PSMDB. Add kerberos auth to RS setup (#156)

Author: sandraromanchenko

pmm_psmdb-pbm_setup/Dockerfile-kerberos

@@ -0,0 +1,5 @@
+FROM alpine
+RUN apk add --no-cache bash krb5 krb5-server krb5-pkinit
+COPY conf/configure_krb5.sh /var/lib/krb5kdc/
+EXPOSE 88/udp
+ENTRYPOINT [ "sh", "/var/lib/krb5kdc/configure_krb5.sh"]

pmm_psmdb-pbm_setup/conf/configure_krb5.sh

@@ -0,0 +1,33 @@
+#! /env/sh
+
+cat > /etc/krb5.conf << EOL
+[libdefaults]
+    default_realm = PERCONATEST.COM
+    forwardable = true
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+    ignore_acceptor_hostname = true
+    rdns = false
+[realms]
+    PERCONATEST.COM = {
+        kdc_ports = 88
+        kdc = kerberos
+        admin_server = kerberos
+    }
+[domain_realm]
+    .perconatest.com = PERCONATEST.COM
+    perconatest.com = PERCONATEST.COM
+    kerberos = PERCONATEST.COM
+EOL
+
+kdb5_util -P password create -s
+kadmin.local -q "addprinc -pw password root/admin"
+for i in 101 102 103 201 202 203; do
+    kadmin.local -q "addprinc -pw mongodb mongodb/rs$i"
+done
+kadmin.local -q "addprinc -pw password1 pmm"
+for i in 101 102 103 201 202 203; do
+    kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs$i@PERCONATEST.COM"
+done
+
+krb5kdc -n

pmm_psmdb-pbm_setup/conf/mongod-cfg/mongod.conf

@@ -25,3 +25,6 @@ operationProfiling:
 
 security:
   keyFile: /etc/keyfile
+  authorization: enabled
+setParameter:
+  authenticationMechanisms: SCRAM-SHA-1,GSSAPI

pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf

@@ -22,3 +22,6 @@ operationProfiling:
 
 security:
   keyFile: /etc/keyfile
+  authorization: enabled
+setParameter:
+  authenticationMechanisms: SCRAM-SHA-1,GSSAPI

pmm_psmdb-pbm_setup/conf/mongod-rs1/mongod.conf

@@ -25,3 +25,6 @@ operationProfiling:
 
 security:
   keyFile: /etc/keyfile
+  authorization: enabled
+setParameter:
+  authenticationMechanisms: SCRAM-SHA-1,GSSAPI

pmm_psmdb-pbm_setup/conf/mongod-rs2/mongod.conf

@@ -25,3 +25,6 @@ operationProfiling:
 
 security:
   keyFile: /etc/keyfile
+  authorization: enabled
+setParameter:
+  authenticationMechanisms: SCRAM-SHA-1,GSSAPI

pmm_psmdb-pbm_setup/configure-replset.sh

@@ -84,7 +84,7 @@ db.getSiblingDB("admin").createUser({
 });
 EOF
 echo
-echo "creating pmm user"
+echo "creating pmm regular user"
 docker compose -f docker-compose-rs.yaml exec -T rs101 mongo "mongodb://root:root@localhost/?replicaSet=rs" --quiet << EOF
 db.getSiblingDB("admin").createUser({
     user: "${pmm_mongo_user}",
@@ -100,4 +100,19 @@ db.getSiblingDB("admin").createUser({
         { "db" : "admin", "role" : "pbmAnyAction" }
     ]
 });
+echo "creating pmm kerberos user"
+docker compose -f docker-compose-rs.yaml exec -T rs101 mongo "mongodb://root:root@localhost/?replicaSet=rs" --quiet << EOF
+db.getSiblingDB("\$external").createUser({
+    user: "${pmm_mongo_user}@PERCONATEST.COM",
+    roles: [
+        { role: "explainRole", db: "admin" },
+        { role: "clusterMonitor", db: "admin" },
+        { role: "read", db: "local" },
+        { "db" : "admin", "role" : "readWrite", "collection": "" },
+        { "db" : "admin", "role" : "backup" },
+        { "db" : "admin", "role" : "clusterMonitor" },
+        { "db" : "admin", "role" : "restore" },
+        { "db" : "admin", "role" : "pbmAnyAction" }
+    ]
+});
 EOF

pmm_psmdb-pbm_setup/docker-compose-rs.yaml

@@ -17,7 +17,10 @@ services:
 
   rs101:
     depends_on:
-      - build_member
+      build_member:
+        condition: service_started
+      kerberos:
+        condition: service_healthy
     image: replica_member/local
     profiles: ["classic", "extra"]
     ports:
@@ -34,6 +37,7 @@ services:
       - ./conf/datagen:/etc/datagen:ro
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
       - /tmp/backup_data:/tmp/backup_data:rw
+      - keytabs:/keytabs
     privileged: true
     cgroup: host
     environment:
@@ -44,10 +48,14 @@ services:
       PMM_AGENT_SERVER_INSECURE_TLS: 1
     container_name: rs101
     hostname: rs101
+    entrypoint: bash -c "chown -R mongod:mongod /keytabs && exec /usr/sbin/init"
 
