introduce new approach for the previous solution, add mongo user-data…

… validator
FREVA-CLINT · Oct 23, 2024 · 14e1a37 · 14e1a37
1 parent 8c8ef72
commit 14e1a37
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 5 deletions.
diff --git a/assets/share/freva/deployment/playbooks/freva_rest-server-compose-template.yml b/assets/share/freva/deployment/playbooks/freva_rest-server-compose-template.yml
@@ -29,16 +29,15 @@ services:
       - 8983:8983
 
   {{mongo_name}}:
+    image: docker.io/mongo:latest
+    container_name: {{ mongo_name }}
+    hostname: {{ mongo_name }}
 {% if (become == true and ansible_become_user == 'root') or ansible_user == 'root' %}
-    container_name: {{mongo_name}}
+    entrypoint: /tmp/mongo-flush-pass-entrypoint.sh
 {% else %}
-    container_name: {{mongo_name}}
     user: root:0
     entrypoint: /tmp/entrypoint.sh
 {% endif %}
-    image: docker.io/mongo:latest
-    container_name: {{mongo_name}}
-    hostname: {{mongo_name}}
 {% if debug %}
     network_mode: host
 {% else %}

diff --git a/assets/share/freva/deployment/playbooks/freva_rest-server-playbook.yml b/assets/share/freva/deployment/playbooks/freva_rest-server-playbook.yml
@@ -9,6 +9,7 @@
     freva_rest_name: "{{project_name}}-freva_rest"
     databrowser_name: "{{project_name}}-databrowser"
     compose_file: '{{freva_rest_data_path|regex_replace("^~", ansible_env.HOME)}}/compose_services/{{freva_rest_name}}-compose.yml'
+    flush_mongo_pass_path: '{{freva_rest_data_path|regex_replace("^~", ansible_env.HOME)}}/{{ project_name }}/freva_rest/mongo-flush-pass-entrypoint.sh'
     solr_name: "{{project_name}}-solr"
     mongo_name: "{{project_name}}-mongo"
     data_path: '{{freva_rest_data_path|regex_replace("^~", ansible_env.HOME)}}/{{project_name}}/freva_rest'
@@ -30,6 +31,8 @@
     mongo_volumes:
       - '{{freva_rest_data_path|regex_replace("^~", ansible_env.HOME)}}/{{project_name}}/freva_rest/stats:/data/db:z'
       - '{{freva_rest_data_path|regex_replace("^~", ansible_env.HOME)}}/{{ project_name }}/freva_rest/rootless-entrypoint.sh:/tmp/entrypoint.sh:z'
+      - '{{freva_rest_data_path|regex_replace("^~", ansible_env.HOME)}}/{{ project_name }}/freva_rest/mongo-flush-pass-entrypoint.sh:/tmp/mongo-flush-pass-entrypoint.sh:z'
+      - '{{freva_rest_data_path|regex_replace("^~", ansible_env.HOME)}}/freva-service-config/mongo/mongo-userdata-init.js:/docker-entrypoint-initdb.d/mongo-userdata-init.js:ro'
     ansible_become_user: "{{ freva_rest_ansible_become_user | default('root') }}"
   tasks:
     - name: Decode Base64 information content
@@ -177,6 +180,13 @@
       template:
         src: "{{ asset_dir }}/playbooks/freva_rest-server-compose-template.yml"
         dest: "{{compose_file}}"
+    - name: Deploy and set permissions for MongoDB flush password entrypoint
+      template:
+        src: "{{ asset_dir }}/script/mongo-flush-pass-entrypoint.sh"
+        dest: "{{flush_mongo_pass_path}}"
+        owner: "{{ uid }}"
+        group: "{{ gid }}"
+        mode: "0755"
     - name: Creating systemd services
       shell: |
         /tmp/create_systemd.py {{freva_rest_name}} compose --enable --project-name {{freva_rest_name}} -f {{compose_file}} up --remove-orphans

diff --git a/assets/share/freva/deployment/scripts/mongo-flush-pass-entrypoint.sh b/assets/share/freva/deployment/scripts/mongo-flush-pass-entrypoint.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+set -Eeuo pipefail
+
+MONGODB_USER=${MONGODB_USER:-"mongo"}
+MONGODB_PASSWORD=${MONGODB_PASSWORD:-"{{root_passwd}}"}
+LOG_FILE="/var/log/mongodb.log"
+
+log() {
+    echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*"
+}
+
+wait_for_mongo() {
+    # TODO: For a small test environemt, 30 seconds was too long, but to be safe and sure in a real env, we should keep it at 30 seconds
+    for i in {1..30}; do
+        if mongosh --quiet --eval "db.adminCommand('ping')" &>/dev/null; then
+            return 0
+        fi
+        sleep 1
+    done
+    return 1
+}
+
+reset_user() {
+    log "Starting mongo without auth for user reset..."
+    mongod --bind_ip_all --fork --logpath "$LOG_FILE" --noauth
+
+    sleep 5
+
+    log "striping existing users and creating admin user again..."
+    mongosh admin --quiet --eval "
+        db.dropUser('${MONGODB_USER}');
+        db.createUser({
+            user: '${MONGODB_USER}',
+            pwd: '${MONGODB_PASSWORD}',
+            roles: [
+                { role: 'root', db: 'admin' },
+                { role: 'userAdminAnyDatabase', db: 'admin' },
+                { role: 'dbAdminAnyDatabase', db: 'admin' },
+                { role: 'readWriteAnyDatabase', db: 'admin' }
+            ]
+        });"
+
+    if [ $? -eq 0 ]; then
+        log "User reset successfully"
+        mongod --shutdown
+        sleep 5
+        return 0
+    else
+        log "Failed to reset user"
+        mongod --shutdown
+        sleep 5
+        return 1
+    fi
+}
+
+verify_auth() {
+    log "Verifying authentication..."
+    mongosh admin --quiet --eval "
+        try {
+            db.auth('${MONGODB_USER}', '${MONGODB_PASSWORD}');
+            db.adminCommand('listDatabases');
+            quit(0);
+        } catch(err) {
+            quit(1);
+        }"
+}
+
+main() {
+    log "Starting mongo without auth to verify and then reset credentials..."
+    mongod --bind_ip_all --fork --logpath "$LOG_FILE" --noauth
+
+    sleep 5
+
+    if ! verify_auth; then
+        log "Authentication failed with existing credentials - resetting user..."
+        mongod --shutdown
+        sleep 5
+        reset_user
+    else
+        log "Existing credentials are valid"
+        mongod --shutdown
+        sleep 5
+    fi
+
+    log "Starting MongoDB with authentication..."
+    exec mongod --bind_ip_all --auth
+}
+
+main "$@"