[Pulp-list] Pulp (MongoDB) Security Configuration

2016-01-27 Thread Lesley Kimmel
All;

I am attempting to secure Satellite/Katello per DoD security guidance. The
first few items I need to do are to limit incoming connections and to enable
access control. Along those lines can anyone answer:

a) How many connections to MongoDB does Pulp require? Is it configurable?
b) Out of the box there is no access control between Pulp and MongoDB. What
are the minimum permissions/roles needed for a user to allow Pulp to do
what it needs to do?
___
Pulp-list mailing list
Pulp-list@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list

Re: [Pulp-list] Pulp (MongoDB) Security Configuration

2016-01-27 Thread Kodiak Firesmith
Hi Lesley,
I just had to do this during my setup.  Well, part b at least - haven't
throttled the # connections.

Here is what is working for me, YMMV as I'm hardly an expert:

> use pulp_database
switched to db pulp_database
> show users
{
    "_id" : "pulp_database.pulpAdministrator",
    "user" : "pulpAdministrator",
    "db" : "pulp_database",
    "roles" : [
        {
            "role" : "dbAdmin",
            "db" : "pulp_database"
        },
        {
            "role" : "readWrite",
            "db" : "pulp_database"
        }
    ]
}


Hit me up on #pulp if you have any trouble and I'll see if your errors
match any of the ones I hit during my struggle to get mongo auth set up :)

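An added example (not part of the original thread and not Pulp's own code): an offline check of a MongoDB user document, in the shape `show users` prints above, against a role allowlist. The allowlist mirrors the roles in the reply above and is an assumption, not a documented Pulp minimum; `audit_user` and the sample documents are hypothetical and constructed here.

```python
APP_DB = "pulp_database"
# Assumption: the two roles reported as working in the reply above.
ALLOWED = {("readWrite", APP_DB), ("dbAdmin", APP_DB)}

# MongoDB built-in roles that reach beyond one application database
# or let the account grant itself further privileges.
BROAD_ROLES = {
    "root", "__system", "dbOwner", "userAdmin", "userAdminAnyDatabase",
    "readWriteAnyDatabase", "dbAdminAnyDatabase", "readAnyDatabase",
    "clusterAdmin",
}


def normalize(role, default_db):
    """Accept {'role': ..., 'db': ...} documents and bare role-name strings."""
    if isinstance(role, str):
        return role, default_db
    return role["role"], role.get("db", default_db)


def audit_user(user_doc, allowed=ALLOWED, app_db=APP_DB):
    """Return a list of findings; an empty list means grants match the allowlist."""
    home_db = user_doc.get("db", app_db)
    granted = {normalize(r, home_db) for r in user_doc.get("roles", [])}
    findings = []
    for name, db in sorted(granted - allowed):
        if name in BROAD_ROLES:
            findings.append(f"broad built-in role {name}@{db}")
        elif db != app_db:
            findings.append(f"role {name} granted on other database {db}")
        else:
            findings.append(f"role {name}@{db} not in allowlist")
    for name, db in sorted(allowed - granted):
        findings.append(f"expected role {name}@{db} is missing")
    return findings


# Constructed samples: the first copies the `show users` output above,
# the second is a hypothetical over-privileged account.
SAMPLE_OK = {"user": "pulpAdministrator", "db": "pulp_database", "roles": [
    {"role": "dbAdmin", "db": "pulp_database"},
    {"role": "readWrite", "db": "pulp_database"}]}
SAMPLE_BAD = {"user": "pulp", "db": "admin", "roles": [
    "root", {"role": "readWrite", "db": "pulp_database"},
    {"role": "read", "db": "local"}]}

if __name__ == "__main__":
    for doc in (SAMPLE_OK, SAMPLE_BAD):
        print(doc["user"], audit_user(doc) or "OK")
```

To audit a live deployment, pass each entry of the `users` array returned by MongoDB's `usersInfo` command to `audit_user`.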

Re: [Pulp-list] Pulp (MongoDB) Security Configuration

2016-01-27 Thread Brian Bouterse
see inline

On 01/27/2016 01:21 PM, Lesley Kimmel wrote:
> All;
> 
> I am attempting to secure Satellite/Katello per DoD security guidance.
> The first few items I need to do are to limit incoming connections and to
> enable access control. Along those lines can anyone answer:
> 
> a) How many connections to MongoDB does Pulp require? Is it configurable?

I think the best way to answer this question is to look at how Pulp
components configure PyMongo [0]. Each Pulp process will call
initialize() once. The #mongodb community could speak more to how many
connections that translates to with replica sets and seeds.

> b) Out of the box there is no access control between Pulp and MongoDB.
> What are the minimum permissions/roles needed for a user to allow Pulp
> to do what it needs to do?

Use the roles documented here [1].


[0]: https://github.com/pulp/pulp/blob/master/server/pulp/server/db/connection.py#L35
[1]: http://pulp.readthedocs.org/en/latest/user-guide/installation.html#server



[Pulp-list] Missing packages in errata specific repository

2016-01-27 Thread Gunnar Thielebein
I have an issue that dependencies for some packages were not resolved 
correctly when running “yum install kernel” or “yum update” on a RHEL7 machine 
which has access to a repository that should only be filled with pulp content 
filtered by errata.

It seems the missing packages in this transaction were not copied during the 
initial pulp task on the pulp server, when content from the source repo was 
copied using the --match or --filter argument (tried both of them).

--> Processing Dependency: systemd = 208-20.el7 for package: systemd-sysv-208-20.el7.x86_64
--> Processing Dependency: systemd = 208-20.el7 for package: libgudev1-208-20.el7.x86_64
--> Processing Dependency: systemd = 208-20.el7 for package: systemd-python-208-20.el7.x86_64
--> Finished Dependency Resolution
Error: Package: dracut-config-rescue-033-240.el7.x86_64 (@anaconda/7.1)
   Requires: dracut = 033-240.el7
   Removing: dracut-033-240.el7.x86_64 (@anaconda/7.1)
   dracut = 033-240.el7
   Updated By: dracut-033-360.el7_2.x86_64 (rhel7u1-rhn)
   dracut = 033-360.el7_2
Error: Package: libgudev1-208-20.el7.x86_64 (@anaconda/7.1)
   Requires: systemd = 208-20.el7
   Removing: systemd-208-20.el7.x86_64 (@anaconda/7.1)
   systemd = 208-20.el7
   Updated By: systemd-219-19.el7.x86_64 (rhel7u1-rhn)
   systemd = 219-19.el7
Error: Package: dracut-network-033-240.el7.x86_64 (@anaconda/7.1)
   Requires: dracut = 033-240.el7
   Removing: dracut-033-240.el7.x86_64 (@anaconda/7.1)
   dracut = 033-240.el7
   Updated By: dracut-033-360.el7_2.x86_64 (rhel7u1-rhn)
   dracut = 033-360.el7_2
Error: Package: systemd-sysv-208-20.el7.x86_64 (@anaconda/7.1)
   Requires: systemd = 208-20.el7
   Removing: systemd-208-20.el7.x86_64 (@anaconda/7.1)
   systemd = 208-20.el7
   Updated By: systemd-219-19.el7.x86_64 (rhel7u1-rhn)
   systemd = 219-19.el7
Error: Package: systemd-python-208-20.el7.x86_64 (@anaconda/7.1)
   Requires: systemd = 208-20.el7
   Removing: systemd-208-20.el7.x86_64 (@anaconda/7.1)
   systemd = 208-20.el7
   Updated By: systemd-219-19.el7.x86_64 (rhel7u1-rhn)
   systemd = 219-19.el7
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Am I missing an option or something else, when copying content based on an 
errata to a specific repository?

rhel-7-server-rpms: fed from external (whole mirror from rhn)
rhel7u1-rhn-x86_64: explicit repository containing security fixes based on 
errata

Command used:
sudo pulp-admin rpm repo copy errata --recursive --match="id=RHSA-2016:0064" --from-repo-id=rhel-7-server-rpms --to-repo-id=rhel7u1-rhn-x86_64


Rgds,
Gunnar
