Support SSL parameters (#127) #524

Merged
merged 3 commits into from
Sep 26, 2017

Conversation

ajdavis
Collaborator

@ajdavis ajdavis commented Sep 22, 2017

No description provided.

Collaborator Author

@ajdavis ajdavis left a comment

mlaunch init --help now includes:

SSL Options:
  --sslCAFile SSLCAFILE
                        Certificate Authority file for SSL
  --sslCRLFile SSLCRLFILE
                        Certificate Revocation List file for SSL
  --sslAllowInvalidHostnames
                        allow client and server certificates to provide non-
                        matching hostnames
  --sslAllowInvalidCertificates
                        allow client or server connections with invalid
                        certificates

Server SSL Options:
  --sslOnNormalPorts    use ssl on configured ports
  --sslMode {disabled,allowSSL,preferSSL,requireSSL}
                        set the SSL operation mode
  --sslPEMKeyFile SSLPEMKEYFILE
                        PEM file for ssl
  --sslPEMKeyPassword SSLPEMKEYPASSWORD
                        PEM file password
  --sslClusterFile SSLCLUSTERFILE
                        key file for internal SSL authentication
  --sslClusterPassword SSLCLUSTERPASSWORD
                        internal authentication key file password
  --sslDisabledProtocols SSLDISABLEDPROTOCOLS
                        comma separated list of TLS protocols to disable
                        [TLS1_0,TLS1_1,TLS1_2]
  --sslWeakCertificateValidation
                        allow client to connect without presenting a
                        certificate
  --sslAllowConnectionsWithoutCertificates
                        allow client to connect without presenting a
                        certificate
  --sslFIPSMode         activate FIPS 140-2 mode

Client SSL Options:
  --sslClientCertificate SSLCLIENTCERTIFICATE
                        client certificate file for ssl
  --sslClientPEMKeyFile SSLCLIENTPEMKEYFILE
                        client PEM file for ssl
  --sslClientPEMKeyPassword SSLCLIENTPEMKEYPASSWORD
                        client PEM file password

import sys
import threading
import time
import warnings
Collaborator Author

Since the imports are changing, I'm taking the opportunity to fix their style.

@@ -369,7 +416,7 @@ def init(self):
if first_init:
# add shards
mongos = sorted(self.get_tagged(['mongos']))
con = MongoConnection('localhost:%i'%mongos[0])
con = self.client('localhost:%i' % mongos[0])
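Review bot: `self.client('localhost:%i' % mongos[0])` routes the first-init shard registration through the shared client factory, but the target name stays hardcoded as `localhost`. If the factory passes the `--sslCAFile` CA and the user has not given `--sslAllowInvalidHostnames`, every node's server certificate must be valid for the name `localhost` (SAN or CN) or this connection fails the hostname check under requireSSL while the mongod processes are in fact running. Worth stating in the `--sslCAFile`/`--sslPEMKeyFile` help text or README that certificates should be issued for `localhost`, or that `--sslAllowInvalidHostnames` is needed otherwise.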
Collaborator Author

All the MongoConnection calls need SSL options so I'm refactoring.

@stennie stennie requested a review from kevinadi September 22, 2017 22:17
@stennie stennie added this to the 1.3.1 milestone Sep 22, 2017
@kevinadi
Collaborator

Thanks for the PR Jessie. We've been looking forward to adding SSL support to mlaunch 👍

I found a peculiar issue, though. It seems that mlaunch cannot register that nodes are up and running if I use requireSSL, and thus mlaunch stop won't stop anything. This doesn't seem to happen if I use preferSSL or allowSSL. This is what I see:

$ mlaunch init --replicaset --sslMode preferSSL --sslCAFile ca.crt --sslPEMKeyFile server.pem --sslClientCertificate client.pem
launching: mongod on port 27017
launching: mongod on port 27018
launching: mongod on port 27019
replica set 'replset' initialized.

$ mlaunch list

PROCESS    PORT     STATUS     PID

mongod     27017    running    66871
mongod     27018    running    66874
mongod     27019    running    66877

However, using requireSSL:

$ mlaunch init --replicaset --sslMode requireSSL --sslCAFile ca.crt --sslPEMKeyFile server.pem --sslClientCertificate client.pem
launching: mongod on port 27017
launching: mongod on port 27018
launching: mongod on port 27019
replica set 'replset' initialized.

$ mlaunch list

PROCESS    PORT     STATUS    PID

mongod     27017    down      -
mongod     27018    down      -
mongod     27019    down      -

Could you confirm that you're seeing the same behaviour? Sorry I can't dig deeper into the cause at the moment, but I'll be happy to help you with this.

Kevin

@ajdavis
Collaborator Author

ajdavis commented Sep 25, 2017

Thanks for testing this! I added a commit that fixes the issue with "list". mlaunch hadn't been using the loaded SSL client parameters to connect to the servers and check them.
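
The failure Kevin reported, and the fix described above, come down to one thing: every connection mlaunch opens to its own servers has to carry the same client-side SSL settings that were loaded from the command line, otherwise a requireSSL server rejects the plaintext probe and the node looks "down". The following is an added example, not mlaunch's own code, of how the option names from the `mlaunch init --help` text above map onto client connection arguments and how to check that mapping against the server's `--sslMode` before connecting. It assumes the pymongo 3.x keyword spelling (`ssl`, `ssl_certfile`, `ssl_keyfile`, `ssl_pem_passphrase`, `ssl_ca_certs`, `ssl_crlfile`, `ssl_cert_reqs`, `ssl_match_hostname`); the function names `build_parser`, `client_ssl_kwargs`, `legacy_client_kwargs` and `check_client_matches_server` are illustrative and do not exist in mlaunch. pymongo itself is not imported, so the module runs offline.

```python
"""Added example (not mlaunch's code): derive client SSL connection arguments
from mlaunch-style SSL options and check them against the server --sslMode.

Assumptions: option names follow the `mlaunch init --help` text in the PR;
keyword names follow pymongo 3.x (ssl, ssl_certfile, ...). Function names
here are illustrative only.
"""
import argparse
import ssl


def build_parser():
    """Subset of the three SSL option groups shown in `mlaunch init --help`."""
    p = argparse.ArgumentParser(prog="mlaunch init")
    shared = p.add_argument_group("SSL Options")
    shared.add_argument("--sslCAFile")
    shared.add_argument("--sslCRLFile")
    shared.add_argument("--sslAllowInvalidHostnames", action="store_true")
    shared.add_argument("--sslAllowInvalidCertificates", action="store_true")
    server = p.add_argument_group("Server SSL Options")
    server.add_argument("--sslMode",
                        choices=["disabled", "allowSSL", "preferSSL", "requireSSL"])
    server.add_argument("--sslPEMKeyFile")
    client = p.add_argument_group("Client SSL Options")
    client.add_argument("--sslClientCertificate")
    client.add_argument("--sslClientPEMKeyFile")
    client.add_argument("--sslClientPEMKeyPassword")
    return p


def legacy_client_kwargs(args):
    """What a bare `MongoConnection('localhost:%i' % port)` amounts to:
    no SSL arguments at all, whatever was loaded from the command line."""
    return {}


def client_ssl_kwargs(args):
    """Map parsed options to MongoClient(**kwargs) using pymongo 3.x names.

    Returns {} only when the server does not speak TLS at all. For allowSSL,
    preferSSL and requireSSL the client always negotiates TLS, so one code
    path serves every connection mlaunch opens (init, list, stop, ...).
    """
    if args.sslMode in (None, "disabled"):
        return {}
    kw = {"ssl": True}
    if args.sslClientCertificate:
        kw["ssl_certfile"] = args.sslClientCertificate
    if args.sslClientPEMKeyFile:
        kw["ssl_keyfile"] = args.sslClientPEMKeyFile
    if args.sslClientPEMKeyPassword:
        kw["ssl_pem_passphrase"] = args.sslClientPEMKeyPassword
    if args.sslCAFile:
        kw["ssl_ca_certs"] = args.sslCAFile
    if args.sslCRLFile:
        kw["ssl_crlfile"] = args.sslCRLFile
    # Chain and hostname verification stay on unless explicitly disabled,
    # mirroring the two --sslAllowInvalid* switches in the shared group.
    kw["ssl_cert_reqs"] = (ssl.CERT_NONE if args.sslAllowInvalidCertificates
                           else ssl.CERT_REQUIRED)
    if args.sslAllowInvalidHostnames:
        kw["ssl_match_hostname"] = False
    return kw


def check_client_matches_server(args, kwargs):
    """Pre-flight check for the mismatch seen in the review thread.

    A requireSSL server with a plaintext client never completes a handshake,
    so `mlaunch list` reports every node as down even though mongod is up.
    """
    if args.sslMode == "requireSSL" and not kwargs.get("ssl"):
        return "mismatch: server requires TLS, client would connect in plaintext"
    if kwargs.get("ssl") and not args.sslCAFile and \
            kwargs.get("ssl_cert_reqs") != ssl.CERT_NONE:
        return "warning: TLS with certificate verification but no --sslCAFile"
    return "ok"


if __name__ == "__main__":
    # Constructed invocation, modelled on the requireSSL case from the thread.
    argv = ["--replicaset"] if False else []
    argv += ["--sslMode", "requireSSL", "--sslCAFile", "ca.crt",
             "--sslPEMKeyFile", "server.pem", "--sslClientCertificate", "client.pem"]
    parsed = build_parser().parse_args(argv)
    print(check_client_matches_server(parsed, legacy_client_kwargs(parsed)))
    print(check_client_matches_server(parsed, client_ssl_kwargs(parsed)))
    print(client_ssl_kwargs(parsed))
```

The second `check_client_matches_server` call is the state after the fix: the same parsed options feed both the mongod launch and the client probe, so the server and client sides cannot drift apart. Under preferSSL or allowSSL the legacy plaintext client still connects, which is why the problem only surfaced with requireSSL.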

@kevinadi kevinadi merged commit 7e2dfe3 into rueckstiess:develop Sep 26, 2017
Collaborator

@kevinadi kevinadi left a comment

lgtm
