How to pass in kerberos token for authentication to kerborized mongo cluster through restheart? Should I do some custom implementation?
FYI Kerberos Authentication works fine when I use native mongo client in java/scala.
Thanks In Advance
The current RESTHeart version 1.0.3 does not support Kerberos authentication.
However if you get the latest development version from github, it allows defining the MongoDB connection via a connection URI.
This should allow to use Kerberos authentication. However I haven't tried it yet.
The new configuration option is called mongo-uri.
Related
How do we create client certificate to get validated by aws document db?In aws docs https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled, it is mentioned only about one way ssl i.e.,clients authenticating server certificate.I didn't find information regarding two way ssl supported by aws document db.Can anyone help on this?
Amazon DocumentDB does not support using client certificates to connect to your cluster. Are you looking for client-side certificates to be used by the server for authentication? Amazon DocumentDB only supports SCRAM based authentication.
We recently migrated our DB to Mongo 4.0. We created a new user for the application and SCRAM-SHA-256 is enabled from the DB side. To my surprise, The existing mongo driver we are using is 3.8.2 is working fine without any changes in the config from the application side, I haven't specified the authMechanism param in the config. How does the client know the authentication mechanism?
My understanding is default mechanism would be SCRAM-SHA-1 will be considered and authentication should fail. I checked the code and I couldn't find how it is working, from some blogs I identified that isMaster will be called using saslSupportedMechs which will provide the supported SASL mechanisms, is my understanding right? where can I find this code in vertx mongo client?
MongoConnnection String:
mongoConnectionJson = new JsonObject().put("connection_string", "mongodb://testhost:6005")
.put("db_name", "test_db")
.put("username", "test_sha-256")
.put("password", "test_sha-256")
.put("authSource", "test_db");
The default auth mechanism selection may in theory differ from one driver to another but should be similar to the description here for the Ruby driver:
For MongoDB 4.0 and higher, the client performs SCRAM mechanism negotiation with the server. If the user specified in client configuration permits authentication with SCRAM-SHA-256, then SCRAM-SHA-256 is used for authentication. Otherwise SCRAM-SHA-1 is used.
For MongoDB 3.0 through 3.6, SCRAM-SHA-1 is used.
For MongoDB 2.6, MONGODB-CR is used.
Here is my scenario - I have a webapp and mongodb running on same host. And I have not enabled authorization in mongod.conf. So, my webapp, connects to mongodb with out any authentication. Now I want to provide access to mongodb for certain group of people who will connect from outside. Since, connections will be made from outside, I need to enable authentication. But, if I enable authentication webapp will not be able to connect to mongodb(which assumes mongodb is running on localhost and it does not require authentication). I do not want to change webapp to connect to mongodb with authentication. So, I want to disable authentication only for connections from localhost. Is it possible?
No, it's not possible from Mongo 3.0 version
The only case where localhost authentication bypass occurs is when there are no configured users, with enableLocalhostAuthBypass parameter (Enabled by default).
Your scenario can only be solved by creating multiple roles / users with different privileges
I have a little problem with mongodb: when I connect to the http interface I have no problems, but if I try to connect after enabling authentication the browser ask me for username and password.
So far it's correct, but if I try to log in with the users I have created (one root on admin db, one userAdminAnyDatabase on admin and one dbOwner on my personal db) neither of them allows me to access! Does anyone know why? Thanks
I'll start with the usual caveat that you should not use the HTTP interface on any production system, ever - turn it off for prod. With that said, are you using MongoDB 3.0 (and in particular SCRAM SHA-1 credentials)?
The HTTP interface does not support that auth method, per the page linked:
Neither the HTTP status interface nor the REST API support the
SCRAM-SHA-1 challenge-response user authentication mechanism
introduced in version 3.0.
Hence, to use auth with the interface you will have to make sure you are using 2.6 or at least 2.6 style credentials.
Is the PostgreSQL feature of authentication via LDAP available somehow when using the JDBC driver?
Looking at the JDBC driver documentation it doesn't look like it's supported.
If not - any idea as to how to customize the driver to get it working?
LDAP authentication is server-side. To the client it's the same as password (clear-text password, so use SSL!) authentication.
In src/backend/libpq/auth.c the auth request function void ClientAuthentication(Port *port) calls CheckLDAPAuth(port) if LDAP auth is matched in pg_hba.conf.
This does a:
sendAuthRequest(port, AUTH_REQ_PASSWORD);
just like password does.
Any client driver that supports password auth supports ldap. PgJDBC supports password.
The configuration options documented in the server docs are with reference to options set in postgresql.conf on the server side for authenticating users against the LDAP directory.
There is no change required to PgJDBC to use ldap auth.