From 38acc639f25dc88a1157f1233c680acc5d709dce Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Fri, 22 Jun 2018 18:44:27 +0200 Subject: [PATCH 1/3] Metricbeat: MongoDB TLS connection support --- CHANGELOG.asciidoc | 1 + metricbeat/docs/modules/mongodb.asciidoc | 17 +++++ metricbeat/include/fields.go | 2 +- metricbeat/metricbeat.reference.yml | 15 ++++ .../module/mongodb/_meta/config.reference.yml | 15 ++++ metricbeat/module/mongodb/_meta/config.yml | 15 ++++ metricbeat/module/mongodb/_meta/fields.yml | 1 + .../module/mongodb/collstats/collstats.go | 18 ++--- metricbeat/module/mongodb/dbstats/dbstats.go | 16 ++--- metricbeat/module/mongodb/metricset.go | 70 +++++++++++++++++++ metricbeat/module/mongodb/status/status.go | 15 ++-- metricbeat/modules.d/mongodb.yml.disabled | 15 ++++ 12 files changed, 163 insertions(+), 37 deletions(-) create mode 100644 metricbeat/module/mongodb/metricset.go diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 6cd7c595c0e..d695f9bba49 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -279,6 +279,7 @@ https://github.com/elastic/beats/compare/v6.2.3...master[Check the HEAD diff] - Add postgresql statement metricset. {issue}7048[7048] {pull}7060[7060] - Update `state_container` metricset to support latest `kube-state-metrics` version. {pull}7216[7216] - Collect accumulated docker network metrics and mark old ones as deprecated. {pull}7253[7253] +- Add TLS support to MongoDB module. {pull}7401[7401] *Packetbeat* diff --git a/metricbeat/docs/modules/mongodb.asciidoc b/metricbeat/docs/modules/mongodb.asciidoc index 6ecd0517dd2..44dc8407a44 100644 --- a/metricbeat/docs/modules/mongodb.asciidoc +++ b/metricbeat/docs/modules/mongodb.asciidoc @@ -77,6 +77,21 @@ metricbeat.modules: # password configuration options. hosts: ["localhost:27017"] + # Optional SSL. By default is off. + #ssl.enabled: true + + # Mode of verification of server certificate ('none' or 'full') + #ssl.verification_mode: 'full' + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + # Username to use when connecting to MongoDB. Empty by default. #username: user @@ -84,6 +99,8 @@ metricbeat.modules: #password: pass ---- +This module supports TLS connection when using `ssl` config field, as described in <>. It also supports the options described in <>. + [float] === Metricsets diff --git a/metricbeat/include/fields.go b/metricbeat/include/fields.go index 42c31f8ca9a..ee5fc4be5f2 100644 --- a/metricbeat/include/fields.go +++ b/metricbeat/include/fields.go @@ -31,5 +31,5 @@ func init() { // Asset returns asset data func Asset() string { - return "" + return "" } diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 1b4be104c26..12ca2f08683 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -427,6 +427,21 @@ metricbeat.modules: # password configuration options. hosts: ["localhost:27017"] + # Optional SSL. By default is off. + #ssl.enabled: true + + # Mode of verification of server certificate ('none' or 'full') + #ssl.verification_mode: 'full' + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + # Username to use when connecting to MongoDB. Empty by default. #username: user diff --git a/metricbeat/module/mongodb/_meta/config.reference.yml b/metricbeat/module/mongodb/_meta/config.reference.yml index 8f2386a21f1..5dc37cb250c 100644 --- a/metricbeat/module/mongodb/_meta/config.reference.yml +++ b/metricbeat/module/mongodb/_meta/config.reference.yml @@ -10,6 +10,21 @@ # password configuration options. hosts: ["localhost:27017"] + # Optional SSL. By default is off. + #ssl.enabled: true + + # Mode of verification of server certificate ('none' or 'full') + #ssl.verification_mode: 'full' + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + # Username to use when connecting to MongoDB. Empty by default. #username: user diff --git a/metricbeat/module/mongodb/_meta/config.yml b/metricbeat/module/mongodb/_meta/config.yml index 18589bb4ef7..926ff907b3a 100644 --- a/metricbeat/module/mongodb/_meta/config.yml +++ b/metricbeat/module/mongodb/_meta/config.yml @@ -11,6 +11,21 @@ # password configuration options. hosts: ["localhost:27017"] + # Optional SSL. By default is off. + #ssl.enabled: true + + # Mode of verification of server certificate ('none' or 'full') + #ssl.verification_mode: 'full' + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + # Username to use when connecting to MongoDB. Empty by default. #username: user diff --git a/metricbeat/module/mongodb/_meta/fields.yml b/metricbeat/module/mongodb/_meta/fields.yml index 8ed17fb6399..a69721ffca7 100644 --- a/metricbeat/module/mongodb/_meta/fields.yml +++ b/metricbeat/module/mongodb/_meta/fields.yml @@ -4,6 +4,7 @@ Metrics collected from MongoDB servers. short_config: false release: ga + settings: ["ssl"] fields: - name: mongodb type: group diff --git a/metricbeat/module/mongodb/collstats/collstats.go b/metricbeat/module/mongodb/collstats/collstats.go index fdb123bddff..d3ed7b2da0a 100644 --- a/metricbeat/module/mongodb/collstats/collstats.go +++ b/metricbeat/module/mongodb/collstats/collstats.go @@ -24,8 +24,6 @@ import ( "github.com/elastic/beats/libbeat/logp" "github.com/elastic/beats/metricbeat/mb" "github.com/elastic/beats/metricbeat/module/mongodb" - - "gopkg.in/mgo.v2" ) var debugf = logp.MakeDebug("mongodb.collstats") @@ -42,24 +40,18 @@ func init() { // additional entries. These variables can be used to persist data or configuration between // multiple fetch calls. type MetricSet struct { - mb.BaseMetricSet - dialInfo *mgo.DialInfo + *mongodb.MetricSet } -// New create a new instance of the MetricSet +// New creates a new instance of the MetricSet // Part of new is also setting up the configuration by processing additional // configuration entries if needed. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { - dialInfo, err := mgo.ParseURL(base.HostData().URI) + ms, err := mongodb.NewMetricSet(base) if err != nil { return nil, err } - dialInfo.Timeout = base.Module().Config().Timeout - - return &MetricSet{ - BaseMetricSet: base, - dialInfo: dialInfo, - }, nil + return &MetricSet{ms}, nil } // Fetch methods implements the data gathering and data conversion to the right format @@ -70,7 +62,7 @@ func (m *MetricSet) Fetch() ([]common.MapStr, error) { var events []common.MapStr // instantiate direct connections to each of the configured Mongo hosts - mongoSession, err := mongodb.NewDirectSession(m.dialInfo) + mongoSession, err := mongodb.NewDirectSession(m.DialInfo) if err != nil { return nil, err } diff --git a/metricbeat/module/mongodb/dbstats/dbstats.go b/metricbeat/module/mongodb/dbstats/dbstats.go index 96459c16954..626d1b7b135 100644 --- a/metricbeat/module/mongodb/dbstats/dbstats.go +++ b/metricbeat/module/mongodb/dbstats/dbstats.go @@ -20,8 +20,6 @@ package dbstats import ( "errors" - "gopkg.in/mgo.v2" - "github.com/elastic/beats/libbeat/common" "github.com/elastic/beats/libbeat/logp" "github.com/elastic/beats/metricbeat/mb" @@ -44,24 +42,18 @@ func init() { // additional entries. These variables can be used to persist data or configuration between // multiple fetch calls. type MetricSet struct { - mb.BaseMetricSet - dialInfo *mgo.DialInfo + *mongodb.MetricSet } // New creates a new instance of the MetricSet // Part of new is also setting up the configuration by processing additional // configuration entries if needed. