PMM2 - Password storing of database monitoring user

Hi Team!
For security reasons, I would like to know where exactly monitoring user passwords are stored into PMM2 while adding a remote DB instance please.
I am talking about the user which connects to the DB instance to enable monitoring metrics collection.
For example, I know that when I add a new DB instance via the PMM client, this password can be stored in a file with restricted access which is passed to the "pmm-admin add" command using "@/home/pmm/.access-mysql.conf".
But what about remote monitoring?
Thanks in advance.
Best Regards,
Elisa
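As an added example (not from the original post and not PMM's own tooling), here is a small POSIX shell script that creates the kind of restricted-access credentials file the post describes handing to "pmm-admin add" via "@/path/to/file", and checks before use that only the file owner can read it. The file path, the option names written into it and the sample username/password are assumptions for illustration; whether pmm-admin accepts "@file" arguments is taken from the post and is not exercised here (the pmm-admin line is a comment).

```sh
#!/bin/sh
# Added example, not part of the original post or of PMM: build a credentials
# file for "pmm-admin add" and verify its permissions before handing it over.
# Assumptions: file name, option names inside the file and the sample
# username/password are illustrative only.

# write_creds_file FILE USER PASSWORD
# Removes any stale FILE so the restrictive umask applies to the new inode,
# writes the options one per line, then forces mode 0600 regardless.
write_creds_file() {
    f="$1"; u="$2"; p="$3"
    rm -f "$f"
    ( umask 077; printf '%s\n%s\n' "--username=$u" "--password=$p" > "$f" )
    chmod 600 "$f"
}

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_private FILE -> 0 if only the owner can read it (0600 or 0400), else 1
check_private() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo run with constructed values: "sh script.sh demo".
# The pmm-admin invocation is shown as the post describes it, not executed.
if [ "${1:-}" = "demo" ]; then
    creds=/home/pmm/.access-mysql.conf
    write_creds_file "$creds" pmm 'example-password'
    if check_private "$creds"; then
        echo "ok: $creds is mode $(file_mode "$creds")"
        # pmm-admin add mysql @"$creds" --service-name=mysql-prod
    else
        echo "refusing to use $creds: mode is $(file_mode "$creds")" >&2
        exit 1
    fi
fi
```

The check is deliberately a hard refusal rather than a warning: a credentials file that has drifted to 0644 (for example after a careless copy) is exactly the case where a monitoring password leaks to every local user, so the wrapper should stop before the secret is used.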

There is a PostgreSQL database inside the PMM server that houses the vast majority of configuration data including credential information. This is both for local (agent-based) monitoring AND remote (agent-less) monitoring.


Hello
So all these credentials are centralized in the Postgres database, is this correct?
Are they in plaintext or encrypted in the database?
Thanks in advance!


Hi @steve.hoffman,
May I clarify what does “remote (agent-less) monitoring” mean in PMM’s case?

Also, with reference to @jm7474's query, are these credentials stored in plaintext or encrypted format in the PMM's PostgreSQL database?

Thank you!


Whoops, missed @jm7474’s reply :man_facepalming:

Credentials are currently stored in plaintext in the PG database, but work is underway to integrate HashiCorp's Vault for secure credential management. In the meantime, take care to secure the PMM Server host, as anyone with physical access or root/sudo shell access can get into that PG database.

Remote (agent-less) monitoring means that you do not need to install pmm-client on your DB host to monitor the DB. PMM Server can remotely connect to the DB service port (e.g. 3306 for MySQL, 5432 for PostgreSQL, etc.) to pull nearly all the DB-related stats. There is a tradeoff, though: you will not get corresponding node stats (CPU, disk, memory, etc.) for that node, which may be leading indicators of a problem on a host.


Thanks @steve.hoffman .

I have a few additional queries below:

  1. Does remote (agent-less) monitoring of databases (e.g. PostgreSQL) apply to only AWS RDS instances?

  2. Does remote (agent-less) monitoring of databases (e.g. PostgreSQL) apply to PMM client and server installed on Virtual Machines?

  3. It was mentioned that currently, the PMM Server’s PostgreSQL DB stores all the plaintext database credentials used by the PMM client(s) to connect to the monitored databases. Are there any workaround solutions available currently to encrypt these sensitive credential data that are stored in the PMM Server’s PostgreSQL DB for security purposes (to mitigate leak of credentials via insider threat)?

  4. It was also mentioned that the PMM developer team is currently working on integrating PMM with HashiCorp's Vault for secure credential management – for this,

a) What is the expected timeline for release?

b) With this new architecture, does it mean that all the credentials used by the PMM Client and/or PMM Server daemon processes can eventually be stored in the enterprise’s Hashicorp’s Vault, and retrieved by PMM daemon processes during runtime?

c) With the new architecture, does it mean that the following statements will be true?:
• These credentials will then no longer be stored inside the PMM Server’s PostgreSQL database.
• None of the databases used by PMM Server will then contain sensitive credentials / data that are stored unencrypted at rest.
• Sensitive credentials will also no longer be stored inside the following YAML file: “/usr/local/percona/pmm2/config/pmm-agent.yaml”.
• The deploying company can deploy PMM to integrate with the company’s on-premise enterprise HashiCorp Vault to protect these credentials stored at rest.
• Architecture will be akin to the attached diagram.

Thank you!
