prisma1
Provide additional options for SSL MongoDB connections in configuration
Describe the bug: There are some options which can only be passed to the MongoDB driver via an options object (not supported on the URI query string). Specifically, the ability to specify CA or key/cert files needed for connections to some MongoDB instances (and, important for testing, the ability to turn off SSL certificate checking). They are the options that correspond to the mongo CLI options below:
--sslCAFile arg
--sslPEMKeyFile arg
--sslPEMKeyPassword arg
--sslCRLFile arg
--sslAllowInvalidCertificates
To Reproduce: Steps to reproduce the behavior:
- Generate a self-signed cert/key and start up a mongo instance:
  `docker run -p 27018:27017 --name mongo --rm -v $PWD:/etc/ssl mongo:4 --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem -v`
- Verify connections work to the database with the needed flags set (simplest case):
  `mongo localhost:27018 --ssl --sslAllowInvalidCertificates`
- Attempt to connect to this database using `mongodb://localhost:27018/?ssl=true` as the connect string with prisma
Expected behavior An additional yml dictionary of connection options which could be passed along to the connection objects.
Versions (please complete the following information):
- Connector: MongoDB
- Prisma Server: 1.31.0
Further information:
I continued hacking to see what I could come up with locally. It looks like the forcing of netty by system property as in the files below may be triggering the error described here: https://jira.mongodb.org/browse/SCALA-501
Sounds like netty may no longer be needed for the MongoDB connections?
MongoDatabasesFactory.scala MongoInternalDatabaseDefs.scala
Is there any way to connect to a mongo instance which requires certificates currently?
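To show what is actually failing behind the repro steps above, here is an added example (written for this page, not code from the issue or from Prisma) using only the Go standard library: it mints a throwaway self-signed certificate, stands up a loopback TLS listener in place of a `--sslMode requireSSL` mongod, and then handshakes against it three ways that correspond to the options the issue asks for. With only `ssl=true` (system roots, no extra CA) the handshake fails with an unknown-authority error; supplying the server certificate as a CA (the `--sslCAFile` case) succeeds; disabling verification (the `--sslAllowInvalidCertificates` case) also succeeds but, as with the mongo shell flag, should be reserved for testing. The type and function names (`ClientMode`, `tryConnect`, `selfSignedServerCert`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert mints a throwaway self-signed cert for 127.0.0.1,
// standing in for the mongodb.pem the issue's docker command loads.
// Constructed test material: valid for one hour, never persisted to disk.
func selfSignedServerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "mongo-test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it acts as its own CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// startTLSServer accepts connections on a loopback port and completes the TLS
// handshake, like a mongod running with --sslMode requireSSL.
func startTLSServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln, nil
}

// ClientMode mirrors the three ways a driver can be told to treat the server cert.
type ClientMode int

const (
	SystemRootsOnly ClientMode = iota // "?ssl=true" alone: no extra CA configured
	WithCAFile                        // --sslCAFile: trust the supplied CA
	AllowInvalid                      // --sslAllowInvalidCertificates: no verification (test only)
)

// tryConnect handshakes against addr under mode and reports whether it
// succeeded and whether a failure was a certificate-verification error.
func tryConnect(addr string, mode ClientMode, ca *x509.Certificate) (ok bool, verifyErr bool) {
	cfg := &tls.Config{}
	switch mode {
	case WithCAFile:
		pool := x509.NewCertPool()
		pool.AddCert(ca)
		cfg.RootCAs = pool
	case AllowInvalid:
		cfg.InsecureSkipVerify = true
	}
	conn, err := tls.Dial("tcp", addr, cfg) // ServerName is taken from addr
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		return false, errors.As(err, &unknownCA)
	}
	conn.Close()
	return true, false
}

func main() {
	cert, leaf, err := selfSignedServerCert()
	if err != nil {
		panic(err)
	}
	ln, err := startTLSServer(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for _, m := range []struct {
		name string
		mode ClientMode
	}{{"ssl=true only", SystemRootsOnly}, {"sslCAFile", WithCAFile}, {"sslAllowInvalidCertificates", AllowInvalid}} {
		ok, verr := tryConnect(ln.Addr().String(), m.mode, leaf)
		fmt.Printf("%-30s connected=%v verification_error=%v\n", m.name, ok, verr)
	}
}
```

The `SystemRootsOnly` failure is the same class of error a driver raises when a URI carries `ssl=true` but no CA is configured, which is why the issue asks for a way to pass the CA (or, for tests only, the allow-invalid switch) through Prisma's configuration.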
Any update on this issue?
Using scalegrid.io as the database provider, SSL is required for MongoDB. This functionality must be supported in prisma for the mongodb connector to make sense.
I have so far been using MongoDB 3.4 (and upgrading isn't necessarily trivial), but it seems like 4.2 has added the possibility to specify the certificates, etc. in the connection string, e.g. tlsCertificateKeyFile. Did anyone try this with prisma yet? It would be a kind of workaround at least.
So I'm not sure if this is the global solution to certificates in the Java world, but it seems like every answer on how to set certificates there, also when using Mongo, is to use the Java certificate store. So I have made a fork and a pull request where I have added a mechanism to the prisma build tool, such that it is possible to build your own Docker image with the relevant certificates.
The prerun_hook.sh script can have something like this:

```bash
#!/usr/bin/env bash
# Change the default Java truststore password, then import the mongod cert into it
keytool -storepasswd -new mysecretpassword -keystore /etc/ssl/certs/java/cacerts -storepass changeit
echo "yes" | keytool -import -trustcacerts -file /app/prerun_hook_files/my-mongod-cert.crt -keystore /etc/ssl/certs/java/cacerts -storepass mysecretpassword
# Remove the cert file once it is in the truststore
rm -f /app/prerun_hook_files/my-mongod-cert.crt
```
FWIW, I have this running on Heroku now, after following some suggestions on how to build Docker images for the service. In doing this I ditched the idea of the pull request above, and instead I built a new Docker image based on the prisma one, and added the certs (using the commands from above) via the Dockerfile.
See https://github.com/dpetrick/prisma-heroku for general instructions on how to make a Docker image for Heroku.