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { - dialInfo, err := mgo.ParseURL(base.HostData().URI) + ms, err := mongodb.NewMetricSet(base) if err != nil { return nil, err } - dialInfo.Timeout = base.Module().Config().Timeout - - return &MetricSet{ - BaseMetricSet: base, - dialInfo: dialInfo, - }, nil + return &MetricSet{ms}, nil } // Fetch methods implements the data gathering and data conversion to the right format @@ -72,7 +64,7 @@ func (m *MetricSet) Fetch() ([]common.MapStr, error) { var events []common.MapStr // instantiate direct connections to each of the configured Mongo hosts - mongoSession, err := mongodb.NewDirectSession(m.dialInfo) + mongoSession, err := mongodb.NewDirectSession(m.DialInfo) if err != nil { return nil, err } diff --git a/metricbeat/module/mongodb/metricset.go b/metricbeat/module/mongodb/metricset.go new file mode 100644 index 00000000000..27e74450b6d --- /dev/null +++ b/metricbeat/module/mongodb/metricset.go @@ -0,0 +1,70 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package mongodb + +import ( + "crypto/tls" + "net" + + "gopkg.in/mgo.v2" + + "github.com/elastic/beats/libbeat/common/transport/tlscommon" + "github.com/elastic/beats/metricbeat/mb" +) + +// ModuleConfig contains the common configuration for this module +type ModuleConfig struct { + TLS *tlscommon.Config `config:"ssl"` +} + +// MetricSet type defines all fields of the MetricSet +type MetricSet struct { + mb.BaseMetricSet + DialInfo *mgo.DialInfo +} + +// NewMetricSet creates a new instance of the MetricSet +func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { + var config ModuleConfig + err := base.Module().UnpackConfig(&config) + if err != nil { + return nil, err + } + + dialInfo, err := mgo.ParseURL(base.HostData().URI) + if err != nil { + return nil, err + } + dialInfo.Timeout = base.Module().Config().Timeout + + if config.TLS.IsEnabled() { + tlsConfig, err := tlscommon.LoadTLSConfig(config.TLS) + if err != nil { + return nil, err + } + + dialInfo.DialServer = func(addr *mgo.ServerAddr) (net.Conn, error) { + return tls.Dial("tcp", addr.String(), tlsConfig.BuildModuleConfig("")) + } + } + + return &MetricSet{ + BaseMetricSet: base, + DialInfo: dialInfo, + }, nil +} diff --git a/metricbeat/module/mongodb/status/status.go b/metricbeat/module/mongodb/status/status.go index 44d7e3c1734..07e643ef4ca 100644 --- a/metricbeat/module/mongodb/status/status.go +++ b/metricbeat/module/mongodb/status/status.go @@ -23,7 +23,6 @@ import ( "github.com/elastic/beats/metricbeat/mb" "github.com/elastic/beats/metricbeat/module/mongodb" - "gopkg.in/mgo.v2" "gopkg.in/mgo.v2/bson" ) @@ -47,24 +46,18 @@ func init() { // additional entries. These variables can be used to persist data or configuration between // multiple fetch calls. type MetricSet struct { - mb.BaseMetricSet - dialInfo *mgo.DialInfo + *mongodb.MetricSet } // New creates a new instance of the MetricSet // Part of new is also setting up the configuration by processing additional // configuration entries if needed. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { - dialInfo, err := mgo.ParseURL(base.HostData().URI) + ms, err := mongodb.NewMetricSet(base) if err != nil { return nil, err } - dialInfo.Timeout = base.Module().Config().Timeout - - return &MetricSet{ - BaseMetricSet: base, - dialInfo: dialInfo, - }, nil + return &MetricSet{ms}, nil } // Fetch methods implements the data gathering and data conversion to the right format @@ -73,7 +66,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { func (m *MetricSet) Fetch() (common.MapStr, error) { // instantiate direct connections to each of the configured Mongo hosts - mongoSession, err := mongodb.NewDirectSession(m.dialInfo) + mongoSession, err := mongodb.NewDirectSession(m.DialInfo) if err != nil { return nil, err } diff --git a/metricbeat/modules.d/mongodb.yml.disabled b/metricbeat/modules.d/mongodb.yml.disabled index b9bfe31b814..7ba8f66a9fb 100644 --- a/metricbeat/modules.d/mongodb.yml.disabled +++ b/metricbeat/modules.d/mongodb.yml.disabled @@ -14,6 +14,21 @@ # password configuration options. hosts: ["localhost:27017"] + # Optional SSL. By default is off. + #ssl.enabled: true + + # Mode of verification of server certificate ('none' or 'full') + #ssl.verification_mode: 'full' + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + # Username to use when connecting to MongoDB. Empty by default. #username: user From b37a82f3f8ca862745100a692291412d459bbca5 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Mon, 25 Jun 2018 10:39:31 +0200 Subject: [PATCH 2/3] Set server name in tls config --- metricbeat/module/mongodb/metricset.