Enable & Force Authentication on MongoDB

Create an overall mongo root mongo and backup users

Check that –auth & localhostException are NOT enabled yet,

ps aux | grep mongo
grep enableLocalhostAuthBypass /etc/mongod.conf

Create a mongo root user and a backup user,

db.createUser(
  {
    user: "root",
    pwd: "MONGO-ROOT-PASSWD",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

db.createUser(
  {
    user: "backupuser",
    pwd: "YETANOTHERPASSWD",
    roles: [ { role: "backup", db: "admin" } ]
  }
)

Without even restarting the mongo daemon, check that you can connect with those credentials,

mongo -u "root" -p "MONGO-ROOT-PASSWD" --authenticationDatabase "admin"

Create an application user

With access to DBNAME db only,

use DBNAME

var user = {
  "user" : "DBNAMEuser",
  "pwd" : "MONGO-USER-PASSWD",
  roles : [
      {
          "role" : "readWrite",
          "db" : "DBNAME"
      }
  ]
}

db.createUser(user);

Without even restarting the mongo daemon, check that you can connect with those credentials,

mongo -u "DBNAMEuser" -p "MONGO-USER-PASSWD" --authenticationDatabase "DBNAME" DBNAME

Force Authentication

Tune the config,

vi /etc/mongodb.conf

setParameter:
   enableLocalhostAuthBypass: false

Also into the init script,

cp -p /etc/init.d/mongod /etc/init.d/mongod.`date +%s`
vi /etc/init.d/mongod

OPTIONS=" -f $CONFIGFILE --auth"

Enable SSL

Further tune the arguments when running the daemon,

vi /etc/init.d/mongod

OPTIONS=" -f $CONFIGFILE --auth --sslMode preferSSL --sslPEMKeyFile /etc/mongodb/private_and_cert.pem --sslPEMKeyPassword PASSPHRASE_HERE --sslCAFile /etc/mongodb/chain_and_root_concat.crt --sslAllowInvalidHostnames --sslAllowConnectionsWithoutCertificates"

systemctl daemon-reload

In case you played around starting the damon as root (WRONG), fix the perms again,

chown -R mongod:mongod /data/logs/mongodb/ /data/databases/ /var/log/mongodb/ /var/lib/mongo/

and make sure the process & pidfie are gone,

ls -l /var/run/mongodb/mongod.pid
ps aux | grep mongo

Refs.

Ready to go

Point your app to the right URL, if SSL not enabled yet,

mongodb://[user]:[password]@[serveraddress]:[port]/[database]

with SSL enabled,

mongodb://[user]:[password]@[serveraddress]:[port]/[database]?ssl=true

then restart the daemon and watch the logs,

service mongod restart
tail -n 100 -F /data/logs/mongodb/mongod.log

check that –auth and –ssl* are now enabled and that the right cert is provided by the mongodb service,

ps aux | grep mongo
openssl s_client -connect localhost:27017

and finally restart the application and check that it is able to access the data tru the now better secured connection.

Refs.

Update your backup scripts with mongo auth

Now that auth is enabled onto MongoDB, make sure your backup scripts are up-to-date e.g.,

umask 0077

date=`date +%Y-%m-%d-%s`
backupdir=/data/backup/mongodb
mkdir -p $backupdir/
days=5
host=`hostname --short`

    destdir=$backupdir/$date.$host.mongo
    echo -n dumping all mongo databases to $destdir/...
    time mongodump --quiet -u "backupuser" -p "YETANOTHERPASSWD" --authenticationDatabase "admin" -o $destdir && echo done
    unset destdir

    echo -n removing older mongo backups \(+$days days\) from $backupdir/...
    find $backupdir/ -maxdepth 1 -type d -mtime +$days -exec rm -rf {} \; && echo done

References

official tutos

other tutos

official docs

Trash

this did not work – editing the init script instead – And also tune the arguments when running the daemon!

grep SYSCONFIG /etc/init.d/mongod
vi /etc/default/mongod

# custom sysconfig for mongod to enable --auth
CONFIGFILE="/etc/mongod.conf"
OPTIONS=" -f $CONFIGFILE --auth"

HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | HTML5 | CONTACT
Copyright © 2024 Pierre-Philipp Braun