PSMDB. Add kerberos to setup and test to check PMM GSSAPI support + fix for LDAP group on latest openldap

Author: sandraromanchenko

pmm_psmdb-pbm_setup/Dockerfile

@@ -81,6 +81,7 @@ RUN if [[ "$PMM_CLIENT_VERSION" == http* ]]; then \
 
 COPY conf/sysconfig/mongod /etc/sysconfig/
 COPY keyfile /etc/keyfile
+COPY conf/krb/krb5.conf /etc/krb5.conf
 RUN ln -s /usr/bin/mongosh /usr/bin/mongo || true
 RUN chown mongod /etc/keyfile && chmod 400 /etc/keyfile
 EXPOSE 27017

pmm_psmdb-pbm_setup/conf/krb/krb5.conf

@@ -0,0 +1,16 @@
+[libdefaults]
+    default_realm = PERCONATEST.COM
+    forwardable = true
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+    ignore_acceptor_hostname = true
+    rdns = false
+[realms]
+    PERCONATEST.COM = {
+        kdc_ports = 88
+        kdc = kerberos
+    }
+[domain_realm]
+    .perconatest.com = PERCONATEST.COM
+    perconatest.com = PERCONATEST.COM
+    kerberos = PERCONATEST.COM

pmm_psmdb-pbm_setup/conf/sysconfig/mongod

@@ -1,3 +1,4 @@
 OPTIONS="-f /etc/mongod/mongod.conf"
 STDOUT="/var/log/mongo/mongod.stdout"
 STDERR="/var/log/mongo/mongod.stderr"
+KRB5_KTNAME=/keytabs/mongodb.keytab

pmm_psmdb_diffauth_setup/Dockerfile-kerberos

@@ -0,0 +1,5 @@
+FROM alpine
+RUN apk add --no-cache bash krb5 krb5-server krb5-pkinit
+COPY conf/configure_krb5.sh /var/lib/krb5kdc/
+EXPOSE 88/udp
+ENTRYPOINT [ "sh", "/var/lib/krb5kdc/configure_krb5.sh"]

pmm_psmdb_diffauth_setup/conf/configure_krb5.sh

@@ -0,0 +1,29 @@
+#! /env/sh
+
+cat > /etc/krb5.conf << EOL
+[libdefaults]
+    default_realm = PERCONATEST.COM
+    forwardable = true
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+    ignore_acceptor_hostname = true
+    rdns = false
+[realms]
+    PERCONATEST.COM = {
+        kdc_ports = 88
+        kdc = kerberos
+        admin_server = kerberos
+    }
+[domain_realm]
+    .perconatest.com = PERCONATEST.COM
+    perconatest.com = PERCONATEST.COM
+    kerberos = PERCONATEST.COM
+EOL
+
+kdb5_util -P password create -s
+kadmin.local -q "addprinc -pw password root/admin"
+kadmin.local -q "addprinc -pw mongodb mongodb/psmdb-server"
+kadmin.local -q "addprinc -pw password1 pmm-test"
+kadmin.local -q "ktadd -k /keytabs/mongodb.keytab mongodb/[email protected]"
+
+krb5kdc -n

pmm_psmdb_diffauth_setup/conf/mongod.conf

@@ -26,11 +26,11 @@ security:
     validateLDAPServerConfig: false
     transportSecurity: none
     servers: ldap-server:1389
-    userToDNMapping: '[{match: "arn:aws:iam::(.+):user/(.+)|CN=(.+)", substitution: "cn={1}{2},ou=users,dc=example,dc=org"}]'
+    userToDNMapping: '[{match: "arn:aws:iam::(.+):user/(.+)|CN=(.+)|([^@]+)@PERCONATEST.COM", substitution: "cn={1}{2}{3},ou=users,dc=example,dc=org"}]'
     authz:
        queryTemplate: 'dc=example,dc=org??sub?(&(objectClass=groupOfNames)(member={USER}))'
 setParameter:
-  authenticationMechanisms: SCRAM-SHA-1,PLAIN,MONGODB-X509,MONGODB-AWS
+  authenticationMechanisms: SCRAM-SHA-1,PLAIN,MONGODB-X509,MONGODB-AWS,GSSAPI
 
