[Pulp-list] MongoDB Users
Jay Dobies
jason.dobies at redhat.com
Wed Sep 21 19:31:57 UTC 2011
>> I think a basic level of support may be working,
>> if the username:password are included in a URI as described here:
>> http://www.mongodb.org/display/DOCS/Connections
>>
>> The configuration change to pulp would be to update 'seeds' under
>> [database].
>> That string is passed into the pymongo connection, so
>> username/password settings should be obeyed.
Curiosity and lack of focus today led me to test this. It kinda works.
First off, configuring Mongo for auth is wonky. The relevant config file
snippet:
# Turn on/off security. Off is currently the default
#noauth = true
#auth = true
That leaves 4 possible permutations of values for what amounts to only a
binary decision*. I didn't play around with the odd potentials (for
instance, both auth and noauth set to true) and just went with the
obvious two values.
* The flags are the same; if you wanted, you could run "mongod --auth
--noauth".
Even then, auth is silently not enabled even if you have a user on the
database you want to protect. You need a user on the admin database as
well, otherwise you don't get auth anywhere. I won't go into user
add/remove here, but ping me if you want, it's pretty easy if you know
about that gotcha.
So that said, I restarted Pulp and when trying to do a repo list I got
errors in ssl_error_log, similar to the following (I snipped out the rest
of it but trust me, it was coming from pymongo):
[Wed Sep 21 15:15:47 2011] [error] [client 192.168.0.201] OperationFailure: unauthorized
No surprise there. So I added the user/pass to the seeds in pulp.conf:
seeds: jdob:awesome@localhost
That made the apache logs happy, but I got errors in Pulp's log this time:
  File "/home/jdob/code/pulp/src/pulp/server/api/user.py", line 94, in user
    users = self.users({'login': login}, fields)
  File "/home/jdob/code/pulp/src/pulp/server/api/user.py", line 87, in users
    users = list(self.collection.find(spec=spec, fields=fields))
[jdob: snip]
    error_object["$err"])
OperationFailure: database error: unauthorized db:pulp_database lock type:-1 client:127.0.0.1
I did a quick check and it looks like the users collection is coming out
of our normal database connection code, which means it should have the
credentials and be authenticated with mongo. I know that user can write
to, at the very least, the repos collection, which I did in the shell itself.
So it's possible we need a little bit of work, or just that I'm missing
something in the mongo configuration. Either way, I'm done looking at
this for now. We can revisit when it comes up in a sprint.
--
Jay Dobies
RHCE# 805008743336126
Freenode: jdob @ #pulp
http://pulpproject.org | http://blog.pulpproject.org
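
Added example, not part of the original message and not Pulp's or MongoDB's own code: a small pre-flight check that compares the auth/noauth pair in mongod's config with the credentials in Pulp's seeds value, and masks the password before the seeds string is logged. It assumes the legacy "key = value" mongod.conf shown above and a comma-separated seeds list of the form user:password@host; all function names are hypothetical.

```python
import re

# Constructed sample: the page's snippet with auth uncommented, and its seeds value.
SAMPLE_CONF = "# Turn on/off security. Off is currently the default\n#noauth = true\nauth = true\n"
SAMPLE_SEEDS = "jdob:awesome@localhost"

def auth_state(conf_text):
    """Classify the auth/noauth pair in a legacy key = value mongod.conf."""
    flags = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # commented-out settings do not count
        m = re.match(r"(auth|noauth)\s*=\s*(\w+)$", line)
        if m:
            flags[m.group(1)] = m.group(2).lower() == "true"
    auth, noauth = flags.get("auth"), flags.get("noauth")
    if auth is not None and auth == noauth:
        return "ambiguous"  # both true or both false: not tested in the post
    # Assumption: only auth = true enables auth; everything else is the default, off.
    return "on" if auth else "off"

def split_seed(seed):
    """Split 'user:password@host[:port]' into (user, password, host)."""
    userinfo, at, host = seed.strip().rpartition("@")
    if not at:
        return None, None, host
    user, _, password = userinfo.partition(":")
    return user, password or None, host

def redact(seeds):
    """Return the seeds string with passwords masked, safe to write to a log."""
    out = []
    for user, password, host in map(split_seed, seeds.split(",")):
        if not user:
            out.append(host)
        else:
            out.append(f"{user}:***@{host}" if password else f"{user}@{host}")
    return ",".join(out)

def audit(conf_text, seeds):
    """List mismatches between mongod's auth setting and the Pulp seeds."""
    state = auth_state(conf_text)
    has_creds = any(split_seed(s)[0] for s in seeds.split(","))
    findings = []
    if state == "ambiguous":
        findings.append("auth and noauth are set to the same value")
    if state == "on" and not has_creds:
        findings.append("auth is on but seeds carry no credentials")
    if state == "off" and has_creds:
        findings.append("seeds carry credentials but auth is off")
    return findings
```

A clean result from audit() does not cover the admin-user gotcha described in the message; confirming that auth is actually enforced still needs a check against the running server.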