From efac0d60ec0179526dca8e8002cb95b5830019cb Mon Sep 17 00:00:00 2001 From: yurkovychv Date: Thu, 31 Jul 2025 20:09:33 +0300 Subject: [PATCH 1/4] PMM-14184 enable kerberos for default setup --- pmm_psmdb-pbm_setup/Dockerfile | 3 +- pmm_psmdb-pbm_setup/conf/configure_krb5.sh | 63 +++++++++++ pmm_psmdb-pbm_setup/conf/krb/krb5.conf | 1 + .../conf/mongod-rs/mongod.conf | 4 + pmm_psmdb-pbm_setup/docker-compose-rs.yaml | 76 +++++++++++++ pmm_psmdb-pbm_setup/start-rs-only.sh | 15 +++ pmm_psmdb-pbm_setup/test-kerberos.sh | 103 ++++++++++++++++++ pmm_psmdb_diffauth_setup/Dockerfile-kerberos | 2 +- 8 files changed, 265 insertions(+), 2 deletions(-) create mode 100644 pmm_psmdb-pbm_setup/conf/configure_krb5.sh create mode 100755 pmm_psmdb-pbm_setup/test-kerberos.sh diff --git a/pmm_psmdb-pbm_setup/Dockerfile b/pmm_psmdb-pbm_setup/Dockerfile index 2c302fe8..f5e1805e 100644 --- a/pmm_psmdb-pbm_setup/Dockerfile +++ b/pmm_psmdb-pbm_setup/Dockerfile @@ -84,7 +84,8 @@ RUN if [[ "$PMM_CLIENT_VERSION" == http* ]]; then \ curl -Lf -o /tmp/mgodatagen.tar.gz https://github.com/feliixx/mgodatagen/releases/download/v0.11.2/mgodatagen_0.11.2_Linux_x86_64.tar.gz && \ tar -xf /tmp/mgodatagen.tar.gz -C /usr/bin && \ dnf clean all; \ - rm -rf /var/cache/dnf /var/cache/dnf /data/db && mkdir -p /data/db; + rm -rf /var/cache/dnf /var/cache/dnf /data/db && mkdir -p /data/db; \ + dnf -y install krb5-workstation COPY conf/sysconfig/mongod /etc/sysconfig/ COPY keyfile /etc/keyfile diff --git a/pmm_psmdb-pbm_setup/conf/configure_krb5.sh b/pmm_psmdb-pbm_setup/conf/configure_krb5.sh new file mode 100644 index 00000000..395193df --- /dev/null +++ b/pmm_psmdb-pbm_setup/conf/configure_krb5.sh 
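Review bot: `dnf -y install krb5-workstation` is chained after `dnf clean all` and the `rm -rf /var/cache/dnf` on the preceding lines, so the metadata pulled by the new install stays in the layer that the earlier cleanup was meant to keep small; move the install before `dnf clean all; \` so the cache is purged once, after everything is installed. The `RUN if [[ "$PMM_CLIENT_VERSION" == http* ]]` branch starts above the hunk, so it is not visible here whether this install runs on every build or only on that branch; if every member image needs the Kerberos client libraries, it belongs in an unconditional install step. The RUN instruction begins outside the hunk.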
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Configure Kerberos for replicaset setup
+set -e
+
+# Create krb5.conf
+cat > /etc/krb5.conf << EOL
+[libdefaults]
+ default_realm = PERCONATEST.COM
+ forwardable = true
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ignore_acceptor_hostname = true
+ rdns = false
+[realms]
+ PERCONATEST.COM = {
+ kdc_ports = 88
+ kdc = kerberos
+ admin_server = kerberos
+ }
+[domain_realm]
+ .perconatest.com = PERCONATEST.COM
+ perconatest.com = PERCONATEST.COM
+ kerberos = PERCONATEST.COM
+EOL
+
+# Initialize Kerberos database only if it doesn't exist
+if [ ! -f /var/lib/krb5kdc/principal ]; then
+ kdb5_util -P password create -s
+fi
+# Add principals (ignore if they already exist)
+kadmin.local -q "addprinc -pw password root/admin" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs101" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs102" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs103" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/127.0.0.1" 2>/dev/null || true
+kadmin.local -q "addprinc -pw password1 pmm-test" 2>/dev/null || true
+
+# Create extra replicaset member principals if needed
+if [ "${COMPOSE_PROFILES}" = "extra" ]; then
+ kadmin.local -q "addprinc -pw mongodb mongodb/rs201" 2>/dev/null || true
+ kadmin.local -q "addprinc -pw mongodb mongodb/rs202" 2>/dev/null || true
+ kadmin.local -q "addprinc -pw mongodb mongodb/rs203" 2>/dev/null || true
+fi
+
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs101@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs102@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs103@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/127.0.0.1@PERCONATEST.COM"
+
+if [ "${COMPOSE_PROFILES}" = "extra" ]; then
+ kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs201@PERCONATEST.COM"
+ kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs202@PERCONATEST.COM"
+ kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs203@PERCONATEST.COM"
+fi
+
+# Add pmm-test principal to keytab
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab pmm-test@PERCONATEST.COM"
+
+# Start KDC and keep it running
+krb5kdc -n &
+kadmind &
+tail -f /dev/null
\ No newline at end of file
diff --git a/pmm_psmdb-pbm_setup/conf/krb/krb5.conf b/pmm_psmdb-pbm_setup/conf/krb/krb5.conf
index 527d6078..4535f121 100644
--- a/pmm_psmdb-pbm_setup/conf/krb/krb5.conf
+++ b/pmm_psmdb-pbm_setup/conf/krb/krb5.conf
@@ -9,6 +9,7 @@ PERCONATEST.COM = {
 kdc_ports = 88
 kdc = kerberos
+ admin_server = kerberos
 }
 [domain_realm]
 .perconatest.com = PERCONATEST.COM
diff --git a/pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf b/pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf
index 7ecaf250..0db88e01 100644
--- a/pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf
+++ b/pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf
@@ -22,3 +22,7 @@ operationProfiling:
 security:
 keyFile: /etc/keyfile
+ authorization: enabled
+
+setParameter:
+ authenticationMechanisms: SCRAM-SHA-1,GSSAPI
diff --git a/pmm_psmdb-pbm_setup/docker-compose-rs.yaml b/pmm_psmdb-pbm_setup/docker-compose-rs.yaml
index a90b92ea..f1fc1f1e 100644
--- a/pmm_psmdb-pbm_setup/docker-compose-rs.yaml
+++ b/pmm_psmdb-pbm_setup/docker-compose-rs.yaml
@@ -18,6 +18,7 @@ services:
 rs101:
 depends_on:
 - build_member
+ - kerberos
 image: replica_member/local
 profiles: ["classic", "extra"]
 ports:
@@ -34,6 +35,7 @@ services:
 - ./conf/datagen:/etc/datagen:ro
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - /tmp/backup_data:/tmp/backup_data:rw
+ - keytabs:/keytabs
 privileged: true
 cgroup: host
 environment:
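Review bot: The `ktadd` lines near the end of configure_krb5.sh re-randomise each principal's key on every container start and append a fresh kvno entry to `/keytabs/mongodb.keytab`, so on a restart with a persisted KDC database (which the `if [ ! -f /var/lib/krb5kdc/principal ]` guard implies) the keytab accumulates stale entries and the `-pw` passwords set by `addprinc` stop working, including `password1` for `pmm-test`; pass `-norandkey` to `ktadd`, or skip the `ktadd` block when the keytab already exists, the way the database-creation step already does. The KDC is started with `krb5kdc -n &` and the container is held up by `tail -f /dev/null`, so a crashed `krb5kdc` or `kadmind` leaves the container running and the healthcheck (`kadmin.local -q listprincs`, which reads the database file directly) still green; end the script with `kadmind &` followed by `exec krb5kdc -n` so the KDC is PID 1 and its exit stops the container. The same keytab carries the `pmm-test` client key alongside the service keys and is mounted into every replica member; writing the client principal to a separate keytab would keep service and user credentials apart.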
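Review bot: `admin_server = kerberos` now has to be kept in two places, this file and the heredoc that configure_krb5.sh writes to /etc/krb5.conf in the same series, and nothing ties the two copies together. A one-line comment at the top of this file naming which copy is authoritative, or having the script install this file instead of embedding its own, would stop them drifting apart on the next change.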
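Review bot: `authenticationMechanisms: SCRAM-SHA-1,GSSAPI` removes SCRAM-SHA-256 from the server's allowed list, so a client or driver that negotiates SCRAM-SHA-256 for the `root` user will be refused once this config is live; unless a specific tool needs SHA-1 only, list `SCRAM-SHA-256,SCRAM-SHA-1,GSSAPI`. Server-side GSSAPI also needs mongod to see the keytab (`KRB5_KTNAME`) and the service principal name; that presumably lives in conf/sysconfig/mongod, which this series does not touch, so confirm it points at `/keytabs/mongodb.keytab`. A short comment above `setParameter` stating why the mechanism list is pinned would help the next reader.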
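Review bot: `- kerberos` under `depends_on` in list form only orders container start and does not wait for the kerberos service's healthcheck, so rs101 can run its `chown -R mongod:mongod /keytabs` and start mongod before configure_krb5.sh has written the keytab. Use the map form, `kerberos:` with `condition: service_healthy`, here and in the matching rs102, rs103, rs201, rs202 and rs203 `depends_on` hunks later in this file. `service_healthy` is only as good as the healthcheck, which as written passes once the KDC database exists rather than once the keytab has been written.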
@@ -44,10 +46,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs101 hostname: rs101 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs102: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["classic", "extra"] networks: @@ -61,6 +70,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -71,10 +81,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs102 hostname: rs102 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs103: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["classic", "extra"] networks: @@ -88,6 +105,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -98,10 +116,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs103 hostname: rs103 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs201: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["extra"] ports: @@ -117,6 +142,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -127,10 +153,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs201 hostname: rs201 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs202: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["extra"] networks: 
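Review bot: The `chown -R mongod:mongod /keytabs` in the new rs101 entrypoint runs once, at container start, while `/keytabs/mongodb.keytab` is written later by the kerberos container as root, so a keytab that appears after the chown stays root-owned and mongod cannot read it; the same applies to the rs102, rs103 and rs201 entrypoints on this line and to rs202 and rs203 on the next. Waiting for the file before changing ownership, `until [ -s /keytabs/mongodb.keytab ]; do sleep 1; done`, closes the window regardless of compose ordering. The override also replaces whatever entrypoint the replica_member image defined; `exec /usr/sbin/init` suggests that was the default, but confirm the image did not rely on an entrypoint of its own.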
@@ -144,6 +177,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -154,10 +188,17 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs202 hostname: rs202 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init rs203: depends_on: - build_member + - kerberos image: replica_member/local profiles: ["extra"] networks: @@ -171,6 +212,7 @@ services: - ./conf/mongod-rs:/etc/mongod - /sys/fs/cgroup:/sys/fs/cgroup:rw - /tmp/backup_data:/tmp/backup_data:rw + - keytabs:/keytabs privileged: true cgroup: host environment: @@ -181,6 +223,12 @@ services: PMM_AGENT_SERVER_INSECURE_TLS: 1 container_name: rs203 hostname: rs203 + entrypoint: + - bash + - -c + - | + chown -R mongod:mongod /keytabs + exec /usr/sbin/init minio: image: minio/minio @@ -218,6 +266,30 @@ services: entrypoint: > /bin/sh -c " sleep 5; /usr/bin/mc alias set myminio http://minio:9000 minio1234 minio1234; /usr/bin/mc mb myminio/bcp; exit 0; " + kerberos: + image: kerberos/local + build: + dockerfile: ../pmm_psmdb_diffauth_setup/Dockerfile-kerberos + context: . + container_name: kerberos + hostname: kerberos + profiles: ["classic", "extra"] + networks: + - pmm-qa + - pmm-ui-tests1 + - qa-integration + - pmm-ui-tests2 + - pmm-ui-tests3 + environment: + - "KRB5_TRACE=/dev/stderr" + volumes: + - keytabs:/keytabs + healthcheck: + test: ["CMD", "kadmin.local", "-q", "listprincs"] + interval: 2s + timeout: 1s + retries: 5 + networks: qa-integration: external: true @@ -233,3 +305,7 @@ networks: pmm-qa: name: pmm-qa external: true + +volumes: + keytabs: + driver: local diff --git a/pmm_psmdb-pbm_setup/start-rs-only.sh b/pmm_psmdb-pbm_setup/start-rs-only.sh index 7f88ad95..8e992809 100755 --- a/pmm_psmdb-pbm_setup/start-rs-only.sh +++ b/pmm_psmdb-pbm_setup/start-rs-only.sh 
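Review bot: The healthcheck `kadmin.local -q listprincs` reads the KDC database file directly, so it reports healthy as soon as `kdb5_util create` has run, before the `ktadd` calls have produced `/keytabs/mongodb.keytab` and before `krb5kdc` is listening; anything gated on it with `condition: service_healthy` can still start too early. Check the artefact the members actually need, `test: ["CMD", "test", "-s", "/keytabs/mongodb.keytab"]`, and add a probe of port 88 if the members also need the KDC up. `KRB5_TRACE=/dev/stderr` sends full Kerberos protocol traces, including principal names, to the container log; that is fine for a test fixture but deserves a comment so it is not copied into a non-test compose file.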
@@ -27,6 +27,21 @@ if [ $mongo_setup_type == "pss" ]; then else bash -e ./configure-psa.sh fi + +# Enable authorization first +echo "Enabling authorization..." +docker exec rs101 sed -i 's/authorization: disabled/authorization: enabled/' /etc/mongod/mongod.conf +docker exec rs101 systemctl restart mongod +sleep 10 + +# Setup Kerberos users after authorization is enabled +echo "Setting up Kerberos authentication users..." +# Wait for MongoDB to be ready +sleep 5 +# Direct command to create Kerberos user +docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').createUser({user: 'pmm-test@PERCONATEST.COM', roles: [{role: 'explainRole', db: 'admin'}, {role: 'clusterMonitor', db: 'admin'}, {role: 'userAdminAnyDatabase', db: 'admin'}, {role: 'dbAdminAnyDatabase', db: 'admin'}, {role: 'readWriteAnyDatabase', db: 'admin'}, {role: 'read', db: 'local'}]})" +echo "✓ Kerberos user setup completed" + bash -x ./configure-agents.sh if [ $profile = "extra" ]; then diff --git a/pmm_psmdb-pbm_setup/test-kerberos.sh b/pmm_psmdb-pbm_setup/test-kerberos.sh new file mode 100755 index 00000000..0f2f77f8 --- /dev/null +++ b/pmm_psmdb-pbm_setup/test-kerberos.sh 
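Review bot: The `sed -i 's/authorization: disabled/authorization: enabled/'` step is a no-op against the conf/mongod-rs/mongod.conf shipped in this same series, which already contains `authorization: enabled`, so the "Enabling authorization" block only restarts mongod and sleeps ten seconds; drop it or make it genuinely conditional on the file's content. The fixed `sleep 10` and `sleep 5` are followed by `createUser` with no readiness check; replace them with a poll such as `until docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval 'db.adminCommand({ping: 1}).ok' 2>/dev/null | grep -q 1; do sleep 1; done`. `pmm-test@PERCONATEST.COM` is granted `userAdminAnyDatabase`, `dbAdminAnyDatabase` and `readWriteAnyDatabase`, far more than a monitoring principal needs; unless a test depends on them, keep `explainRole`, `clusterMonitor` and `read` on `local`. `echo "✓ Kerberos user setup completed"` prints whether or not `createUser` succeeded (it fails on a second run, for example), so chain it with `&&` or check the exit status. The same block is added for rs201 in PATCH 3/4 and needs the same changes.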
@@ -0,0 +1,103 @@ +#!/bin/bash + +# Test script for Kerberos authentication in replicaset +set -e + +echo "Testing Kerberos authentication in replicaset..." + +# Test 1: Check if Kerberos container is running +echo "1. Checking Kerberos container..." +if docker ps | grep -q kerberos; then + echo "✓ Kerberos container is running" +else + echo "✗ Kerberos container is not running" + exit 1 +fi + +# Test 2: Check if keytabs are available +echo "2. Checking keytabs..." +if docker exec rs101 ls -la /keytabs/mongodb.keytab > /dev/null 2>&1; then + echo "✓ Keytabs are available" +else + echo "✗ Keytabs are not available" + exit 1 +fi + +# Test 3: Check if Kerberos principals are created +echo "3. Checking Kerberos principals..." +if docker exec kerberos kadmin.local -q "listprincs" | grep -q "mongodb/rs101"; then + echo "✓ Kerberos principals are created" +else + echo "✗ Kerberos principals are not created" + exit 1 +fi + +# Test 4: Check if MongoDB is configured for Kerberos +echo "4. Checking MongoDB Kerberos configuration..." +if docker exec rs101 grep -q "GSSAPI" /etc/mongod/mongod.conf; then + echo "✓ MongoDB is configured for Kerberos" +else + echo "✗ MongoDB is not configured for Kerberos" + exit 1 +fi + +# Test 5: Check replicaset status (using authenticated connection) +echo "5. Checking replicaset status..." +if docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "rs.status().ok" | grep -q "1"; then + echo "✓ Replicaset is healthy" +else + echo "✗ Replicaset is not healthy" + exit 1 +fi + +# Test 6: Test Kerberos authentication +echo "6. Testing Kerberos authentication..." 
+# Test if Kerberos user exists in MongoDB +if docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').getUsers()" | grep -q "pmm-test@PERCONATEST.COM"; then + echo "✓ Kerberos user is configured in MongoDB" +else + echo "✗ Kerberos user is not configured in MongoDB" + exit 1 +fi + +# Test if GSSAPI authentication mechanism is enabled +if docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.adminCommand({getParameter: 1, authenticationMechanisms: 1})" | grep -q "GSSAPI"; then + echo "✓ GSSAPI authentication mechanism is enabled" +else + echo "✗ GSSAPI authentication mechanism is not enabled" + exit 1 +fi + +# Test actual Kerberos authentication (if keytab is available) +echo "7. Testing actual Kerberos authentication..." +if docker exec rs101 ls -la /keytabs/mongodb.keytab > /dev/null 2>&1; then + # Copy keytab and test authentication + docker exec rs101 cp /keytabs/mongodb.keytab /tmp/pmm-test.keytab + docker exec rs101 chmod 600 /tmp/pmm-test.keytab + if docker exec rs101 kinit -kt /tmp/pmm-test.keytab pmm-test@PERCONATEST.COM 2>/dev/null; then + echo "✓ Kerberos ticket obtained successfully" + # Test MongoDB connection with Kerberos + if docker exec rs101 mongo --quiet --authenticationMechanism=GSSAPI --gssapiServiceName=mongodb --username="pmm-test@PERCONATEST.COM" --eval "db.runCommand({connectionStatus: 1})" 2>/dev/null | grep -q "authenticatedUsers"; then + echo "✓ Kerberos authentication to MongoDB works" + else + echo "⚠️ Kerberos authentication to MongoDB failed (this is expected without proper client setup)" + fi + else + echo "⚠️ Could not obtain Kerberos ticket (this is expected without proper client setup)" + fi +else + echo "⚠️ Keytab not available in MongoDB container" +fi + +echo "✓ Kerberos authentication setup is complete and ready for use" + +# Test 8: Test root user authentication +echo "8. Testing root user authentication..." 
+if docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.runCommand({connectionStatus: 1})" | grep -q "authenticatedUsers"; then + echo "✓ Root user authentication works" +else + echo "✗ Root user authentication failed" + exit 1 +fi + +echo "✓ All Kerberos authentication tests passed!" \ No newline at end of file diff --git a/pmm_psmdb_diffauth_setup/Dockerfile-kerberos b/pmm_psmdb_diffauth_setup/Dockerfile-kerberos index 97e412ba..beecc25b 100644 --- a/pmm_psmdb_diffauth_setup/Dockerfile-kerberos +++ b/pmm_psmdb_diffauth_setup/Dockerfile-kerberos @@ -2,4 +2,4 @@ FROM alpine RUN apk add --no-cache bash krb5 krb5-server krb5-pkinit COPY conf/configure_krb5.sh /var/lib/krb5kdc/ EXPOSE 88/udp -ENTRYPOINT [ "sh", "/var/lib/krb5kdc/configure_krb5.sh"] +ENTRYPOINT [ "sh", "/var/lib/krb5kdc/configure_krb5.sh"] \ No newline at end of file From 74c06d1a8e87c315a22f9eb1450c8164dd2de7d9 Mon Sep 17 00:00:00 2001 From: yurkovychv Date: Thu, 31 Jul 2025 20:12:39 +0300 Subject: [PATCH 2/4] remove test kerberos script --- pmm_psmdb-pbm_setup/test-kerberos.sh | 103 --------------------------- 1 file changed, 103 deletions(-) delete mode 100755 pmm_psmdb-pbm_setup/test-kerberos.sh diff --git a/pmm_psmdb-pbm_setup/test-kerberos.sh b/pmm_psmdb-pbm_setup/test-kerberos.sh deleted file mode 100755 index 0f2f77f8..00000000 --- a/pmm_psmdb-pbm_setup/test-kerberos.sh +++ /dev/null 
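Review bot: PATCH 2/4 deletes test-kerberos.sh again, so the series would be cleaner with the addition and removal squashed. If the script is kept, `docker ps | grep -q kerberos` matches any container whose name or image contains that substring, and `docker exec rs101 cp /keytabs/mongodb.keytab /tmp/pmm-test.keytab` leaves a copy of the service keytab in /tmp of the member container after the run; `docker ps --filter name=^kerberos$ -q` and a cleanup of the copy at the end of the script would address both.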
@@ -1,103 +0,0 @@ -#!/bin/bash - -# Test script for Kerberos authentication in replicaset -set -e - -echo "Testing Kerberos authentication in replicaset..." - -# Test 1: Check if Kerberos container is running -echo "1. Checking Kerberos container..." -if docker ps | grep -q kerberos; then - echo "✓ Kerberos container is running" -else - echo "✗ Kerberos container is not running" - exit 1 -fi - -# Test 2: Check if keytabs are available -echo "2. Checking keytabs..." -if docker exec rs101 ls -la /keytabs/mongodb.keytab > /dev/null 2>&1; then - echo "✓ Keytabs are available" -else - echo "✗ Keytabs are not available" - exit 1 -fi - -# Test 3: Check if Kerberos principals are created -echo "3. Checking Kerberos principals..." -if docker exec kerberos kadmin.local -q "listprincs" | grep -q "mongodb/rs101"; then - echo "✓ Kerberos principals are created" -else - echo "✗ Kerberos principals are not created" - exit 1 -fi - -# Test 4: Check if MongoDB is configured for Kerberos -echo "4. Checking MongoDB Kerberos configuration..." -if docker exec rs101 grep -q "GSSAPI" /etc/mongod/mongod.conf; then - echo "✓ MongoDB is configured for Kerberos" -else - echo "✗ MongoDB is not configured for Kerberos" - exit 1 -fi - -# Test 5: Check replicaset status (using authenticated connection) -echo "5. Checking replicaset status..." -if docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "rs.status().ok" | grep -q "1"; then - echo "✓ Replicaset is healthy" -else - echo "✗ Replicaset is not healthy" - exit 1 -fi - -# Test 6: Test Kerberos authentication -echo "6. Testing Kerberos authentication..." 
-# Test if Kerberos user exists in MongoDB -if docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').getUsers()" | grep -q "pmm-test@PERCONATEST.COM"; then - echo "✓ Kerberos user is configured in MongoDB" -else - echo "✗ Kerberos user is not configured in MongoDB" - exit 1 -fi - -# Test if GSSAPI authentication mechanism is enabled -if docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.adminCommand({getParameter: 1, authenticationMechanisms: 1})" | grep -q "GSSAPI"; then - echo "✓ GSSAPI authentication mechanism is enabled" -else - echo "✗ GSSAPI authentication mechanism is not enabled" - exit 1 -fi - -# Test actual Kerberos authentication (if keytab is available) -echo "7. Testing actual Kerberos authentication..." -if docker exec rs101 ls -la /keytabs/mongodb.keytab > /dev/null 2>&1; then - # Copy keytab and test authentication - docker exec rs101 cp /keytabs/mongodb.keytab /tmp/pmm-test.keytab - docker exec rs101 chmod 600 /tmp/pmm-test.keytab - if docker exec rs101 kinit -kt /tmp/pmm-test.keytab pmm-test@PERCONATEST.COM 2>/dev/null; then - echo "✓ Kerberos ticket obtained successfully" - # Test MongoDB connection with Kerberos - if docker exec rs101 mongo --quiet --authenticationMechanism=GSSAPI --gssapiServiceName=mongodb --username="pmm-test@PERCONATEST.COM" --eval "db.runCommand({connectionStatus: 1})" 2>/dev/null | grep -q "authenticatedUsers"; then - echo "✓ Kerberos authentication to MongoDB works" - else - echo "⚠️ Kerberos authentication to MongoDB failed (this is expected without proper client setup)" - fi - else - echo "⚠️ Could not obtain Kerberos ticket (this is expected without proper client setup)" - fi -else - echo "⚠️ Keytab not available in MongoDB container" -fi - -echo "✓ Kerberos authentication setup is complete and ready for use" - -# Test 8: Test root user authentication -echo "8. Testing root user authentication..." 
-if docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.runCommand({connectionStatus: 1})" | grep -q "authenticatedUsers"; then - echo "✓ Root user authentication works" -else - echo "✗ Root user authentication failed" - exit 1 -fi - -echo "✓ All Kerberos authentication tests passed!" \ No newline at end of file From 2a94ae497d81a061a973681328d88d2181c719a4 Mon Sep 17 00:00:00 2001 From: yurkovychv Date: Thu, 31 Jul 2025 21:11:39 +0300 Subject: [PATCH 3/4] PMM-14184 Enable Kerberos authentication in extra profile setup by modifying MongoDB configuration and creating a test Kerberos user. --- pmm_psmdb-pbm_setup/start-rs-only.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pmm_psmdb-pbm_setup/start-rs-only.sh b/pmm_psmdb-pbm_setup/start-rs-only.sh index 8e992809..d2c9b196 100755 --- a/pmm_psmdb-pbm_setup/start-rs-only.sh +++ b/pmm_psmdb-pbm_setup/start-rs-only.sh 
@@ -45,6 +45,19 @@ echo "✓ Kerberos user setup completed" bash -x ./configure-agents.sh if [ $profile = "extra" ]; then +# Enable authorization first +echo "Enabling authorization..." + docker exec rs201 sed -i 's/authorization: disabled/authorization: enabled/' /etc/mongod/mongod.conf + docker exec rs201 systemctl restart mongod + sleep 10 + + # Setup Kerberos users after authorization is enabled + echo "Setting up Kerberos authentication users..." + # Wait for MongoDB to be ready + sleep 5 + # Direct command to create Kerberos user + docker exec rs201 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').createUser({user: 'pmm-test@PERCONATEST.COM', roles: [{role: 'explainRole', db: 'admin'}, {role: 'clusterMonitor', db: 'admin'}, {role: 'userAdminAnyDatabase', db: 'admin'}, {role: 'dbAdminAnyDatabase', db: 'admin'}, {role: 'readWriteAnyDatabase', db: 'admin'}, {role: 'read', db: 'local'}]})" + echo "✓ Kerberos user setup completed" if [ $mongo_setup_type == "pss" ]; then bash -x ./configure-extra-replset.sh else From a4b18d1334e31d3c9319594217da20cbab322f44 Mon Sep 17 00:00:00 2001 From: yurkovychv Date: Thu, 31 Jul 2025 21:12:04 +0300 Subject: [PATCH 4/4] PMM-14184 update gitignore --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index 403daa91..5d7d5d07 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,10 @@ yarn-debug.log* yarn-error.log* lerna-debug.log* +pmm_framework +certs +pki + # Diagnostic reports (https://nodejs.org/api/report.html) report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
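Review bot: The first two added lines, `# Enable authorization first` and `echo "Enabling authorization..."`, sit at column 0 inside the `if [ $profile = "extra" ]` block while the rest of the block is indented; indent them to match. The block is otherwise a copy of the rs101 block from PATCH 1/4 with the host changed, so a small function taking the host name, called once for rs101 and once for rs201, would avoid carrying the same sleeps and the same `createUser` role list twice. The enclosing `if` continues past the hunk.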