[receiver/mongodb] Add support for auth_mechanism, auth_mechanism_properties and auth_source configuration#45306
a568be0 to 6cc83f3
| @@ -73,10 +76,20 @@ func (c *Config) ClientOptions(secondary bool) *options.ClientOptions { | |||
| } | |||
|
|
|||
| if c.Username != "" && c.Password != "" { | |||
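Review bot: the guard `if c.Username != "" && c.Password != "" {` makes credential setup conditional on both a username and a password, which silently skips authentication for the mechanisms this PR adds that have no password, such as MONGODB-X509 (identity comes from the client certificate) or MONGODB-AWS with auto-discovered credentials. Suggest building the credential when either username/password or `auth_mechanism` is set, and adding a test for the mechanism-only case so the regression cannot reappear.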
We shouldn't be requiring a username and password for all authentication types.
Good catch! I've updated the code to allow authentication setup when only auth_mechanism is specified, even without username/password.
Changes made:
- Modified the condition to set up auth credentials when either username/password are provided OR when auth_mechanism is specified
- Added test case `TestOptionsWithAuthMechanismOnly` to verify X509 authentication works without username/password
dyl10s left a comment
This is looking good to me, just some CI issues to fix up. After that, I will give it one final test before approving!
de8d0dd to 85935a2
I've fixed the CI issues. Checks should pass after workflows are approved. Also, apologies for all the extra reviewers and labels that got added - the branch got messy from multiple merges with main. I've cleaned it up by rebasing onto the latest main. The extra reviewers/labels can be removed at your convenience.
c3ebd67 to ad1cf98
…ptions
- Added auth_mechanism parameter to configure MongoDB authentication mechanism
- Added auth_source parameter to specify authentication database
- Added tests for new configuration options
- Updated documentation
Fixes open-telemetry#40686
… auth_source and auth_mechanism_properties support
…out username/password
…o use require.Empty
01a8afa to 5a09f1f
dyl10s left a comment
2 minor things, I tested everything and it's working well. I will be ready to give this my approval once these last comments are addressed.
| - For a sharded MongoDB deployment, please specify a list of the `mongos` hosts. | ||
| - `username`: If authentication is required, the user can with `clusterMonitor` permissions can be provided here. | ||
| - `password`: If authentication is required, the password can be provided here. | ||
| - `auth_mechanism`: (optional) The authentication mechanism to use. Common values include `SCRAM-SHA-1`, `SCRAM-SHA-256`, `MONGODB-X509`, `GSSAPI`, `MONGODB-AWS`, etc. If not specified, MongoDB will use the default mechanism. |
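Review bot: the `username` line reads "the user can with `clusterMonitor` permissions can be provided here", a doubled "can"; suggest "a user with `clusterMonitor` permissions can be provided here". On the `auth_mechanism` line, the list mixes password-less mechanisms (MONGODB-X509, MONGODB-AWS) with SCRAM and GSSAPI without saying which of `username`, `password`, `auth_source` or the `tls` block each one needs; a short per-mechanism note or a link to the driver documentation would make the option usable without reading the code.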
Can you add a link to the Go documentation that explains how to configure each of these, or include a section in this readme on how to configure them?
Yeah, I'll add links to documentation in a separate Auth section.
| - For a sharded MongoDB deployment, please specify a list of the `mongos` hosts. | ||
| - `username`: If authentication is required, the user can with `clusterMonitor` permissions can be provided here. | ||
| - `password`: If authentication is required, the password can be provided here. | ||
| - `auth_mechanism`: (optional) The authentication mechanism to use. Common values include `SCRAM-SHA-1`, `SCRAM-SHA-256`, `MONGODB-X509`, `GSSAPI`, `MONGODB-AWS`, etc. If not specified, MongoDB will use the default mechanism. |
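Review bot: the `auth_mechanism` entry names MONGODB-X509 but does not say where the client certificate comes from. Since this receiver takes TLS settings from the `tls` block (configtls.ClientConfig) rather than from URI parameters such as `tlsCertificateKeyFile`, the README should state that X.509 requires `tls.cert_file` and `tls.key_file` (a combined PEM split into certificate and key) together with `auth_source: $external`, and that `username`/`password` are not used for it; otherwise readers will copy the driver's URI-based example and get a connection that never authenticates.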
Looks like for X509, some additional work is needed around appending to the connection string
https://pkg.go.dev/go.mongodb.org/mongo-driver/v2/mongo#example-Connect-X509
Feel free to add support for this or remove the option for now.
I tested X.509, SCRAM-SHA-256, and SCRAM-SHA-1 using dockerized MongoDB 7.0 instances and confirmed they all work correctly with the receiver.
For X.509, the receiver already works without any connection string modifications. The MongoDB Go driver example puts TLS certificates in the URI:

```
mongodb://host:port/?tlsCAFile=ca.pem&tlsCertificateKeyFile=client.pem
```

But since the receiver uses OTel's standard configtls.ClientConfig, users configure TLS via the tls block instead (which is consistent with all other OTel components):

```yaml
receivers:
  mongodb:
    hosts:
      - endpoint: localhost:27018
    auth_mechanism: MONGODB-X509
    auth_source: $external
    tls:
      ca_file: /path/to/ca.pem
      cert_file: /path/to/client-cert.pem
      key_file: /path/to/client-key.pem
```

The only difference from the Go driver examples is that OTel's TLS config uses separate cert_file and key_file instead of a single combined PEM. If users have a combined PEM, they can split it with:

```sh
openssl x509 -in client.pem -out client-cert.pem
openssl pkey -in client.pem -out client-key.pem
```

I verified this works with a dockerized MongoDB 7.0 instance using self-signed X.509 certificates.
For MONGODB-AWS and GSSAPI: these mechanisms require specific server-side support (Atlas/Percona for AWS, MongoDB Enterprise for GSSAPI) so I couldn't test them with a standard Docker image. However, the receiver passes auth_mechanism and auth_mechanism_properties directly to the Go driver's Credential struct via SetAuth(), so they should work as expected.
Also, I added PasswordSet support for GSSAPI (Kerberos) password-based authentication, following the Go driver documentation.
This has not been tested end-to-end, as GSSAPI requires MongoDB Enterprise.
logic Add an Authentication section to the README with examples for SCRAM, X.509, MONGODB-AWS, and GSSAPI. Document X.509 PEM splitting, AWS credential auto-discovery, and GSSAPI build requirements. Refactor credential construction into a shared buildCredential() helper and add PasswordSet support for GSSAPI password-based auth.
dyl10s left a comment
LGTM, thank you for this contribution!
Description
Adds configuration options for MongoDB authentication mechanism, source database, and mechanism properties to the MongoDB receiver. This allows users to specify authentication methods like SCRAM-SHA-256, GSSAPI (Kerberos), or MONGODB-AWS when connecting to MongoDB instances that require specific authentication mechanisms. The implementation adds three new optional configuration fields:
- `auth_mechanism`: The authentication mechanism to use (e.g., SCRAM-SHA-1, SCRAM-SHA-256, GSSAPI, MONGODB-AWS, MONGODB-X509)
- `auth_source`: The database name to use for authentication (defaults to admin if not specified)
- `auth_mechanism_properties`: A map of key-value pairs specifying additional properties for the authentication mechanism (e.g., SERVICE_NAME for GSSAPI, AWS_SESSION_TOKEN for MONGODB-AWS)

These fields are applied to both primary and secondary MongoDB connections when connecting to replica sets, ensuring consistent authentication configuration across all connections.
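To make the credential-building rules discussed in this PR concrete (a credential is built when username/password or `auth_mechanism` is set, X.509 takes its client certificate from the `tls` block, and `PasswordSet` is flipped for GSSAPI password-based auth), here is an added Go example that is not the receiver's code. `AuthConfig`, `Credential` and `BuildCredential` are local stand-ins for the receiver's config and the driver's `options.Credential`, and the per-mechanism checks are assumptions modelled on this thread rather than the driver's own validation.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthConfig holds the receiver settings discussed in this PR (constructed stand-in).
type AuthConfig struct {
	Username, Password, AuthMechanism, AuthSource string
	AuthMechanismProperties                       map[string]string
	TLSCertFile, TLSKeyFile                       string // from the tls block
}

// Credential is a local stand-in for the driver's options.Credential fields (assumption).
type Credential struct {
	AuthMechanism, AuthSource, Username, Password string
	AuthMechanismProperties                       map[string]string
	PasswordSet                                   bool
}

// BuildCredential returns (nil, nil) when nothing auth-related is set. A credential is
// built when username/password OR auth_mechanism is given, so X.509/AWS need no password.
func BuildCredential(c AuthConfig) (*Credential, error) {
	if c.Username == "" && c.Password == "" && c.AuthMechanism == "" {
		return nil, nil
	}
	switch c.AuthMechanism {
	case "MONGODB-X509": // client cert comes from the tls block, not the URI
		if c.TLSCertFile == "" || c.TLSKeyFile == "" {
			return nil, errors.New("MONGODB-X509 requires tls.cert_file and tls.key_file")
		}
	case "", "SCRAM-SHA-1", "SCRAM-SHA-256": // "" means the driver default (SCRAM)
		if c.Username == "" || c.Password == "" {
			return nil, errors.New("SCRAM requires both username and password")
		}
	}
	return &Credential{
		AuthMechanism: c.AuthMechanism, AuthSource: c.AuthSource,
		Username: c.Username, Password: c.Password,
		AuthMechanismProperties: c.AuthMechanismProperties,
		// Driver docs: PasswordSet must be true for GSSAPI when a password is given.
		PasswordSet: c.AuthMechanism == "GSSAPI" && c.Password != "",
	}, nil
}

func main() {
	cred, err := BuildCredential(AuthConfig{AuthMechanism: "MONGODB-AWS"})
	fmt.Printf("%+v %v\n", cred, err)
}
```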
Link to tracking issue
Fixes #40686
Testing
- `TestOptionsWithAuthMechanismAndSource` to verify authentication configuration (including auth_mechanism, auth_source, and auth_mechanism_properties) is correctly applied to both primary and secondary connections
- `TestLoadConfig` to verify configuration loading from YAML with the new fields
- Lint (`make lint`) and formatting checks pass
- `auth_mechanism`, `auth_source`, and `auth_mechanism_properties` are properly set in MongoDB client options when provided
Documentation
- `README.md` to document the new `auth_mechanism`, `auth_source`, and `auth_mechanism_properties` configuration options with usage examples
- `testdata/config.yaml` to include example usage of the new configuration fields