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/metricbeat/module/mongodb/metricset.go b/metricbeat/module/mongodb/metricset.go index 27e74450b6d..cc75df8048e 100644 --- a/metricbeat/module/mongodb/metricset.go +++ b/metricbeat/module/mongodb/metricset.go @@ -24,6 +24,7 @@ import ( "gopkg.in/mgo.v2" "github.com/elastic/beats/libbeat/common/transport/tlscommon" + "github.com/elastic/beats/libbeat/logp" "github.com/elastic/beats/metricbeat/mb" ) @@ -59,7 +60,12 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { } dialInfo.DialServer = func(addr *mgo.ServerAddr) (net.Conn, error) { - return tls.Dial("tcp", addr.String(), tlsConfig.BuildModuleConfig("")) + hostname, _, err := net.SplitHostPort(base.HostData().Host) + if err != nil { + logp.Warn("Failed to obtain hostname from `%s`: %s", hostname, err) + hostname = "" + } + return tls.Dial("tcp", addr.String(), tlsConfig.BuildModuleConfig(hostname)) } } From 280223a8bf1058878acbefefc8c6b5c4d90dc4db Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Tue, 26 Jun 2018 16:29:36 +0200 Subject: [PATCH 3/3] Remove references to HTTP in mongodb configs --- metricbeat/docs/modules/mongodb.asciidoc | 2 +- metricbeat/metricbeat.reference.yml | 2 +- metricbeat/module/mongodb/_meta/config.reference.yml | 2 +- metricbeat/module/mongodb/_meta/config.yml | 2 +- metricbeat/modules.d/mongodb.yml.disabled | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/metricbeat/docs/modules/mongodb.asciidoc b/metricbeat/docs/modules/mongodb.asciidoc index 44dc8407a44..0b9129ee2ee 100644 --- a/metricbeat/docs/modules/mongodb.asciidoc +++ b/metricbeat/docs/modules/mongodb.asciidoc @@ -83,7 +83,7 @@ metricbeat.modules: # Mode of verification of server certificate ('none' or 'full') #ssl.verification_mode: 'full' - # List of root certificates for HTTPS server verifications + # List of root certificates for TLS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 12ca2f08683..19ce5429999 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -433,7 +433,7 @@ metricbeat.modules: # Mode of verification of server certificate ('none' or 'full') #ssl.verification_mode: 'full' - # List of root certificates for HTTPS server verifications + # List of root certificates for TLS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication diff --git a/metricbeat/module/mongodb/_meta/config.reference.yml b/metricbeat/module/mongodb/_meta/config.reference.yml index 5dc37cb250c..d99d2938b94 100644 --- a/metricbeat/module/mongodb/_meta/config.reference.yml +++ b/metricbeat/module/mongodb/_meta/config.reference.yml @@ -16,7 +16,7 @@ # Mode of verification of server certificate ('none' or 'full') #ssl.verification_mode: 'full' - # List of root certificates for HTTPS server verifications + # List of root certificates for TLS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication diff --git a/metricbeat/module/mongodb/_meta/config.yml b/metricbeat/module/mongodb/_meta/config.yml index 926ff907b3a..e92b3d5f513 100644 --- a/metricbeat/module/mongodb/_meta/config.yml +++ b/metricbeat/module/mongodb/_meta/config.yml @@ -17,7 +17,7 @@ # Mode of verification of server certificate ('none' or 'full') #ssl.verification_mode: 'full' - # List of root certificates for HTTPS server verifications + # List of root certificates for TLS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication diff --git a/metricbeat/modules.d/mongodb.yml.disabled b/metricbeat/modules.d/mongodb.yml.disabled index 7ba8f66a9fb..36b4669095c 100644 --- a/metricbeat/modules.d/mongodb.yml.disabled +++ b/metricbeat/modules.d/mongodb.yml.disabled @@ -20,7 +20,7 @@ # Mode of verification of server certificate ('none' or 'full') #ssl.verification_mode: 'full' - # List of root certificates for HTTPS server verifications + # List of root certificates for TLS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication