linux-system-roles / metrics

An ansible role which configures metrics collection.

Home Page:https://linux-system-roles.github.io/metrics/


SASL authentication is not configured properly

kurik opened this issue · comments

I am using the following playbook:

# SPDX-License-Identifier: MIT
---
- name: Ensure that authentication is configured
  hosts: all

  roles:
    - role: linux-system-roles.metrics
      vars:
        metrics_from_bpftrace: yes
        metrics_username: pcptest
        metrics_password: tdlendle

  tasks:
    - name: Check if authentication functionality works
      shell: sasldblistusers2 -f /etc/pcp/passwd.db | grep -wq pcptest

    - name: Check if a client can access metrics
      command: pminfo -f -h "pcp://127.0.0.1?username=pcptest&password=tdlendle" disk.dev.read

Issue # 1

The expectation is that the role will set the SASL password for the pcptest user. Unfortunately this does not happen and the /etc/pcp/passwd.db file is not created. When digging a bit deeper into the role, the problem is IMO in the file roles/performancecopilot_metrics_pcp/tasks/pmcd.yml, namely in its section Ensure performance metric collector SASL accounts are configured.

In this section the name of a SASL user is expected to be stored in a field saslname, however there is no such field defined. The role uses the field sasluser instead, which is set to the expected value.

When I change the field saslname to sasluser in the roles/performancecopilot_metrics_pcp/tasks/pmcd.yml file, the role generates the expected /etc/pcp/passwd.db file.

Issue # 2

Even if I apply the change I have just described above (issue # 1), the created /etc/pcp/passwd.db file is empty (contains no users). That is because the password for the user in the roles/performancecopilot_metrics_pcp/tasks/pmcd.yml file is set using the saslpasswd2 command, but the saslpasswd2 command uses the -n switch, which prevents the command from storing credentials. Removing the -n switch from the saslpasswd2 command fixes the issue: the /etc/pcp/passwd.db file now contains the password for the user, and the command sasldblistusers2 -f /etc/pcp/passwd.db | grep -wq pcptest on the host machine succeeds.

Issue # 3

After I apply the fixes described above (issues # 1 and # 2) there is still one problem: the command pminfo -f -h "pcp://127.0.0.1?username=pcptest&password=tdlendle" disk.dev.read fails.
On the host system, the cyrus-sasl-scram package is not installed. When I install this package manually, everything starts to work as expected.

The cyrus-sasl-scram package is defined in the role, in the file roles/performancecopilot_metrics_pcp/vars/RedHat.yml, as the variable __pcp_packages_sasl. However, this variable is not used anywhere else, as far as I can see.

@kurik thanks Jan. I suspect issues #2 and #3 are the same thing - we should not be installing the password in plaintext (removing -n is not the right thing to do). If the correct packages had been installed at the time (#3), I think #2 may not have happened.

I'll check it and resolve the package variable naming issues shortly which should sort this out. And some new regression tests are sorely needed here obviously.

I'll be opening a PR shortly with these issues fixed. For the record, you were right about -n too @kurik :) - I mis-remembered and mis-read the docs.
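For reference, an added illustration (not the metrics role's own tasks, nor the PR mentioned above) of how the three corrections from this thread fit together as Ansible tasks: install the SCRAM plugin, keep one field name between the account list and the template, and call saslpasswd2 without -n. The variables metrics_username, metrics_password, the path /etc/pcp/passwd.db and the pminfo check come from the issue; the list name pcp_sasl_accounts, its sasluser/saslpassword keys and the -a pmcd application name are assumptions.

```yaml
# Added illustration, not code from the linux-system-roles/metrics role.
# Assumed: accounts are passed as a list of dicts keyed sasluser/saslpassword.
- name: Ensure the SCRAM SASL mechanism plugin is installed (issue 3)
  package:
    name: cyrus-sasl-scram
    state: present

- name: Build the SASL account list with one consistent field name (issue 1)
  set_fact:
    pcp_sasl_accounts:
      - sasluser: "{{ metrics_username }}"
        saslpassword: "{{ metrics_password }}"

- name: Check which SASL users already exist in the pmcd password database
  # sasldblistusers2 prints one "user@realm: userPassword" line per entry
  shell: sasldblistusers2 -f /etc/pcp/passwd.db 2>/dev/null | cut -d@ -f1
  register: __pcp_existing_sasl_users
  changed_when: false
  failed_when: false   # the database does not exist yet on a fresh host

- name: Ensure performance metric collector SASL accounts are configured (issue 2)
  # -p reads the password from stdin and -c creates the entry; no -n, so the
  # userPassword property that the SCRAM mechanism verifies against is stored.
  # "-a pmcd" is the assumed application name matching pmcd's SASL config.
  shell: >-
    set -o pipefail;
    printf '%s' {{ item.saslpassword | quote }} |
    saslpasswd2 -p -c -a pmcd -f /etc/pcp/passwd.db {{ item.sasluser | quote }}
  args:
    executable: /bin/bash
  loop: "{{ pcp_sasl_accounts }}"
  loop_control:
    label: "{{ item.sasluser }}"   # never echo the password in task output
  when: item.sasluser not in __pcp_existing_sasl_users.stdout_lines
  no_log: true

- name: Verify that a client can authenticate with the new account
  command: >-
    pminfo -f -h "pcp://127.0.0.1?username={{ metrics_username }}&password={{ metrics_password }}"
    disk.dev.read
  changed_when: false
  no_log: true
```

Because the account task is skipped for users already listed, rotating a password means removing the entry first (saslpasswd2 -d) and re-running the play.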