Monday, December 15, 2014

MongoDB Security

This post describes how MongoDB security works between a client and the server, and between mongod instances in a replica set. Securing data remains a concern for solution architects, and this post walks developers through setting up a MongoDB environment with security enabled.

To enforce access control on MongoDB data, every client must authenticate. MongoDB authentication (username/password) is always validated against a specific database: MongoDB stores users in the system.users collection of the admin database, and each user belongs to the database it was created in. Once a client is authenticated, every command it issues is authorized against the roles assigned to that user before it is allowed to act on the mongod instance. Authorization is granted through predefined roles that apply to a whole database or to individual collections.

In a replica set, mongod instances authenticate to each other with either a keyfile or an X.509 certificate. The same keyfile must be present on every member of the replica set, and every member must run with the --keyFile option. The steps to run mongod instances with security enabled are described below.

Create an admin user with MongoDB's built-in root role. The steps to follow are:

Run mongod with the --noauth option (e.g. mongod or mongod --noauth)
Connect using the mongo shell and switch to the admin database, since superuser must belong to admin: use admin
Create the user: db.createUser({"user":"superuser","pwd":"123456","roles":["root"]})
Now restart mongod with the --auth option

Connect to the mongod instance with the mongo shell, naming the database the user belongs to:
mongo -u superuser -p 123456 --authenticationDatabase admin

It is important to understand that two users with the same name can exist provided they belong to different databases. So we can create two users with the same name by switching databases with 'use databasename' before creating each one.

The command below will fail to authenticate, because the shell tries to authenticate the user against the test database (the default), while superuser belongs to the admin database and must be authenticated against it.

mongo -u superuser -p 123456

Once connected, a user with the root role can access any database.

Logically it should not be possible to connect with a bare 'mongo' command, but mongod does allow the connection to be established; it just refuses every action. For example, after connecting this way even 'show dbs' fails.

Below is Java code using the MongoDB Java driver to connect to the database with the same credential (the user lives in the admin database, so "admin" is passed as the credential's source):

import java.util.ArrayList;
import java.util.List;
import com.mongodb.BasicDBObject;
import com.mongodb.DBCollection;
import com.mongodb.MongoClient;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;

// credential for superuser, authenticated against the admin database (MONGODB-CR mechanism)
List<MongoCredential> credentials = new ArrayList<>();
credentials.add(MongoCredential.createMongoCRCredential("superuser", "admin", "123456".toCharArray()));
// connect with that credential, then write to tenantDB.test
MongoClient client = new MongoClient(new ServerAddress("127.0.0.1", 27017), credentials);
DBCollection collection = client.getDB("tenantDB").getCollection("test");
collection.insert(new BasicDBObject("x", 1));
client.close();

When the mongod instances of a replica set need to run with the --auth option, the steps are as follows.

Generate a key file and restrict its permissions to the owner:

openssl rand -base64 741 > mongodb-keyfile
chmod 600 mongodb-keyfile
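The key file is the shared secret every member uses to authenticate to the others, so it is worth checking it before distributing it. The script below is an added example, not part of the original post: it generates the file the way the post does and then verifies the properties mongod expects of a --keyFile (owner-only permissions, and, after whitespace is stripped, between 6 and 1024 characters from the base64 set). The function names are my own; the length rule is the documented keyFile requirement, and the permission check reads the mode string from ls -l so it works on both Linux and macOS.

```shell
#!/bin/sh
# Added example (not from the original post): generate and validate a MongoDB keyFile.

# generate_keyfile PATH: write a random base64 key to PATH with mode 600.
# openssl is used when available (as in the post); otherwise /dev/urandom + base64.
# 741 random bytes encode to 988 base64 characters, safely under the 1024 limit.
generate_keyfile() {
    kf="$1"
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 741 > "$kf"
    else
        head -c 741 /dev/urandom | base64 > "$kf"
    fi
    chmod 600 "$kf"
}

# key_length PATH: number of significant (non-whitespace) characters in the key.
key_length() {
    tr -d ' \t\r\n' < "$1" | wc -c | tr -d ' '
}

# validate_keyfile PATH: return 0 if PATH is usable as a mongod --keyFile,
# otherwise print the reason to stderr and return 1.
validate_keyfile() {
    kf="$1"
    if [ ! -f "$kf" ]; then
        echo "keyfile: $kf does not exist" >&2; return 1
    fi
    # Permissions: the post uses chmod 600; group/other access is a weak setting.
    mode=$(ls -l "$kf" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "keyfile: permissions are $mode, expected -rw-------" >&2; return 1
    fi
    # mongod ignores whitespace and then requires 6..1024 base64 characters.
    key=$(tr -d ' \t\r\n' < "$kf")
    len=${#key}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "keyfile: key length $len is outside 6..1024" >&2; return 1
    fi
    if ! printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/=]+$'; then
        echo "keyfile: contains characters outside the base64 set" >&2; return 1
    fi
    return 0
}

# Demonstration in a temporary directory: a good key, then the same key made world-readable.
demo() {
    dir=$(mktemp -d)
    generate_keyfile "$dir/mongodb-keyfile"
    if validate_keyfile "$dir/mongodb-keyfile"; then
        echo "mongodb-keyfile OK ($(key_length "$dir/mongodb-keyfile") base64 characters)"
    fi
    chmod 644 "$dir/mongodb-keyfile"   # simulate the common mistake of a readable key
    validate_keyfile "$dir/mongodb-keyfile" || echo "rejected as expected"
    rm -rf "$dir"
}
demo
```

Run validate_keyfile on every member after copying the key over; a copy that picked up different permissions or a stray character on the way is rejected before mongod is started with it.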

Start each member of the replica set with --auth and the shared key file. The command below is for the member on port 27018; run the same command for every other member, giving each its own --port, --dbpath and --logpath:

mongod --replSet m101 --logpath "2.log" --dbpath /data/rs2 --port 27018 --smallfiles --oplogSize 64 --auth --keyFile mongodb-keyfile --fork

Run rs.initiate() on the primary, then add the other members to the replica set:

rs.add("localhost:27018")
rs.add("localhost:27019")

rs.conf() and rs.status() show the configuration and the status of the replica set.

Any member added to the replica set from now on must be supplied the key file and must run in --auth mode; otherwise it will not be reachable by the other members.
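Because every member has to be started with the same two settings, a member launched from a stale command line (say, with --noauth left over from the initial user creation, or without --keyFile) is the typical way a replica set ends up with an unauthenticated node. The script below is an added example, not from the original post: it lints a planned mongod argument list for --replSet, --auth and an existing --keyFile before anything is started, and can print a hardened form of a weak command line. The function names are mine; the flag names are the ones used in the post, and nothing here launches mongod.

```shell
#!/bin/sh
# Added example (not from the original post): lint a mongod command line for the
# replica-set security settings the post requires, without starting anything.

# check_mongod_args ARGS...: return 0 when ARGS carry --replSet, --auth and a
# --keyFile that exists on disk; otherwise print each problem and return 1.
check_mongod_args() {
    replset=""; auth=no; noauth=no; keyfile=""; problems=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --replSet)   replset="${2:-}"; if [ $# -gt 1 ]; then shift; fi ;;
            --replSet=*) replset="${1#--replSet=}" ;;
            --auth)      auth=yes ;;
            --noauth)    noauth=yes ;;
            --keyFile)   keyfile="${2:-}"; if [ $# -gt 1 ]; then shift; fi ;;
            --keyFile=*) keyfile="${1#--keyFile=}" ;;
        esac
        shift
    done
    if [ -z "$replset" ]; then
        echo "problem: missing --replSet (member would start standalone)"; problems=$((problems+1))
    fi
    if [ "$noauth" = yes ]; then
        echo "problem: --noauth disables authentication"; problems=$((problems+1))
    fi
    if [ "$auth" != yes ]; then
        echo "problem: missing --auth (clients would not be authenticated)"; problems=$((problems+1))
    fi
    if [ -z "$keyfile" ]; then
        echo "problem: missing --keyFile (other members cannot authenticate to this one)"; problems=$((problems+1))
    elif [ ! -f "$keyfile" ]; then
        echo "problem: keyFile $keyfile not found"; problems=$((problems+1))
    fi
    [ "$problems" -eq 0 ]
}

# harden_mongod_args KEYFILE ARGS...: print ARGS with --noauth removed and
# --auth / --keyFile KEYFILE added when they are absent (the corrected command line).
harden_mongod_args() {
    kf="$1"; shift
    out=""; have_auth=no; have_key=no
    while [ $# -gt 0 ]; do
        case "$1" in
            --noauth)    ;;                                   # drop the weak setting
            --auth)      have_auth=yes; out="$out $1" ;;
            --keyFile)   have_key=yes; out="$out $1 ${2:-}"; if [ $# -gt 1 ]; then shift; fi ;;
            --keyFile=*) have_key=yes; out="$out $1" ;;
            *)           out="$out $1" ;;
        esac
        shift
    done
    [ "$have_auth" = yes ] || out="$out --auth"
    [ "$have_key" = yes ] || out="$out --keyFile $kf"
    printf '%s\n' "${out# }"
}

# Demonstration with a temporary (empty, constructed) key file.
demo() {
    dir=$(mktemp -d); : > "$dir/mongodb-keyfile"
    echo "# the post's command line for the member on port 27018:"
    check_mongod_args mongod --replSet m101 --logpath 2.log --dbpath /data/rs2 --port 27018 \
        --smallfiles --oplogSize 64 --auth --keyFile "$dir/mongodb-keyfile" --fork && echo "ok"
    echo "# the same member started from a stale, unauthenticated command line:"
    check_mongod_args mongod --replSet m101 --port 27018 --noauth || true
    echo "# hardened form:"
    harden_mongod_args "$dir/mongodb-keyfile" mongod --replSet m101 --port 27018 --noauth
    rm -rf "$dir"
}
demo
```

Wire check_mongod_args into whatever starts the members (an init script or a deployment job) so that a member missing either setting is refused rather than silently joining, or failing to join, the set.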
 
Reference:

http://docs.mongodb.org/manual/tutorial/deploy-replica-set-with-auth/