[Pulp-list] MongoDB Users

Jay Dobies jason.dobies at redhat.com
Wed Sep 21 19:31:57 UTC 2011


>> I think a basic level of support may be working,
>> if the username:password are included in a URI as described here:
>> http://www.mongodb.org/display/DOCS/Connections
>>
>> The configuration change to pulp would be to update 'seeds' under
>> [database].
>> That string is passed into the pymongo connection, so
>> username/password settings should be obeyed.

Curiosity and lack of focus today led me to test this. It kinda works.

First off, configuring Mongo for auth is wonky. The relevant config file 
snippet:

# Turn on/off security.  Off is currently the default
#noauth = true
#auth = true

That leaves 4 possible permutations of values for what amounts to only a 
binary decision*. I didn't play around with the odd potentials (for 
instance, both auth and noauth set to true) and just went with the 
obvious two values.

* The flags are the same; if you wanted, you could run "mongod --auth 
--noauth".

Even then, auth is silently not enabled even if you have a user on the 
database you want to protect. You need a user on the admin database as 
well, otherwise you don't get auth anywhere. I won't go into user 
add/remove here, but ping me if you want, it's pretty easy if you know 
about that gotcha.

So that said, I restarted Pulp and when trying to do a repo list I got 
errors in ssl_error_log, similar to the following (I snipped out the rest 
of it but trust me, it was coming from pymongo):

[Wed Sep 21 15:15:47 2011] [error] [client 192.168.0.201] OperationFailure: unauthorized

No surprise there. So I added the user/pass to the seeds in pulp.conf:

seeds: jdob:awesome@localhost

That made the apache logs happy, but I got errors in Pulp's log this time:

   File "/home/jdob/code/pulp/src/pulp/server/api/user.py", line 94, in user
     users = self.users({'login': login}, fields)
   File "/home/jdob/code/pulp/src/pulp/server/api/user.py", line 87, in users
     users = list(self.collection.find(spec=spec, fields=fields))
[jdob: snip]
     error_object["$err"])
OperationFailure: database error: unauthorized db:pulp_database lock type:-1 client:127.0.0.1

I did a quick check and it looks like the users collection is coming out 
of our normal database connection code, which means it should have the 
credentials and be authenticated with mongo. I know that user can write 
to, at the very least, the repos collection, which I did in the shell itself.

So it's possible we need a little bit of work, or just that I'm missing 
something in the mongo configuration. Either way, I'm done looking at 
this for now. We can revisit when it comes up in a sprint.


-- 
Jay Dobies
RHCE# 805008743336126
Freenode: jdob @ #pulp
http://pulpproject.org | http://blog.pulpproject.org
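
An added example, not from the original post or from Pulp's code: a small audit that cross-checks the two settings discussed above, the auth/noauth flags in an old-style mongod.conf and the seeds value under [database] in pulp.conf. The function names, the comma-separated seed list and the sample file contents are assumptions constructed for illustration.

```python
import configparser

# Constructed sample inputs, modelled on the snippets quoted in the post.
MONGOD_CONF = "# Turn on/off security.  Off is currently the default\n#noauth = true\nauth = true\n"
PULP_CONF = "[database]\nseeds: localhost:27017\n"

def mongod_auth_state(conf_text):
    """Classify the auth/noauth pair in an old-style 'key = value' mongod.conf."""
    flags = {"auth": False, "noauth": False}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # commented-out lines set nothing
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in flags:
            flags[key] = value.lower() == "true"
    if flags["auth"] and flags["noauth"]:
        return "conflict"   # untested in the post, so reported rather than guessed
    return "on" if flags["auth"] else "off"   # conservative: anything else is off

def seeds_have_credentials(pulp_conf_text):
    """True if a seed under [database] has the user:password@host form."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(pulp_conf_text)
    seeds = parser.get("database", "seeds", fallback="")
    for seed in seeds.split(","):   # assumption: comma-separated seed list
        userinfo, at, _host = seed.strip().split("://", 1)[-1].rpartition("@")
        if at and ":" in userinfo:
            return True
    return False

def audit(mongod_conf, pulp_conf):
    """Cross-check server-side enforcement against client-side credentials."""
    state = mongod_auth_state(mongod_conf)
    creds = seeds_have_credentials(pulp_conf)
    if state == "conflict":
        return "AMBIGUOUS: auth and noauth are both true; set exactly one"
    if state == "off":
        return "UNPROTECTED: mongod does not enforce auth" + (
            "; credentials in seeds add no protection" if creds else "")
    if not creds:
        return "MISMATCH: auth is on but seeds carry no credentials; expect 'unauthorized'"
    return "OK: auth on, seeds carry credentials; confirm a user exists on the admin database"

if __name__ == "__main__":
    print(audit(MONGOD_CONF, PULP_CONF))
```

The config files cannot show whether a user exists on the admin database, so the OK result still needs that check made against the running server.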



