongodb-CA.pem \
           --authenticationDatabase '$external' \
           --authenticationMechanism MONGODB-X509
      
      2021-04-08T12:52:02.254-0300 W  CONTROL  [main] Option: ssl is deprecated. Please use tls instead.
      2021-04-08T12:52:02.254-0300 W  CONTROL  [main] Option: sslPEMKeyFile is deprecated. Please use tlsCertificateKeyFile instead.
      2021-04-08T12:52:02.254-0300 W  CONTROL  [main] Option: sslCAFile is deprecated. Please use tlsCAFile instead.
      MongoDB shell version v4.2.10
      connecting to: mongodb://localhost:27017/admin?authMechanism=MONGODB-X509&authSource=%24external&compressors=disabled&gssapiServiceName=mongodb
      Implicit session: session { "id" : UUID("e41be153-d921-48a1-bdf3-fe161a372fc4") }
      MongoDB server version: 3.6.23
      WARNING: shell and server versions do not match
      

      For example, if you try to set a password when creating the user on the $external database, MongoDB returns:

      {
      "ok" : 0,
      "errmsg" : "Cannot set the password for users defined on the '$external' database",
      "code" : 2,
      "codeName" : "BadValue"
      } 
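      The X.509 rules described in this note (user name optional, derived from the certificate subject, no password on $external) can be checked before any connection is attempted. The following is an added example, not PMM or mongodb_exporter code, written in Go (the language of both) with only the standard library: it builds a throwaway self-signed client certificate carrying the subject from the ticket (constructed test data), derives the MONGODB-X509 user name from it, assembles a connection URI with authSource=$external percent-encoded as in the shell output above, refuses a password, and flags a user name that does not match the certificate. The function names and the URI builder are illustrative; PMM's real connection code and the mongo-go-driver are not assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// X509Username returns the name MongoDB expects for MONGODB-X509: the client
// certificate subject in RFC 2253 form (most specific RDN first), which is
// what `openssl x509 -subject -nameopt RFC2253` prints.
func X509Username(cert *x509.Certificate) string {
	return cert.Subject.String()
}

// percentEncode escapes every byte outside the RFC 3986 unreserved set, so the
// '=', ',' and ' ' of a DN (and the '$' of $external) are safe inside a URI.
func percentEncode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		unreserved := ('A' <= c && c <= 'Z') || ('a' <= c && c <= 'z') ||
			('0' <= c && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~'
		if unreserved {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// X509ConnectionURI builds a connection string equivalent to the shell command
// on this page: authMechanism=MONGODB-X509, authSource=$external, TLS on.
// username may be empty (the server then uses the certificate subject); a
// password is refused because users defined on $external cannot have one.
func X509ConnectionURI(host, username, password string) (string, error) {
	if password != "" {
		return "", errors.New("MONGODB-X509 authenticates against $external, which cannot hold a password")
	}
	userinfo := ""
	if username != "" {
		userinfo = percentEncode(username) + "@"
	}
	return fmt.Sprintf("mongodb://%s%s/?authMechanism=MONGODB-X509&authSource=%s&tls=true",
		userinfo, host, percentEncode("$external")), nil
}

// CheckUsernameMatchesCert rejects an explicit user name that differs from the
// presented certificate's subject; the server would otherwise report only an
// Unauthorized error.
func CheckUsernameMatchesCert(username string, cert *x509.Certificate) error {
	if username == "" {
		return nil // optional: the server derives it from the certificate
	}
	if want := X509Username(cert); username != want {
		return fmt.Errorf("user name %q does not match client certificate subject %q", username, want)
	}
	return nil
}

// newClientCert builds a throwaway self-signed client certificate with the
// subject used in the ticket. Constructed test data, not a deployment cert.
func newClientCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Country: []string{"US"}, Province: []string{"CA"}, Locality: []string{"San Francisco"},
			Organization: []string{"Jaspersoft"}, OrganizationalUnit: []string{"JSDev"}, CommonName: "admin",
		},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newClientCert()
	if err != nil {
		panic(err)
	}
	user := X509Username(cert)
	fmt.Println("derived user name:", user)
	for _, u := range []string{"", user} { // with and without an explicit user
		uri, _ := X509ConnectionURI("localhost:27017", u, "")
		fmt.Println(uri)
	}
	fmt.Println(CheckUsernameMatchesCert("CN=someone-else", cert))
	_, err = X509ConnectionURI("localhost:27017", user, "hunter2")
	fmt.Println(err)
}
```

      Note that the derived name comes out in RFC 2253 order (CN first, C last), the reverse of the openssl "oneline" order quoted in this ticket; MongoDB compares the user name against the RFC 2253 form, so a UI that accepts a typed user name should validate it against the certificate rather than trust the order the operator copied it in.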

       


      Out of scope:
      TBD

      Suggested implementation:
      TBD

      How to test:
      TBD

      Details:  
      TBD

      Original report:
       

      pmm-admin version: 2.13.0

      mongo version: 4.4 - Percona

      mongo_exporter is able to connect to mongo with --tls, --tls-certificate-key-file and --tls-ca-file, but then gets errors on the Mongo side because of missing authorization.

      "error getting cluster ID: (Unauthorized)"

      A direct connection with the mongo shell works with the same flags when the following mongo flags are added:

      --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509

      I do not see that pmm supports these flags.

            People

              tiago.mota Tiago Mota (Inactive)
              roma.novikov Roma Novikov
              Time Tracking
                Estimated: Not Specified
                Remaining: Not Specified
                Logged: 2h