Learn How to Secure MongoDB Community Version using Authentication Part 2

Introduction

Part one of this tutorial, Learn How to Secure MongoDB Community Version using Authentication, explained the supported authentication mechanisms and methods for MongoDB Authentication. Part two of this series will demonstrate how to enable and configure these mechanisms.

Prerequisite

  • MongoDB must be properly installed and configured before beginning.

  • Completion of part one of this series.

  • Have a working knowledge of TLS/SSL and access to valid x.509 certificates.

How to Enable the Authentication Mechanism

Having learned the various authentication mechanisms and methods in part one, part two will examine how to configure for authentication on MongoDB against the authentication methods discussed in part one of this tutorial.

How to Enable SCRAM-SHA-1 Authentication

SCRAM-SHA-1 is the default authentication mechanism for password-based authentication in MongoDB. Execute the following command to connect to a monogd instance with SCRAM-SHA-1:

mongod --auth

To connect to the mongod instance, start a new terminal and type in mongo and switch to the admin database by entering the command use admin. Now create a user with the following command:

db.createUser(  
{  
user: "mel",  
pwd: "password",  
roles: [ role: "root" ]  
}  
)

Notice root is used as the role that grants the user all privileges. Use the following `db.auth command to authenticate the user:

db.auth('mel','password')

The systems will return a one (1) verifying the user “mel” was successfully authenticated.

Alternatively, SCRAM-SHA-1 can be enabled via a configuration file in a YAML (“YAML Ain’t Markup Language”) format, instead of having to provide the user credentials via the command line, and can be passed to the mongod instance using the --config option.

To execute this function, create the config file in any text editor and use the following code:

security:
authorization
: 'enabled'
  • Save this file as “MongoConfig” for later use.

Here security is followed by a keyword authorization set to enabled. Now use the configuration file against the mongod instance by executing the following command:

mongod --config MongoConfig

Next, connect to the mongod instance and then execute the following command:
db.system.users.find().

The result should resemble the following:

db.system.users.find()  
Error: error: {  
"ok" : 0,  
"errmsg" : "command find requires authentication",  
"code" : 13,  
"codeName" : "Unauthorized"  
}  
>

As shown, the mongod instance is using the configuration file and thus preventing execution of the .find() method.

How to Enable X.509 Authentication

This section will explain how to configure the MongoDB to use X.509 certificates as its authentication mechanism.
As discussed in part one of this tutorial, X.509 requires TLS connection. Confirm the MongoDB version in use was compiled supporting TLS by executing the following command:

mongod --version

The results should resemble the following:

db version v4.0.10  
git version: c389e7f69f637f7a1ac3cc9fae843b635f20b766  
OpenSSL version: OpenSSL 1.1.1c 28 May 2019  
allocator: tcmalloc  
modules: none  
build environment:  
distmod: ubuntu1804  
distarch: x86_64  
target_arch: x86_64

Notice the result returns OpenSSL, stating this binary was compiled with TLS support.

NOTE: Valid x.509 certificates are required to execute this function.
Assuming valid certificates were available, the necessary files for this purpose are:
certAuth.pem – The public certificate of the certificate authority.
client.pem – The certificate for the client.
server.pem – The certificate for the server.
Execute the following command for running MongoDB with X.509 support:

mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile certAuth.pem

Start the mongod instance and then connect to the following instance. However, establishing a prior connection to the instance displays the subject line of the client.pem file first. To accomplish this, execute the following command:

openssl x50 -in client.pem -inform PEM -subject -nameopt RFC2253 -noout

The above command communicates the processing of a x509 certificate and an -in parameter of the client.pem file and -inform or the input format PEM is provided.

Next, obtain the subject with RFC2253 -nameopt that transforms its subject name from the representation that is stored in the certificate into a string. Now use -noout to get only the subject, thus limiting the output of the entire certificate.

The results should resemble the following:

subject= C=US, ST=TEXAS L=AUSTIN City, O=MongoDB,OU=KernelUser,CN=client

This data will be used to identify the user when an account is created in the database. Now connect to the mongod instance using the following command:

mongo --ssl --sslPEMKeyFile client.pem --sslCAfile certAuth.pem

The above code performs the following functions:

  • Because the server requires ssl, and ssl in the PEMkeyfile option is used, the server will be able to verify information on the connected database.

  • It uses certAuth.pem to validate the connection to a legitimate server.

Now restart the server to see if the authentication can be confirmed by appending the –auth at the end of the command, shown here:

mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile certAuth.pem --auth

Now, reconnecting via mongo command and executing the command db.system.user.find(), will show an error, as follows:

Error: error: {  
"ok" : 0,  
"errmsg" : "command find requires authentication",  
"code" : 13,  
"codeName" : "Unauthorized"  
}

Now use the localhost exception and create the first user as discussed in part one of this series. Now execute the following command to add the first user:

db.getSiblingDB("$external").runCommand(  
{  
createUser: "C=US, ST=TEXAS L=AUSTIN City, O=MongoDB,OU=KernelUser,CN=client",  
roles: [{ role: "root", db: "admin" } ]  
}  
)

The above code calls for the getSiblingDB() function and passed in the $external variable as X.509 is an external authentication mechanism, with the credentials not being stored directly in MongoDB. The runCommand() will process the creation of the user with the details of the subject line previously established and will give it a user role of “root” on the admin database.
Now that the user is created, user authentication is carried out in the same manner, as follows:

db.getSiblingDB("$external").auth(  
{  
user: "C=US, ST=TEXAS L=AUSTIN City, O=MongoDB,OU=KernelUser,CN=client",  
mechanism: "MONGODB-X509"  
}  
)

This is the same method used in connecting the external database and passing it in the subject line again and by specifying the mechanism being used is X509.

Conclusion

Part two of this tutorial has discussed how to enable the SCRAM-SHA-1 and the X.509 validation mechanisms for MongoDB Authentication and provided examples. Part three in this tutorial series will demonstrate how to enable a Keyfile-based replica set authentication and X.509 internal authentication.

Pilot the ObjectRocket platform free for 30 Days

It's easy to get started. Imagine the time you'll save by not worrying about database management. Let's do this!

PILOT FREE FOR 30 DAYS

Keep in the know!

Subscribe to our emails and we’ll let you know what’s going on at ObjectRocket. We hate spam and make it easy to unsubscribe.