Details
- New Feature
- Status: Done
- High
- Resolution: Done
- None
- 0.5
- Yes
- Yes
- Yes
- Impediment
- [obsolete] C/S Core
Description
User story:
As a PMM user, I need to be able to specify the authentication mechanism for MongoDB when I'm adding a MongoDB instance to PMM, so that PMM uses this mechanism to connect to MongoDB.
UI/UX:
- An additional field when adding a remote MongoDB instance for monitoring
Acceptance criteria
- The user is able to select or type the mechanism when adding the remote instance
- The mechanism is used for the connection to MongoDB
Important note:
When using certificates and the $external db, it is not possible to set a password.
The user can be set to the certificate's domain information, like C=US,ST=CA,L=San Francisco,O=Jaspersoft,OU=JSDev,CN=admin, but it is not mandatory, so we need to make the user and password fields not mandatory.
Example connection command:
mongo localhost/admin --ssl \
  --sslPEMKeyFile mongodb-client.pem \
  --sslCAFile mongodb-CA.pem \
  --authenticationDatabase '$external' \
  --authenticationMechanism MONGODB-X509 \
  --username "C=US,ST=CA,L=San Francisco,O=Jaspersoft,OU=JSDev,CN=admin"
Without specifying the user, it also works because you are using certificates:
mongo localhost/admin --ssl \
  --sslPEMKeyFile mongodb-client.pem \
  --sslCAFile mongodb-CA.pem \
  --authenticationDatabase '$external' \
  --authenticationMechanism MONGODB-X509
2021-04-08T12:52:02.254-0300 W CONTROL [main] Option: ssl is deprecated. Please use tls instead.
2021-04-08T12:52:02.254-0300 W CONTROL [main] Option: sslPEMKeyFile is deprecated. Please use tlsCertificateKeyFile instead.
2021-04-08T12:52:02.254-0300 W CONTROL [main] Option: sslCAFile is deprecated. Please use tlsCAFile instead.
MongoDB shell version v4.2.10
connecting to: mongodb://localhost:27017/admin?authMechanism=MONGODB-X509&authSource=%24external&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("e41be153-d921-48a1-bdf3-fe161a372fc4") }
MongoDB server version: 3.6.23
WARNING: shell and server versions do not match
For example, if you try to set a password when creating the user in MongoDB you will get:
{ "ok" : 0, "errmsg" : "Cannot set the password for users defined on the '$external' database", "code" : 2, "codeName" : "BadValue" }
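One way the "user and password not mandatory" rule from the note above could be enforced when building the connection string, as an added example that is not PMM's or mongodb_exporter's own code. The RemoteMongo type, its fields and BuildURI are hypothetical names, and adding tls=true to the URI is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// RemoteMongo models hypothetical "add remote MongoDB" form fields.
type RemoteMongo struct {
	Host, Database     string
	Username, Password string // both optional
	AuthMechanism      string // empty lets the driver negotiate
	AuthSource         string
}

// BuildURI validates the fields and returns a MongoDB connection string.
func BuildURI(m RemoteMongo) (string, error) {
	u := url.URL{Scheme: "mongodb", Host: m.Host, Path: "/" + m.Database}
	q := url.Values{}
	if m.AuthMechanism == "MONGODB-X509" {
		// The server rejects passwords for users defined on $external.
		if m.Password != "" {
			return "", errors.New("MONGODB-X509 does not take a password")
		}
		if m.AuthSource == "" {
			m.AuthSource = "$external"
		} else if m.AuthSource != "$external" {
			return "", errors.New("MONGODB-X509 requires authSource $external")
		}
		if m.Username != "" { // optional: the certificate identifies the user
			u.User = url.User(m.Username)
		}
		q.Set("tls", "true") // assumption: request TLS in the URI itself
	} else if m.Username != "" {
		u.User = url.UserPassword(m.Username, m.Password)
	}
	if m.AuthMechanism != "" {
		q.Set("authMechanism", m.AuthMechanism)
	}
	if m.AuthSource != "" {
		q.Set("authSource", m.AuthSource)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	fmt.Println(BuildURI(RemoteMongo{Host: "localhost:27017", Database: "admin", AuthMechanism: "MONGODB-X509"}))
}
```

With no username the result carries the same authMechanism and authSource=%24external parameters that the shell prints in its "connecting to:" line above.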
Out of scope:
TBD
Suggested implementation:
TBD
How to test:
TBD
Details:
TBD
Original report:
pmm-admin version: 2.13.0
mongo version: 4.4 - Percona
mongo_exporter is able to connect to mongo with --tls, --tls-certificate-key-file and --tls-ca-file, but then gets errors on Mongo side because of missing authorization.
"error getting cluster ID: (Unauthorized)"
Straight connection to the mongo shell works with the same flags when the following mongo flags are added:
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
I do not see that pmm supports these flags.