MODULES-5483: Auth and FQDN certs => Fail#369
Conversation
hunner
left a comment
hunner
left a comment
There was a problem hiding this comment.
Some comments, and needs a rebase. Looks like a great PR though!
| if $?.success? | ||
| mongo_output = Facter::Core::Execution.exec("mongo --quiet #{mongoPort} --eval \"#{e}printjson(db.isMaster())\"") | ||
| JSON.parse(mongo_output.gsub(/\w+\(.+?\)/, '"foo"'))['ismaster'] ||= false | ||
| Facter::Core::Execution.exec("mongo --quiet #{ssl} #{sslkey} #{sslca} #{ipv6} #{mongoPort} --eval \"#{e}db.isMaster().ismaster\"") |
There was a problem hiding this comment.
It looks like this changes behavior such that previously it returned true or false and now would return 'true' or 'false' as strings. Is this intended?
There was a problem hiding this comment.
This logic was implemented by #348 and i just copied it.
All i can say is that it works as expected:
[root@grldb01vp ~]# puppet facts | grep is_mas
"mongodb_is_master": "false",
[root@grldb02vp ~]# puppet facts | grep is_mas
"mongodb_is_master": "false",
[root@grldb03vp ~]# puppet facts | grep is_mas
"mongodb_is_master": "true",
|
|
||
| #Hack to avoid non-json empty sets | ||
| output = "{}" if output == "null\n" | ||
| output = "{}" if output == "\nnull\n" |
There was a problem hiding this comment.
What is the purpose of this change? Could you describe it as part of the commit message?
There was a problem hiding this comment.
If a mongo connection with --sslAllowInvalidHostnames is made, it prints a warning like:
2017-05-16T10:56:27.679+0200 warning: The server certificate does not match the host name 127.0.0.1
This warning gets filtered but there is still a newline and if the return is null, the content will be:
"\nnull\n"
So this just extends the already implemented logic to still work with the new feature.
| $ssl_key = undef, | ||
| $ssl_ca = undef, | ||
| $ssl_weak_cert = false, | ||
| $ssl_invalid_hostnames = false, |
There was a problem hiding this comment.
It looks like there are double spaces, and the = signs are not in alignment.
There was a problem hiding this comment.
Fixed in #dc7754a
| $ssl_key = $mongodb::server::ssl_key | ||
| $ssl_ca = $mongodb::server::ssl_ca | ||
| $ssl_weak_cert = $mongodb::server::ssl_weak_cert | ||
| $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames |
There was a problem hiding this comment.
Fixed in #dc7754a
| Set to true to disable mandatory SSL client authentication | ||
| Default: False | ||
|
|
||
| #####`ssl_invalid_hostnames` |
There was a problem hiding this comment.
Could you put a space after the ##### to render the markdown correctly?
- sslAllowInvalidHostnames AUTH and SSL support added
|
@tphoney Can you remove the needs rebase label, i rebased it to actual master. |
|
Hi, will this be merged soon? |
ThoTischner
changed the title
ThoTischner
changed the title
MODULES-5483: Auth and FQDN certs => Fail
4 participants
This Pull request will add the following feature:
If SSL is enabled and the certs have the FQDN as DN, some mongo calls from this module will fail.
It is not possible to refactor the calls to use the FQDN, cause if AUTH is enabled the admin user will be created via 127.0.0.1 which will connect as admin by default without credentials.
Now it is possible to ignore such cert FQDN warnings.
The pull request #348 is also included for the ismaster fact and modified for the right selection of mongo parameters.