[Pulp-list] Fwd: Pulp (MongoDB) Security Configuration

Lesley Kimmel lesley.j.kimmel at gmail.com
Fri Feb 12 14:02:05 UTC 2016


---------- Forwarded message ----------
From: Lesley Kimmel <lesley.j.kimmel at gmail.com>
Date: Fri, Feb 12, 2016 at 8:00 AM
Subject: Re: [Pulp-list] Pulp (MongoDB) Security Configuration
To: Kodiak Firesmith <kfiresmith at gmail.com>


FYI, here are the steps I took to get a very basic, self-signed SSL
configuration in place:

$ openssl req -new -x509 -days 3650 -nodes -out mongodb-cert.crt -keyout
mongodb-cert.key
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mongodb
Email Address []:
$ cat mongodb-cert.* >> mongodb.pem

Add 'sslOnNormalPorts = 1' and 'sslPemKeyFile = /etc/ssl/mongodb.pem' to
/etc/mongodb.conf

Add 'ssl: true' and 'verify_ssl: true' to [database] section of
/etc/pulp/server.conf
BONUS: Because I used 'mongodb' in the certificate above and 'verify_ssl' in
the Pulp configuration, Pulp expects its request to match the returned CN. In
order to do this, do the following:
-Add 'seeds: mongodb:27017' to the [database] section of
/etc/pulp/server.conf
-Add 'mongodb' to the '127.0.0.1' line of /etc/hosts

On Wed, Jan 27, 2016 at 4:13 PM, Kodiak Firesmith <kfiresmith at gmail.com>
wrote:

> I deprioritized that part for now because they are on the same host and
> wanted to get more practical security components in place first.  AD
> integration is next and we'll see how that goes.
> On Jan 27, 2016 5:04 PM, "Lesley Kimmel" <lesley.j.kimmel at gmail.com>
> wrote:
>
>> Did you discover the magic to communicate from Pulp to MongoDB over SSL?
>>
>> On Wed, Jan 27, 2016 at 12:52 PM, Kodiak Firesmith <kfiresmith at gmail.com>
>> wrote:
>>
>>> I dumped Sat6/Katello in favor of using Pulp for everything we can't
>>> already do with our Puppet 4 cluster.  The final result should be:
>>> * Puppet4 cluster (dns round robin, integrated with R10K)
>>> * Pulp for all non-Puppet content, including using the "ISO" repo
>>> function of Pulp to host Kickstarts for https net booting (since we don't
>>> use PXE we don't need cobbler, one less attack surface).
>>> Next steps now that I'm pulling in cdn.redhat.com content fine and
>>> whatnot are getting internal ssl connections for mongo and qpid, and
>>> getting Active Directory integration for pulp activities sorted out.
>>>
>>> Things are really looking up.
>>>
>>> On Wed, Jan 27, 2016 at 1:45 PM, Lesley Kimmel <
>>> lesley.j.kimmel at gmail.com> wrote:
>>>
>>>> What kind of overall progress have you made on securing
>>>> Satellite6/Katello?
>>>>
>>>> On Wed, Jan 27, 2016 at 12:29 PM, Kodiak Firesmith <
>>>> kfiresmith at gmail.com> wrote:
>>>>
>>>>> Hi Lesley,
>>>>> I just had to do this during my setup.  Well, part b at least -
>>>>> haven't throttled the # connections.
>>>>>
>>>>> Here is what is working for me, YMMV as I'm hardly an expert:
>>>>>
>>>>> > use pulp_database
>>>>> switched to db pulp_database
>>>>> > show users
>>>>> {
>>>>>     "_id" : "pulp_database.pulpAdministrator",
>>>>>     "user" : "pulpAdministrator",
>>>>>     "db" : "pulp_database",
>>>>>     "roles" : [
>>>>>         {
>>>>>             "role" : "dbAdmin",
>>>>>             "db" : "pulp_database"
>>>>>         },
>>>>>         {
>>>>>             "role" : "readWrite",
>>>>>             "db" : "pulp_database"
>>>>>         }
>>>>>     ]
>>>>> }
>>>>>
>>>>>
>>>>> Hit me up on #pulp if you have any trouble and I'll see if your errors
>>>>> match any of the ones I hit during my struggle to get mongo auth set up :)
>>>>>
>>>>> On Wed, Jan 27, 2016 at 1:21 PM, Lesley Kimmel <
>>>>> lesley.j.kimmel at gmail.com> wrote:
>>>>>
>>>>>> All;
>>>>>>
>>>>>> I am attempting to secure Satellite/Katello per DoD security
>>>>>> guidance. The first few items I need to do is to limit incoming connections
>>>>>> and to enable access control. Along those lines can anyone answer:
>>>>>>
>>>>>> a) How many connections to MongoDB does Pulp require? Is it
>>>>>> configurable?
>>>>>> b) Out of the box there is no access control between Pulp and
>>>>>> MongoDB. What are the minimum permissions/roles needed for a user to allow
>>>>>> Pulp to do what it needs to do?
>>>>>>
>>>>>> _______________________________________________
>>>>>> Pulp-list mailing list
>>>>>> Pulp-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pulp-list
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
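The self-signed certificate procedure from the forwarded message, as an added example that is not part of the post, of Pulp or of MongoDB: a non-interactive shell version of the openssl steps plus two checks worth running before switching on 'verify_ssl'. Assumptions (mine, not the post's): openssl 1.0.2 or newer is on PATH (for 'x509 -checkhost'); the server name is "mongodb", matching the post's CN, 'seeds: mongodb:27017' and /etc/hosts entry; files are written to a scratch directory instead of /etc/ssl so the script runs as an unprivileged user. Unlike the post's certificate, this one also carries a subjectAltName for the same name, because newer TLS stacks match the host name against the SAN rather than the CN. A self-signed certificate is not in the system CA bundle, so the client doing the verification has to be pointed at it explicitly (in Pulp 2 that is the ca_path option in the same [database] section, if your version has it); the checks below only confirm the certificate itself is consistent with the name Pulp will connect to.

```bash
#!/bin/sh
# Added example (not from the pulp-list post): non-interactive version of the
# self-signed MongoDB certificate steps, with checks that the result will pass
# a verify_ssl-style host name check for the seed name "mongodb".
# Assumes openssl >= 1.0.2 on PATH (for `x509 -checkhost`).
set -eu

# make_mongo_pem NAME OUTPREFIX
# Writes OUTPREFIX.key, OUTPREFIX.crt and OUTPREFIX.pem (key + cert in one
# file, which is what mongod's PEM key file option expects). The -config
# file replaces the interactive prompts and adds a SAN matching the CN.
make_mongo_pem() {
  name=$1; out=$2
  cfg=$(mktemp)
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = ${name}
[v3]
subjectAltName = DNS:${name}
EOF
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 -config "$cfg" \
    -keyout "${out}.key" -out "${out}.crt" 2>/dev/null
  rm -f "$cfg"
  cat "${out}.key" "${out}.crt" > "${out}.pem"
  chmod 600 "${out}.key" "${out}.pem"   # private key: owner-readable only
}

# cert_cn CERT: print the CN from the certificate subject. With verify_ssl
# this is the name Pulp's seeds entry (and /etc/hosts) must use.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_cert_for_host CERT HOST: succeed only if the certificate verifies
# against itself (self-signed, so it is its own trust anchor) and its
# SAN/CN matches HOST, i.e. the same test a verifying client performs.
check_cert_for_host() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demonstration in a scratch directory (use /etc/ssl/mongodb on a real host).
work=$(mktemp -d)
make_mongo_pem mongodb "$work/mongodb"
echo "CN: $(cert_cn "$work/mongodb.crt")"
if check_cert_for_host "$work/mongodb.crt" mongodb; then
  echo "OK: $work/mongodb.pem matches 'seeds: mongodb:27017'"
fi
```

If the last check fails for the name you put in 'seeds', fix the certificate or the seed name before enabling 'verify_ssl'; a mismatch there is what produces the hostname errors the post works around with the /etc/hosts entry.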