   rs102:
     depends_on:
-      - build_member
+      build_member:
+        condition: service_started
+      kerberos:
+        condition: service_healthy
     image: replica_member/local
     profiles: ["classic", "extra"]
     networks:
@@ -61,6 +69,7 @@ services:
       - ./conf/mongod-rs:/etc/mongod
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
       - /tmp/backup_data:/tmp/backup_data:rw
+      - keytabs:/keytabs
     privileged: true
     cgroup: host
     environment:
@@ -71,10 +80,14 @@ services:
       PMM_AGENT_SERVER_INSECURE_TLS: 1
     container_name: rs102
     hostname: rs102
+    entrypoint: bash -c "chown -R mongod:mongod /keytabs && exec /usr/sbin/init"
 
   rs103:
     depends_on:
-      - build_member
+      build_member:
+        condition: service_started
+      kerberos:
+        condition: service_healthy
     image: replica_member/local
     profiles: ["classic", "extra"]
     networks:
@@ -88,6 +101,7 @@ services:
       - ./conf/mongod-rs:/etc/mongod
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
       - /tmp/backup_data:/tmp/backup_data:rw
+      - keytabs:/keytabs
     privileged: true
     cgroup: host
     environment:
@@ -98,10 +112,14 @@ services:
       PMM_AGENT_SERVER_INSECURE_TLS: 1
     container_name: rs103
     hostname: rs103
+    entrypoint: bash -c "chown -R mongod:mongod /keytabs && exec /usr/sbin/init"
 
   rs201:
     depends_on:
-      - build_member
+      build_member:
+        condition: service_started
+      kerberos:
+        condition: service_healthy
     image: replica_member/local
     profiles: ["extra"]
     ports:
@@ -117,6 +135,7 @@ services:
       - ./conf/mongod-rs:/etc/mongod
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
       - /tmp/backup_data:/tmp/backup_data:rw
+      - keytabs:/keytabs
     privileged: true
     cgroup: host
     environment:
@@ -127,10 +146,14 @@ services:
       PMM_AGENT_SERVER_INSECURE_TLS: 1
     container_name: rs201
     hostname: rs201
+    entrypoint: bash -c "chown -R mongod:mongod /keytabs && exec /usr/sbin/init"
 
   rs202:
     depends_on:
-      - build_member
+      build_member:
+        condition: service_started
+      kerberos:
+        condition: service_healthy
     image: replica_member/local
     profiles: ["extra"]
     networks:
@@ -144,6 +167,7 @@ services:
       - ./conf/mongod-rs:/etc/mongod
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
       - /tmp/backup_data:/tmp/backup_data:rw
+      - keytabs:/keytabs
     privileged: true
     cgroup: host
     environment:
@@ -154,10 +178,14 @@ services:
       PMM_AGENT_SERVER_INSECURE_TLS: 1
     container_name: rs202
     hostname: rs202
+    entrypoint: bash -c "chown -R mongod:mongod /keytabs && exec /usr/sbin/init"
 
   rs203:
     depends_on:
-      - build_member
+      build_member:
+        condition: service_started
+      kerberos:
+        condition: service_healthy
     image: replica_member/local
     profiles: ["extra"]
     networks:
@@ -171,6 +199,7 @@ services:
       - ./conf/mongod-rs:/etc/mongod
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
       - /tmp/backup_data:/tmp/backup_data:rw
+      - keytabs:/keytabs
     privileged: true
     cgroup: host
     environment:
@@ -181,6 +210,7 @@ services:
       PMM_AGENT_SERVER_INSECURE_TLS: 1
     container_name: rs203
     hostname: rs203
+    entrypoint: bash -c "chown -R mongod:mongod /keytabs && exec /usr/sbin/init"
 
   minio:
     image: minio/minio
@@ -218,6 +248,29 @@ services:
     entrypoint: >
       /bin/sh -c " sleep 5; /usr/bin/mc alias set myminio http://minio:9000 minio1234 minio1234; /usr/bin/mc mb myminio/bcp; exit 0; "
 
+  kerberos:
+    image: kerberos/local
+    build:
+      dockerfile: ./Dockerfile-kerberos
+      context: .
+    container_name: kerberos
+    hostname: kerberos
+    networks:
+      - pmm-qa
+      - pmm-ui-tests1
+      - qa-integration
+      - pmm-ui-tests3
+      - pmm-ui-tests2
+    environment:
+      - "KRB5_TRACE=/dev/stderr"
+    volumes:
+      - keytabs:/keytabs
+    healthcheck:
+      test: ["CMD", "kadmin.local", "-q", "listprincs"]
+      interval: 2s
+      timeout: 1s
+      retries: 5
+
 networks:
   qa-integration:
     external: true
@@ -233,3 +286,7 @@ networks:
   pmm-qa:
     name: pmm-qa
     external: true
+
+volumes:
+  keytabs:
+    driver: local