SASL authentication is not configured properly
kurik opened this issue · comments
I am using the following playbook:
```yaml
# SPDX-License-Identifier: MIT
---
- name: Ensure that authentication is configured
  hosts: all
  roles:
    - role: linux-system-roles.metrics
      vars:
        metrics_from_bpftrace: yes
        metrics_username: pcptest
        metrics_password: tdlendle
  tasks:
    - name: Check if authentication functionality works
      shell: sasldblistusers2 -f /etc/pcp/passwd.db | grep -wq pcptest
    - name: Check if a client can access metrics
      command: pminfo -f -h "pcp://127.0.0.1?username=pcptest&password=tdlendle" disk.dev.read
```
Issue #1

The expectation is that the role will set the SASL password for the pcptest user. Unfortunately this does not happen and the `/etc/pcp/passwd.db` file is not created. When digging a bit deeper into the role, the problem is IMO in the file `roles/performancecopilot_metrics_pcp/tasks/pmcd.yml`, namely in its section "Ensure performance metric collector SASL accounts are configured".

In this section the name of a SASL user is expected to be stored in a field `saslname`, however there is no such field defined. The role uses the field `sasluser` instead, which is set to the expected value.

When I change the field `saslname` to `sasluser` in the `roles/performancecopilot_metrics_pcp/tasks/pmcd.yml` file, the role generates the expected `/etc/pcp/passwd.db` file.
Issue #2

Even if I apply the change I have just described above (issue #1), the created `/etc/pcp/passwd.db` file is empty (contains no users). That is because the password for the user in the `roles/performancecopilot_metrics_pcp/tasks/pmcd.yml` file is set using the `saslpasswd2` command. But the `saslpasswd2` command uses the `-n` switch, which prevents the command from storing credentials. Removing the `-n` switch from the `saslpasswd2` command fixes the issue: `/etc/pcp/passwd.db` now contains the password for the user, and the command `sasldblistusers2 -f /etc/pcp/passwd.db | grep -wq pcptest` on the host machine succeeds.
Issue #3

After I apply the fixes described above (issues #1 and #2) there is still one problem: the command `pminfo -f -h "pcp://127.0.0.1?username=pcptest&password=tdlendle" disk.dev.read` fails.

On the host system, there is no `cyrus-sasl-scram` package installed. When I install this package manually, everything starts to work as expected.

The `cyrus-sasl-scram` package is defined in the role, in the file `roles/performancecopilot_metrics_pcp/vars/RedHat.yml`, as a variable `__pcp_packages_sasl`. However this variable is not used anywhere else, as far as I can see.
@kurik thanks Jan. I suspect issue #2 and #3 are the same thing - we should not be installing the password in plaintext (removing -n is not the right thing to do). If the correct packages had been installed at the time (#3), I think #2 may not have happened.
I'll check it and resolve the package variable naming issues shortly, which should sort this out. And some new regression tests are sorely needed here, obviously.
I'll be opening a PR shortly with these issues fixed. For the record, you were right about -n too @kurik :) - I mis-remembered and mis-read the docs.