Mongoose authenticating with keyfile - mongodb

I have a mongo replica set with 3 members and they are using keyFile authorisation. I am using Mongoose and from their docs could not find a way to authenticate via a keyFile.
Does Mongoose support it? If so, how do I specify a keyFile while authenticating?

You do not authenticate your client via a keyFile. You can set up SSL and use x509 to authenticate. However, a keyFile is for authentication between replica set members. For authentication you must create a user and require authentication in your mongodb config. The user is local to the database in which it is created. x509 requires some extra steps to correlate the key/cert to a given user.
If you have no need for SSL, I'd recommend just creating an admin user for the entire database, then creating a user for the database you're trying to access in your app.
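To make the answer concrete, here is an added example (my code, not from the question, the answer, or the Mongoose project) of what a Mongoose/Node client actually sends to a keyFile-protected replica set: a connection string carrying a database user's credentials (SCRAM username/password, with `authSource` pointing at the database the user was created in) or, over TLS, the x.509 client certificate. No keyFile appears anywhere on the client side. Host names, user names, passwords and file paths are constructed sample values; `connectWithMongoose` assumes the `mongoose` package is installed and is not called by the checks.

```javascript
// Added example (not from the question or the Mongoose docs): build the
// connection string a Mongoose/Node client uses against a keyFile-protected
// replica set. The keyFile never appears here: the client authenticates as a
// database user (SCRAM username/password) or, over TLS, as an x.509 subject.
// Host names, user names, passwords and file paths are constructed samples.

function encodeCredential(value) {
  // Passwords often contain ':', '@', '/' or '%', which would break URI
  // parsing; encodeURIComponent escapes every character the URI format reserves.
  return encodeURIComponent(value);
}

function buildReplicaSetUri(opts) {
  const { hosts, replicaSet, database, auth, tls = false, tlsCAFile, tlsCertificateKeyFile } = opts;
  if (!Array.isArray(hosts) || hosts.length === 0) {
    throw new Error('at least one host:port is required');
  }
  if (!replicaSet) throw new Error('replicaSet name is required');

  // Ordered list so the output is deterministic and easy to eyeball.
  const params = [['replicaSet', replicaSet]];
  let userinfo = '';

  if (auth.mechanism === 'SCRAM') {
    userinfo = `${encodeCredential(auth.username)}:${encodeCredential(auth.password)}@`;
    // A user lives in the database it was created in; authSource tells the
    // driver where to authenticate even when the app database differs.
    params.push(['authSource', auth.authSource || 'admin']);
  } else if (auth.mechanism === 'X509') {
    // With x.509 the client certificate is the credential, so TLS and a
    // client cert/key file are mandatory and the user is looked up in $external.
    if (!tls) throw new Error('MONGODB-X509 needs TLS');
    if (!tlsCertificateKeyFile) throw new Error('MONGODB-X509 needs a client certificate');
    params.push(['authMechanism', 'MONGODB-X509'], ['authSource', '$external']);
  } else {
    throw new Error(`unsupported mechanism: ${auth.mechanism}`);
  }

  if (tls) {
    params.push(['tls', 'true']);
    if (tlsCAFile) params.push(['tlsCAFile', tlsCAFile]);
    if (tlsCertificateKeyFile) params.push(['tlsCertificateKeyFile', tlsCertificateKeyFile]);
  }
  const query = params.map(([k, v]) => `${k}=${v}`).join('&');
  return `mongodb://${userinfo}${hosts.join(',')}/${database}?${query}`;
}

async function connectWithMongoose(uri) {
  // Lazy require: the builder above works without the mongoose package
  // installed. mongoose.connect accepts the complete connection string.
  const mongoose = require('mongoose');
  return mongoose.connect(uri);
}

// Constructed three-member replica set.
const SAMPLE_HOSTS = [
  'rs0-a.example.internal:27017',
  'rs0-b.example.internal:27017',
  'rs0-c.example.internal:27017',
];

function sampleScramUri() {
  return buildReplicaSetUri({
    hosts: SAMPLE_HOSTS,
    replicaSet: 'rs0',
    database: 'appdb',
    auth: { mechanism: 'SCRAM', username: 'appUser', password: 'p@ss:w/rd' },
  });
}

function sampleX509Uri() {
  return buildReplicaSetUri({
    hosts: SAMPLE_HOSTS,
    replicaSet: 'rs0',
    database: 'appdb',
    auth: { mechanism: 'X509' },
    tls: true,
    tlsCAFile: '/etc/ssl/mongo-ca.pem',
    tlsCertificateKeyFile: '/etc/ssl/app-client.pem',
  });
}
```

In the SCRAM case the password `p@ss:w/rd` is emitted as `p%40ss%3Aw%2Frd`; an unescaped `@` or `:` in a password is a common cause of "authentication failed" against a replica set that is otherwise configured correctly. The x.509 variant refuses to build a URI without TLS, since the certificate is the credential.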

Related

Is two way ssl possible with aws document db?

Does AWS DocumentDB support authenticating clients with SSL? I've downloaded rds-combined-ca-bundle.pem and got rds-truststore.jks by following the aws link "https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled". Specifying it in truststore, I can successfully connect to document db.
For two way ssl, I've created keystore using self-signed certificate following the link https://docs.mongodb.com/manual/appendix/security/appendixA-openssl-ca/. I'm able to connect to documentdb by specifying any keystore, even by specifying rds-truststore.jks in both truststore and keystore also.
Amazon DocumentDB doesn't support x509 certificate based authentication, only username/password authentication.
As the service is continually improving, stay tuned for new releases.

Which communications security options MongoDB provides?

After reviewing several MongoDB official documents (see list at the bottom) I understand that MongoDB security in communications (as in community version 4.2) works as follows:
For internal communication authentication (i.e. between the members of a replica set or between mongos and the replica sets which implement the different shards) there are two mechanisms available:
shared keyfile (--keyFile)
x.509 certificates
For internal communication encryption, SSL/TLS is the only possibility. In other words, shared keyfile (--keyFile) provides only authentication, but if you want encryption you need to use the SSL/TLS alternative. Using SSL/TLS also requires using x.509 certificates (so, we can say that encryption also provides authentication).
For client to MongoDB communications (either standalone, replica set or mongos in a shard cluster):
there isn't keyfile option
the only way to secure communication (which provides both authentication and encryption) is SSL/TLS with x.509 certificates
I'd just like to confirm my understanding, as the documentation I have browsed is a little "dispersed" and I'm not sure if I have got the point. Any feedback, comment, extra info or documentation pointers are really welcome!
P.S.: the statement I'm most unsure about is this one: "shared keyfile (--keyFile) provides only authentication, but if you want encryption you need to use SSL/TLS alternative"
References checked:
https://docs.mongodb.com/manual/tutorial/configure-ssl
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
https://docs.mongodb.com/manual/core/security-internal-authentication
For client to MongoDB communications (either standalone, replica set or mongos in a shard cluster) there are several authentication methods:
No authentication
Internal authentication with username/password
Kerberos Authentication
LDAP Proxy Authentication
LDAP Authentication
Note that you can always connect to a MongoDB database, even without an account. However, you are not permitted to execute any command unless you are authenticated.

Keyfile Access Control in a Replica Set and Internal Authentication

I'm using MongoDB 3.2.6 and I want to use Keyfile Access Control for MongoDB replication.
What I read in this link:
https://docs.mongodb.com/manual/tutorial/enforce-keyfile-access-control-in-existing-replica-set/
"Enforcing access control on a replica set requires configuring Security between members of the replica set using Internal Authentication"
Unfortunately I cannot find in the link below how I enable Internal Authentication:
https://docs.mongodb.com/manual/core/security-internal-authentication/
Should I configure auth = true in the mongo configuration file (and configure users)?
How do I enable Internal Authentication?
The opposite question:
If I enable auth = true in the mongo configuration, then I have to use Keyfile Access Control for the MongoDB replication (otherwise the MongoDB replication will not work).
Correct?
There is not a separate option to enable internal authentication. Basically, internal authentication and client authentication need to be either both enabled or both disabled.
Note that specifying the keyFile will implicitly enable authentication (i.e. setting auth=true is redundant/implied and not required). But setting both keyFile and auth is probably a good idea to avoid confusion.
When authentication is enabled and you are running a replica set or sharded cluster, then you must utilize one of the internal authentication mechanisms to allow the members to authenticate and communicate with each other. Meaning you will need to either use a keyFile or x.509 authentication in order for replication/sharding to work.

read only mongos access without enabling authentication

We have a recently sharded mongodb cluster. Before sharding, for read-only access, all users used to connect to one of the secondaries. We need similar read-only access now when users connect to 'mongos' (after sharding). One option is to enable authentication and add user roles. But that will mean changing java code on some app module which connects to the mongos using the java connector.
Is there a way to obtain read-only access without enabling authentication?
You can only create read-only roles by enabling authentication. If you do not want to enable authentication, your human users have to specify their read preference explicitly when connecting. As they may forget this, I would advise you to enable authentication. It will allow you more granular access in the future and will allow users to continue accessing the data when the secondary servers are down (e.g. maintenance).
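As an added example (my code, not part of the answer), the snippet below builds the `createUser` command documents that give read-only users on a sharded cluster, using MongoDB's built-in roles, and audits an existing user list for anyone whose roles reach beyond read access to a given database, which is the check you want before calling an account "read-only". The user names, database name and the user list are constructed samples; the role names are MongoDB's built-in roles.

```javascript
// Added example, not from the answer above: build createUser command
// documents for a read-only user, and audit a user list for accounts whose
// roles can write to (or administer) a given database. User names, the
// database name and SAMPLE_USERS are constructed; role names are MongoDB's
// built-in roles.

// Built-in roles that grant read access only.
const READ_ONLY_ROLES = new Set(['read', 'readAnyDatabase']);

// Admin-database roles that reach every database (including escalation via
// user administration), so they count as write-capable everywhere.
const ANY_DB_WRITE_ROLES = new Set([
  'root',
  'readWriteAnyDatabase',
  'dbAdminAnyDatabase',
  'userAdminAnyDatabase',
]);

function isReadOnlyRoleSet(roles) {
  // roles: [{ role, db }] in the shape createUser expects. One role outside
  // the read-only set (readWrite, dbAdmin, dbOwner, userAdmin, ...) disqualifies it.
  return roles.length > 0 && roles.every((r) => READ_ONLY_ROLES.has(r.role));
}

function buildCreateUser(username, password, roles) {
  // This document is what db.runCommand(...) receives; run it against the
  // database the user should live in (e.g. db.getSiblingDB('appdb')).
  if (!username || !password) throw new Error('username and password are required');
  if (!Array.isArray(roles) || roles.length === 0) throw new Error('at least one role is required');
  return { createUser: username, pwd: password, roles };
}

function buildReadOnlyUser(username, password, db) {
  const roles = [{ role: 'read', db }];
  return buildCreateUser(username, password, roles);
}

function roleCanWrite(role, dbName) {
  if (role.db === dbName && !READ_ONLY_ROLES.has(role.role)) return true;
  return role.db === 'admin' && ANY_DB_WRITE_ROLES.has(role.role);
}

function findWriteCapableUsers(users, dbName) {
  // users: documents shaped like db.getUsers() output: { user, db, roles }.
  return users.filter((u) => u.roles.some((r) => roleCanWrite(r, dbName))).map((u) => u.user);
}

// Constructed user list, standing in for db.getUsers() output.
const SAMPLE_USERS = [
  { user: 'reporting', db: 'appdb', roles: [{ role: 'read', db: 'appdb' }] },
  { user: 'svcWriter', db: 'appdb', roles: [{ role: 'readWrite', db: 'appdb' }] },
  { user: 'ops', db: 'admin', roles: [{ role: 'readAnyDatabase', db: 'admin' }] },
  { user: 'siteAdmin', db: 'admin', roles: [{ role: 'root', db: 'admin' }] },
];
```

Granting `read` on the application database (rather than `readAnyDatabase` in `admin`) keeps the reporting account from seeing other databases on the same cluster; the audit flags `svcWriter` and `siteAdmin` as write-capable on `appdb` while `reporting` and `ops` pass.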

Unauthorized changes in mongoDB

In MongoDB, how are unauthorized access and changes to the database restricted? If only by login credentials, then is the data stored on storage media (HDD, SSD) encrypted?
MongoDB uses role-based access control to restrict the operations that users can perform. Authentication can be via challenge-response (simple username/password), x.509 certificates, or, with MongoDB Enterprise, via Kerberos or LDAP. MongoDB does not write data to the disk encrypted.