 replication:
   replSetName: rs0

pmm_psmdb_diffauth_setup/docker-compose-pmm-psmdb.yml

@@ -42,12 +42,14 @@ services:
       - -c
       - |
          cp /mongodb_certs/ca-certs.pem /etc/pki/tls/certs/
+         chown -R mongod:mongod /keytabs
          exec /usr/sbin/init
     volumes:
       - ./conf:/etc/mongod
       - ./certs:/mongodb_certs
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
       - 'psmdb-server-data:/data/db'
+      - keytabs:/keytabs
       - ../pmm_psmdb-pbm_setup/conf/datagen:/etc/datagen:ro
     privileged: true
     cgroup: host
@@ -62,6 +64,8 @@ services:
     depends_on:
       pmm-server:
        condition: service_healthy
+      kerberos:
+       condition: service_healthy
 
   pmm-server:
     container_name: pmm-server
@@ -84,7 +88,7 @@ services:
   ldap-server:
     container_name: ldap-server
     hostname: ldap-server
-    image: bitnami/openldap:2
+    image: bitnami/openldap
     environment:
       - LDAP_ADMIN_USERNAME=admin
       - LDAP_ADMIN_PASSWORD=adminpassword
@@ -96,6 +100,23 @@ services:
     volumes:
       - 'openldap-data:/bitnami/openldap'
 
+  kerberos:
+    image: kerberos/local
+    build:
+      dockerfile: ./Dockerfile-kerberos
+      context: .
+    container_name: kerberos
+    hostname: kerberos
+    environment:
+      - "KRB5_TRACE=/dev/stderr"
+    volumes:
+      - keytabs:/keytabs
+    healthcheck:
+      test: ["CMD", "kadmin.local", "-q", "listprincs"]
+      interval: 2s
+      timeout: 1s
+      retries: 5
+
   minio:
     image: minio/minio
     container_name: minio
@@ -128,3 +149,5 @@ volumes:
     driver: local
   openldap-data:
     driver: local
+  keytabs:
+    driver: local

pmm_psmdb_diffauth_setup/init/setup_psmdb.js

@@ -26,7 +26,7 @@ db.getSiblingDB("admin").createRole({
     roles:[]
 });
 db.getSiblingDB("admin").createRole({
-     role: "cn=readers,ou=users,dc=example,dc=org",
+     role: "cn=readers,ou=groups,dc=example,dc=org",
      privileges: [],
      roles: [
        { role: "explainRole", db: "admin" },

pmm_psmdb_diffauth_setup/test/test.py

@@ -58,6 +58,19 @@ def test_simple_auth_tls():
              '--tls --tls-certificate-key-file=/mongodb_certs/client.pem --tls-ca-file=/mongodb_certs/ca-certs.pem '
              '--cluster=mycluster')
 
+#####
+# All tests for external authentication methods (X509, LDAP, Kerberos, AWS) rely on the `mongod` configuration to handle
+# authentication using the selected method, followed by authorization via LDAP.
+#
+# Therefore, no users are added to `$external` database before testing. Instead, after successful authentication
+# against the selected service, the username is transformed based on the pattern below to match LDAP user
+# `cn=pmm-test,ou=users,dc=example,dc=org`.
+# This user is preconfigured on LDAP server and, after authorization, inherits the privileges assigned in
+# MongoDB to its default group, `cn=readers,ou=users,dc=example,dc=org`.
+#
+# Transformation pattern from `mongod` configuration:
+# [{match: "arn:aws:iam::(.+):user/(.+)|CN=(.+)|([^@]+)@PERCONATEST.COM", substitution: "cn={1}{2}{3},ou=users,dc=example,dc=org"}]
+#####
 
 def test_x509_auth():
     run_test('pmm-admin add mongodb psmdb-server --host=psmdb-server --port 27017 '
@@ -80,6 +93,18 @@ def test_ldap_auth_tls():
              '--tls --tls-certificate-key-file=/mongodb_certs/client.pem --tls-ca-file=/mongodb_certs/ca-certs.pem '
              '--cluster=mycluster')
 
+def test_kerberos_auth_wo_tls():
+    run_test('pmm-admin add mongodb psmdb-server --username="[email protected]" --password=password1 '
+             '--host=psmdb-server --port 27017 '
+             '--authentication-mechanism=GSSAPI --authentication-database=\'$external\' '
+             '--cluster=mycluster')
+
+def test_kerberos_auth_tls():
+    run_test('pmm-admin add mongodb psmdb-server --username="[email protected]" --password=password1 '
+             '--host=psmdb-server --port 27017 '
+             '--authentication-mechanism=GSSAPI --authentication-database=\'$external\' '
+             '--tls --tls-certificate-key-file=/mongodb_certs/client.pem --tls-ca-file=/mongodb_certs/ca-certs.pem '
+             '--cluster=mycluster')
 
 @pytest.mark.skipif(
     any(not os.environ.get(var) for var in env_vars) or os.environ.get('SKIP_AWS_TESTS') == 'true',