As a member of the Percona cloud team, I run a lot of databases in Kubernetes and our Percona Operator for MongoDB in particular. Most of us feel comfortable with rather small and tidy infrastructure, which is easy to control and operate. However, the natural growth of the organization brings a lot of challenges to be tackled, especially in the context of access management. We’ve all been there – every new account requires platform-specific efforts adding to the operational cost of your infrastructure support. Such a burden could be solved by LDAP-based software like OpenLDAP, Microsoft Active Directory, etc., as a source of truth for the authentication/authorization process. Let’s dive into the details of how Percona Distribution for MongoDB managed by the Kubernetes operator could be connected to the LDAP server.
Environment
Our scenario is based on the integration of the OpenLDAP server and Percona Distribution for MongoDB and the corresponding Kubernetes Operator. We are going to keep the setup as simple as possible thus no complicated domain relationships will be listed here.
OpenLDAP
On the OpenLDAP side the following settings may be used:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | 0-percona-ous.ldif: |- dn: ou=perconadba,dc=ldap,dc=local objectClass: organizationalUnit ou: perconadba 1-percona-users.ldif: |- dn: uid=percona,ou=perconadba,dc=ldap,dc=local objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: percona uid: percona uidNumber: 1100 gidNumber: 100 homeDirectory: /home/percona loginShell: /bin/bash gecos: percona userPassword: {crypt}x shadowLastChange: -1 shadowMax: -1 shadowWarning: -1 2-group-cn.ldif: |- dn: cn=admin,ou=perconadba,dc=ldap,dc=local cn: admin objectClass: groupOfUniqueNames objectClass: top ou: perconadba uniqueMember: uid=percona,ou=perconadba,dc=ldap,dc=local |
Also, a read-only user should be created for database-issued user lookups.
If everything is done correctly, the following command should work
1 | $ ldappasswd -s percona -D "cn=admin,dc=ldap,dc=local" -w password -x "uid=percona,ou=perconadba,dc=ldap,dc=local" |
Database
Percona Operator for MongoDB will do all the work inside the Kubernetes. You can use any supported platform from System Requirements.
In order to get MongoDB connected with OpenLDAP we need to configure both:
- Mongod
- Internal mongodb role
As for mongod you may use the following configuration snippet:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | security: authorization: "enabled" ldap: authz: queryTemplate: '{USER}?memberOf?base' servers: "openldap" transportSecurity: none bind: queryUser: "cn=readonly,dc=ldap,dc=local" queryPassword: "password" userToDNMapping: '[ { match : "(.+)", ldapQuery: "OU=perconadba,DC=ldap,DC=local??sub?(uid={0})" } ]' setParameter: authenticationMechanisms: 'PLAIN,SCRAM-SHA-1' |
The internals of the snippet is a topic for another blog post, though. Basically, we are providing mongod with ldap-specific parameters like domain name of ldap server (‘server’), explicit lookup user, domain rules, etc.
Put the snippet on your local machine and create Kubernetes secret object named after the MongoDB cluster name from Install Percona server for MongoDB on Kubernetes.
1 | $ kubectl create secret generic <your_cluster_name>-rs0-mongod --from-file=mongod.conf=<path-to-mongod-ldap-configuration> |
Percona Operator for MongoDB is able to pass through a custom configuration from these Kubernetes objects: Custom Resource, ConfigMap, Secret. Since we are to use some security-sensitive information, we’ve picked the Kubernetes Secret.
The next step is to start the MongoDB cluster up as it’s described in Install Percona Server for MongoDB on Kubernetes.
On successful completion of the steps from the doc, we are to proceed with setting the LDAP users’ roles inside the MongoDB. Let’s log in to MongoDB as administrator and execute:
1 2 3 4 5 6 7 8 | var admin = db.getSiblingDB("admin") admin.createRole( { role: "ou=perconadba,dc=ldap,dc=local", privileges: [], roles: [ "userAdminAnyDatabase" ] } ) |
Now our percona user created inside OpenLDAP is able to login to MongoDB as administrator. Please replace <mongodb-rs-endpoint> with a valid replica set domain name.
1 | $ mongo --username percona --password 'percona' --authenticationMechanism 'PLAIN' --authenticationDatabase '$external' --host <mongodb-rs-endpoint> --port 27017 |
Limitations
Percona Operator for MongoDB supports unencrypted only transport between mongodb and LDAP servers at the moment of writing this blog post. We’ll do our best to bring such a feature in the future, in the meantime feel free to use it in security relaxed scenarios.
Conclusion
This very blog post describes only one possible case out of a huge variety of possible combinations. It’s rather simple and does not bring for discussion topics like TLS secured transport setup, directory design, etc. We encourage you to try the MongoDB LDAP integration described for proof of concept, development environment setup, etc., where security concerns are not so demanding. Don’t hesitate to bring more complexity with sophisticated directory structures, user privileges schemes, etc. If you find your own configuration interesting and worth sharing with the community, please visit our Percona Community Forum. We’ll be glad to check your outcomes.
Have fun with Percona Operator for MongoDB!
