Add mongo datapoints for encryption

Description

Add datapoints to PMM to answer these questions:

  • Is the database encrypted (data at rest encryption)?

  • What type of encryption is used? It could be:

    • Local Key file (MongoDB and Percona Mongo)

    • KMIP  (MongoDB and Percona Mongo)

    • Vault (Percona Mongo)

How to test

Testing mongodb_exporter
You can find FB here https://github.com/Percona-Lab/pmm-submodules/pull/2948

A new metric `mongodb_security_encryption_enabled` should appear for MongoDB instances that are encrypted. Use the following configurations to set up MongoDB in different modes:

  1. MongoDB enterprise Encrypted with Local file - https://github.com/implex-p6/pmm-test-infra/tree/master/mongo-setup/enterprise_standalone_encrypted. Metric should be equal to `mongodb_security_encryption_enabled{type="localKeyFile"}`

  2. MongoDB enterprise Encrypted with KMIP - https://github.com/implex-p6/pmm-test-infra/tree/master/mongo-setup/enterprise_standalone_encrypted_kmip_server. Metric should be equal to `mongodb_security_encryption_enabled{type="kmip"}`

  3. Percona MongoDB encrypted using Vault - https://github.com/implex-p6/pmm-test-infra/tree/master/mongo-setup/pmdb_standalone_encrypted_vault Metric should be equal to `mongodb_security_encryption_enabled{type="vault"}`

Testing sending metrics
You can find FB here https://github.com/Percona-Lab/pmm-submodules/pull/2966
Two new metrics should be added:

  • mongodb_encryption_at_rest_enabled - shows whether encryption at rest is enabled on the mongodb instance or not

  • mongodb_encryption_at_rest_type - shows the type of the encryption. If MongoDB doesn't have encryption enabled, this metric should not exist.

You can find the setup for MongoDB here: https://github.com/implex-p6/pmm-test-infra/tree/master/mongo-setup
You can find the charts here: https://pmm.check-dev.percona.com/graph/d/v1czpTp4z/pmm-telemetry-panels-library-mongo?orgId=1&from=now-30d&to=now

How to document

None
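
The exporter check from "Testing mongodb_exporter", as an added example (not code from the ticket or from mongodb_exporter): it reads exporter scrape text and reports whether `mongodb_security_encryption_enabled` is present and which `type` it carries. The host names, the sample scrape text, the state names and the treatment of a 0 value as "disabled" are assumptions made for illustration.

```python
import re

METRIC = "mongodb_security_encryption_enabled"
KNOWN_TYPES = {"localKeyFile", "kmip", "vault"}  # the three types named in the ticket

# Prometheus text exposition: name{label="value",...} value
SAMPLE_LINE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
LABEL = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def encryption_status(scrape_text):
    """Return (state, type) for one scrape of the exporter.

    state: "encrypted", "disabled", "unknown_type" or "not_reported".
    """
    for line in scrape_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip HELP/TYPE comment lines
            continue
        m = SAMPLE_LINE.match(line)
        if not m or m.group(1) != METRIC:
            continue
        enc_type = dict(LABEL.findall(m.group(2) or "")).get("type")
        if float(m.group(3)) == 0:  # assumption: a 0 value means not encrypted
            return ("disabled", enc_type)
        if enc_type in KNOWN_TYPES:
            return ("encrypted", enc_type)
        return ("unknown_type", enc_type)  # series present, type not in the ticket's list
    return ("not_reported", None)  # series absent from the scrape


def needs_attention(scrapes):
    """Names of instances whose scrape does not show a known encryption type."""
    return sorted(h for h, text in scrapes.items()
                  if encryption_status(text)[0] != "encrypted")


# Constructed scrape bodies, not captured from a real exporter.
SAMPLES = {
    "vault-node": '# TYPE mongodb_security_encryption_enabled gauge\n'
                  'mongodb_security_encryption_enabled{type="vault"} 1\nmongodb_up 1\n',
    "kmip-node": 'mongodb_security_encryption_enabled{cluster="c1",type="kmip"} 1\n',
    "plain-node": 'mongodb_up 1\n',
    "odd-node": 'mongodb_security_encryption_enabled{type="somethingElse"} 1\n',
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(host, encryption_status(text))
    print("needs attention:", needs_attention(SAMPLES))
```
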

Activity

Ihor Cherkasov December 29, 2022 at 12:30 PM

Ihor Cherkasov December 27, 2022 at 6:56 PM
Edited

Verifying metrics sending and storing on check-dev:

Now I see that "mongodb_encryption_at_rest_enabled" metric is sent with 0 or 1 value.

  • If the metric value is 1, then the "mongodb_encryption_at_rest_type" metric is also sent with the following values depending on encryption type:

– localKeyFile:

– kmip:

– vault:

  • If the metric value is 0, then the "mongodb_encryption_at_rest_type" metric is not sent at all

Ihor Cherkasov December 20, 2022 at 3:23 PM

now we can start implementation of telemetry for this

Ihor Cherkasov December 20, 2022 at 3:22 PM

Verified on FB: https://github.com/Percona-Lab/pmm-submodules/pull/2948#issuecomment-1346660635

MongoDB exporter now has a "mongodb_security_encryption_enabled" metric with a "type" label with the following values:

  • kmip

  • vault

  • localKeyFile 

Done

Details

Needs QA

Yes

Needs Doc

No

Created November 7, 2022 at 2:59 PM
Updated November 2, 2023 at 2:30 PM
Resolved February 27, 2023 at 1:13 PM