diff --git a/README.md b/README.md
index e4b411ba5..7beccfbcc 100644
--- a/README.md
+++ b/README.md
@@ -501,6 +501,10 @@ Default: <>
Set to true to disable mandatory SSL client authentication
Default: False
+##### `ssl_invalid_hostnames`
+Set to true to disable fqdn SSL cert check
+Default: False
+
##### `service_manage`
Whether or not the MongoDB service resource should be part of the catalog.
Default: true
diff --git a/lib/facter/is_master.rb b/lib/facter/is_master.rb
index d3ac0d669..5d2a53766 100644
--- a/lib/facter/is_master.rb
+++ b/lib/facter/is_master.rb
@@ -20,6 +20,18 @@ def get_mongod_conf_file
unless config['net.port'].nil?
mongoPort = "--port #{config['net.port']}"
end
+ if config['net.ssl.mode'] == "requireSSL"
+ ssl = "--ssl --host #{Facter.value(:fqdn)}"
+ end
+ unless config['net.ssl.PEMKeyFile'].nil?
+ sslkey = "--sslPEMKeyFile #{config['net.ssl.PEMKeyFile']}"
+ end
+ unless config['net.ssl.CAFile'].nil?
+ sslca = "--sslCAFile #{config['net.ssl.CAFile']}"
+ end
+ unless config['net.ipv6'].nil?
+ ipv6 = "--ipv6"
+ end
else # It has to be a key-value config file
config = {}
File.readlines(file).collect do |line|
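Review bot: `unless config['net.ipv6'].nil?` adds `--ipv6` whenever the key is present at all, so a config that says `net.ipv6: false` still gets the flag; the key-value branch in the next hunk (`config['ipv6']`) has the same problem, and there the value is always a string because that branch builds `config` from `File.readlines`. Testing the value instead, `ipv6 = "--ipv6" if config['net.ipv6'].to_s == 'true'` here and `config['ipv6'].to_s == 'true'` in the next hunk, fixes both. Separately, with `requireSSL` the fact now connects to `Facter.value(:fqdn)` rather than the loopback address, so it presumably fails when mongod binds only to 127.0.0.1, and unlike the provider's `mongo_cmd` it never passes `--sslAllowInvalidHostnames`, so a host that needed `ssl_invalid_hostnames` in the first place would likely report `not_responding`. The enclosing method begins before this hunk.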
@@ -29,15 +41,26 @@ def get_mongod_conf_file
unless config['port'].nil?
mongoPort = "--port #{config['port']}"
end
+ if config['ssl'] == "requireSSL"
+ ssl = "--ssl --host #{Facter.value(:fqdn)}"
+ end
+ unless config['sslcert'].nil?
+ sslkey = "--sslPEMKeyFile #{config['sslcert']}"
+ end
+ unless config['sslca'].nil?
+ sslca = "--sslCAFile #{config['sslca']}"
+ end
+ unless config['ipv6'].nil?
+ ipv6 = "--ipv6"
+ end
end
e = File.exists?('/root/.mongorc.js') ? 'load(\'/root/.mongorc.js\'); ' : ''
# Check if the mongodb server is responding:
- Facter::Core::Execution.exec("mongo --quiet #{mongoPort} --eval \"#{e}printjson(db.adminCommand({ ping: 1 }))\"")
+ Facter::Core::Execution.exec("mongo --quiet #{ssl} #{sslkey} #{sslca} #{ipv6} #{mongoPort} --eval \"#{e}printjson(db.adminCommand({ ping: 1 }))\"")
if $?.success?
- mongo_output = Facter::Core::Execution.exec("mongo --quiet #{mongoPort} --eval \"#{e}printjson(db.isMaster())\"")
- JSON.parse(mongo_output.gsub(/\w+\(.+?\)/, '"foo"'))['ismaster'] ||= false
+ Facter::Core::Execution.exec("mongo --quiet #{ssl} #{sslkey} #{sslca} #{ipv6} #{mongoPort} --eval \"#{e}db.isMaster().ismaster\"")
else
'not_responding'
end
diff --git a/lib/puppet/provider/mongodb.rb b/lib/puppet/provider/mongodb.rb
index ebfb69f73..10ed8010c 100644
--- a/lib/puppet/provider/mongodb.rb
+++ b/lib/puppet/provider/mongodb.rb
@@ -41,6 +41,7 @@ def self.get_mongo_conf
config_hash['bindip'] = config['net.bindIp']
config_hash['port'] = config['net.port']
config_hash['ipv6'] = config['net.ipv6']
+ config_hash['allowInvalidHostnames'] = config['net.ssl.allowInvalidHostnames']
config_hash['ssl'] = config['net.ssl.mode']
config_hash['sslcert'] = config['net.ssl.PEMKeyFile']
config_hash['sslca'] = config['net.ssl.CAFile']
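Review bot: The added `Facter::Core::Execution.exec("... db.isMaster().ismaster\"")` makes the fact's value the shell's raw stdout, whereas the removed `JSON.parse(...)['ismaster'] ||= false` produced a boolean; consumers comparing against `true` will presumably now see the string `"true"`, and nil if Facter's exec returns nil for empty output. Any warning line the shell prints before the result — the very lines `mongo_eval` strips elsewhere in this commit — would become part of the fact as well. Keeping the output and reducing its last line to a boolean, `mongo_output = Facter::Core::Execution.exec(...)` followed by `mongo_output.to_s.lines.last.to_s.strip == 'true'`, restores the old contract. The enclosing method begins before this hunk.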
@@ -57,6 +58,7 @@ def self.get_mongo_conf
config_hash['port'] = config['port']
config_hash['ipv6'] = config['ipv6']
config_hash['ssl'] = config['sslOnNormalPorts']
+ config_hash['allowInvalidHostnames'] = config['allowInvalidHostnames']
config_hash['sslcert'] = config['sslPEMKeyFile']
config_hash['sslca'] = config['sslCAFile']
config_hash['auth'] = config['auth']
@@ -78,11 +80,17 @@ def self.ssl_is_enabled(config=nil)
ssl_mode.nil? ? false : ssl_mode != 'disabled'
end
+ def self.ssl_invalid_hostnames(config=nil)
+ config ||= get_mongo_conf
+ config['allowInvalidHostnames']
+ end
+
def self.mongo_cmd(db, host, cmd)
config = get_mongo_conf
args = [db, '--quiet', '--host', host]
args.push('--ipv6') if ipv6_is_enabled(config)
+ args.push('--sslAllowInvalidHostnames') if ssl_invalid_hostnames(config)
if ssl_is_enabled(config)
args.push('--ssl')
@@ -180,6 +188,8 @@ def self.mongo_eval(cmd, db = 'admin', retries = 10, host = nil)
out.gsub!(/#{data_type}\(([^)]*)\)/, '\1')
end
out.gsub!(/^Error\:.+/, '')
+ out.gsub!(/^.*warning\:.+/, '') # remove warnings if sslAllowInvalidHostnames is true
+ out.gsub!(/^.*The server certificate does not match the host name.+/, '') # remove warnings if sslAllowInvalidHostnames is true mongo 3.x
out
end
diff --git a/lib/puppet/provider/mongodb_replset/mongo.rb b/lib/puppet/provider/mongodb_replset/mongo.rb
index 006a7f41a..196e5ae62 100644
--- a/lib/puppet/provider/mongodb_replset/mongo.rb
+++ b/lib/puppet/provider/mongodb_replset/mongo.rb
@@ -275,6 +275,7 @@ def self.mongo_command(command, host=nil, retries=4)
#Hack to avoid non-json empty sets
output = "{}" if output == "null\n"
+ output = "{}" if output == "\nnull\n"
# Parse the JSON output and return
JSON.parse(output)
diff --git a/manifests/server.pp b/manifests/server.pp
index e584091d3..9fc17cd80 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
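Review bot: In the key-value branch the new line reads `config['allowInvalidHostnames']`, but the key this commit writes into the ini-style config (`net.ssl.allowInvalidHostnames = …` in `templates/mongodb.conf.erb`, the last hunk of this diff) does not match it, so the provider will never pick the setting up from that format. The neighbouring options in this branch use mongod's ini spelling (`sslPEMKeyFile`, `sslCAFile`, `sslOnNormalPorts`); the ini form of mongod's `--sslAllowInvalidHostnames` is `sslAllowInvalidHostnames`, so both the template line and this read should use that name, e.g. `config_hash['allowInvalidHostnames'] = config['sslAllowInvalidHostnames']`, assuming the mongod versions served by that template accept the option. The YAML branch in the previous hunk and `templates/mongodb.conf.2.6.erb` agree with each other and need no change.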
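Review bot: `ssl_invalid_hostnames` returns `config['allowInvalidHostnames']` unconverted and `mongo_cmd` uses it as `args.push('--sslAllowInvalidHostnames') if ssl_invalid_hostnames(config)`, so the value is judged by Ruby truthiness; the sibling `ssl_is_enabled` compares against a string precisely because ini values arrive as strings, and a literal `"false"` is truthy. Normalising the return, `config['allowInvalidHostnames'].to_s == 'true'`, keeps a flag that disables hostname verification on every provider connection from being switched on by a value that says otherwise. The templates only emit the key when the parameter is true, so this mostly concerns hand-edited configs; the YAML path yields real booleans and is unaffected.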
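Review bot: `out.gsub!(/^.*warning\:.+/, '')` runs unconditionally and erases any output line containing `warning:` from its start, so a legitimate JSON line whose content happens to include that text (a message or log field) disappears before the result reaches whatever parses it; the trailing comment says the strip is for the `sslAllowInvalidHostnames` case, but nothing checks that. Wrapping the two `gsub!` calls in `if ssl_invalid_hostnames` … `end` limits the blanket removal to the configuration that produces the warning; `mongo_eval` is a class method, so the unqualified call resolves the same way it does in `mongo_cmd`. The enclosing method begins before this hunk.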
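Review bot: `output = "{}" if output == "\nnull\n"` extends an exact-string match by one more whitespace variant; the next shell version or another stripped warning line will produce a third form and miss again. Comparing the trimmed text, `output = "{}" if output.strip == "null"`, covers the existing `"null\n"` case and this one in a single line and can replace both. The enclosing method begins before this hunk.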
@@ -1,103 +1,105 @@
# This installs a MongoDB server. See README.md for more details.
class mongodb::server (
- $ensure = $mongodb::params::ensure,
-
- $user = $mongodb::params::user,
- $group = $mongodb::params::group,
-
- $config = $mongodb::params::config,
- $dbpath = $mongodb::params::dbpath,
- $dbpath_fix = $mongodb::params::dbpath_fix,
- $pidfilepath = $mongodb::params::pidfilepath,
- $pidfilemode = $mongodb::params::pidfilemode,
- $manage_pidfile = $mongodb::params::manage_pidfile,
- $rcfile = $mongodb::params::rcfile,
-
- $service_manage = $mongodb::params::service_manage,
- $service_provider = $mongodb::params::service_provider,
- $service_name = $mongodb::params::service_name,
- $service_enable = $mongodb::params::service_enable,
- $service_ensure = $mongodb::params::service_ensure,
- $service_status = $mongodb::params::service_status,
-
- $package_ensure = $mongodb::params::package_ensure,
- $package_name = $mongodb::params::server_package_name,
-
- $logpath = $mongodb::params::logpath,
- $bind_ip = $mongodb::params::bind_ip,
- $ipv6 = undef,
- $logappend = true,
- $system_logrotate = undef,
- $fork = $mongodb::params::fork,
- $port = undef,
- $journal = $mongodb::params::journal,
- $nojournal = undef,
- $smallfiles = undef,
- $cpu = undef,
- $auth = false,
- $noauth = undef,
- $verbose = undef,
- $verbositylevel = undef,
- $objcheck = undef,
- $quota = undef,
- $quotafiles = undef,
- $diaglog = undef,
- $directoryperdb = undef,
- $profile = undef,
- $maxconns = undef,
- $oplog_size = undef,
- $nohints = undef,
- $nohttpinterface = undef,
- $noscripting = undef,
- $notablescan = undef,
- $noprealloc = undef,
- $nssize = undef,
- $mms_token = undef,
- $mms_name = undef,
- $mms_interval = undef,
- $replset = undef,
- $replset_config = undef,
- $replset_members = undef,
- $configsvr = undef,
- $shardsvr = undef,
- $rest = undef,
- $quiet = undef,
- $slowms = undef,
- $keyfile = undef,
- $key = undef,
- $set_parameter = undef,
- $syslog = undef,
- $config_content = undef,
- $config_template = undef,
- $ssl = undef,
- $ssl_key = undef,
- $ssl_ca = undef,
- $ssl_weak_cert = false,
- $restart = $mongodb::params::restart,
- $storage_engine = undef,
-
- $create_admin = $mongodb::params::create_admin,
- $admin_username = $mongodb::params::admin_username,
- $admin_password = undef,
- $handle_creds = $mongodb::params::handle_creds,
- $store_creds = $mongodb::params::store_creds,
- $admin_roles = ['userAdmin', 'readWrite', 'dbAdmin',
- 'dbAdminAnyDatabase', 'readAnyDatabase',
- 'readWriteAnyDatabase', 'userAdminAnyDatabase',
- 'clusterAdmin', 'clusterManager', 'clusterMonitor',
- 'hostManager', 'root', 'restore'],
+ $ensure = $mongodb::params::ensure,
+
+ $user = $mongodb::params::user,
+ $group = $mongodb::params::group,
+
+ $config = $mongodb::params::config,
+ $dbpath = $mongodb::params::dbpath,
+ $dbpath_fix = $mongodb::params::dbpath_fix,
+ $pidfilepath = $mongodb::params::pidfilepath,
+ $pidfilemode = $mongodb::params::pidfilemode,
+ $manage_pidfile = $mongodb::params::manage_pidfile,
+ $rcfile = $mongodb::params::rcfile,
+
+ $service_manage = $mongodb::params::service_manage,
+ $service_provider = $mongodb::params::service_provider,
+ $service_name = $mongodb::params::service_name,
+ $service_enable = $mongodb::params::service_enable,
+ $service_ensure = $mongodb::params::service_ensure,
+ $service_status = $mongodb::params::service_status,
+
+ $package_ensure = $mongodb::params::package_ensure,
+ $package_name = $mongodb::params::server_package_name,
+
+ $logpath = $mongodb::params::logpath,
+ $bind_ip = $mongodb::params::bind_ip,
+ $ipv6 = undef,
+ $logappend = true,
+ $system_logrotate = undef,
+ $fork = $mongodb::params::fork,
+ $port = undef,
+ $journal = $mongodb::params::journal,
+ $nojournal = undef,
+ $smallfiles = undef,
+ $cpu = undef,
+ $auth = false,
+ $noauth = undef,
+ $verbose = undef,
+ $verbositylevel = undef,
+ $objcheck = undef,
+ $quota = undef,
+ $quotafiles = undef,
+ $diaglog = undef,
+ $directoryperdb = undef,
+ $profile = undef,
+ $maxconns = undef,
+ $oplog_size = undef,
+ $nohints = undef,
+ $nohttpinterface = undef,
+ $noscripting = undef,
+ $notablescan = undef,
+ $noprealloc = undef,
+ $nssize = undef,
+ $mms_token = undef,
+ $mms_name = undef,
+ $mms_interval = undef,
+ $replset = undef,
+ $replset_config = undef,
+ $replset_members = undef,
+ $configsvr = undef,
+ $shardsvr = undef,
+ $rest = undef,
+ $quiet = undef,
+ $slowms = undef,
+ $keyfile = undef,
+ $key = undef,
+ $set_parameter = undef,
+ $syslog = undef,
+ $config_content = undef,
+ $config_template = undef,
+ $ssl = undef,
+ $ssl_key = undef,
+ $ssl_ca = undef,
+ $ssl_weak_cert = false,
+ $ssl_invalid_hostnames = false,
+ $restart = $mongodb::params::restart,
+ $storage_engine = undef,
+
+ $create_admin = $mongodb::params::create_admin,
+ $admin_username = $mongodb::params::admin_username,
+ $admin_password = undef,
+ $handle_creds = $mongodb::params::handle_creds,
+ $store_creds = $mongodb::params::store_creds,
+ $admin_roles = ['userAdmin', 'readWrite', 'dbAdmin',
+ 'dbAdminAnyDatabase', 'readAnyDatabase',
+ 'readWriteAnyDatabase', 'userAdminAnyDatabase',
+ 'clusterAdmin', 'clusterManager', 'clusterMonitor',
+ 'hostManager', 'root', 'restore'],
# Deprecated parameters
- $master = undef,
- $slave = undef,
- $only = undef,
- $source = undef,
+ $master = undef,
+ $slave = undef,
+ $only = undef,
+ $source = undef,
) inherits mongodb::params {
if $ssl {
validate_string($ssl_key, $ssl_ca)
validate_bool($ssl_weak_cert)
+ validate_bool($ssl_invalid_hostnames)
}
if ($ensure == 'present' or $ensure == true) {
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index d1885cfe9..a2cf98eca 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
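Review bot: The two functional lines in this hunk, `$ssl_invalid_hostnames = false,` and `validate_bool($ssl_invalid_hostnames)`, are buried in a realignment of every other parameter of the class signature, which makes the change hard to review and to bisect; the whitespace pass would be better kept as its own commit. Placing the validation inside `if $ssl {` matches how `$ssl_weak_cert` is handled, so that part is consistent. The hunk starts at line 1, so nothing is cut at its top, but the class body continues past its end.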
@@ -67,6 +67,7 @@
$ssl_key = $mongodb::server::ssl_key
$ssl_ca = $mongodb::server::ssl_ca
$ssl_weak_cert = $mongodb::server::ssl_weak_cert
+ $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames
$storage_engine = $mongodb::server::storage_engine
$version = $mongodb::server::version
@@ -146,6 +147,7 @@
# - $ssl_ca
# - $ssl_key
# - $ssl_weak_cert
+ # - $ssl_invalid_hostnames
# - $syslog
# - $system_logrotate
# - $verbose
@@ -202,6 +204,7 @@
# - $ssl_ca
# - $ssl_key
# - $ssl_weak_cert
+ # - $ssl_invalid_hostnames
# - storage_engine_internal
# - $syslog
# - $verbose
diff --git a/templates/mongodb.conf.2.6.erb b/templates/mongodb.conf.2.6.erb
index cb4d58de5..48e4ffe18 100644
--- a/templates/mongodb.conf.2.6.erb
+++ b/templates/mongodb.conf.2.6.erb
@@ -117,6 +117,9 @@ net.ssl.CAFile: <%= @ssl_ca %>
<% if @ssl_weak_cert -%>
net.ssl.weakCertificateValidation: <%= @ssl_weak_cert %>
<% end -%>
+<% if @ssl_invalid_hostnames -%>
+net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
+<% end -%>
<% end -%>
#Replication
diff --git a/templates/mongodb.conf.erb b/templates/mongodb.conf.erb
index 7dbdc1c20..4639ab7f4 100644
--- a/templates/mongodb.conf.erb
+++ b/templates/mongodb.conf.erb
@@ -196,4 +196,7 @@ sslCAFile = <%= @ssl_ca %>
# - after 3.0.0: sslAllowConnectionsWithoutCertificates
sslWeakCertificateValidation = <%= @ssl_weak_cert %>
<% end -%>
+<% if @ssl_invalid_hostnames -%>
+net.ssl.allowInvalidHostnames = <%= @ssl_invalid_hostnames %>
+<% end -%>
<% end -%>