Bug 1132609 - Pulp cannot use MongoDB authentication with its task result backend
Summary: Pulp cannot use MongoDB authentication with its task result backend
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: async/tasks
Version: 2.4.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
: 2.5.0
Assignee: Michael Hrivnak
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks: 1132607
Reported: 2014-08-21 16:05 UTC by Randy Barlow
Modified: 2014-11-24 21:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-24 21:33:34 UTC
Embargoed:



Description Randy Barlow 2014-08-21 16:05:05 UTC
Description of problem:
Pulp uses MongoDB for its task result backend*. Pulp itself can authenticate to MongoDB, but it uses the wrong config key ("user" instead of "username") from server.conf for the username when configuring Celery to use Mongo as a result backend. This means that Celery gets an authentication failure whenever Mongo is configured to require permissions on the Pulp database.

* The task result backend is what stores return values for tasks that need to return something. For example, all of Pulp's tasks that reserve resources rely on this to know which queue to put the work in. This means that many important tasks, such as sync, cannot work with MongoDB authentication.


Version-Release number of selected component (if applicable):
2.4.0-1 and greater

How reproducible:
Very


Steps to Reproduce:
1. Configure MongoDB for authenticated access, and disallow anonymous connections.
2. Configure the pulp user as the DB owner for full access
3. Restart Pulp.
4. Try to sync a repo

Actual results:
Observe that the sync fails, with a Mongo permission traceback in the server logs. Other tasks that do not use the results backend (like a repo list) will still work.

Expected results:
The sync should succeed.

Comment 1 Randy Barlow 2014-08-21 16:07:30 UTC
For users encountering this issue, there is a simple workaround:

1) Edit your /etc/pulp/server.conf
2) Add a new "user" setting in your [database] section with the same value as you used in your "username" setting.
3) Save the file.

Once we fix this issue, you should remove the "user" field as it will be extraneous.
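
Added example (not part of the original comments and not Pulp's own code): a small model of the key mismatch described above, which also checks whether a given server.conf would leave the result backend without credentials. The helper names, the "name" and "password" key names, and the sample file are assumptions; the credentials mirror the QA session in comment 5.

```python
import configparser

# Constructed sample of the [database] section of /etc/pulp/server.conf.
# "username" is the key named in the bug; "name" and "password" are assumed.
SAMPLE_CONF = """
[database]
name = pulp_database
username = pulpuser
password = pulppass
"""

def load_database_section(conf_text):
    """Return the [database] options as a dict (empty if the section is absent)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return dict(parser["database"]) if parser.has_section("database") else {}

def result_backend_settings(db, username_key):
    """Build a Celery-style MongoDB result backend dict (hypothetical helper).

    username_key="user" models the lookup described in the bug;
    username_key="username" models the key Pulp itself reads.
    """
    settings = {"database": db.get("name")}
    # Credentials are passed on only if the looked-up key is actually present.
    if username_key in db and "password" in db:
        settings["user"] = db[username_key]
        settings["password"] = db["password"]
    return settings

def backend_loses_credentials(conf_text):
    """True when Pulp would authenticate but the result backend would not."""
    db = load_database_section(conf_text)
    buggy = result_backend_settings(db, "user")
    return "username" in db and "user" not in buggy

if __name__ == "__main__":
    db = load_database_section(SAMPLE_CONF)
    print("lookup by 'user'     :", result_backend_settings(db, "user"))
    print("lookup by 'username' :", result_backend_settings(db, "username"))
    print("affected             :", backend_loses_credentials(SAMPLE_CONF))
    # The workaround from comment 1: duplicate the value under "user".
    workaround = SAMPLE_CONF + "user = pulpuser\n"
    print("affected w/ workaround:", backend_loses_credentials(workaround))
```
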

Comment 2 Michael Hrivnak 2014-08-29 22:02:54 UTC
https://github.com/pulp/pulp/pull/1141

Comment 3 Chris Duryee 2014-09-30 13:52:45 UTC
build: 2.5.0-0.6.beta

Comment 4 Randy Barlow 2014-10-14 15:41:06 UTC
Preethi,

Since we moved this from 2.4 to 2.5, I believe we can change step 2 to say that Pulp needs dbAdmin and readWrite, instead of dbOwner.

Here is a tutorial about how to add users to databases:

http://docs.mongodb.org/manual/tutorial/add-user-to-database/

Here is the documentation about the various roles available:

http://docs.mongodb.org/manual/reference/built-in-roles/#dbOwner

Comment 5 Preethi Thomas 2014-10-14 17:01:43 UTC
verified

Configured MongoDB for authenticated access, and disallowed anonymous connections.

Followed the above docs
And this
http://docs.mongodb.org/manual/tutorial/enable-authentication-without-bypass/

used this to add

[root@cloud-qe-12 ~]# mongo pulp_database
MongoDB shell version: 2.4.6
connecting to: pulp_database
> db.addUser({user: "pulpuser", pwd:"pulppass", roles: [ "readWrite", "dbAdmin" ]})
{
	"user" : "pulpuser",
	"pwd" : "1b512d0236d75c586c5d65423f59b225",
	"roles" : [
		"readWrite",
		"dbAdmin"
	],
	"_id" : ObjectId("543d383dab7f088df0756127")
}
> ^C
bye
[root@cloud-qe-12 ~]# vi /etc/pulp/server.conf
update database section with the above pulpuser

restart services


Repo create/sync works fine.

Comment 6 Preethi Thomas 2014-10-14 17:02:08 UTC
[root@cloud-qe-12 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.7.beta.el6.noarch
[root@cloud-qe-12 ~]#

