How does the mongo client know which authMechanism to use when it is not specified in the config? - mongodb

We recently migrated our DB to Mongo 4.0. We created a new user for the application and SCRAM-SHA-256 is enabled from the DB side. To my surprise, the existing mongo driver we are using (3.8.2) is working fine without any changes in the config from the application side; I haven't specified the authMechanism param in the config. How does the client know the authentication mechanism?
My understanding is that the default mechanism, SCRAM-SHA-1, would be used and authentication should fail. I checked the code and I couldn't find how it is working. From some blogs I identified that isMaster will be called with saslSupportedMechs, which will provide the supported SASL mechanisms. Is my understanding right? Where can I find this code in the vertx mongo client?
Mongo connection string:
import io.vertx.core.json.JsonObject;

JsonObject mongoConnectionJson = new JsonObject()
    .put("connection_string", "mongodb://testhost:6005")
    .put("db_name", "test_db")
    .put("username", "test_sha-256")
    .put("password", "test_sha-256")
    .put("authSource", "test_db");

The default auth mechanism selection may in theory differ from one driver to another but should be similar to the description here for the Ruby driver:
For MongoDB 4.0 and higher, the client performs SCRAM mechanism negotiation with the server. If the user specified in client configuration permits authentication with SCRAM-SHA-256, then SCRAM-SHA-256 is used for authentication. Otherwise SCRAM-SHA-1 is used.
For MongoDB 3.0 through 3.6, SCRAM-SHA-1 is used.
For MongoDB 2.6, MONGODB-CR is used.
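The negotiation described in that answer, as an added illustration that is not code from the vertx client, the Ruby driver or any MongoDB driver: the client sends isMaster with a saslSupportedMechs field naming the user, the server replies with the mechanisms that user has credentials for, and the client picks SCRAM-SHA-256 when it is offered and SCRAM-SHA-1 otherwise. The maxWireVersion thresholds (7 for 4.0, 3 for 3.0) and the simulated server reply are assumptions made for this example; a real driver reads the reply off the wire.

```python
"""Driver-side auth mechanism selection, modelled on the rules quoted above."""
from typing import Callable, Mapping, Optional

SCRAM_SHA_256 = "SCRAM-SHA-256"
SCRAM_SHA_1 = "SCRAM-SHA-1"
MONGODB_CR = "MONGODB-CR"

# Assumed maxWireVersion values reported by isMaster: 2.6 -> 2, 3.0 -> 3,
# 3.6 -> 6, 4.0 -> 7. Drivers key their behaviour on this, not on a
# version string.
WIRE_SCRAM_SHA_1 = 3
WIRE_SCRAM_SHA_256 = 7


def build_handshake(auth_source: str, username: str) -> dict:
    """First isMaster sent on a connection the driver intends to authenticate.

    saslSupportedMechs asks the server which SASL mechanisms *this* user has
    credentials for; its value is "<authSource>.<username>".
    """
    return {"isMaster": 1, "saslSupportedMechs": f"{auth_source}.{username}"}


def select_mechanism(reply: Mapping, configured: Optional[str] = None) -> str:
    """Choose the mechanism the driver will authenticate with."""
    if configured:
        # An explicit authMechanism in the connection config is honoured as-is;
        # no negotiation takes place.
        return configured
    wire = int(reply.get("maxWireVersion", 0))
    if wire >= WIRE_SCRAM_SHA_256:
        # 4.0+: the server lists what the user may authenticate with. A missing
        # list (for instance an unknown user) falls back to SCRAM-SHA-1 so the
        # failure surfaces as a normal auth error rather than a crash.
        mechs = reply.get("saslSupportedMechs") or []
        return SCRAM_SHA_256 if SCRAM_SHA_256 in mechs else SCRAM_SHA_1
    if wire >= WIRE_SCRAM_SHA_1:
        return SCRAM_SHA_1  # 3.0 through 3.6
    return MONGODB_CR  # 2.6


def fake_server(wire_version: int, users: Mapping[str, list]) -> Callable[[dict], dict]:
    """Constructed stand-in for mongod: answers isMaster from a user table."""

    def handle(command: dict) -> dict:
        reply = {"ismaster": True, "maxWireVersion": wire_version, "ok": 1.0}
        principal = command.get("saslSupportedMechs")
        if wire_version >= WIRE_SCRAM_SHA_256 and principal in users:
            reply["saslSupportedMechs"] = list(users[principal])
        return reply

    return handle


def negotiate(server: Callable[[dict], dict], auth_source: str, username: str,
              configured: Optional[str] = None) -> str:
    """Run the handshake against a server and return the selected mechanism."""
    return select_mechanism(server(build_handshake(auth_source, username)), configured)


if __name__ == "__main__":
    # Constructed 4.0 server: the asker's user only has a SHA-256 credential.
    mongo40 = fake_server(7, {"test_db.test_sha-256": [SCRAM_SHA_256]})
    print("4.0, SHA-256 user  ->", negotiate(mongo40, "test_db", "test_sha-256"))
    print("4.0, unknown user  ->", negotiate(mongo40, "test_db", "nobody"))
    print("3.6 server         ->", negotiate(fake_server(6, {}), "test_db", "test_sha-256"))
```

The point the asker missed is the second case: even on 4.0 the driver does not assume SCRAM-SHA-256; it only uses it when the server names it for that user, which is why a driver that implements this negotiation works unchanged after the migration.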

Related

Does MongoDB C++ driver compiled with authentication options penalize clients not using authentication?

The Mongo C++ driver has two compilation options. From the driver documentation:
--ssl Enables SSL support. You will need a compatible version of the SSL libraries available. The default authorization mechanism since MongoDB version 3.0 is SCRAM-SHA-1. If you want to use standard MongoDB authentication, you should compile with the --ssl option for SCRAM-SHA-1 mechanism support.
--use-sasl-client Enables SASL, which MongoDB uses for the Kerberos authentication available on MongoDB Enterprise. You will need a compatible version of the SASL implementation libraries available. The Cyrus SASL libraries are what we test with, and are recommended.
I wonder about clients not using authentication (which is a typical scenario in which the CB-MongoDB connection is secured using other means, e.g. level 3 firewalling, or simply the user doesn't want it, for whatever reason) from the point of view of performance. I mean, it is fine that users wanting authentication pay a price for it (in terms of the performance penalty of the SSL CB-MongoDB communication needed for authentication), but users not wanting authentication shouldn't be affected.
Is the driver clever enough that, even having been compiled with --ssl and --use-sasl-client, clients not using authentication get the same performance as if the driver had been compiled without these options?
Note: I know this is a question about the Mongo C++ legacy driver, which is a legacy piece of software. However, maybe a similar one applies also to the new driver (assuming it has a similar option-based compilation configurability), so I understand that the question is meaningful anyway.

Kerberos authentication for restheart mongo client server

How do I pass in a Kerberos token for authentication to a Kerberized mongo cluster through RESTHeart? Should I do some custom implementation?
FYI, Kerberos authentication works fine when I use the native mongo client in Java/Scala.
Thanks In Advance
The current RESTHeart version 1.0.3 does not support Kerberos authentication.
However if you get the latest development version from github, it allows defining the MongoDB connection via a connection URI.
This should allow using Kerberos authentication. However, I haven't tried it yet.
The new configuration option is called mongo-uri.

mongodb http interface authentication

I have a little problem with mongodb: when I connect to the http interface I have no problems, but if I try to connect after enabling authentication the browser asks me for a username and password.
So far it's correct, but if I try to log in with the users I have created (one root on the admin db, one userAdminAnyDatabase on admin and one dbOwner on my personal db) none of them allows me to access! Does anyone know why? Thanks
I'll start with the usual caveat that you should not use the HTTP interface on any production system, ever - turn it off for prod. With that said, are you using MongoDB 3.0 (and in particular SCRAM SHA-1 credentials)?
The HTTP interface does not support that auth method, per the page linked:
"Neither the HTTP status interface nor the REST API support the SCRAM-SHA-1 challenge-response user authentication mechanism introduced in version 3.0."
Hence, to use auth with the interface you will have to make sure you are using 2.6, or at least 2.6-style credentials.

How do I specify a client certificate to moped in mongoid.yml?

I am trying to set up mongoid to connect to a mongodb server using SSL with client certificates for authentication. However, I cannot find a comprehensive reference for the options in mongoid.yml.
For example, I found this: How to enable SSL/TLS in Mongoid 3 client? - which references an ssl: true option (which seems to work), but that mongoid.yml option does not appear to be documented anywhere I can find.
I am able to connect using the client certificate using the mongo shell. If I leave out the ssl: true option in mongoid.yml, at the server I get "AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections"
If I do use the ssl: true option, I get "ERROR: no SSL certificate provided by peer; connection rejected" suggesting that the ssl: true option is working.
So, is there a way to provide the client cert/key and ca cert to mongoid using mongoid.yml? Or is there another way to make the connection to the mongod and provide the connection to mongoid? Or is it simply not possible to use ssl client certificates for authentication with mongoid?
This question was posted several years ago, before the Mongoid gem was taken over by the MongoDB team. Mongoid 5 is a significant upgrade, and the documentation has also been dramatically improved.
I updated my applications to use Mongoid 5; the biggest change was that I had been using the lower level driver (Moped) for some operations, for better efficiency. However, with Mongoid 5, the standard ruby MongoDB driver is used, so I had to rewrite the code that used the lower level driver.
However, it was well worth it. Among the improvements in Mongoid 5 is documentation that clearly explains how to provide the client cert/key and ca cert to the Mongoid driver at https://docs.mongodb.com/ecosystem/tutorial/mongoid-installation/
You will also want to provide the matching configuration for the mongod server, which is explained at https://docs.mongodb.com/manual/tutorial/configure-ssl/
Also, as indicated on that latter page, as of MongoDB distributions now include support for SSL.

Configuring MongoDB replicaSet for SSL vs secure communication between replica set members

We have a MongoDB deployment currently in our test environment. We have a 7 member Replica Set and no Arbiter.
We want to configure the data replication between the replica set members to be secure.
We don't want to configure SSL for the clients to our MongoDB cluster, as the communication from the client to this MongoDB cluster is via Stunnel. So the client doesn't need to use SSL to connect.
Just curious to see if this is possible, i.e. configuring only the data being replicated between replica set members to be secure, but not the actual communication from the client to this MongoDB cluster.
Thanks much
I've not tried this personally but I do believe you can do this. In addition to compiling mongodb with ssl, or purchasing one of the MongoDb subscriptions that support SSL, you will need to run with the following option: --sslMode set to preferSSL. This will use SSL for inter-server communications but allow both SSL and non-SSL for other connections:
http://docs.mongodb.org/manual/reference/program/mongod/
That of course is all in addition to the other configuration settings required for running with SSL:
http://docs.mongodb.org/manual/tutorial/configure-ssl/
Note that this is new for version 2.6. I don't have a version of mongodb compiled with ssl support so it's not been tested by me.
@DurgaDeep in MongoDB v2.6 you can run the MongoDB instance in mixed mode SSL while also specifying the x509 certificates for the cluster members to authenticate each other. Please note that SSL is not part of the default community build and you may need to build the binary on your own if you are using the community build. x509 certificates are only available on subscription builds, so that will not work for you if you are using a community build.
The easiest option to achieve what you want to do, irrespective of the MongoDB version, would be to set up stunnel between the replica-set nodes and let it take care of the encrypted channel independently. This is the usual route a lot of applications take which do not have SSL embedded as an option.