Description
The script fails to authenticate properly against MongoDB with active TLS and certificate-based authentication.
setup
- MongoDB with mongod.conf:
  net:
    port: 27017
    bindIp: 0.0.0.0
    ssl:
      mode: requireSSL
      ...
  security:
    authorization: enabled
    clusterAuthMode: x509
- user created with proper subject based on client cert on $external
- Python2 with PyMongo 3.8
executing
Executing any variant of the sensu plugin with an "action" results in:
CRITICAL - General MongoDB Error: command SON([('serverStatus', 1)]) on namespace admin.$cmd failed: command serverStatus requires authentication
Example:
check-mongodb.rb -s --host=localhost --port=27017 -e /etc/sensu/conf.d/tls/mongodb-dev_monitor-sensu.crt -k /etc/sensu/conf.d/tls/mongodb-dev_monitor-sensu.key -a /usr/share/ca-certificates/ca.crt --all-databases --warning=2 --critical=5 --action=memory
I debugged the python script and found the reason.
The initiation of the PyMongo MongoClient is incorrect.
con = pymongo.MongoClient(host, port, ssl=ssl_enabled, ssl_certfile=ssl_certfile, ssl_keyfile=ssl_keyfile, ssl_ca_certs=ssl_ca_certs)
It is missing the authMechanism parameter. When I add it like the following:
con = pymongo.MongoClient(host, port, ssl=ssl_enabled, ssl_certfile=ssl_certfile, ssl_keyfile=ssl_keyfile, ssl_ca_certs=ssl_ca_certs, authMechanism='MONGODB-X509')
It works like a charm:
OK - Memory Usage: 0.11GB resident, 1.45GB virtual, 0.00GB mapped, 0.00GB mappedWithJournal
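
The report above comes down to the client certificate being presented during the TLS handshake without being selected as the authentication mechanism. The following is an added example, not the plugin's own code: `build_client_kwargs` and `server_status` are hypothetical helper names, and the option names are the PyMongo 3.x ones quoted in the issue.

```python
def build_client_kwargs(ssl_enabled=False, ssl_certfile=None, ssl_keyfile=None,
                        ssl_ca_certs=None, user=None, passwd=None):
    """Return keyword arguments for pymongo.MongoClient (PyMongo 3.x names).

    Presenting a certificate in the TLS handshake does not log the client in.
    The server maps the certificate subject to a user on $external only when
    the MONGODB-X509 mechanism is requested explicitly.
    """
    if (ssl_certfile or ssl_keyfile) and not ssl_enabled:
        raise ValueError("a client certificate requires TLS to be enabled")
    if ssl_keyfile and not ssl_certfile:
        raise ValueError("ssl_keyfile given without ssl_certfile")

    kwargs = {}
    if ssl_enabled:
        kwargs["ssl"] = True
        for name, value in (("ssl_certfile", ssl_certfile),
                            ("ssl_keyfile", ssl_keyfile),
                            ("ssl_ca_certs", ssl_ca_certs)):
            if value:
                kwargs[name] = value

    if user and passwd:
        # Password login: leave the mechanism to PyMongo's negotiation.
        kwargs["username"] = user
        kwargs["password"] = passwd
    elif ssl_certfile:
        # Certificate login: the parameter missing from the original call.
        kwargs["authMechanism"] = "MONGODB-X509"
    return kwargs


def server_status(host, port, **tls_and_auth):
    """Run serverStatus, the command that failed in the report."""
    import pymongo  # imported here so the helper above has no dependency

    con = pymongo.MongoClient(host, port, serverSelectionTimeoutMS=5000,
                              **build_client_kwargs(**tls_and_auth))
    try:
        return con.admin.command("serverStatus")
    finally:
        con.close()
```
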