Enable MongoDB Cluster Authentication

Introduction

When a MongoDB HA cluster is created, it is configured to listen for external requests. This is mandatory, as each node in the cluster must be able to sync with the other nodes in the cluster. While hosting such a configuration in a private dedicated network is secure, hosting it on an intranet or a public network is not. In such cases, it is necessary to enable authentication on these clusters. Follow the steps outlined here to enable authentication on a MongoDB cluster.

Enable Cluster Node Authentication

In order for the cluster nodes to communicate with each other in a secure mode, enable what MongoDB calls "Internal Authentication". This is done by creating a secure key file and configuring each cluster node to use that key.

  1. Create secure key
    Create a secure key with the following command.

    OS: Linux
    $ sudo -s /bin/bash -c 'openssl rand -base64 741 > /etc/mongodb-keyfile'
    $ sudo -s /bin/bash -c 'chmod 600 /etc/mongodb-keyfile'
    $ sudo -s /bin/bash -c 'chown mongodb.mongodb /etc/mongodb-keyfile'

    OS: Windows
    C:\xampp\apache\bin>openssl rand -base64 741 >"C:\xampp\apache\conf\mongodb-keyfile"
  2. Copy secure key to all nodes
    After the key is generated, copy the key file to all the cluster nodes.
     
  3. Modify configuration file to use the key
    Edit the mongodb.conf file and make the following changes:

    OS: Linux (YAML configuration file; point keyFile at the file created in step 1)
    security:
      keyFile: /etc/mongodb-keyfile

    OS: Windows (all versions) and mongodb v2.x on Linux: uncomment the keyFile setting (or add this line if not present) and set it like the following
    keyFile = C:\xampp\apache\conf\mongodb-keyfile
  4. Restart MongoDB server nodes.
    Save the configuration changes and restart the server. Make sure the cluster is back to normal operation. 

Setup DB User

A DB user has to be created in MongoDB first; this user is later used by FileCloud for secure database access.
Assume we will add a user with the following details:

User Name: dbuser
Password: passw0rd1

Use a command line mongo client and execute the following commands to create the required DB user.

Mongo Client
> use admin;
> db.createUser({ user: 'dbuser', pwd: 'passw0rd1', roles: [ { role: "clusterAdmin", db: "admin" }, { role: "userAdminAnyDatabase", db: "admin" },  { role: "readWriteAnyDatabase", db: "admin" } ] });

Upon executing the above commands, 'dbuser' will be added as a valid database user.

Optional: Setting Restrictive DB User Policy

In certain cases, when the DB server does not run on a private network, it is preferable to set up more restrictive permissions. In these situations, follow the steps below to create a more restrictive policy.
To do so, create explicit roles for only the following databases that FileCloud uses.

Database name
  • tonidoauditdb
  • tonidoclouddb
  • tonidosettings
  • tonidostoragedb
  • tonidosyncdb

Use a command line mongo client and execute the following commands to create the required DB user.

Mongo Client
> use admin;
> db.createUser({ user: 'dbuser', pwd: 'passw0rd1', "roles" : [
              {
                     "role" : "dbOwner",
                     "db" : "tonidosyncdb"
              },
              {
                     "role" : "dbOwner",
                     "db" : "tonidostoragedb"
              },
              {
                     "role" : "dbOwner",
                     "db" : "tonidosettings"
              },
              {
                     "role" : "dbOwner",
                     "db" : "tonidoclouddb"
              },
              {
                     "role" : "dbOwner",
                     "db" : "tonidoauditdb"
              }
       ] });

Upon executing the above commands, 'dbuser' will be added as a valid database user with access limited to the listed databases.

Note

If you are running a multisite installation, then each site will have its own set of databases with names of the format dbname_siteid. You will need to add roles for, or create a separate DB user for, each site-specific database set.
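The following is an added example, not FileCloud's code, covering both the restrictive policy above and the multisite note. It builds the dbOwner role list from the five database names on this page, extends it with the per-site databases (named dbname_siteid, as the note states), produces the document for `db.createUser()`, and audits a user's granted roles for anything broader than the policy allows, such as the clusterAdmin and *AnyDatabase roles from the first, broad createUser command. The site ids used are constructed sample values.

```javascript
// Added example (not FileCloud's code): restrictive role list and a least-privilege
// audit for the FileCloud database user. Database names are those listed on the page.
const FILECLOUD_DBS = [
  "tonidoauditdb",
  "tonidoclouddb",
  "tonidosettings",
  "tonidostoragedb",
  "tonidosyncdb",
];

// dbOwner on each base database, plus on each site-specific copy (dbname_siteid).
function buildRoles(siteIds = []) {
  const dbs = [...FILECLOUD_DBS];
  for (const siteId of siteIds) {
    for (const db of FILECLOUD_DBS) dbs.push(`${db}_${siteId}`);
  }
  return dbs.map(db => ({ role: "dbOwner", db }));
}

// The document to pass to db.createUser() in the mongo shell.
function buildCreateUserDoc(user, pwd, siteIds = []) {
  return { user, pwd, roles: buildRoles(siteIds) };
}

// Roles granted to a user that the restrictive policy does not call for. An empty
// result means the user holds nothing beyond dbOwner on the FileCloud databases.
function excessRoles(grantedRoles, siteIds = []) {
  const allowed = new Set(buildRoles(siteIds).map(r => `${r.role}@${r.db}`));
  return grantedRoles.filter(r => !allowed.has(`${r.role}@${r.db}`));
}

// Mongo shell usage (the shell is JavaScript, so the functions above can be pasted in):
//   var admin = db.getSiblingDB("admin");
//   admin.createUser(buildCreateUserDoc("dbuser", "passw0rd1", ["site1"]));  // site1 is a constructed id
//   excessRoles(admin.getUser("dbuser").roles, ["site1"]);                    // [] once the policy is in force
```

Running `excessRoles` against `getUser("dbuser").roles` after switching from the first createUser command to the restrictive one confirms that the broad admin-database roles were actually removed rather than left alongside the new ones.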


Configure Other DB URLs In Config File

If you have never updated the database URLs in the admin UI, follow this sub-section. If not, skip to the next sub-section.

The other database URLs required by FileCloud also need to be changed to include the database user.
To do this, edit the configuration file WWWROOT/config/cloudconfig.php and update the following lines:

Update DB URLs in cloudconfig.php
// ... Cloud Database
define("TONIDOCLOUD_DBSERVER", "mongodb://dbuser:passw0rd1@192.168.1.10,192.168.1.20,192.168.1.30/?replicaSet=rs0&connectTimeoutMS=1000");
// ... Audit Database
define("TONIDOCLOUD_AUDIT_DBSERVER", "mongodb://dbuser:passw0rd1@192.168.1.10,192.168.1.20,192.168.1.30/?replicaSet=rs0&connectTimeoutMS=1000");
// ... Settings Database
define("TONIDOCLOUD_SETTINGS_DBSERVER", "mongodb://dbuser:passw0rd1@192.168.1.10,192.168.1.20,192.168.1.30/?replicaSet=rs0&connectTimeoutMS=1000");

and edit the configuration file WWWROOT/config/localstorageconfig.php and update the following line:

Update DB URLs in localstorageconfig.php
// ... Cloud Database
define("TONIDO_LOCALSTORAGE_DBSERVER", "mongodb://dbuser:passw0rd1@192.168.1.10,192.168.1.20,192.168.1.30/?replicaSet=rs0&connectTimeoutMS=1000");

Restart Services

Finally, it is necessary to restart both MongoDB and Apache for the security settings to take effect.


Note

  • In case of any issues, disable security in MongoDB and fix the problems.
  • To disable security, the MongoDB security key has to be disabled and the database URLs have to be reverted.