MongoDB always prefers auth to be enabled on all nodes of a cluster to secure it from outside access.
This can be enabled using 2 methods:
- Use simple auth using keyfile-based access
- Use certificate-based access
Steps-
Let's see how to enable it using key-based authentication.
Please follow the steps.
a. You can spawn the mongod and mongos processes in 2 ways
- Use conf file for mongod and mongos
- Use CLI way
Read my other posts for how to spawn mongo processes.
b. Once these are spawned successfully, configure the correct shard settings on the config server.
c. Connect to mongos and add the user below. Don't use mongod here, as we are configuring the cluster and not standalone servers. [For a cluster, configuring through mongos works correctly.]
Login to the mongos shell and run:
- use admin
- db.createUser( { user: "admin", pwd: "admin", roles: [ { role: "root", db: "admin" } ] } )
I prefer the root role here to avoid further config issues; you can specify any other roles as per your requirements. See the roles documentation here.
d. Once this is done, you can try logging in using the command below to test whether the user has been created successfully [try this for both mongos and mongod]:
mongo --port 26051 --authenticationDatabase "admin" -u "admin" -p "admin"
It will allow the user to enter the mongod or mongos shell and perform related operations.
d. Is this done? Is auth enabled now?
Wait, no it's not: we need to respawn both mongod and mongos processes with the auth switch enabled.
e. Now, for a standalone server you can just respawn mongod with the --auth switch and it will enable auth, but for a cluster we need to generate a key which will be shared between all the nodes of the cluster.
If we don't generate this key, mongos and mongod fail to start, with errors like the below in the logs:
"errmsg" :
- "not authorized on admin to execute command { update: \"system.version\", ordered: true, $clusterTime......."
- not authorized on config to execute command
- not authorized on local to execute command
f. Want to solve it? Yes.. but how?
g. We need to generate this key using the steps below.
h. Go to the config server and run:
openssl rand -base64 755 > /home/key
chmod 400 /home/key
i. Copy this key file to all nodes of the cluster and set the same permissions on each copy.
Once this is done, get ready to respawn the processes with auth enabled:
- Kill mongos and mongod.
- Respawn mongos, either the CLI way:
a. mongos --configdb setname/host1.com:26050 --fork --logappend --logpath /data/log.mongos0 --port 26051 --keyFile /home/key
b. or using a config file (e.g. mongos --config /etc/mongos.conf)
(Read another post for spawning mongos/mongod with a key file here)
- Now kill mongod and spawn it using the below:
a. mongod --configsvr --replSet setname --dbpath /data --port 26050 --fork --logpath /data/log.cfg0 --logappend --oplogSize 50 --directoryperdb --auth --keyFile /home/key
b. or using a config file: mongod --config /etc/mongod.conf
(Read another post for spawning mongod with a key file using a conf file here)
Once these start successfully, please try to login using the CLIs below and perform all operations.
Mongod
mongo --port 26050 --authenticationDatabase "admin" -u "admin" -p "admin"
Mongos
mongo --port 26051 --authenticationDatabase "admin" -u "admin" -p "admin"
==============================
You can verify whether auth is enabled with the steps below.
Login to mongos without auth using the below and try to run sh.status().
mongo --port 26051
Error -
"errmsg" : "not authorized on config to execute command { find: \"version\", filter: {}, limit: 1.0, singleBatch: true, $clusterTime: { clusterTime: Timestamp(1535182725, 1),"code" : 13,
"codeName" : "Unauthorized",
The same error will be seen if you try to run rs.status() on the primary under mongo --port 28001
If you see the above errors and are able to connect using credentials, your cluster is now protected with authentication.
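To tie the keyfile steps (g. to i.) and the final verification together, here is an added shell example; it is not part of the original post. It generates the key with the same openssl command the post uses (falling back to /dev/urandom plus base64 if openssl is absent), applies the checks mongod and mongos make before accepting a keyfile (base64 characters only, 6 to 1024 characters once whitespace is ignored, no group/other permission bits), copies it to other nodes, and recognises the code 13 "Unauthorized" reply shown above when sh.status() or rs.status() is run without credentials. The host names passed to distribute_keyfile, the remote path /home/key and the use of the legacy mongo shell's --quiet and --eval options are assumptions you should adapt to your own cluster.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around the post's keyfile
# step and its final verification step.
#   make_keyfile       - generates the key exactly as the post does and locks it to mode 400
#   check_keyfile      - pre-flight check applying the rules mongod/mongos enforce on a keyfile
#   distribute_keyfile - copies the key to the other nodes (hosts and remote path are placeholders)
#   is_unauthorized    - recognises the code 13 "Unauthorized" reply the post shows
#   verify_auth_port   - runs a status command without credentials and expects code 13

# make_keyfile PATH : write a fresh 755-byte random key, base64 encoded, with mode 400.
make_keyfile() {
    path="$1"
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then
          openssl rand -base64 755 > "$path"          # same command as the post
      else
          head -c 755 /dev/urandom | base64 > "$path"  # fallback when openssl is absent
      fi ) || return 1
    chmod 400 "$path"
}

# check_keyfile PATH : return 0 if mongod would accept the file, 1 (with a reason) otherwise.
# Rules: only base64 characters, 6..1024 characters once whitespace is removed,
# and no permission bits for group or others.
check_keyfile() {
    path="$1"
    [ -f "$path" ] || { echo "keyfile not found: $path" >&2; return 1; }

    # octal permission bits; GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case "$mode" in
        *00) ;;                                   # e.g. 400 or 600: owner only
        *) echo "permissions too open ($mode): $path" >&2; return 1 ;;
    esac

    key=$(tr -d ' \t\r\n' < "$path")              # mongod ignores whitespace in the file
    len=${#key}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "key length $len outside 6..1024: $path" >&2; return 1
    fi
    if [ -n "$(printf '%s' "$key" | tr -d 'A-Za-z0-9+/=')" ]; then
        echo "key contains non-base64 characters: $path" >&2; return 1
    fi
    return 0
}

# distribute_keyfile PATH HOST... : copy the key to each node and restore mode 400 there.
# Host names and the remote path /home/key are placeholders for your own cluster.
distribute_keyfile() {
    src="$1"; shift
    for host in "$@"; do
        scp "$src" "$host:/home/key" && ssh "$host" "chmod 400 /home/key" || return 1
    done
}

# is_unauthorized : read shell output on stdin; succeed only if it is the code 13 reply
# the post shows when sh.status()/rs.status() is run without credentials.
is_unauthorized() {
    out=$(cat)
    printf '%s' "$out" | grep -Eq '"code" *: *13|"codeName" *: *"Unauthorized"'
}

# verify_auth_port PORT COMMAND : connect without credentials and expect to be refused.
# e.g. verify_auth_port 26051 'sh.status()' for mongos, verify_auth_port 28001 'rs.status()'
# for a shard primary. Uses the legacy mongo shell's --quiet/--eval options (assumption).
verify_auth_port() {
    port="$1"; cmd="$2"
    mongo --port "$port" --quiet --eval "$cmd" 2>&1 | is_unauthorized
}

# Typical use on the config server (not run here):
#   make_keyfile /home/key && check_keyfile /home/key
#   distribute_keyfile /home/key host2.example host3.example
#   verify_auth_port 26051 'sh.status()' && echo "mongos enforces auth"
```

The permission check refuses anything but owner-only modes because mongod itself refuses a keyfile readable by group or others, and the length and character rules mirror what mongod validates at startup; running check_keyfile on every node before the respawn catches the "not authorized" startup failures the post describes before they happen.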