Missing -dbSSL and -dbAuthDb arguments #903

Closed
RemiOllivier2 opened this issue Jul 8, 2021 · 10 comments

@RemiOllivier2

Hi,

It seems that -dbSSL and -dbAuthDb arguments do not exist in Orion-LD while they are present in Orion.

It would be nice to add them in order to connect Orion-LD to a secured Mongo cluster.

@kzangeli
Collaborator

kzangeli commented Jul 8, 2021

Ok, I will look into this

@kzangeli kzangeli self-assigned this Jul 8, 2021
@kzangeli kzangeli mentioned this issue Mar 23, 2022
@kzangeli
Collaborator

kzangeli commented Jun 20, 2022

I've looked into it a little and found ... I think more than 100 options for the URL for the mongo connection.
Can't support all that, that's insane.

So, what I propose is the following:

  • Implement a few options, the ones we believe are most commonly used:
    • host (port is baked in) - already exists: -dbhost
    • database user - already exists: -dbuser
    • password of database user - already exists: -dbpwd
    • replica set - already exists: -rplSet
    • SSL (a boolean flag)
    • file name/path of certificate file (if SSL is used)
  • For any other combination, offer a "mighty" CLI option (if used, the other mongo connection options are ignored - except one):
    • mongo-url (perhaps name it -dbURI)

[The first four (dbhost - rplSet) are already supported, and their names cannot be changed for backwards-compatibility reasons.]

The "mighty" mongo-url CLI option would give users liberty to set any of the +100 options for connection to mongo.
The broker would, instead of composing the URL itself, simply use what it is given via the "-dbURI" CLI option (or env var).

Except for the password - we don't want secrets inside the value of "-dbURI", so for the password we would use variable substitution.
E.g.:
Pass the entire URL, but encode the password as simply ${PWD}, and supply the password separately in "-dbpwd" - that option already exists in Orion-LD, like this:

orionld -dbURI "mongodb[+srv]://kz:${PWD}@hostname/whatever?options1=X&options=Y ..." -dbpwd "mypassword"

The broker would then substitute ${PWD} in the value of -dbURI with whatever is the value of -dbpwd ("mypassword" in the example above).

This substitution would (naturally) only be done if:

  • -dbURI contains the string "${PWD}"
  • -dbpwd is given

And, only the first occurrence of ${PWD} would be substituted.

This way, the most common usage is supported by CLI options (or env vars), and any complicated case is supported by -dbURI.

IMPORTANT: If -dbURI is used, the other mongo connection options (dbhost, dbuser, rplSet, ...) - except dbpwd - are ignored.
Actually, I think I'll report an error if set. That way we avoid misunderstandings.
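
The substitution rule proposed above, as an added C sketch that is not Orion-LD's code and not part of the comment: `db_uri_compose` and `pct_encode` are hypothetical names. Percent-encoding the password before inserting it is this example's own assumption (so that characters such as `@`, `:` or `/` in the password cannot change how the URI parses); the thread does not specify it.

```c
#include <stdio.h>
#include <string.h>

#define PWD_TOKEN "${PWD}"

/* Percent-encode all bytes outside the RFC 3986 "unreserved" set.
 * Returns the encoded length, or -1 if out is too small. */
static int pct_encode(const char* in, char* out, size_t outSize)
{
  static const char hex[] = "0123456789ABCDEF";
  size_t            o     = 0;

  for (; *in != 0; ++in)
  {
    unsigned char c     = (unsigned char) *in;
    int           plain = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                          (c >= '0' && c <= '9') || strchr("-._~", c) != NULL;

    if (o + (plain ? 1 : 3) >= outSize) return -1;  /* keep room for the NUL */
    if (plain) out[o++] = (char) c;
    else { out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0F]; }
  }
  out[o] = 0;
  return (int) o;
}

/* Hypothetical helper (not Orion-LD code).
 * Returns 1 if the password was substituted, 0 if the URI was copied as
 * given (no token, or no password supplied), -1 if the result does not fit. */
int db_uri_compose(const char* uri, const char* pwd, char* out, size_t outSize)
{
  const char* token = strstr(uri, PWD_TOKEN);  /* first occurrence only */
  char        enc[256];
  int         n;

  if (token == NULL || pwd == NULL || *pwd == 0)
  {
    n = snprintf(out, outSize, "%s", uri);
    return (n < 0 || (size_t) n >= outSize) ? -1 : 0;
  }
  if (pct_encode(pwd, enc, sizeof(enc)) < 0) return -1;

  n = snprintf(out, outSize, "%.*s%s%s", (int) (token - uri), uri, enc,
               token + strlen(PWD_TOKEN));
  return (n < 0 || (size_t) n >= outSize) ? -1 : 1;
}
```

When the command line is typed into a POSIX shell, the -dbURI value needs single quotes: inside double quotes the shell expands ${PWD} to the current working directory before the broker ever sees it.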

@kzangeli
Collaborator

So, I did something, but just for the "renewed" API endpoints that use the mongoc driver.
Read about the details in PR #1156, and if you want to test it out, that would be great!
The whole thing is quite untested.
Anyway, with the new -dbURL CLI option, you can define the complete URI for the connection.

@RemiOllivier2
Author

Ok, thank you, I will test the -dbURL option

@kzangeli
Collaborator

Remember you can "bake in" the password, using ${PWD} as part of the value for -dbURI and giving the password via -dbpwd.
And also, that mongo connection is only used for the services (API endpoints) that work with the new driver, mongoc.
To turn that on, you have to start the broker with -experimental.
The "legacy services" use the old mongo driver with its own connection.

If you need any help, just poke me.

@Blobonat

Blobonat commented Jul 18, 2022

@kzangeli Did I understand correctly that no SSL connection is possible in the current stable version 1.0.1?

Btw. I tested the new -dbURI-Feature, but with a Replica Set MongoDB Cluster with 3 nodes I get

time=Monday 18 Jul 20:06:14 2022.169Z | lvl=FATAL | corr=N/A | trans=N/A | from=N/A | srv=N/A | subsrv=N/A | comp=Orion | op=orionld.cpp[973]:main | msg=dbName too long (max 10 characters)

with -dbURI 'mongodb://xxx:yyy@aaa.mongodb.net:27017,bbb.mongodb.net:27017,ccc.mongodb.net:27017/?ssl=true&authSource=admin&replicaSet=ddd'

@kzangeli
Collaborator

kzangeli commented Jul 18, 2022

ok, I'll take a look tomorrow.
1.0.1 is quite old and yeah, older than the PR #1156.
A new release (1.1.0) is just around the corner. This week or next.
Let's make sure this works before releasing!

Just one thing. What value do you give to the -db CLI ?
Cause, the broker complains about the -db value, not about the -dbURI value ...
Show me please the entire command line for starting the broker.

BTW, -db is to set the database prefix, default value is "orion". It's supposed to be short.
Not sure why we picked exactly ten chars, but, it's a prefix and it should be short.

@kzangeli
Collaborator

So, I've tried everything I could think of.
Only way I'm able to reproduce the same "error" you're seeing is by giving a -db with a string with length > 10.
Which is how it's meant to be.
So, pass me your entire command line for starting the broker and I'll try that, see what happens.

@Blobonat

@kzangeli It was a misconfiguration at my side. I'm sorry to cause this inconvenience.

@kzangeli
Collaborator

No worries.
Just, let me know how it goes, as I'm about to release a new version of the broker.
Would be nice to have this Highly Untested feature tested to work, at least for you guys ... :)
