Enable MongoDB Cluster Authentication
Introduction
When a MongoDB HA cluster is created, it is configured to listen for external requests. This is mandatory, as each node in the cluster must be able to sync with the other nodes in the cluster. While hosting such a configuration in a private dedicated network is secure, hosting it on an intranet or a public network is not. In such cases, it is necessary to enable authentication on these clusters. Follow the steps outlined here to enable authentication on a MongoDB cluster.
Enable Cluster Node Authentication
In order for the cluster nodes to communicate with each other in a secure mode, enable what is called "Internal Authentication". This is done by creating a secure key and configuring each cluster node to use that key.
Create secure key
Create a secure key with the following command.

Linux:
$ sudo -s /bin/bash -c 'openssl rand -base64 741 > /etc/mongodb-keyfile'
$ sudo -s /bin/bash -c 'chmod 600 /etc/mongodb-keyfile'
$ sudo -s /bin/bash -c 'chown mongodb.mongodb /etc/mongodb-keyfile'

Windows:
C:\xampp\apache\bin>openssl rand -base64 741 > "C:\xampp\apache\conf\mongodb-keyfile"
Copy secure key to all nodes
After the key is generated, copy the key file to all the cluster nodes.
Modify configuration file to use the key
Edit the mongodb.conf file and make the following changes (use the path where the key file was placed on that node).

Linux (YAML configuration file):
security:
  keyFile: /srv/mongodb/keyfile

Windows (all versions) and MongoDB v2.x on Linux (key = value configuration format): uncomment (or add) the keyFile setting and set it as follows:
keyFile = C:\xampp\apache\conf\mongodb-keyfile
Restart MongoDB server nodes
Save the configuration changes and restart the server. Make sure the cluster is back to normal operation.
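As an added example (not part of the original page), the following script generates the keyfile and checks it against mongod's keyfile requirements before it is copied to the other nodes. The keyfile and config paths are parameters, and the fallback used when openssl is absent is this example's own assumption.

```shell
#!/bin/sh
# Added example (not from the page): generate the internal-auth keyfile and verify
# it before copying it to the other nodes. Assumption: the keyfile and config
# paths are parameters; on a real node run as root and chown the file to the
# mongod user, as the page's commands do.

make_keyfile() {  # $1 = destination path; returns 0 on success
    umask 077                              # created as 0600, never world-readable
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 741 > "$1" || return 1
    else
        # fallback when openssl is absent: 741 random bytes, base64 encoded
        head -c 741 /dev/urandom | base64 > "$1" || return 1
    fi
    chmod 600 "$1"
}

# mongod rejects a keyfile that is group/world readable, that holds non-base64
# characters, or whose content (whitespace stripped) is not 6..1024 characters.
check_keyfile() {  # $1 = keyfile path; returns 0 when mongod would accept it
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "bad mode $mode, want -rw-------"; return 1; }
    body=$(tr -d ' \t\r\n' < "$1")
    case "$body" in
        *[!A-Za-z0-9+/=]*) echo "non-base64 character in keyfile"; return 1 ;;
    esac
    [ ${#body} -ge 6 ] && [ ${#body} -le 1024 ] || { echo "bad length ${#body}"; return 1; }
    return 0
}

# Confirm a node's YAML config points at the keyfile (the Linux form on the page).
config_uses_keyfile() {  # $1 = mongod config file, $2 = expected keyfile path
    grep -q '^security:' "$1" && grep -q "^[[:space:]]*keyFile:[[:space:]]*$2[[:space:]]*\$" "$1"
}

# Usage: make_keyfile /etc/mongodb-keyfile && check_keyfile /etc/mongodb-keyfile
```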
Setup DB User
A DB user has to be first created in MongoDB and this user can be later used in FileCloud for secure database access.
Assuming we will add a user with the following details:
User Name | Password
---|---
dbuser | passw0rd1
Use a command line mongo client and execute the following commands to create the required DB user.
> use admin;
> db.createUser({
    user: 'dbuser',
    pwd: 'passw0rd1',
    roles: [
      { role: "clusterAdmin", db: "admin" },
      { role: "userAdminAnyDatabase", db: "admin" },
      { role: "readWriteAnyDatabase", db: "admin" }
    ]
  });
Upon executing the above commands, 'dbuser' will be added as a valid database user.
Optional: Setting Restrictive DB User Policy
In certain cases, when the DB server does not run on a private network, it is preferable to set up more restrictive permissions. In these situations, follow the steps below to create a more restrictive policy.
Instead of cluster-wide roles, explicit roles are created only for the following databases that FileCloud uses.
Database name |
---|
tonidoauditdb |
tonidoclouddb |
tonidosettings |
tonidostoragedb |
tonidosyncdb |
Use a command line mongo client and execute the following commands to create the required DB user.
> use admin;
> db.createUser({
    user: 'dbuser',
    pwd: 'passw0rd1',
    "roles": [
      { "role": "dbOwner", "db": "tonidosyncdb" },
      { "role": "dbOwner", "db": "tonidostoragedb" },
      { "role": "dbOwner", "db": "tonidosettings" },
      { "role": "dbOwner", "db": "tonidoclouddb" },
      { "role": "dbOwner", "db": "tonidoauditdb" }
    ]
  });
Upon executing the above commands, 'dbuser' will be added as a valid database user.
Note
If you are running a multisite installation, each site has its own set of databases named in the format dbname_siteid. You will need to add roles, or create a separate DB user, for each site-specific database set.
Configure Other DB URLs In Config File
If you have never updated the database URLs in the admin UI, follow this sub-section. If not, skip to the next sub-section.
The other database URLs required by FileCloud need to be changed to include the database user as well.
To do this, edit the configuration file WWWROOT/config/cloudconfig.php and update the following lines:
// ... Cloud Database
define("TONIDOCLOUD_DBSERVER", "mongodb://dbuser:passw0rd1@192.168.1.10,192.168.1.20,192.168.1.30/?replicaSet=rs0&connectTimeoutMS=1000");
// ... Audit Database
define("TONIDOCLOUD_AUDIT_DBSERVER", "mongodb://dbuser:passw0rd1@192.168.1.10,192.168.1.20,192.168.1.30/?replicaSet=rs0&connectTimeoutMS=1000");
// ... Settings Database
define("TONIDOCLOUD_SETTINGS_DBSERVER", "mongodb://dbuser:passw0rd1@192.168.1.10,192.168.1.20,192.168.1.30/?replicaSet=rs0&connectTimeoutMS=1000");
Also edit the configuration file WWWROOT/config/cloudconfig.php and update the following line:
// ... Cloud Database
define("TONIDO_LOCALSTORAGE_DBSERVER", "mongodb://dbuser:passw0rd1@192.168.1.10,192.168.1.20,192.168.1.30/?replicaSet=rs0&connectTimeoutMS=1000");
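An added check, not from the original page: once the defines above have been edited, run this over the config file to confirm that every mongodb:// URL in it carries user:password@ credentials and the replicaSet option, so no define is left pointing at an unauthenticated URL after the cluster starts requiring authentication. The function names and the one-URL-per-line assumption are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): audit the mongodb:// URLs in a FileCloud
# config file after enabling cluster authentication. Assumption: URLs appear in
# double quotes, one per line, in the define("...", "mongodb://...") layout.

check_db_url() {  # $1 = connection URL; returns 0 when it is acceptable
    url=$1
    case "$url" in
        mongodb://*) ;;
        *) echo "not a mongodb:// URL: $url"; return 1 ;;
    esac
    rest=${url#mongodb://}
    hostpart=${rest%%/*}              # userinfo + host list, before the first '/'
    case "$hostpart" in
        *:*@*) ;;                     # user:password@ is present
        *) echo "no credentials: $url"; return 1 ;;
    esac
    case "$url" in
        *replicaSet=*) ;;
        *) echo "missing replicaSet option: $url"; return 1 ;;
    esac
    return 0
}

# Returns 0 when every URL in the file passes, 1 if any fails, 2 if none found.
audit_db_urls() {  # $1 = PHP config file
    rc=0; found=0
    for quoted in $(grep -o '"mongodb://[^"]*"' "$1" || true); do
        found=1
        url=${quoted#?}; url=${url%?}   # strip the surrounding double quotes
        check_db_url "$url" || rc=1
    done
    [ "$found" -eq 1 ] || { echo "no mongodb:// URLs found in $1"; return 2; }
    return "$rc"
}

# Usage: audit_db_urls WWWROOT/config/cloudconfig.php
```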
Restart Services
Finally, restart both MongoDB and Apache for the security changes to take effect.
Note
- If you run into any issues, disable security in MongoDB and fix the problems.
- To disable security, the MongoDB security key has to be disabled and the database URLs have to be reverted.