Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1153344

Summary: [RFE] Add support for SSL protected MongoDB connections
Product: [Retired] Pulp
Component: API/integration
Version: 2.4.0
Target Release: 2.5.0
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: high
Reporter: Randy Barlow <rbarlow>
Assignee: Randy Barlow <rbarlow>
QA Contact: Preethi Thomas <pthomas>
CC: jortel, pthomas
Keywords: Triaged
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-11-24 21:33:19 UTC
Bug Blocks: 1155694

Description Randy Barlow 2014-10-15 19:55:36 UTC
Description of problem:
Pulp cannot connect to MongoDB using SSL. It would be superior if Pulp could connect to Mongo using SSL. pymongo does have the ability to do this[0].

Version-Release number of selected component (if applicable):
2.4.0-1

How reproducible:
Every time.

Steps to Reproduce:
1. Try to get Pulp to connect to Mongo using SSL.

Actual results:
Note that you failed because Pulp doesn't have any setting to express that the user wants an SSL protected MongoDB connection.

Expected results:
You should have succeeded.

Additional info:
[0] http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#pymongo

Comment 1 Randy Barlow 2014-10-24 14:48:18 UTC
I've submitted a pull request[0] to add this feature. There are several new settings in the [database] section of server.conf. There are a number of potential QE test cases:

1) Make sure that non-SSL connections still work.

2) Configure MongoDB to do SSL, and give it a self-signed certificate:

   2a) With Pulp's [database] --> verify_ssl set to false and ssl set to true, Pulp should connect just fine to this.

   2b) Setting verify_ssl to True should cause a connection failure in Pulp.

3) Configure MongoDB to do SSL and give it a properly signed cert. Pulp should connect to it with verify_ssl set to True.

[0] https://github.com/pulp/pulp/pull/1263

Comment 2 Randy Barlow 2014-10-27 19:30:31 UTC
Fixed in 2.5.0-0.12.beta.

Comment 3 Randy Barlow 2014-10-28 17:36:58 UTC
I just discovered that I had forgotten about the Mongo connection that's used for the results backend ☹

Comment 4 Randy Barlow 2014-10-28 18:00:37 UTC
https://github.com/pulp/pulp/pull/1271

Comment 5 Randy Barlow 2014-10-28 18:27:14 UTC
https://github.com/pulp/pulp/pull/1272

Comment 6 Preethi Thomas 2014-10-30 18:03:41 UTC
verified
[root@cloud-qe-17 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.14.beta.el6.noarch
[root@cloud-qe-17 ~]# 

1. Created CA & Certs for testing

2. Updated mongod.conf

In mongodb.conf (for mongo 2.4):


#Configure SSL support
#sslMode = requireSSL (this is 2.6)
sslOnNormalPorts = true
#sslPEMKeyFile = /etc/pki/tls/private/mongo-cert.pem
sslPEMKeyFile = /etc/pki/tls/private/mongodb.pem
sslCAFile = /etc/pki/tls/private/CA.crt
#sslWeakCertificateValidation = true

3. Updated server.conf


[database]
# name: pulp_database
seeds: localhost:27017
# operation_retries: 2
# username:
# password:
# replica_set:
ssl: true
#ssl_keyfile:
ssl_certfile:/etc/pki/tls/private/mongodb.pem
verify_ssl: true
ca_path: /etc/pki/tls/private/CA.crt

Restarted mongo & httpd

And pulp works without any issues

Tested with a different set of certs in the server.conf, with
sslWeakCertificateValidation = false in mongodb.conf

Also tested different scenarios mentioned in

https://bugzilla.redhat.com/show_bug.cgi?id=1153344#c1
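
Added example (not part of the bug report and not Pulp's own code): a small Python check that reads a server.conf [database] section like the one in comment 6 and reports whether it matches the verified setup or the unverified case 2a from comment 1. The function name, the fallback defaults and the mapping onto pymongo 2.x/3.x MongoClient keyword names are assumptions made for illustration.

```python
import configparser
import ssl

# Constructed input: the [database] section as posted in comment 6.
VERIFIED_CONF = """\
[database]
seeds: localhost:27017
ssl: true
#ssl_keyfile:
ssl_certfile:/etc/pki/tls/private/mongodb.pem
verify_ssl: true
ca_path: /etc/pki/tls/private/CA.crt
"""


def audit_database_tls(conf_text):
    """Return (client_kwargs, findings) for a server.conf [database] section.

    client_kwargs uses the TLS keyword names of pymongo 2.x/3.x MongoClient.
    The fallback defaults are assumptions, not Pulp's documented defaults.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    db = parser["database"]
    findings = []
    if not db.getboolean("ssl", fallback=False):
        findings.append("ssl is off: MongoDB traffic is not encrypted")
        return {"ssl": False}, findings
    verify = db.getboolean("verify_ssl", fallback=True)
    kwargs = {"ssl": True,
              "ssl_cert_reqs": ssl.CERT_REQUIRED if verify else ssl.CERT_NONE}
    # Copy only the options that are actually set to a non-empty value.
    for option, kwarg in (("ca_path", "ssl_ca_certs"),
                          ("ssl_keyfile", "ssl_keyfile"),
                          ("ssl_certfile", "ssl_certfile")):
        value = db.get(option, fallback="").strip()
        if value:
            kwargs[kwarg] = value
    if not verify:
        findings.append("verify_ssl is false: the server certificate is not "
                        "checked, so a self-signed or substituted cert is accepted")
    elif "ssl_ca_certs" not in kwargs:
        findings.append("verify_ssl is true but ca_path is empty")
    return kwargs, findings


if __name__ == "__main__":
    print(audit_database_tls(VERIFIED_CONF))
    print(audit_database_tls(VERIFIED_CONF.replace("verify_ssl: true",
                                                   "verify_ssl: false")))
```

An empty findings list corresponds to test case 3; a verify_ssl finding corresponds to case 2a, where the link is encrypted but the server is not authenticated.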