In MongoDB, how are unauthorized access and changes to the database restricted? If only by login credentials, then is the data stored on storage media (HDD, SSD) encrypted?
MongoDB uses role-based access control to restrict the operations that users can perform. Authentication can be via challenge-response (simple username/password), x.509 certificates, or, with MongoDB Enterprise, via Kerberos or LDAP. MongoDB does not write data to the disk encrypted.
Related
I have one MongoDB database hosted in an AWS Atlas account and my application is running on an AWS EC2 instance. I want to access my DB from my application over VPC peering, but it always asks for a username and password, which I think is not a good practice because for this I need to hardcode dummy credentials in a properties file.
Is there any way I can do this without using dummy credentials? Can I do this using a private endpoint? Please suggest the best practice used in industry for MongoDB Atlas.
Authentication is orthogonal to your network topology (VPC).
Authentication in Atlas is required. You can try using x.509 or AWS authentication instead of passwords.
How do we create a client certificate that gets validated by AWS DocumentDB? In the AWS docs, https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled, only one-way SSL is mentioned, i.e., clients authenticating the server certificate. I didn't find information about two-way SSL being supported by AWS DocumentDB. Can anyone help with this?
Amazon DocumentDB does not support using client certificates to connect to your cluster. Are you looking for client-side certificates to be used by the server for authentication? Amazon DocumentDB only supports SCRAM-based authentication.
After reviewing several MongoDB official documents (see list at the bottom) I understand that MongoDB security in communications (as in community version 4.2) works as follows:
For internal communication authentication (i.e. between the members of a replica set or between mongos and the replica sets which implement the different shards) there are two mechanisms available:
shared keyfile (--keyFile)
x.509 certificates
For internal communication encryption, SSL/TLS is the only possibility. In other words, a shared keyfile (--keyFile) provides only authentication, but if you want encryption you need to use the SSL/TLS alternative. Using SSL/TLS also requires x.509 certificates (so we can say that encryption also provides authentication).
For client to MongoDB communications (either standalone, replica set or mongos in a shard cluster):
there isn't a keyfile option
the only way to secure communication (which provides both authentication and encryption) is SSL/TLS with x.509 certificates
I'd just like to confirm my understanding, as the documentation I have browsed is a little "dispersed" and I'm not sure if I have got the point. Any feedback, comments, extra info or documentation pointers are really welcome!
PS: the statement I'm most unsure about is this one: "shared keyfile (--keyFile) provides only authentication, but if you want encryption you need to use the SSL/TLS alternative"
References checked:
https://docs.mongodb.com/manual/tutorial/configure-ssl
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
https://docs.mongodb.com/manual/core/security-internal-authentication
For client to MongoDB communications (either standalone, replica set or mongos in a shard cluster) there are several authentication methods:
No authentication
Internal authentication with username/password
Kerberos Authentication
LDAP Proxy Authentication
LDAP Authentication
Note that you can always connect to a MongoDB database, even without an account. However, you are not permitted to execute any command unless you are authenticated.
We have a recently sharded MongoDB cluster. Before sharding, for read-only access, all users used to connect to one of the secondaries. We need similar read-only access now that users connect to 'mongos' (after sharding). One option is to enable authentication and add user roles. But that would mean changing Java code in some app modules that connect to the mongos using the Java connector.
Is there a way to obtain read-only access without enabling authentication?
You can only create read-only roles by enabling authentication. If you do not want to enable authentication, your human users have to specify their read preference explicitly when connecting. As they may forget this, I would advise you to enable authentication. It will allow you more granular access in the future and will allow users to continue accessing the data when the secondary servers are down (e.g. maintenance).
I have a mongo replica set with 3 members and they are using keyFile authorisation. I am using Mongoose and from their docs could not find a way to authenticate via a keyFile.
Does Mongoose support it? If so, how do I specify a keyFile while authenticating?
You do not authenticate your client via a keyFile. You can set up SSL and use x509 to authenticate. However, a keyFile is for authentication between replica set members. For authentication you must create a user and require authentication in your MongoDB config. The user is local to the database in which it is created. x509 requires some extra steps to correlate the key/cert to a given user.
If you have no need for SSL, I'd recommend just creating an admin user for the entire database, then creating a user for the database you're trying to access in your app.
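The user setup described in the two answers above (an admin user, a read-only application user for the sharded-cluster question, and the extra step of mapping an x.509 client certificate to a user), as an added mongosh example that is not from any of the posts; the user names, the database name "appdb" and the certificate subject are placeholders chosen for illustration.

```mongosh
// Added example (not from the original posts). Assumes a mongod/mongos started with
// security.authorization: enabled (or --auth). Before any user exists, the localhost
// exception lets you create the first one from a local mongosh session.

// 1. Administrator that can manage users and roles on every database.
use admin
db.createUser({
  user: "siteAdmin",                 // placeholder name
  pwd: passwordPrompt(),             // prompts for the secret instead of hardcoding it
  roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
})

// 2. Application user on the application's own database. The built-in "read" role
//    is read-only; a writing application would get "readWrite" on "appdb" instead.
use appdb
db.createUser({
  user: "reportingUser",             // placeholder name
  pwd: passwordPrompt(),
  roles: [{ role: "read", db: "appdb" }]
})

// 3. x.509 client-certificate user. MongoDB maps a client certificate to a user
//    whose name is the certificate's subject DN, created on the $external database.
//    Requires the server to run with TLS and a CA file (net.tls.mode: requireTLS and
//    net.tls.CAFile); the client certificate's subject must differ from the server's.
use $external
db.createUser({
  user: "CN=reportingUser,OU=apps,O=ExampleOrg,L=City,ST=State,C=US",   // placeholder DN
  roles: [{ role: "read", db: "appdb" }]
})

// Check what was created: each user is listed on the database it belongs to.
db.getSiblingDB("admin").getUsers()
db.getSiblingDB("appdb").getUsers()
db.getSiblingDB("$external").getUsers()
```

A client then authenticates with the certificate instead of a password, e.g. mongosh --tls --tlsCAFile ca.pem --tlsCertificateKeyFile client.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase '$external' (file names are placeholders).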