# MongoDB Security<br />ch1 Authentication

###### tags: `MongoDB University M310`

## Authentication vs. Authorization

| Authentication | Authorization |
| -------------------------------------- | ------------------------------------- |
| Verifies the **identity** of a user | Verifies the **privileges** of a user |

## Authentication Mechanisms overview

MongoDB (the 3.x line this course covers) supports 5 authentication mechanisms. The first three are available in the Community edition; the last two require MongoDB Enterprise.

* Community
  * SCRAM-SHA-1
  * MONGODB-CR
  * X.509
* Enterprise
  * LDAP
  * Kerberos

## Authentication Mechanisms

* Client/User Auth
  * SCRAM-SHA-1
  * MONGODB-CR
  * X.509
  * LDAP
  * Kerberos
* Internal Auth (members of a replica set or sharded cluster authenticating to each other)
  * keyfile (SCRAM-SHA-1)
  * X.509

#### SCRAM-SHA-1
* Challenge/Response: the password itself never crosses the wire, only a proof derived from it
* Username/Password
* IETF standard (RFC 5802)
* Default mechanism since MongoDB 3.0

#### MONGODB-CR
* Challenge/Response
* Username/Password
* Replaced by SCRAM-SHA-1 in MongoDB 3.0
* **Deprecated**

#### X.509 Certificates
* Certificate based
* Introduced in MongoDB 2.6
* TLS required

#### LDAP
* Lightweight Directory Access Protocol
* MongoDB Enterprise
* Used for directory information
* External authentication mechanism (users are defined in the `$external` database)

#### Kerberos
* MongoDB Enterprise
* Developed at MIT (Massachusetts Institute of Technology)
* Designed for secure authentication
* External authentication mechanism

## Internal Authentication Mechanisms

#### Keyfile (SCRAM-SHA-1)
* Shared password
* A copy exists on each member
* 6-1024 base64 characters
* Whitespace ignored
* The file must be readable only by the user running mongod (e.g. mode 400); mongod refuses a keyfile with group or world permissions

#### X.509
* Certificate based
* Recommended to issue a different certificate per member

## The Localhost Exception
* Allows you to create the **first user** on a mongod that was started with authentication enabled but has no users yet
* Only applies when connected to the database via **localhost**
* Stops applying as soon as the first user exists

## Authentication Method

#### via command line

```bash=
mongo -u user -p password
```

This will **fail**, because the mongo shell connects to the **test** database by default and therefore tries to authenticate against `test`, where the user does not exist. The right way is either to name the database:

```bash=
mongo admin -u user -p password
```

or to state the authentication database explicitly:

```bash=
mongo -u user -p password --authenticationDatabase admin
```

Passing the password as an argument leaves it in shell history and process listings; giving `-p` without a value makes the shell prompt for it instead.

#### mongo shell

```javascript=
mongo
use admin
db.auth('user', 'password')
```

* The user must authenticate against the database they were created on (their authentication database)
* Ensure the same username isn't created in different databases: `user@db1` and `user@db2` are two distinct users and are easily confused

## Authentication on Sharded Cluster
* Connect through mongos
* User information is stored on the config servers
* It's better and safer to **disable the localhost exception on each mongod** with the command below. Otherwise anyone with local shell access to a shard host can connect to that shard's mongod over localhost and create users directly on the shard, bypassing the cluster's user data on the config servers:

```bash=
mongod --setParameter enableLocalhostAuthBypass=false
```

## Enabling SCRAM-SHA-1
The default authentication mechanism (since MongoDB 3.0).

#### Command line

```bash=
# start mongod with access control enabled
mongod --auth
```

```javascript=
// in the mongo shell, connected over localhost (localhost exception)
use admin
db.createUser({ user: 'username', pwd: 'password', roles: [ 'root' ] })
db.auth('username', 'password')
```

`root` is convenient for a lab; in production the first user is normally given only `userAdminAnyDatabase` so that it manages users and roles without also having data access.

#### Config file
1. Add the security setting to the config file

```yaml=
security:
  authorization: 'enabled'
```

2. Run mongod with the config file

```bash=
mongod --config config
```

## Enabling X.509
***X.509 certificate authentication requires a secured TLS connection! Make sure the MongoDB binary was built with TLS support***

:::info
We can easily check by running **mongod --version**: the build info lists the OpenSSL version when TLS support is compiled in.
:::

Command for running mongod with TLS enabled, which X.509 authentication requires:

```bash=
mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem
```

This only turns on TLS. For X.509 client authentication mongod additionally needs `--auth`, the user is created in the `$external` database with the client certificate's subject as the user name, and the client authenticates with the `MONGODB-X509` mechanism. For internal X.509 authentication between members, add `--clusterAuthMode x509`. The `--ssl*` option names belong to the 3.x line; later releases rename them to `--tls*`.

## Enabling LDAP

:::info
MongoDB Enterprise talks to the LDAP server via the **saslauthd** proxy service. Therefore, we configure saslauthd to connect to our **LDAP server** and point **mongod** at saslauthd over its Unix socket.
:::

```bash=
sudo apt-get install sasl2-bin
```

On Debian/Ubuntu the mechanism is selected in `/etc/default/saslauthd` (`MECHANISMS="ldap"`) and the directory details go in `/etc/saslauthd.conf`. mongod is then started with the `saslauthdPath` server parameter pointing at the saslauthd mux socket and `authenticationMechanisms=PLAIN`, and LDAP users are created in the `$external` database. Because PLAIN sends the password itself, clients must connect over TLS.

## Migrating MONGODB-CR to SCRAM-SHA-1

Two starting points:

1. A 2.6 system (with existing user data) was upgraded to 3.0+ by replacing the mongod binary. In this scenario all old **and new** users keep using MONGODB-CR until `db.adminCommand({authSchemaUpgrade: 1})` is run.
2. A new 3.0+ system imports user data from a 2.6 or older system. In this scenario the old users use MONGODB-CR and all new users use SCRAM-SHA-1.

In both cases we just need to run the command below to migrate the existing users from MONGODB-CR to SCRAM-SHA-1:

```javascript=
db.adminCommand({authSchemaUpgrade: 1})
```

Run it once, as a user with the `root` role, against the primary (or against mongos for a sharded cluster, where it also upgrades the shards unless `upgradeShards: false` is passed). The conversion is one-way: afterwards the MONGODB-CR credentials are gone, so every client driver must support SCRAM-SHA-1 before you run it.