[Pulp-list] Pulp (MongoDB) Security Configuration

Lesley Kimmel lesley.j.kimmel at gmail.com
Fri Feb 12 14:03:27 UTC 2016


FYI, here are the steps I took to get a very basic, self-signed SSL
configuration in place:

$ openssl req -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mongodb
Email Address []:
$ cat mongodb-cert.* >> mongodb.pem

Add 'sslOnNormalPorts = 1' and 'sslPemKeyFile = /etc/ssl/mongodb.pem' to
/etc/mongodb.conf

Add 'ssl: true' and 'verify_ssl: true' to [database] section of
/etc/pulp/server.conf
BONUS: Because I used 'mongodb' in the certificate above and 'verify_ssl'
in the Pulp configuration, Pulp expects its request to match the returned
CN. In order to do this, do the following:
- Add 'seeds: mongodb:27017' to the [database] section of
/etc/pulp/server.conf
- Add 'mongodb' to the '127.0.0.1' line of /etc/hosts

On Wed, Jan 27, 2016 at 12:29 PM, Kodiak Firesmith <kfiresmith at gmail.com>
wrote:

> Hi Lesley,
> I just had to do this during my setup.  Well, part b at least - haven't
> throttled the # connections.
>
> Here is what is working for me, YMMV as I'm hardly an expert:
>
> > use pulp_database
> switched to db pulp_database
> > show users
> {
> "_id" : "pulp_database.pulpAdministrator",
> "user" : "pulpAdministrator",
> "db" : "pulp_database",
> "roles" : [
> {
> "role" : "dbAdmin",
> "db" : "pulp_database"
> },
> {
> "role" : "readWrite",
> "db" : "pulp_database"
> }
> ]
> }
>
>
> Hit me up on #pulp if you have any trouble and I'll see if your errors
> match any of the ones I hit during my struggle to get mongo auth set up :)
>
> On Wed, Jan 27, 2016 at 1:21 PM, Lesley Kimmel <lesley.j.kimmel at gmail.com>
> wrote:
>
>> All;
>>
>> I am attempting to secure Satellite/Katello per DoD security guidance.
>> The first few items I need to do is to limit incoming connections and to
>> enable access control. Along those lines can anyone answer:
>>
>> a) How many connections to MongoDB does Pulp require? Is it configurable?
>> b) Out of the box there is no access control between Pulp and MongoDB.
>> What are the minimum permissions/roles needed for a user to allow Pulp to
>> do what it needs to do?
>>
>
>
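The SSL steps from Lesley's reply, as an added example that is not part of the thread: a POSIX shell script that generates the self-signed certificate non-interactively with CN=mongodb, builds the combined PEM, and checks that the certificate's CN matches the host named in the 'seeds' line of server.conf, which is what 'verify_ssl: true' requires. The working directory, the path to server.conf and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the MongoDB PEM the way the
# post does, but non-interactively, and checks the CN against Pulp's seeds.
set -eu

# make_mongodb_pem DIR CN : writes DIR/mongodb.pem (cert + key), exit 0 on success
make_mongodb_pem() {
    dir=$1; cn=$2
    # -subj replaces the interactive prompts; everything but CN is left empty
    openssl req -new -x509 -days 3650 -nodes -subj "/CN=$cn" \
        -out "$dir/mongodb-cert.crt" -keyout "$dir/mongodb-cert.key" 2>/dev/null
    # Same concatenation as 'cat mongodb-cert.* >> mongodb.pem', but with '>'
    # so a rerun does not append a second copy into an existing file.
    cat "$dir/mongodb-cert.crt" "$dir/mongodb-cert.key" > "$dir/mongodb.pem"
    chmod 600 "$dir/mongodb.pem"   # the PEM contains the private key
}

# cert_cn PEM : prints the CN of the certificate inside PEM
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# seed_host SERVER_CONF : prints the host part of the 'seeds' key
# (accepts 'seeds: host:port' and 'seeds = host:port'; first seed only)
seed_host() {
    sed -n 's/^seeds[[:space:]]*[:=][[:space:]]*\([^:,[:space:]]*\).*/\1/p' "$1"
}

# check_cn_matches PEM SERVER_CONF : exit 0 only if the cert CN equals the
# seeds host; with verify_ssl: true, a mismatch means Pulp rejects the cert.
# (The seeds host must also resolve, hence the /etc/hosts entry in the post.)
check_cn_matches() {
    [ "$(cert_cn "$1")" = "$(seed_host "$2")" ]
}
```

Run as `make_mongodb_pem /etc/ssl mongodb && check_cn_matches /etc/ssl/mongodb.pem /etc/pulp/server.conf` to build the PEM and confirm the CN matches before turning on verify_ssl.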