diff --git a/.gitignore b/.gitignore index 403daa91..5d7d5d07 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,10 @@ yarn-debug.log* yarn-error.log* lerna-debug.log* +pmm_framework +certs +pki + # Diagnostic reports (https://nodejs.org/api/report.html) report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json diff --git a/pmm_psmdb-pbm_setup/Dockerfile b/pmm_psmdb-pbm_setup/Dockerfile index 2c302fe8..f5e1805e 100644 --- a/pmm_psmdb-pbm_setup/Dockerfile +++ b/pmm_psmdb-pbm_setup/Dockerfile @@ -84,7 +84,8 @@ RUN if [[ "$PMM_CLIENT_VERSION" == http* ]]; then \ curl -Lf -o /tmp/mgodatagen.tar.gz https://github.com/feliixx/mgodatagen/releases/download/v0.11.2/mgodatagen_0.11.2_Linux_x86_64.tar.gz && \ tar -xf /tmp/mgodatagen.tar.gz -C /usr/bin && \ dnf clean all; \ - rm -rf /var/cache/dnf /var/cache/dnf /data/db && mkdir -p /data/db; + rm -rf /var/cache/dnf /var/cache/dnf /data/db && mkdir -p /data/db; \ + dnf -y install krb5-workstation COPY conf/sysconfig/mongod /etc/sysconfig/ COPY keyfile /etc/keyfile diff --git a/pmm_psmdb-pbm_setup/conf/configure_krb5.sh b/pmm_psmdb-pbm_setup/conf/configure_krb5.sh new file mode 100644 index 00000000..395193df --- /dev/null +++ b/pmm_psmdb-pbm_setup/conf/configure_krb5.sh 
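Review bot: `dnf -y install krb5-workstation` is appended after `dnf clean all` and the `rm -rf /var/cache/dnf`, so the metadata and package cache it fetches stay in the final image layer, and because the new line is joined with `;` rather than `&&`, the exit status of the preceding `rm … && mkdir -p /data/db` no longer decides whether the build fails. Move the install ahead of the cleanup and chain it: `dnf -y install krb5-workstation && \` placed before `dnf clean all; \`, leaving the `rm -rf … && mkdir -p /data/db` statement as the last command of the RUN. The RUN instruction begins above this hunk (`if [[ "$PMM_CLIENT_VERSION" == http* ]]`), so the rest of its branches are not visible here.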
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Configure Kerberos for replicaset setup
+set -e
+
+# Create krb5.conf
+cat > /etc/krb5.conf << EOL
+[libdefaults]
+ default_realm = PERCONATEST.COM
+ forwardable = true
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ignore_acceptor_hostname = true
+ rdns = false
+[realms]
+ PERCONATEST.COM = {
+ kdc_ports = 88
+ kdc = kerberos
+ admin_server = kerberos
+ }
+[domain_realm]
+ .perconatest.com = PERCONATEST.COM
+ perconatest.com = PERCONATEST.COM
+ kerberos = PERCONATEST.COM
+EOL
+
+# Initialize Kerberos database only if it doesn't exist
+if [ ! -f /var/lib/krb5kdc/principal ]; then
+ kdb5_util -P password create -s
+fi
+# Add principals (ignore if they already exist)
+kadmin.local -q "addprinc -pw password root/admin" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs101" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs102" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs103" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/127.0.0.1" 2>/dev/null || true
+kadmin.local -q "addprinc -pw password1 pmm-test" 2>/dev/null || true
+
+# Create extra replicaset member principals if needed
+if [ "${COMPOSE_PROFILES}" = "extra" ]; then
+ kadmin.local -q "addprinc -pw mongodb mongodb/rs201" 2>/dev/null || true
+ kadmin.local -q "addprinc -pw mongodb mongodb/rs202" 2>/dev/null || true
+ kadmin.local -q "addprinc -pw mongodb mongodb/rs203" 2>/dev/null || true
+fi
+
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs101@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs102@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs103@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/127.0.0.1@PERCONATEST.COM"
+
+if [ "${COMPOSE_PROFILES}" = "extra" ]; then
+ kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs201@PERCONATEST.COM"
+ kadmin.local -q "ktadd -k 
/keytabs/mongodb.keytab mongodb/rs202@PERCONATEST.COM" + kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs203@PERCONATEST.COM" +fi + +# Add pmm-test principal to keytab +kadmin.local -q "ktadd -k /keytabs/mongodb.keytab pmm-test@PERCONATEST.COM" + +# Start KDC and keep it running +krb5kdc -n & +kadmind & +tail -f /dev/null \ No newline at end of file diff --git a/pmm_psmdb-pbm_setup/conf/krb/krb5.conf b/pmm_psmdb-pbm_setup/conf/krb/krb5.conf index 527d6078..4535f121 100644 --- a/pmm_psmdb-pbm_setup/conf/krb/krb5.conf +++ b/pmm_psmdb-pbm_setup/conf/krb/krb5.conf @@ -9,6 +9,7 @@ PERCONATEST.COM = { kdc_ports = 88 kdc = kerberos + admin_server = kerberos } [domain_realm] .perconatest.com = PERCONATEST.COM diff --git a/pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf b/pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf index 7ecaf250..0db88e01 100644 --- a/pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf +++ b/pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf @@ -22,3 +22,7 @@ operationProfiling: security: keyFile: /etc/keyfile + authorization: enabled + +setParameter: + authenticationMechanisms: SCRAM-SHA-1,GSSAPI diff --git a/pmm_psmdb-pbm_setup/docker-compose-rs.yaml b/pmm_psmdb-pbm_setup/docker-compose-rs.yaml index a90b92ea..f1fc1f1e 100644 --- a/pmm_psmdb-pbm_setup/docker-compose-rs.yaml +++ b/pmm_psmdb-pbm_setup/docker-compose-rs.yaml @@ -18,6 +18,7 @@ services: rs101: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["classic", "extra"] ports: @@ -34,6 +35,7 @@ services: - ./conf/datagen:/etc/datagen:ro - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: 
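Review bot: Every `ktadd` call re-keys its principal and appends the new key version to `/keytabs/mongodb.keytab`, so with the persistent `keytabs` volume each restart of the kerberos container bumps the kvno and grows the file while the `addprinc` lines above are deliberately idempotent; either skip the ktadd block when the keytab already exists or start it clean with `rm -f /keytabs/mongodb.keytab` before the first `ktadd`. The `pmm-test` client key is written into the same keytab as the mongod service keys and that file is mounted into every replica member, which gives each node credentials it does not need — a separate `ktadd -k /keytabs/pmm-test.keytab pmm-test@PERCONATEST.COM` keeps the service keytab to service keys. `set -e` does not cover the backgrounded `krb5kdc -n &` and `kadmind &`, and `tail -f /dev/null` keeps the container "running" after either daemon dies; ending with `kadmind &` followed by `exec krb5kdc -n` ties the container lifetime to the KDC. The heredoc also duplicates conf/krb/krb5.conf byte for byte apart from indentation, so the two copies will drift; a comment naming which one is authoritative would help.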
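Review bot: `authenticationMechanisms: SCRAM-SHA-1,GSSAPI` replaces the server's default mechanism list rather than extending it, so SCRAM-SHA-256 is no longer offered; if any existing user or the pmm-agent credentials were created as SCRAM-SHA-256-only they would stop authenticating after this change, and SHA-1 alone is the weaker choice in any case. Unless SHA-1-only is intentional, `authenticationMechanisms: SCRAM-SHA-256,SCRAM-SHA-1,GSSAPI` keeps the default plus GSSAPI. `authorization: enabled` is now fixed in the file, which makes the `sed 's/authorization: disabled/authorization: enabled/'` added to start-rs-only.sh a no-op; a comment here such as `# authorization is always on for this config; start-rs-only.sh no longer needs to toggle it` would prevent the next reader from expecting a disabled phase.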
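Review bot: `- kerberos` in the short-form `depends_on` only orders container creation and does not wait for the `kerberos` healthcheck, so rs101 can start mongod before the KDC has produced `/keytabs/mongodb.keytab`. Since the kerberos service defines a healthcheck, use the long form so the member waits for it; the same applies to the rs102, rs103, rs201, rs202 and rs203 hunks that add the same line.
```yaml
    depends_on:
      build_member:
        condition: service_started
      kerberos:
        condition: service_healthy
```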
@@ -44,10 +46,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs101 hostname: rs101 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs102: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["classic", "extra"] networks: @@ -61,6 +70,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -71,10 +81,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs102 hostname: rs102 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs103: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["classic", "extra"] networks: @@ -88,6 +105,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -98,10 +116,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs103 hostname: rs103 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs201: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["extra"] ports: @@ -117,6 +142,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -127,10 +153,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs201 hostname: rs201 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs202: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["extra"] networks: 
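Review bot: `chown -R mongod:mongod /keytabs` runs once at container start, and with short-form `depends_on` nothing guarantees the KDC has already written `mongodb.keytab`, so a keytab created afterwards keeps whatever ownership the kerberos container gave it and mongod may be unable to read it; each of the six members also re-chowns the same shared volume. Either have configure_krb5.sh set ownership after its `ktadd` calls, or wait in the wrapper before the chown: `until [ -s /keytabs/mongodb.keytab ]; do sleep 1; done`. The identical five-line entrypoint is repeated for rs102, rs103 and rs201 in this line and rs202 and rs203 in the next; a compose extension field (`x-member-entrypoint: &member_entrypoint`) referenced via `entrypoint: *member_entrypoint` would keep a single copy to maintain.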
@@ -144,6 +177,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -154,10 +188,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs202 hostname: rs202 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs203: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["extra"] networks: @@ -171,6 +212,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -181,6 +223,12 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs203 hostname: rs203 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init minio: image: minio/minio @@ -218,6 +266,30 @@ services: entrypoint: > /bin/sh -c " sleep 5; /usr/bin/mc alias set myminio http://minio:9000 minio1234 minio1234; /usr/bin/mc mb myminio/bcp; exit 0; " + kerberos: + image: kerberos/local + build: + dockerfile: ../pmm_psmdb_diffauth_setup/Dockerfile-kerberos + context: . + container_name: kerberos + hostname: kerberos + profiles: ["classic", "extra"] + networks: + - pmm-qa + - pmm-ui-tests1 + - qa-integration + - pmm-ui-tests2 + - pmm-ui-tests3 + environment: + - "KRB5_TRACE=/dev/stderr" + volumes: + - keytabs:/keytabs + healthcheck: + test: ["CMD", "kadmin.local", "-q", "listprincs"] + interval: 2s + timeout: 1s + retries: 5 + networks: qa-integration: external: true @@ -233,3 +305,7 @@ networks: pmm-qa: name: pmm-qa external: true + +volumes: + keytabs: + driver: local diff --git a/pmm_psmdb-pbm_setup/start-rs-only.sh b/pmm_psmdb-pbm_setup/start-rs-only.sh index 7f88ad95..d2c9b196 100755 --- a/pmm_psmdb-pbm_setup/start-rs-only.sh +++ b/pmm_psmdb-pbm_setup/start-rs-only.sh 
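Review bot: The healthcheck `kadmin.local -q listprincs` passes as soon as the KDC database exists, which in configure_krb5.sh happens before the `ktadd` calls fill `/keytabs/mongodb.keytab` and before `krb5kdc` is started, so even `condition: service_healthy` would not mean the keytab is complete or port 88 is answering. Checking the artifact consumers actually wait for, e.g. `test: ["CMD", "sh", "-c", "test -s /keytabs/mongodb.keytab && kadmin.local -q listprincs"]`, makes the gate meaningful; `timeout: 1s` is also tight for kadmin.local on a cold container. `KRB5_TRACE=/dev/stderr` sends every Kerberos library trace line, principal names included, to the container log, which is reasonable for a test fixture but deserves a one-line comment stating it is intentional.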
@@ -27,9 +27,37 @@ if [ $mongo_setup_type == "pss" ]; then else bash -e ./configure-psa.sh fi + +# Enable authorization first +echo "Enabling authorization..." +docker exec rs101 sed -i 's/authorization: disabled/authorization: enabled/' /etc/mongod/mongod.conf +docker exec rs101 systemctl restart mongod +sleep 10 + +# Setup Kerberos users after authorization is enabled +echo "Setting up Kerberos authentication users..." +# Wait for MongoDB to be ready +sleep 5 +# Direct command to create Kerberos user +docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').createUser({user: 'pmm-test@PERCONATEST.COM', roles: [{role: 'explainRole', db: 'admin'}, {role: 'clusterMonitor', db: 'admin'}, {role: 'userAdminAnyDatabase', db: 'admin'}, {role: 'dbAdminAnyDatabase', db: 'admin'}, {role: 'readWriteAnyDatabase', db: 'admin'}, {role: 'read', db: 'local'}]})" +echo "✓ Kerberos user setup completed" + bash -x ./configure-agents.sh if [ $profile = "extra" ]; then +# Enable authorization first +echo "Enabling authorization..." + docker exec rs201 sed -i 's/authorization: disabled/authorization: enabled/' /etc/mongod/mongod.conf + docker exec rs201 systemctl restart mongod + sleep 10 + + # Setup Kerberos users after authorization is enabled + echo "Setting up Kerberos authentication users..." + # Wait for MongoDB to be ready + sleep 5 + # Direct command to create Kerberos user + docker exec rs201 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').createUser({user: 'pmm-test@PERCONATEST.COM', roles: [{role: 'explainRole', db: 'admin'}, {role: 'clusterMonitor', db: 'admin'}, {role: 'userAdminAnyDatabase', db: 'admin'}, {role: 'dbAdminAnyDatabase', db: 'admin'}, {role: 'readWriteAnyDatabase', db: 'admin'}, {role: 'read', db: 'local'}]})" + echo "✓ Kerberos user setup completed" if [ $mongo_setup_type == "pss" ]; then bash -x ./configure-extra-replset.sh else 
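Review bot: The block that enables authorization and creates the `$external` user is duplicated verbatim for rs101 and rs201 (the rs201 copy is indented inconsistently with the `if` it sits in), and the `sed 's/authorization: disabled/authorization: enabled/'` is a no-op now that conf/mongod-rs/mongod.conf ships `authorization: enabled`, so the `systemctl restart mongod` plus `sleep 10` and `sleep 5` cost 15 s per node without changing state. Factoring it into one function parameterized by the container name and polling mongod instead of sleeping removes the duplication and the fixed delays, as below. `-p root` on the `docker exec` command line is also visible in `ps` output and in any `bash -x` trace of this script, so feeding the password via environment or a file would be the safer form even for a fixture. The `if [ $profile = "extra" ]` block this hunk modifies ends outside the hunk.
```shell
# Enable authorization on one member and create the Kerberos test user.
# $1 - container name of the replica set member (rs101, rs201).
setup_kerberos_user() {
  local node=$1
  echo "Enabling authorization on ${node}..."
  docker exec "${node}" sed -i 's/authorization: disabled/authorization: enabled/' /etc/mongod/mongod.conf
  docker exec "${node}" systemctl restart mongod
  # Poll readiness instead of a fixed sleep; the createUser below reports any failure.
  local i
  for ((i = 0; i < 30; i++)); do
    docker exec "${node}" mongo --quiet -u root -p root --authenticationDatabase admin --eval 'db.adminCommand({ping: 1})' >/dev/null 2>&1 && break
    sleep 1
  done
  echo "Setting up Kerberos authentication users on ${node}..."
  docker exec "${node}" mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').createUser({user: 'pmm-test@PERCONATEST.COM', roles: [{role: 'explainRole', db: 'admin'}, {role: 'clusterMonitor', db: 'admin'}, {role: 'userAdminAnyDatabase', db: 'admin'}, {role: 'dbAdminAnyDatabase', db: 'admin'}, {role: 'readWriteAnyDatabase', db: 'admin'}, {role: 'read', db: 'local'}]})"
  echo "✓ Kerberos user setup completed"
}

setup_kerberos_user rs101
# … unchanged: bash -x ./configure-agents.sh …
if [ $profile = "extra" ]; then
  setup_kerberos_user rs201
  # … unchanged: pss / psa branch for the extra replica set …
```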
diff --git a/pmm_psmdb_diffauth_setup/Dockerfile-kerberos b/pmm_psmdb_diffauth_setup/Dockerfile-kerberos
index 97e412ba..beecc25b 100644
--- a/pmm_psmdb_diffauth_setup/Dockerfile-kerberos
+++ b/pmm_psmdb_diffauth_setup/Dockerfile-kerberos
@@ -2,4 +2,4 @@ FROM alpine
 RUN apk add --no-cache bash krb5 krb5-server krb5-pkinit
 COPY conf/configure_krb5.sh /var/lib/krb5kdc/
 EXPOSE 88/udp
-ENTRYPOINT [ "sh", "/var/lib/krb5kdc/configure_krb5.sh"]
+ENTRYPOINT [ "sh", "/var/lib/krb5kdc/configure_krb5.sh"]
\ No newline at end of file