Bug 1951342

Summary: [RFE] pmdamssql could share credentials with the Assessment API
Product: Red Hat Enterprise Linux 8 Reporter: Nathan Scott <nathans>
Component: pcp Assignee: Nathan Scott <nathans>
Status: CLOSED ERRATA QA Contact: Jan Kurik <jkurik>
Severity: low Docs Contact: Apurva Bhide <abhide>
Priority: low    
Version: CentOS Stream CC: agerstmayr, briasmit, jkurik, limershe, nathans
Target Milestone: beta Keywords: FutureFeature, Reopened, Triaged
Target Release: 8.6 Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pcp-5.3.5-1.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-10 13:30:36 UTC Type: Enhancement
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nathan Scott 2021-04-20 00:30:10 UTC
The SQL Server metrics in PCP require authentication to access the database to extract metrics.  To set ourselves up for success in more situations, we could make use of the username/password available from the filesystem setup for the SQL Server Assessment API as (planned to be) used by Insights.

Some notes from the SQL Server Google chat room follow.


Louis Imershein> @Nathan Scott one improvement to PCP might be to teach it to use the same password file as the assessment API
We're still finalizing the file name but a user name and password will be in /var/opt/mssql/secrets/ - accessing it will require either root or the mssql user account for security purposes.  Permissions on the file will be 0600.

Nathan Scott> @Louis Imershein definitely - what will the file names and file formats be in that secrets directory?

Louis Imershein> assuming it's like the ha file, it will just be a username separated from a password by a newline
as soon as i know the file name i will share it with you

Nathan Scott> too easy - I'll open an RFE BZ to get PCP updated

Louis Imershein> Let's make sure Insights team as well as @Brian Smith and @Karl Abbott are aware of our plan, but I think this makes the most sense.
I want something more secure, like principals that automatically authenticate to AD at startup via protected credentials but we need a solution for that for several areas with SQL Server.  At least this in no way adds to the problems in that dept, in fact it's arguably better than some of the other options.

Comment 2 Nathan Scott 2021-07-13 04:51:28 UTC
Louis, any updates on this one?  We're planning next couple of RHEL releases worth of work, it'd be helpful to know if things have progressed here (esp. re: 'as soon as i know the file name i will share it with you' etc - the nitty gritty details that'll let us share configuration here).

Thanks!

Comment 3 Nathan Scott 2021-10-20 23:16:27 UTC
There doesn't seem to have been any progress on the Assessments API credentials, and the quest for further clarity on the situation hasn't been fruitful.  Closing for now, and happy to re-open this BZ if/when that situation changes.

Comment 4 Nathan Scott 2021-10-25 22:07:35 UTC
Louis has sent me details now - it's described in this draft blog post:
https://docs.google.com/document/d/1u71-zEylq-V13DfTNXedrUj4ndNtyAjrpfgfJVIIh4g
and this is supported from RHEL 8.5.

I'll work on the PCP support for this now targeting 8.6.

Comment 6 Nathan Scott 2021-10-25 23:59:53 UTC
This is working now and will shortly be merged in upstream PCP:

commit 2f89d86567a7a35582a93a61774a51a676f5ae89
Author: Nathan Scott <nathans>
Date:   Tue Oct 26 10:39:23 2021 +1100

    pmdamssql: share username/password with the Assessments API
    
    For admin simplicity, if a SQL Server Assessments API install
    is detected we now use the username/password combo setup for
    this service so that no PCP mssql configuration is required.
    
    Resolves Red Hat BZ #1951342
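
Added example, not the pmdamssql code from the commit above: one way a consumer could read a secrets file of the kind described in this report (a username and a password separated by a newline, mode 0600, owned by root or mssql) while refusing a file that is a symlink, has the wrong owner, or is readable by group or others. The function name, the exception class and the allowed_uids parameter are hypothetical, and the file name is left to the caller because this report does not state it.

```python
import os
import stat


class CredentialFileError(Exception):
    """Raised when the secrets file is missing, unsafe or malformed."""


def read_shared_credentials(path, allowed_uids=(0,)):
    """Return (username, password) from a two-line secrets file.

    Assumed layout, taken from the discussion above: username on the
    first line, password on the second, file mode 0600. allowed_uids
    defaults to root; a caller adds the mssql uid, for example via
    pwd.getpwnam("mssql").pw_uid.
    """
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # refuse symlinks
    try:
        fd = os.open(path, flags)
    except OSError as err:
        raise CredentialFileError(f"cannot open {path}: {err.strerror}") from err
    with os.fdopen(fd, "r", encoding="utf-8") as handle:
        # fstat the open descriptor so the checks apply to the file we read,
        # not to whatever the path points at a moment later.
        info = os.fstat(handle.fileno())
        if not stat.S_ISREG(info.st_mode):
            raise CredentialFileError(f"{path} is not a regular file")
        if info.st_uid not in allowed_uids:
            raise CredentialFileError(f"{path} has unexpected owner uid {info.st_uid}")
        if stat.S_IMODE(info.st_mode) & 0o077:
            raise CredentialFileError(f"{path} is accessible to group or others")
        lines = handle.read().splitlines()
    if len(lines) < 2 or not lines[0].strip() or not lines[1]:
        raise CredentialFileError(f"{path} does not hold a username and password")
    # Trim the username; keep the password verbatim apart from its newline.
    return lines[0].strip(), lines[1]
```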

Comment 13 errata-xmlrpc 2022-05-10 13:30:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pcp bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1765