4 changes: 4 additions & 0 deletions .gitignore
Expand Up @@ -6,6 +6,10 @@ yarn-debug.log*
yarn-error.log*
lerna-debug.log*

pmm_framework
certs
pki

# Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

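--- a/pmm_psmdb-pbm_setup/Dockerfile
+++ b/pmm_psmdb-pbm_setup/Dockerfile
@@ -84,7 +84,8 @@ RUN if [[ "$PMM_CLIENT_VERSION" == http* ]]; then \
 curl -Lf -o /tmp/mgodatagen.tar.gz https://github.com/feliixx/mgodatagen/releases/download/v0.11.2/mgodatagen_0.11.2_Linux_x86_64.tar.gz && \
 tar -xf /tmp/mgodatagen.tar.gz -C /usr/bin && \
 dnf clean all; \
-rm -rf /var/cache/dnf /var/cache/dnf /data/db && mkdir -p /data/db;
+rm -rf /var/cache/dnf /var/cache/dnf /data/db && mkdir -p /data/db; \
+dnf -y install krb5-workstation
 
 COPY conf/sysconfig/mongod /etc/sysconfig/
 COPY keyfile /etc/keyfile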
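Review bot: `dnf -y install krb5-workstation` is joined to the previous step with `;`, so a failed package install does not fail the image build, and it runs after `dnf clean all` and the `rm -rf /var/cache/dnf` cleanup, which leaves fresh dnf metadata and cache in the final layer. Move the install before the cleanup and chain it with `&&`, e.g. replace the `dnf clean all; \` line with `dnf -y install krb5-workstation && dnf clean all; \` and restore the `rm -rf ... && mkdir -p /data/db;` line as the last statement. The `RUN if [[ "$PMM_CLIENT_VERSION" == http* ]]` instruction starts outside this hunk, so check that the other branch of the `if` gets the same package if it also needs Kerberos client tools.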
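--- /dev/null
+++ b/pmm_psmdb-pbm_setup/conf/configure_krb5.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Configure Kerberos for replicaset setup
+set -e
+
+# Create krb5.conf
+cat > /etc/krb5.conf << EOL
+[libdefaults]
+default_realm = PERCONATEST.COM
+forwardable = true
+dns_lookup_realm = false
+dns_lookup_kdc = false
+ignore_acceptor_hostname = true
+rdns = false
+[realms]
+PERCONATEST.COM = {
+kdc_ports = 88
+kdc = kerberos
+admin_server = kerberos
+}
+[domain_realm]
+.perconatest.com = PERCONATEST.COM
+perconatest.com = PERCONATEST.COM
+kerberos = PERCONATEST.COM
+EOL
+
+# Initialize Kerberos database only if it doesn't exist
+if [ ! -f /var/lib/krb5kdc/principal ]; then
+kdb5_util -P password create -s
+fi
+# Add principals (ignore if they already exist)
+kadmin.local -q "addprinc -pw password root/admin" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs101" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs102" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs103" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/127.0.0.1" 2>/dev/null || true
+kadmin.local -q "addprinc -pw password1 pmm-test" 2>/dev/null || true
+
+# Create extra replicaset member principals if needed
+if [ "${COMPOSE_PROFILES}" = "extra" ]; then
+kadmin.local -q "addprinc -pw mongodb mongodb/rs201" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs202" 2>/dev/null || true
+kadmin.local -q "addprinc -pw mongodb mongodb/rs203" 2>/dev/null || true
+fi
+
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs101@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs102@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs103@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/127.0.0.1@PERCONATEST.COM"
+
+if [ "${COMPOSE_PROFILES}" = "extra" ]; then
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs201@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs202@PERCONATEST.COM"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/rs203@PERCONATEST.COM"
+fi
+
+# Add pmm-test principal to keytab
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab pmm-test@PERCONATEST.COM"
+
+# Start KDC and keep it running
+krb5kdc -n &
+kadmind &
+tail -f /dev/null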
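Review bot: The `ktadd` calls, from `mongodb/rs101@PERCONATEST.COM` through `pmm-test@PERCONATEST.COM`, are not idempotent, unlike the `addprinc` lines guarded with `|| true` above them: when the container restarts against the persisted database that the `/var/lib/krb5kdc/principal` check allows for, each `ktadd` randomizes the principal's key again and appends a new kvno entry to `/keytabs/mongodb.keytab`, and for `pmm-test` that discards the password set with `addprinc -pw password1 pmm-test`, so password-based `kinit` for that principal only works on the first run. Either skip key extraction when the keytab already exists (`[ -f /keytabs/mongodb.keytab ] || { ...ktadd lines...; }`) or keep the password principal's key stable with `kadmin.local -q "ktadd -norandkey -k /keytabs/mongodb.keytab pmm-test@PERCONATEST.COM"`. Separately, `krb5kdc -n &` and `kadmind &` are kept alive only by `tail -f /dev/null`, so a crashed KDC leaves the container up and the compose healthcheck (`kadmin.local -q listprincs`, which does not need a running KDC) still passing; running `krb5kdc -n` in the foreground as the last command would at least turn a KDC exit into a container exit. Note that Dockerfile-kerberos runs this file with `sh`, not the `#!/bin/bash` shebang, so the script must stay POSIX — it is today, since it only uses `[ ]`.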
1 change: 1 addition & 0 deletions pmm_psmdb-pbm_setup/conf/krb/krb5.conf
Expand Up @@ -9,6 +9,7 @@
PERCONATEST.COM = {
kdc_ports = 88
kdc = kerberos
admin_server = kerberos
}
[domain_realm]
.perconatest.com = PERCONATEST.COM
4 changes: 4 additions & 0 deletions pmm_psmdb-pbm_setup/conf/mongod-rs/mongod.conf
Expand Up @@ -22,3 +22,7 @@ operationProfiling:

security:
keyFile: /etc/keyfile
authorization: enabled

setParameter:
authenticationMechanisms: SCRAM-SHA-1,GSSAPI
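Review bot: `authenticationMechanisms: SCRAM-SHA-1,GSSAPI` replaces the server's default mechanism list rather than extending it, so SCRAM-SHA-256 is no longer offered and any user whose stored credentials are SCRAM-SHA-256 only will fail to authenticate after this change. Unless SHA-256 is deliberately excluded, list it too: `authenticationMechanisms: SCRAM-SHA-256,SCRAM-SHA-1,GSSAPI`. Also, with `authorization: enabled` now shipped in this file, the `sed` in start-rs-only.sh that rewrites `authorization: disabled` presumably no longer matches anything; one of the two should be dropped so the intended state is declared in a single place.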
76 changes: 76 additions & 0 deletions pmm_psmdb-pbm_setup/docker-compose-rs.yaml
Expand Up @@ -18,6 +18,7 @@ services:
rs101:
depends_on:
- build_member
- kerberos
image: replica_member/local
profiles: ["classic", "extra"]
ports:
Expand All @@ -34,6 +35,7 @@ services:
- ./conf/datagen:/etc/datagen:ro
- /sys/fs/cgroup:/sys/fs/cgroup:rw
- /tmp/backup_data:/tmp/backup_data:rw
- keytabs:/keytabs
privileged: true
cgroup: host
environment:
Expand All @@ -44,10 +46,17 @@ services:
PMM_AGENT_SERVER_INSECURE_TLS: 1
container_name: rs101
hostname: rs101
entrypoint:
- bash
- -c
- |
chown -R mongod:mongod /keytabs
exec /usr/sbin/init

rs102:
depends_on:
- build_member
- kerberos
image: replica_member/local
profiles: ["classic", "extra"]
networks:
Expand All @@ -61,6 +70,7 @@ services:
- ./conf/mongod-rs:/etc/mongod
- /sys/fs/cgroup:/sys/fs/cgroup:rw
- /tmp/backup_data:/tmp/backup_data:rw
- keytabs:/keytabs
privileged: true
cgroup: host
environment:
Expand All @@ -71,10 +81,17 @@ services:
PMM_AGENT_SERVER_INSECURE_TLS: 1
container_name: rs102
hostname: rs102
entrypoint:
- bash
- -c
- |
chown -R mongod:mongod /keytabs
exec /usr/sbin/init

rs103:
depends_on:
- build_member
- kerberos
image: replica_member/local
profiles: ["classic", "extra"]
networks:
Expand All @@ -88,6 +105,7 @@ services:
- ./conf/mongod-rs:/etc/mongod
- /sys/fs/cgroup:/sys/fs/cgroup:rw
- /tmp/backup_data:/tmp/backup_data:rw
- keytabs:/keytabs
privileged: true
cgroup: host
environment:
Expand All @@ -98,10 +116,17 @@ services:
PMM_AGENT_SERVER_INSECURE_TLS: 1
container_name: rs103
hostname: rs103
entrypoint:
- bash
- -c
- |
chown -R mongod:mongod /keytabs
exec /usr/sbin/init

rs201:
depends_on:
- build_member
- kerberos
image: replica_member/local
profiles: ["extra"]
ports:
Expand All @@ -117,6 +142,7 @@ services:
- ./conf/mongod-rs:/etc/mongod
- /sys/fs/cgroup:/sys/fs/cgroup:rw
- /tmp/backup_data:/tmp/backup_data:rw
- keytabs:/keytabs
privileged: true
cgroup: host
environment:
Expand All @@ -127,10 +153,17 @@ services:
PMM_AGENT_SERVER_INSECURE_TLS: 1
container_name: rs201
hostname: rs201
entrypoint:
- bash
- -c
- |
chown -R mongod:mongod /keytabs
exec /usr/sbin/init

rs202:
depends_on:
- build_member
- kerberos
image: replica_member/local
profiles: ["extra"]
networks:
Expand All @@ -144,6 +177,7 @@ services:
- ./conf/mongod-rs:/etc/mongod
- /sys/fs/cgroup:/sys/fs/cgroup:rw
- /tmp/backup_data:/tmp/backup_data:rw
- keytabs:/keytabs
privileged: true
cgroup: host
environment:
Expand All @@ -154,10 +188,17 @@ services:
PMM_AGENT_SERVER_INSECURE_TLS: 1
container_name: rs202
hostname: rs202
entrypoint:
- bash
- -c
- |
chown -R mongod:mongod /keytabs
exec /usr/sbin/init

rs203:
depends_on:
- build_member
- kerberos
image: replica_member/local
profiles: ["extra"]
networks:
Expand All @@ -171,6 +212,7 @@ services:
- ./conf/mongod-rs:/etc/mongod
- /sys/fs/cgroup:/sys/fs/cgroup:rw
- /tmp/backup_data:/tmp/backup_data:rw
- keytabs:/keytabs
privileged: true
cgroup: host
environment:
Expand All @@ -181,6 +223,12 @@ services:
PMM_AGENT_SERVER_INSECURE_TLS: 1
container_name: rs203
hostname: rs203
entrypoint:
- bash
- -c
- |
chown -R mongod:mongod /keytabs
exec /usr/sbin/init

minio:
image: minio/minio
Expand Down Expand Up @@ -218,6 +266,30 @@ services:
entrypoint: >
/bin/sh -c " sleep 5; /usr/bin/mc alias set myminio http://minio:9000 minio1234 minio1234; /usr/bin/mc mb myminio/bcp; exit 0; "

kerberos:
image: kerberos/local
build:
dockerfile: ../pmm_psmdb_diffauth_setup/Dockerfile-kerberos
context: .
container_name: kerberos
hostname: kerberos
profiles: ["classic", "extra"]
networks:
- pmm-qa
- pmm-ui-tests1
- qa-integration
- pmm-ui-tests2
- pmm-ui-tests3
environment:
- "KRB5_TRACE=/dev/stderr"
volumes:
- keytabs:/keytabs
healthcheck:
test: ["CMD", "kadmin.local", "-q", "listprincs"]
interval: 2s
timeout: 1s
retries: 5

networks:
qa-integration:
external: true
Expand All @@ -233,3 +305,7 @@ networks:
pmm-qa:
name: pmm-qa
external: true

volumes:
keytabs:
driver: local
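Review bot: The `healthcheck` added on the `kerberos` service is never consumed, because every member (`rs101` through `rs203`) lists `- kerberos` in the short list form of `depends_on`, which only orders container creation; the new `chown -R mongod:mongod /keytabs` entrypoint and `exec /usr/sbin/init` can therefore run before configure_krb5.sh has written `/keytabs/mongodb.keytab`, and mongod may start without a keytab. Use the map form with `kerberos:` / `condition: service_healthy` (and `build_member:` / `condition: service_started`, since list and map entries cannot be mixed). Even then the check `kadmin.local -q listprincs` succeeds as soon as the KDC database exists, which is before the `ktadd` steps, so a check that tests for the keytab file (for example `test -s /keytabs/mongodb.keytab`) would match what the members actually need. The shared `keytabs` volume is mounted read-write in all six members and chowned by each on start; if only `kerberos` is meant to write it, document that in a comment next to the volume definition.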
28 changes: 28 additions & 0 deletions pmm_psmdb-pbm_setup/start-rs-only.sh
Expand Up @@ -27,9 +27,37 @@ if [ $mongo_setup_type == "pss" ]; then
else
bash -e ./configure-psa.sh
fi

# Enable authorization first
echo "Enabling authorization..."
docker exec rs101 sed -i 's/authorization: disabled/authorization: enabled/' /etc/mongod/mongod.conf
docker exec rs101 systemctl restart mongod
sleep 10

# Setup Kerberos users after authorization is enabled
echo "Setting up Kerberos authentication users..."
# Wait for MongoDB to be ready
sleep 5
# Direct command to create Kerberos user
docker exec rs101 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').createUser({user: 'pmm-test@PERCONATEST.COM', roles: [{role: 'explainRole', db: 'admin'}, {role: 'clusterMonitor', db: 'admin'}, {role: 'userAdminAnyDatabase', db: 'admin'}, {role: 'dbAdminAnyDatabase', db: 'admin'}, {role: 'readWriteAnyDatabase', db: 'admin'}, {role: 'read', db: 'local'}]})"
echo "✓ Kerberos user setup completed"

bash -x ./configure-agents.sh

if [ $profile = "extra" ]; then
# Enable authorization first
echo "Enabling authorization..."
docker exec rs201 sed -i 's/authorization: disabled/authorization: enabled/' /etc/mongod/mongod.conf
docker exec rs201 systemctl restart mongod
sleep 10

# Setup Kerberos users after authorization is enabled
echo "Setting up Kerberos authentication users..."
# Wait for MongoDB to be ready
sleep 5
# Direct command to create Kerberos user
docker exec rs201 mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').createUser({user: 'pmm-test@PERCONATEST.COM', roles: [{role: 'explainRole', db: 'admin'}, {role: 'clusterMonitor', db: 'admin'}, {role: 'userAdminAnyDatabase', db: 'admin'}, {role: 'dbAdminAnyDatabase', db: 'admin'}, {role: 'readWriteAnyDatabase', db: 'admin'}, {role: 'read', db: 'local'}]})"
echo "✓ Kerberos user setup completed"
if [ $mongo_setup_type == "pss" ]; then
bash -x ./configure-extra-replset.sh
else
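Review bot: `echo "✓ Kerberos user setup completed"` is printed regardless of whether the preceding `docker exec rs101 mongo ... createUser(...)` succeeded, and the identical eleven-line block is repeated for `rs201` inside the `if [ $profile = "extra" ]` branch, so a failed `createUser` (for instance on a re-run when the user already exists) is reported as success on both members. Pull the block into a helper that checks the exit status and call it once per member; the fixed `sleep 10` / `sleep 5` waits could later be replaced by polling the member, but that is left as-is below. The `if [ $mongo_setup_type == "pss" ]` block at the top of the hunk begins before it, and the `extra` branch continues past its end.

```shell
# … unchanged: configure-psa.sh branch and its closing fi …

# Enable authorization on one member, then register the Kerberos test user on it.
# Arguments: $1 - container name of the member (e.g. rs101)
# Returns:   0 on success, 1 if createUser failed
setup_kerberos_user() {
  local member=$1
  echo "Enabling authorization on ${member}..."
  docker exec "${member}" sed -i 's/authorization: disabled/authorization: enabled/' /etc/mongod/mongod.conf
  docker exec "${member}" systemctl restart mongod
  sleep 10

  echo "Setting up Kerberos authentication users on ${member}..."
  # Wait for MongoDB to be ready
  sleep 5
  if docker exec "${member}" mongo --quiet -u root -p root --authenticationDatabase admin --eval "db.getSiblingDB('\$external').createUser({user: 'pmm-test@PERCONATEST.COM', roles: [{role: 'explainRole', db: 'admin'}, {role: 'clusterMonitor', db: 'admin'}, {role: 'userAdminAnyDatabase', db: 'admin'}, {role: 'dbAdminAnyDatabase', db: 'admin'}, {role: 'readWriteAnyDatabase', db: 'admin'}, {role: 'read', db: 'local'}]})"; then
    echo "✓ Kerberos user setup completed on ${member}"
  else
    echo "Kerberos user setup failed on ${member}" >&2
    return 1
  fi
}

setup_kerberos_user rs101

bash -x ./configure-agents.sh

if [ $profile = "extra" ]; then
  setup_kerberos_user rs201
  # … unchanged: configure-extra-replset.sh / PSA branch …
```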
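--- a/pmm_psmdb_diffauth_setup/Dockerfile-kerberos
+++ b/pmm_psmdb_diffauth_setup/Dockerfile-kerberos
@@ -2,4 +2,4 @@ FROM alpine
 RUN apk add --no-cache bash krb5 krb5-server krb5-pkinit
 COPY conf/configure_krb5.sh /var/lib/krb5kdc/
 EXPOSE 88/udp
-ENTRYPOINT [ "sh", "/var/lib/krb5kdc/configure_krb5.sh"]
+ENTRYPOINT [ "sh", "/var/lib/krb5kdc/configure_krb5.sh"]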