Bug 1153344 - [RFE] Add support for SSL protected MongoDB connections
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: API/integration
Version: 2.4.0
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
: 2.5.0
Assignee: Randy Barlow
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks: 1155694
Reported: 2014-10-15 19:55 UTC by Randy Barlow
Modified: 2014-11-24 21:33 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-11-24 21:33:19 UTC
Embargoed:



Description Randy Barlow 2014-10-15 19:55:36 UTC
Description of problem:
Pulp cannot connect to MongoDB using SSL. It would be superior if Pulp could connect to Mongo using SSL. pymongo does have the ability to do this[0].

Version-Release number of selected component (if applicable):
2.4.0-1

How reproducible:
Every time.

Steps to Reproduce:
1. Try to get Pulp to connect to Mongo using SSL.

Actual results:
Note that you failed because Pulp doesn't have any setting to express that the user wants an SSL protected MongoDB connection.

Expected results:
You should have succeeded.

Additional info:
[0] http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#pymongo

Comment 1 Randy Barlow 2014-10-24 14:48:18 UTC
I've submitted a pull request[0] to add this feature. There are several new settings in the [database] section of server.conf. There are a number of potential QE test cases:

1) Make sure that non-SSL connections still work.

2) Configure MongoDB to do SSL, and give it a self-signed certificate:

   2a) With Pulp's [database] --> verify_ssl set to false and ssl set to true, Pulp should connect just fine to this.

   2b) Setting verify_ssl to True should cause a connection failure in Pulp.

3) Configure MongoDB to do SSL and give it a properly signed cert. Pulp should connect to it with verify_ssl set to True.

[0] https://github.com/pulp/pulp/pull/1263

Comment 2 Randy Barlow 2014-10-27 19:30:31 UTC
Fixed in 2.5.0-0.12.beta.

Comment 3 Randy Barlow 2014-10-28 17:36:58 UTC
I just discovered that I had forgotten about the Mongo connection that's used for the results backend ☹

Comment 4 Randy Barlow 2014-10-28 18:00:37 UTC
https://github.com/pulp/pulp/pull/1271

Comment 5 Randy Barlow 2014-10-28 18:27:14 UTC
https://github.com/pulp/pulp/pull/1272

Comment 6 Preethi Thomas 2014-10-30 18:03:41 UTC
verified
[root@cloud-qe-17 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.14.beta.el6.noarch
[root@cloud-qe-17 ~]# 

1. Created CA & Certs for testing

2. Updated mongod.conf

 In mongodb.conf
(for mongo 2.4)


#Configure SSL support
#sslMode = requireSSL (this is 2.6)
sslOnNormalPorts = true
#sslPEMKeyFile = /etc/pki/tls/private/mongo-cert.pem
sslPEMKeyFile = /etc/pki/tls/private/mongodb.pem
sslCAFile = /etc/pki/tls/private/CA.crt
#sslWeakCertificateValidation = true

3. Updated server.conf


[database]
# name: pulp_database
seeds: localhost:27017
# operation_retries: 2
# username:
# password:
# replica_set:
ssl: true
#ssl_keyfile:
ssl_certfile:/etc/pki/tls/private/mongodb.pem
verify_ssl: true
ca_path: /etc/pki/tls/private/CA.crt

Restarted mongo & httpd

And pulp works without any issues

Tested with a different set of certs in the server.conf
with turning
sslWeakCertificateValidation = false in mongodb.conf

Also tested different scenarios mentioned in

https://bugzilla.redhat.com/show_bug.cgi?id=1153344#c1
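
An added example, not part of the bug thread or of Pulp's code: a small audit of the [database] options discussed in comments 1 and 6, showing which combinations leave the MongoDB link plaintext or unauthenticated. The mapping onto the legacy pymongo 2.x/3.x keyword names, the function name, and the defaults for absent options are assumptions of this example.

```python
import configparser
import ssl

# Constructed sample: the [database] options shown in comment 6.
SAMPLE_CONF = """\
[database]
seeds: localhost:27017
ssl: true
ssl_certfile:/etc/pki/tls/private/mongodb.pem
verify_ssl: true
ca_path: /etc/pki/tls/private/CA.crt
"""

# server.conf option -> legacy pymongo keyword (mapping assumed by this example).
KWARG_FOR = {"ssl_keyfile": "ssl_keyfile", "ssl_certfile": "ssl_certfile",
             "ca_path": "ssl_ca_certs"}


def mongo_tls_kwargs(conf_text, default_verify=True):
    """Return (kwargs, findings) for the [database] section of a server.conf.

    default_verify is an assumed default, not taken from Pulp.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    use_ssl = cp.getboolean("database", "ssl", fallback=False)
    verify = cp.getboolean("database", "verify_ssl", fallback=default_verify)
    # An empty value such as "ssl_keyfile:" counts as unset.
    paths = {k: cp.get("database", k, fallback="").strip() for k in KWARG_FOR}

    findings = []
    if not use_ssl:
        findings.append("plaintext: ssl is off, MongoDB traffic is unencrypted")
        stray = sorted(k for k, v in paths.items() if v)
        if stray:
            findings.append("unused: %s set while ssl is off" % ", ".join(stray))
        return {"ssl": False}, findings

    kwargs = {"ssl": True,
              "ssl_cert_reqs": ssl.CERT_REQUIRED if verify else ssl.CERT_NONE}
    kwargs.update({KWARG_FOR[k]: v for k, v in paths.items() if v})
    if not verify:
        # Test case 2a: a self-signed server certificate is accepted.
        findings.append("unauthenticated: verify_ssl is off, any server "
                        "certificate is accepted")
    elif not paths["ca_path"]:
        findings.append("no ca_path: no CA file named for verifying the server")
    return kwargs, findings
```

An empty findings list corresponds to test case 3 in comment 1: TLS on, verification on, and a CA file named.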

