
Re: [Pulp-list] MongoDB Users

I think a basic level of support may be working,
if the username:password are included in a URI as described here:

The configuration change to pulp would be to update 'seeds' under
That string is passed into the pymongo connection, so
username/password settings should be obeyed.

Curiosity and lack of focus today led me to test this. It kinda works.

First off, configuring Mongo for auth is wonky. The relevant config file snippet:

# Turn on/off security.  Off is currently the default
#noauth = true
#auth = true

That leaves 4 possible permutations of values for what amounts to only a binary decision*. I didn't play around with the odd potentials (for instance, both auth and noauth set to true) and just went with the obvious two values.

* The flags are the same; if you wanted, you could run "mongod --auth --noauth".

Even then, auth is silently not enabled even if you have a user on the database you want to protect. You need a user on the admin database as well, otherwise you don't get auth anywhere. I won't go into user add/remove here, but ping me if you want, it's pretty easy if you know about that gotcha.

So that said, I restarted Pulp and when trying to do a repo list I got errors in ssl_error_log, similar to the following (I snipped out the rest of it but trust me, it was coming from pymongo):

[Wed Sep 21 15:15:47 2011] [error] [client] OperationFailure: unauthorized

No surprise there. So I added the user/pass to the seeds in pulp.conf:

seeds: jdob:awesome localhost

That made the apache logs happy, but I got errors in Pulp's log this time:

  File "/home/jdob/code/pulp/src/pulp/server/api/user.py", line 94, in user
    users = self.users({'login': login}, fields)
  File "/home/jdob/code/pulp/src/pulp/server/api/user.py", line 87, in users
    users = list(self.collection.find(spec=spec, fields=fields))
[jdob: snip]
OperationFailure: database error: unauthorized db:pulp_database lock type:-1 client:127.0.

I did a quick check and it looks like the users collection is coming out of our normal database connection code, which means it should have the credentials and be authenticated with mongo. I know that user can write to, at the very least, the repos collection, which I did in the shell itself.

So it's possible we need a little bit of work, or just that I'm missing something in the mongo configuration. Either way, I'm done looking at this for now. We can revisit when it comes up in a sprint.

Jay Dobies
RHCE# 805008743336126
Freenode: jdob @ #pulp
http://pulpproject.org | http://blog.pulpproject.org
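
An added illustration, not part of the original message and not Pulp's code: a small helper that, assuming the seeds value is written as a standard `mongodb://user:password@host/db` connection string, reports which database the credentials are authenticated against and produces a password-free form that is safe to log. The function name and the sample URIs and credentials are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs, unquote


def describe_mongo_uri(uri):
    """Summarise the auth-relevant parts of a MongoDB connection string."""
    parts = urlsplit(uri)
    if parts.scheme != "mongodb":
        raise ValueError("expected a mongodb:// URI")

    # Split credentials from hosts by hand: the host part may be a
    # comma-separated seed list, which urlsplit's hostname/port reject.
    userinfo, at, hosts = parts.netloc.rpartition("@")
    raw_user, colon, _raw_password = userinfo.partition(":")
    user = unquote(raw_user) if at else None

    # Connection-string convention: an explicit authSource option wins,
    # then the database named in the path, then "admin".
    path_db = unquote(parts.path.lstrip("/")) or None
    auth_source = parse_qs(parts.query).get("authSource", [None])[0]
    auth_db = (auth_source or path_db or "admin") if user else None

    # Rebuild the URI with the password masked so it can go into logs.
    prefix = uri[: uri.index("//") + 2]
    rest = uri[len(prefix) + len(parts.netloc):]
    if at and colon:
        redacted = prefix + raw_user + ":***@" + hosts + rest
    else:
        redacted = uri

    return {
        "user": user,
        "has_password": bool(at and colon),
        "auth_db": auth_db,
        "hosts": hosts.split(","),
        "redacted": redacted,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for sample in (
        "mongodb://appuser:s3cret@localhost",
        "mongodb://appuser:p%40ss@db1,db2:27017/pulp_database",
        "mongodb://appuser:s3cret@localhost/pulp_database?authSource=admin",
        "mongodb://localhost/pulp_database",
    ):
        print(describe_mongo_uri(sample))
```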
