Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expose TLS and authentication options in mongodb_uri field #287

Closed
wants to merge 10 commits into from

Conversation

alcaeus
Copy link
Member

@alcaeus alcaeus commented Apr 8, 2021

Fixes #268.

This PR refactors the generation of the URI returned after starting a cluster. Previously, mongodb_uri and mongodb_auth_uri had to be checked depending on whether auth was enabled. As indicated in the ticket above, TLS options also weren't added automatically. The goal is to get mongo-orchestration to return a mongodb_uri that can be used to connect to the cluster, without having to append other options.

This PR changes mongodb_uri to include both TLS and auth options. The mongodb_auth_uri field is kept for backward compatibility, but it always contains the same value as mongodb_uri. I'm not sure if this change is kosher, as somebody may be relying on mongodb_uri not containing auth information to test authentication failures. Please let me know if I should separate those changes.

mongo_orchestration/common.py Outdated Show resolved Hide resolved
@ShaneHarvey ShaneHarvey self-requested a review April 8, 2021 16:51
mongo_orchestration/common.py Outdated Show resolved Hide resolved
"""Append TLS options"""
if self.ssl_params:
ssl_params = self.ssl_params
ssl_params.update(DEFAULT_SSL_OPTIONS)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This modifies the self.ssl_params property. Why do we need to use DEFAULT_SSL_OPTIONS here? Isn't that already the default for self.ssl_params?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I wasn't aware that this modifies the reference. sslParams for example doesn't contain ssl=true, it only contains the parameters necessary for the server (see sample orchestration files). DEFAULT_SSL_OPTIONS is applied to self.kwargs but not self.ssl_params. What would be the right way to apply these default options?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh thanks for explaining that. In this case I don't think we should add any of the self.ssl_params to the client URI since those are ssl params for the server itself. I think we should do this:

        if self.ssl_params:  # Server ssl params.
            ssl_params = DEFAULT_SSL_OPTIONS.copy()  # Client ssl params
            ....

The above approach would need to add the tlsInsecure=true option to match the ssl_cert_reqs=ssl.CERT_NONE in DEFAULT_SSL_OPTIONS.

Alternatively we can keep your current approach but make a copy of self.ssl_params to avoid modifying it:

        if self.ssl_params:
            ssl_params = self.ssl_params.copy()
            ssl_params.update(DEFAULT_SSL_OPTIONS)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update to copy the params. DEFAULT_SSL_OPTIONS by itself is not enough, as there are additional settings that come into play. The new SSL_TO_TLS_OPTION_MAPPINGS variable indicates which of the fields from the configuration's sslParams and DEFAULT_SSL_OPTIONS map to URI options for SSL. I can add additional tests to ensure we're not adding unknown or wrong URI options if you'd like.

Copy link
Collaborator

@ShaneHarvey ShaneHarvey Apr 13, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

self.ssl_params.copy() SGTM

mongo_orchestration/common.py Outdated Show resolved Hide resolved
Copy link
Collaborator

@ShaneHarvey ShaneHarvey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if this change is kosher, as somebody may be relying on mongodb_uri not containing auth information to test authentication failures. Please let me know if I should separate those changes.

I think this is okay but could you document this in the changelog at the bottom of the readme? You can add a new section:

Changes in Version 0.8.0 (TBD)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

@alcaeus
Copy link
Member Author

alcaeus commented Apr 14, 2021

I've kept it concise, noting that we now expose TLS and auth options. I've also reached out in #driver-devs to double-check before breaking somebody's workflow.

@alcaeus
Copy link
Member Author

alcaeus commented Apr 14, 2021

On second thought, changing mongodb_uri will break the setup for any driver that tests against ssl clusters as they'll be adding uri options manually. I'll change the PR to expose this as a new field and deprecate existing fields. Is there a way to deprecate these?

@ShaneHarvey
Copy link
Collaborator

There's no way to deprecate an api response field. Let's just keep the existing ones. Perhaps we can note that they are deprecated in the wiki: https://github.com/10gen/mongo-orchestration/search?q=mongodb_uri&type=wikis

As for the name of the new field, anything you come up with is fine. Maybe mongodb_full_uri or mongodb_tls_uri?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

tls=true is not added to URI
3 participants