M310: MongoDB Security
=======================
cd D:\mongo_courses\m310_security
vagrant up
vagrant ssh database
=====================================================
d:\mongo_courses\m310_security
vagrant ssh database
mkdir -p data/db
mongod --dbpath /home/vagrant/data/db
db.createUser({
user: "alice",
pwd: "secret",
roles: [
{role: "root", db: "admin"}
]
})
restart mongod
mongod --dbpath /home/vagrant/data/db --auth
use admin
db.auth('alice','secret')
run the commands given in the lab -
Chapter 1: Authentication
Homework 1.1 : Enable SCRAM-SHA-1
Ans:
mongo admin --eval "db.auth('alice', 'secret');db.runCommand({getParameter: 1, authenticationMechanisms: 1})"
mongo admin -u alice -p secret --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})"
mongo -u alice -p secret --authenticationDatabase admin --eval "db=db.getSisterDB('admin'); db.runCommand({getParameter: 1, authenticationMechanisms: 1})"
------------------------------------------------------------------------------------------
openssl rand -base64 756 > /home/vagrant/M310-HW-1.2/keyfile
chmod 400 /home/vagrant/M310-HW-1.2/keyfile
mongod --dbpath /home/vagrant/M310-HW-1.2/r0 --logpath /home/vagrant/M310-HW-1.2/r0/mongo.log.log --port 31120 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
mongod --dbpath /home/vagrant/M310-HW-1.2/r1 --logpath /home/vagrant/M310-HW-1.2/r1/mongo.log.log --port 31121 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
mongod --dbpath /home/vagrant/M310-HW-1.2/r2 --logpath /home/vagrant/M310-HW-1.2/r2/mongo.log.log --port 31122 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
mongo --port 31122
MongoDB Enterprise TO_BE_SECURED:SECONDARY> use admin
switched to db admin
MongoDB Enterprise TO_BE_SECURED:SECONDARY> db.shutdownServer()
server should be down...
mongod --dbpath /home/vagrant/M310-HW-1.2/r2 --logpath /home/vagrant/M310-HW-1.2/r2/mongo.log.log --port 31122 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
mongo --port 31121
MongoDB Enterprise TO_BE_SECURED:SECONDARY> use admin
switched to db admin
MongoDB Enterprise TO_BE_SECURED:SECONDARY> db.shutdownServer()
server should be down...
mongod --dbpath /home/vagrant/M310-HW-1.2/r1 --logpath /home/vagrant/M310-HW-1.2/r1/mongo.log.log --port 31121 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
mongo --port 31120
MongoDB Enterprise TO_BE_SECURED:RECOVERING> use admin
switched to db admin
MongoDB Enterprise TO_BE_SECURED:RECOVERING> db.shutdownServer()
server should be down...
mongod --dbpath /home/vagrant/M310-HW-1.2/r0 --logpath /home/vagrant/M310-HW-1.2/r0/mongo.log.log --port 31120 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
MongoDB Enterprise TO_BE_SECURED:SECONDARY> rs.isMaster()
{
"hosts" : [
"database.m310.mongodb.university:31120",
"database.m310.mongodb.university:31121",
"database.m310.mongodb.university:31122"
],
"setName" : "TO_BE_SECURED",
"setVersion" : 1,
"ismaster" : false,
"secondary" : true,
"primary" : "database.m310.mongodb.university:31121",
"me" : "database.m310.mongodb.university:31120",
"maxBsonObjectSize" : 16777216,
"maxMessageSizeBytes" : 48000000,
"maxWriteBatchSize" : 1000,
"localTime" : ISODate("2020-04-16T14:54:07.253Z"),
"maxWireVersion" : 4,
"minWireVersion" : 0,
"ok" : 1
}
mongo --port 31121
use admin
db.createUser({
user: "admin",
pwd: "webscale",
roles: [
{role: "root", db: "admin"}
]
})
db.auth('admin','webscale')
or
mongo admin --port 31121 -u admin -p webscale
Chapter 1: Authentication
Homework 1.2 : Enabling Authentication on a Running Replica Set
vagrant@database:~/shared$ ./validate-hw-1.2.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
vagrant@database:~/shared$
===============================================================================================================================================================
sudo mkdir -p /M310-HW-1.3/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-1.3
PEMKeyFile
/home/vagrant/shared/mongod1.conf
----------------------------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31130
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-1.3/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-1.3/r0"
processManagement:
  fork: true
/home/vagrant/shared/mongod2.conf
---------------------------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31131
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-1.3/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-1.3/r1"
processManagement:
  fork: true
/home/vagrant/shared/mongod3.conf
---------------------------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31132
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-1.3/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-1.3/r2"
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod1.conf
mongod -f /home/vagrant/shared/mongod2.conf
mongod -f /home/vagrant/shared/mongod3.conf
vagrant@database:~/shared$ ps aux | grep mongo
vagrant 5622 2.7 8.9 770728 90632 ? Sl 01:04 1:59 mongod -f /home/vagrant/shared/mongod1.conf
vagrant 5653 2.3 8.3 748608 84664 ? Sl 01:04 1:46 mongod -f /home/vagrant/shared/mongod2.conf
vagrant 5684 2.3 8.2 740080 83640 ? Sl 01:04 1:46 mongod -f /home/vagrant/shared/mongod3.conf
database.m310.mongodb.university
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
vagrant@database:~$ openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
subject= C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client
db.getSiblingDB("$external").runCommand(
{
createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
roles: [
{ role: "root", db: "admin" }
]
}
)
mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file> --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u 'C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client' --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
or
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file>
db.getSiblingDB("$external").auth(
{
mechanism: "MONGODB-X509"
}
)
db.getSiblingDB("$external").auth({ user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", mechanism: "MONGODB-X509" })
rs.add("database.m310.mongodb.university:31131")
rs.add("database.m310.mongodb.university:31132")
Chapter 1: Authentication
Homework 1.3: Enabling Internal Authentication using X.509
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
-------------------------------------------------------
result set:
-----------
vagrant@database:~/shared$ ./validate-hw-1.3.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
vagrant@database:~/shared$
========================================================================================================================================================
db.adminCommand({authSchemaUpgrade: 1})
vagrant@database:~/shared$ ps aux | grep mongo
vagrant 6562 2.9 6.8 612268 70108 ? Sl 02:26 0:01 mongod --dbpath /home/vagrant/M310-HW-1.4/db --logpath /home/vagrant/M310-HW-1.4/db/mongo.log --fork
MongoDB Enterprise > db.version()
3.2.22
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > show collections
system.indexes
system.users
system.version
MongoDB Enterprise >
MongoDB Enterprise > db.system.users.find()
{ "_id" : "admin.alice", "user" : "alice", "db" : "admin", "credentials" : { "MONGODB-CR" : "b2d1852f112d209beb4b60a128da1bd2" }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
MongoDB Enterprise > db.system.users.find().pretty()
{
"_id" : "admin.alice",
"user" : "alice",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "b2d1852f112d209beb4b60a128da1bd2"
},
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > db.adminCommand({authSchemaUpgrade: 1})
{ "done" : true, "ok" : 1 }
MongoDB Enterprise > db.system.users.find().pretty()
{
"_id" : "admin.alice",
"user" : "alice",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "FWj2FYMvygPYW6xLpOc0jQ==",
"storedKey" : "6EFNJeMm4D0HkmAJ5o0PD3C3UNA=",
"serverKey" : "oHv87ksaN6a/avftGOUgliv1rmg="
}
},
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
MongoDB Enterprise >
Chapter 1: Authentication
Homework 1.4: Migrating MONGODB-CR to SCRAM-SHA-1
-----------------------------------------
vagrant@database:~/shared$ ./validate-hw-1.4.sh
about to fork child process, waiting until server is ready for connections.
forked process: 6593
child process started successfully, parent exiting
[ "SCRAM-SHA-1" ]
vagrant@database:~/shared$
Ans:
[ "SCRAM-SHA-1" ]
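Added worked example (my own code, not from the course or these notes): how the SCRAM-SHA-1 record shown above is derived from the MONGODB-CR hash, and why the server no longer needs the password when it checks a login. mongodb_cr_hash reproduces the md5("user:mongo:password") digest MONGODB-CR stored; scram_sha1_record applies RFC 5802 (PBKDF2-HMAC-SHA-1, then Client Key and Server Key) to that hex string, which is the password authSchemaUpgrade feeds in; client_proof and server_accepts walk one proof check with a constructed AuthMessage. The CR hash, salt, storedKey and serverKey constants are copied from the transcript above, and matches_transcript() re-derives alice's record from them. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import os

# Values copied from the system.users record in the transcript above.
TRANSCRIPT_CR_HASH = "b2d1852f112d209beb4b60a128da1bd2"
TRANSCRIPT_SALT_B64 = "FWj2FYMvygPYW6xLpOc0jQ=="
TRANSCRIPT_ITERATIONS = 10000
TRANSCRIPT_STORED_KEY_B64 = "6EFNJeMm4D0HkmAJ5o0PD3C3UNA="
TRANSCRIPT_SERVER_KEY_B64 = "oHv87ksaN6a/avftGOUgliv1rmg="


def mongodb_cr_hash(user: str, password: str) -> str:
    """MONGODB-CR stored md5("<user>:mongo:<password>") as hex. It is unsalted, and
    the stored value is itself enough to log in, which is why the migration matters."""
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()


def _salted_password(hashed_password: str, salt: bytes, iterations: int) -> bytes:
    # RFC 5802 Hi(): PBKDF2 with HMAC-SHA-1. MongoDB uses the CR hash as the password.
    return hashlib.pbkdf2_hmac("sha1", hashed_password.encode(), salt, iterations)


def scram_sha1_record(hashed_password: str, salt: bytes, iterations: int) -> dict:
    """What authSchemaUpgrade writes: the server keeps StoredKey = H(ClientKey) and
    ServerKey; neither lets someone who reads system.users authenticate as the user."""
    salted = _salted_password(hashed_password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {
        "iterationCount": iterations,
        "salt": base64.b64encode(salt).decode(),
        "storedKey": base64.b64encode(hashlib.sha1(client_key).digest()).decode(),
        "serverKey": base64.b64encode(server_key).decode(),
    }


def client_proof(hashed_password: str, record: dict, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    The client recomputes everything from the password, salt and iteration count."""
    salt = base64.b64decode(record["salt"])
    salted = _salted_password(hashed_password, salt, record["iterationCount"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_accepts(record: dict, proof: bytes, auth_message: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Because AuthMessage carries both nonces, a captured proof does not replay."""
    stored_key = base64.b64decode(record["storedKey"])
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    recovered_client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(recovered_client_key).digest(), stored_key)


def matches_transcript() -> bool:
    """Re-derive alice's record from the CR hash and salt in the transcript above;
    True means the upgrade reused the CR hash as the SCRAM password input."""
    rec = scram_sha1_record(TRANSCRIPT_CR_HASH, base64.b64decode(TRANSCRIPT_SALT_B64),
                            TRANSCRIPT_ITERATIONS)
    return (rec["storedKey"] == TRANSCRIPT_STORED_KEY_B64
            and rec["serverKey"] == TRANSCRIPT_SERVER_KEY_B64)


if __name__ == "__main__":
    record = scram_sha1_record(mongodb_cr_hash("alice", "secret"), os.urandom(16), 10000)
    msg = b"n=alice,r=cnonce,r=cnoncesnonce,s=salt,i=10000,c=biws,r=cnoncesnonce"  # constructed
    print(record)
    good = client_proof(mongodb_cr_hash("alice", "secret"), record, msg)
    print("correct password accepted:", server_accepts(record, good, msg))
    print("wrong password accepted:", server_accepts(record, client_proof(mongodb_cr_hash("alice", "wrong"), record, msg), msg))
    print("transcript record reproduced:", matches_transcript())
```

The salt in the record is 16 random bytes, so two users with the same password get different storedKey values, unlike the MONGODB-CR hashes, which are equal whenever user and password are equal.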
===========================================================================================================================================================
Try:
====
db.createUser({
user: "admin",
pwd: "admin",
roles: [
{role: "root", db: "admin"}
]
})
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u admin -p admin --authenticationDatabase admin --authenticationMechanism=SCRAM-SHA-256
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: SCRAM-SHA-1,PLAIN,SCRAM-SHA-256
==========================================================================================================================================================
Chapter 1: Authentication
Homework 1.5: Enabling Mixed Authentication Mechanisms
=======================================================
sudo mkdir -p /M310-HW-1.5/{r0,r1,r2}
sudo chown vagrant:vagrant -R /M310-HW-1.5
openssl rand -base64 741 > /M310-HW-1.5/m310-keyfile
chmod 600 /M310-HW-1.5/m310-keyfile
/home/vagrant/shared/mongod4.conf
---------------------------------
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31150
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r0"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-1.5/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true
/home/vagrant/shared/mongod5.conf
---------------------------------
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31151
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r1"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-1.5/r1/mongodb.log"
  logAppend: true
processManagement:
  fork: true
/home/vagrant/shared/mongod6.conf
---------------------------------
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31152
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r2"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-1.5/r2/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod4.conf
mongod -f /home/vagrant/shared/mongod5.conf
mongod -f /home/vagrant/shared/mongod6.conf
mongo --host database.m310.mongodb.university --port 31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
rs.initiate()
use admin
db.createUser({
user: "will",
pwd: "$uperAdmin",
roles: [
{role: "root", db: "admin"}
]
})
db.auth('will','$uperAdmin')
rs.add("database.m310.mongodb.university:31151")
rs.add("database.m310.mongodb.university:31152")
mongo admin --host database.m310.mongodb.university --port 31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u will -p '$uperAdmin'
----------------------------------
Creating Client.pem user
-------------------------
openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
vagrant@database:~/shared$ openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
subject= C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client
db.getSiblingDB("$external").runCommand(
{
createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" }
]
}
)
mongo --host database.m310.mongodb.university --port 31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u 'C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client' --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
-----------------------------------
Chapter 1: Authentication
Homework 1.5: Enabling Mixed Authentication Mechanisms
Ans:
vagrant@database:~/shared$ ./validate-hw-1.5.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"], users: [{"_id":"admin.will","roles":[{"role":"root","db":"admin"}]},{"_id":"$external.C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client","roles":[{"role":"userAdminAnyDatabase","db":"admin"}]}] }
vagrant@database:~/shared$
======================================================================================================================================================================
Chapter 1: Authentication
Homework 1.6: Enabling LDAP Authentication on a Replica Set
Ans:
{ unauthorizedStatus: { "ok" : 0, "errmsg" : "not authorized on admin to execute command { replSetGetStatus: 1.0 }", "code" : 13 }, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
==========================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.1 : Create Users for Different Tasks
================================================
sudo mkdir -p /M310-HW-2.1/{r0,r1,r2}
sudo chown vagrant:vagrant -R /M310-HW-2.1
openssl rand -base64 741 > /M310-HW-2.1/m310-keyfile
chmod 600 /M310-HW-2.1/m310-keyfile
mongod7.conf
------------
security:
  keyFile: /M310-HW-2.1/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31210
storage:
  dbPath: "/M310-HW-2.1/r0"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.1/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod8.conf
-----------
security:
  keyFile: /M310-HW-2.1/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31211
storage:
  dbPath: "/M310-HW-2.1/r1"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.1/r1/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod9.conf
-----------
security:
  keyFile: /M310-HW-2.1/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31212
storage:
  dbPath: "/M310-HW-2.1/r2"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.1/r2/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod7.conf
mongod -f /home/vagrant/shared/mongod8.conf
mongod -f /home/vagrant/shared/mongod9.conf
mongo --host database.m310.mongodb.university --port 31210
rs.initiate()
create users on any database
----------------------------
use admin
db.createUser({
user: "userAdmin",
pwd: "badges",
roles: [
{role: "userAdminAnyDatabase", db: "admin"}
]
})
db.auth('userAdmin','badges')
mongo admin --host database.m310.mongodb.university --port 31210 -u userAdmin -p badges
configure a replica set and add shards
--------------------------------------
use admin
db.createUser({
user: "sysAdmin",
pwd: "cables",
roles: [
{role: "clusterManager", db: "admin"}
]
})
db.auth('sysAdmin','cables')
rs.add("database.m310.mongodb.university:31211")
rs.add("database.m310.mongodb.university:31212")
create a collection on any database
-----------------------------------
use admin
db.createUser({
user: "dbAdmin",
pwd: "collections",
roles: [
{role: "dbAdminAnyDatabase", db: "admin"}
]
})
db.auth('dbAdmin','collections')
insert data on any database
---------------------------
use admin
db.createUser({
user: "dataLoader",
pwd: "dumpin",
roles: [
{role: "readWriteAnyDatabase", db: "admin"}
]
})
db.auth('dataLoader','dumpin')
--------------------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.1 : Create Users for Different Tasks
---------------------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.1.sh
{"users":[{"user":"dataLoader","roles":[{"role":"readWriteAnyDatabase","db":"admin"}]},{"user":"dbAdmin","roles":[{"role":"dbAdminAnyDatabase","db":"admin"}]},{"user":"sysAdmin","roles":[{"role":"clusterManager","db":"admin"}]},{"user":"userAdmin","roles":[{"role":"userAdminAnyDatabase","db":"admin"}]}],"numMembers":3}
=========================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.2 : Create application specific users
=================================================
sudo mkdir -p /M310-HW-2.2/{r0,r1,r2}
sudo chown vagrant:vagrant -R /M310-HW-2.2
openssl rand -base64 741 > /M310-HW-2.2/m310-keyfile
chmod 600 /M310-HW-2.2/m310-keyfile
mongod11.conf
------------
security:
  keyFile: /M310-HW-2.2/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31220
storage:
  dbPath: "/M310-HW-2.2/r0"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.2/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod12.conf
-----------
security:
  keyFile: /M310-HW-2.2/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31221
storage:
  dbPath: "/M310-HW-2.2/r1"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.2/r1/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod13.conf
-----------
security:
  keyFile: /M310-HW-2.2/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31222
storage:
  dbPath: "/M310-HW-2.2/r2"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.2/r2/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod11.conf
mongod -f /home/vagrant/shared/mongod12.conf
mongod -f /home/vagrant/shared/mongod13.conf
mongo --host database.m310.mongodb.university --port 31220
rs.initiate()
User1 on admin
---------------
use admin
db.createUser({
user: "admin",
pwd: "webscale",
roles: [
{role: "root", db: "admin"}
]
})
db.auth('admin','webscale')
or
mongo admin --host database.m310.mongodb.university --port 31220 -u admin -p webscale
rs.add("database.m310.mongodb.university:31221")
rs.add("database.m310.mongodb.university:31222")
User2 on acme
---------------
use admin
db.createUser({
user: "reader",
pwd: "books",
roles: [
{role: "read", db: "acme"}
]
})
User3 on acme
---------------
use admin
db.createUser({
user: "writer",
pwd: "typewriter",
roles: [
{role: "readWrite", db: "acme"}
]
})
---------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.2 : Create application specific users
--------------------------------------
Ans:
-----
vagrant@database:/vagrant/shared$ ./validate-hw-2.2.sh
{"users":[{"user":"admin","roles":[{"role":"root","db":"admin"}]},{"user":"reader","roles":[{"role":"read","db":"acme"}]},{"user":"writer","roles":[{"role":"readWrite","db":"acme"}]}],"numMembers":3}
vagrant@database:/vagrant/shared$
=======================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.3 : Create custom role
=======================================
sudo mkdir -p /M310-HW-2.3/r0
sudo chown vagrant:vagrant -R /M310-HW-2.3
mongod15.conf
-----------
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31230
storage:
  dbPath: "/M310-HW-2.3/r0"
systemLog:
  destination: file
  path: "/M310-HW-2.3/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod15.conf
mongo --host database.m310.mongodb.university --port 31230
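Added here as a worked example, not part of the course materials or of these notes: a small Python checker that reads mongod config files of the shape used throughout these labs and reports the settings the homeworks are about (access control, requireSSL, bindIp, auditLog, encrypted storage). The three config texts inside the block are constructed copies: the first mirrors mongod15.conf above (no security section at all), the second mirrors mongod4.conf from HW 1.5 (keyFile, x509 cluster auth, requireSSL), the third is the second with bindIp opened to every interface. The parser handles only the key/value subset these files use; the finding codes and messages are my own naming.

```python
# Constructed mongod config files in the shape of the ones in these notes.
NO_SECURITY_CONF = """\
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31230
storage:
  dbPath: "/M310-HW-2.3/r0"
systemLog:
  destination: file
  path: "/M310-HW-2.3/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true
"""

HARDENED_CONF = """\
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31150
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r0"
replication:
  replSetName: m103-repl
"""

# Constructed: the hardened file, but listening on every interface.
OPEN_BIND_CONF = HARDENED_CONF.replace(
    "bindIp: localhost,database.m310.mongodb.university", "bindIp: 0.0.0.0")


def parse_yaml_subset(text):
    """Parse the indentation-based subset of YAML these mongod configs use (nested
    maps and scalar values, no lists). A key that appears twice at the same level,
    like a split net: section, is merged into one mapping instead of overwritten."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "key:" with nothing after it opens a nested mapping
            stack.append((indent, parent.setdefault(key, {})))
        else:
            parent[key] = value
    return root


def lint_mongod_config(cfg):
    """Return (code, message) findings. Access control counts as enabled when
    security.authorization is 'enabled' or internal authentication (keyFile or
    clusterAuthMode x509) is configured, since enforcing internal authentication
    also enforces client access control (the validate scripts in these notes get
    'not authorized' on exactly such configs)."""
    findings = []
    sec = cfg.get("security", {})
    net = cfg.get("net", {})
    if (sec.get("authorization") != "enabled" and "keyFile" not in sec
            and sec.get("clusterAuthMode") != "x509"):
        findings.append(("no-access-control",
                         "no authorization, keyFile or clusterAuthMode: every client is effectively root"))
    if net.get("ssl", {}).get("mode") != "requireSSL":
        findings.append(("tls-not-required",
                         "net.ssl.mode is not requireSSL: credentials and data travel in clear text"))
    bind = net.get("bindIp")
    if bind is None:
        findings.append(("bind-unspecified",
                         "no bindIp: mongod 3.2 binaries listen on all interfaces by default"))
    elif "0.0.0.0" in bind or bind == "::":
        findings.append(("bind-all-interfaces", f"bindIp {bind} exposes the port on every interface"))
    if "auditLog" not in cfg:
        findings.append(("no-audit-log",
                         "no auditLog section: authentication and authorization events are not recorded"))
    if sec.get("enableEncryption") != "true":
        findings.append(("storage-not-encrypted",
                         "encrypted storage engine is off: data files are readable by anyone with the dbPath"))
    return findings


def finding_codes(conf_text):
    return [code for code, _ in lint_mongod_config(parse_yaml_subset(conf_text))]


if __name__ == "__main__":
    for name, text in (("mongod15-like", NO_SECURITY_CONF),
                       ("mongod4-like", HARDENED_CONF),
                       ("open-bind", OPEN_BIND_CONF)):
        print(name)
        for code, msg in lint_mongod_config(parse_yaml_subset(text)):
            print(f"  [{code}] {msg}")
```

Run it over the real files with `python3 lint.py` after pasting their contents into the constants, or wrap finding_codes in a loop over `glob("/home/vagrant/shared/mongod*.conf")`; the keyFile permission check (chmod 400/600 above) is a filesystem property and is not covered here.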
Role1
------
use admin
db.createRole(
{
role: "HRDEPARTMENT",
privileges: [
{ resource: { db: "HR", collection: "" }, actions: [ "find" ] },
{ resource: { db: "HR", collection: "employees"}, actions: [ "insert" ] },
{ resource: { db: "HR", collection: "" }, actions: [ "dropUser" ] }
],
roles: []
}
)
Role2
------
use admin
db.createRole(
{
role: "MANAGEMENT",
privileges: [],
roles: [
{ "role":"dbOwner","db":"HR" }
]
}
)
Role3
------
use admin
db.createRole(
{
role: "EMPLOYEEPORTAL",
privileges: [
{ resource: { db: "HR", collection: "employees" }, actions: [ "find","update" ] },
],
roles: []
}
)
-----------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.3 : Create custom role
----------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.3.sh
[{"role":"EMPLOYEEPORTAL","inheritedRoles":[],"privileges":[{"resource":{"db":"HR","collection":"employees"},"actions":["find","update"]}]},{"role":"HRDEPARTMENT","inheritedRoles":[],"privileges":[{"resource":{"db":"HR","collection":""},"actions":["dropUser","find"]},{"resource":{"db":"HR","collection":"employees"},"actions":["insert"]}]},{"role":"MANAGEMENT","inheritedRoles":[{"role":"dbOwner","db":"HR"}],"privileges":[]}]
vagrant@database:/vagrant/shared$
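Added example, not course code: a small evaluator that answers "may a user holding these roles perform this action on this namespace?" for the three roles created above, with inherited roles flattened the way the inheritedRoles field in the validator output is. dbOwner is a built-in role whose privilege list is not shown on this page, so its entry below is a hypothetical stand-in (assumption) holding only the actions the checks need. Resource matching follows MongoDB's rule that an empty collection string means every collection in that database, and an empty db string means every database.

```python
# Roles copied from the three createRole calls above (names, resources, actions).
# ("HR", "dbOwner") is a stand-in for the built-in role (assumption): the real
# dbOwner grants more than the few actions listed here.
ROLES = {
    ("admin", "HRDEPARTMENT"): {
        "privileges": [
            {"resource": {"db": "HR", "collection": ""}, "actions": ["find"]},
            {"resource": {"db": "HR", "collection": "employees"}, "actions": ["insert"]},
            {"resource": {"db": "HR", "collection": ""}, "actions": ["dropUser"]},
        ],
        "roles": [],
    },
    ("admin", "MANAGEMENT"): {
        "privileges": [],
        "roles": [{"role": "dbOwner", "db": "HR"}],
    },
    ("admin", "EMPLOYEEPORTAL"): {
        "privileges": [
            {"resource": {"db": "HR", "collection": "employees"}, "actions": ["find", "update"]},
        ],
        "roles": [],
    },
    ("HR", "dbOwner"): {  # hypothetical stand-in, see the comment above
        "privileges": [
            {"resource": {"db": "HR", "collection": ""},
             "actions": ["find", "insert", "update", "remove", "dropCollection", "createUser"]},
        ],
        "roles": [],
    },
}


def resolve_privileges(role_refs, roles=ROLES, seen=None):
    """Flatten a user's roles into privileges, following inherited roles recursively.
    The seen-set guards against cycles and against counting a role twice."""
    seen = set() if seen is None else seen
    privileges = []
    for ref in role_refs:
        key = (ref["db"], ref["role"])
        if key in seen or key not in roles:
            continue
        seen.add(key)
        privileges.extend(roles[key]["privileges"])
        privileges.extend(resolve_privileges(roles[key]["roles"], roles, seen))
    return privileges


def resource_covers(resource, db, collection):
    """MongoDB resource matching: "" in the db or collection slot acts as a wildcard
    for that slot, so {db: "HR", collection: ""} covers every collection in HR."""
    return resource["db"] in ("", db) and resource["collection"] in ("", collection)


def is_authorized(user_roles, db, collection, action):
    """True if any privilege reachable from the user's roles grants `action` on db.collection."""
    return any(action in p["actions"] and resource_covers(p["resource"], db, collection)
               for p in resolve_privileges(user_roles))


def decisions(user_roles, requests):
    """Evaluate (db, collection, action) requests; handy for reviewing a role before granting it."""
    return {req: is_authorized(user_roles, *req) for req in requests}


if __name__ == "__main__":
    hr = [{"role": "HRDEPARTMENT", "db": "admin"}]
    for req, ok in decisions(hr, [("HR", "employees", "find"), ("HR", "employees", "insert"),
                                  ("HR", "salaries", "insert"), ("payroll", "employees", "find")]).items():
        print(req, "allowed" if ok else "denied")
```

Note what the evaluator makes visible about HRDEPARTMENT: `find` and `dropUser` are granted on every collection in HR, but `insert` only on employees, so an attempt to insert into any other HR collection is denied even though reads succeed.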
===============================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.4 : Create replica with TLS enabled
==============================================
sudo mkdir -p /M310-HW-2.4/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-2.4
mongod18.conf
-------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31240
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-2.4/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-2.4/r0"
processManagement:
  fork: true
mongod19.conf
-------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31241
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-2.4/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-2.4/r1"
processManagement:
  fork: true
mongod20.conf
-------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31242
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-2.4/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-2.4/r2"
processManagement:
  fork: true
mongod -f mongod18.conf
mongod -f mongod19.conf
mongod -f mongod20.conf
--------------------------------------------
this works:
------------
mongo --host database.m310.mongodb.university --port 31240 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
rs.initiate(
{
_id: "replwithssl",
version: 1,
members: [
{ _id: 0, host : "database.m310.mongodb.university:31240" },
{ _id: 1, host : "database.m310.mongodb.university:31241" },
{ _id: 2, host : "database.m310.mongodb.university:31242" }
]
}
)
----------------------------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.4 : Create replica with TLS enabled
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.4.sh
{"numMembers":3}
vagrant@database:/vagrant/shared$
-----------------------------------------------------------
this will not get the answer
-----------------------------
mongo --host database.m310.mongodb.university --port 31240 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
rs.initiate()
db.getSiblingDB("$external").runCommand(
{
createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
roles: [
{ role: "root", db: "admin" }
]
}
)
db.getSiblingDB("$external").auth({ user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", mechanism: "MONGODB-X509" })
rs.add("database.m310.mongodb.university:31241")
rs.add("database.m310.mongodb.university:31242")
mongo admin --host database.m310.mongodb.university --port 31240 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u 'C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client' --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
=================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.5 : Update replica set nodes to enable encrypted storage engine
============================================================================
vagrant@database:~/shared$ ./setup-hw-2.5.sh
about to fork child process, waiting until server is ready for connections.
forked process: 16135
child process started successfully, parent exiting
about to fork child process, waiting until server is ready for connections.
forked process: 16152
child process started successfully, parent exiting
about to fork child process, waiting until server is ready for connections.
forked process: 16189
child process started successfully, parent exiting
MongoDB shell version: 3.2.22
connecting to: 127.0.0.1:31250/test
{ "ok" : 1 }
MongoDB shell version: 3.2.22
connecting to: 127.0.0.1:31250/test
WriteResult({ "nInserted" : 1 })
vagrant@database:~/shared$ ps aux | grep mongo
vagrant 16135 1.5 7.2 743452 73656 ? Sl 15:10 0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r0 --logpath /home/vagrant/M310-HW-2.5/r0/mongo.log.log --port 31250 --replSet UNENCRYPTED --fork
vagrant 16152 1.5 4.7 738324 48764 ? Sl 15:10 0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r1 --logpath /home/vagrant/M310-HW-2.5/r1/mongo.log.log --port 31251 --replSet UNENCRYPTED --fork
vagrant 16189 1.5 4.4 737292 44792 ? Sl 15:10 0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r2 --logpath /home/vagrant/M310-HW-2.5/r2/mongo.log.log --port 31252 --replSet UNENCRYPTED --fork
vagrant 16506 0.0 0.0 8868 648 pts/0 S+ 15:11 0:00 grep --color=auto mongo
vagrant@database:~/shared$
openssl rand -base64 32 > /home/vagrant/M310-HW-2.5/mongodb-keyfile
chmod 600 /home/vagrant/M310-HW-2.5/mongodb-keyfile
mongo --port 31250
mongo --port 31251
mongo --port 31252
mongo --port 31252
use admin
db.shutdownServer()
cd /home/vagrant/M310-HW-2.5/r2
rm -rf *
mongod --dbpath /home/vagrant/M310-HW-2.5/r2 --logpath /home/vagrant/M310-HW-2.5/r2/mongo.log.log --port 31252 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
mongo --port 31251
use admin
db.shutdownServer()
cd /home/vagrant/M310-HW-2.5/r1
rm -rf *
mongod --dbpath /home/vagrant/M310-HW-2.5/r1 --logpath /home/vagrant/M310-HW-2.5/r1/mongo.log.log --port 31251 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
mongo --port 31250
use admin
rs.stepDown()
db.shutdownServer()
cd /home/vagrant/M310-HW-2.5/r0
rm -rf *
mongod --dbpath /home/vagrant/M310-HW-2.5/r0 --logpath /home/vagrant/M310-HW-2.5/r0/mongo.log.log --port 31250 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant@database:~/M310-HW-2.5/r0$ ps aux | grep mongo
vagrant 16553 1.9 10.6 807984 108116 ? SLl 15:25 0:06 mongod --dbpath /home/vagrant/M310-HW-2.5/r2 --logpath /home/vagrant/M310-HW-2.5/r2/mongo.log.log --port 31252 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant 16833 1.8 5.0 814348 50900 ? SLl 15:29 0:01 mongod --dbpath /home/vagrant/M310-HW-2.5/r1 --logpath /home/vagrant/M310-HW-2.5/r1/mongo.log.log --port 31251 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant 17003 4.6 4.1 519272 41976 ? SLl 15:30 0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r0 --logpath /home/vagrant/M310-HW-2.5/r0/mongo.log.log --port 31250 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant 17048 0.0 0.0 8868 648 pts/0 S+ 15:30 0:00 grep --color=auto mongo
vagrant@database:~/M310-HW-2.5/r0$
------------------------------------------------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.5 : Update replica set nodes to enable encrypted storage engine
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.5.sh
{"doc":{"str":"The quick brown fox jumps over the lazy dog"},"isEnabled":true}
vagrant@database:/vagrant/shared$
=================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.6 : Configure KMIP backed mongod
============================================
Ans:
-----
{isEnabled: true, usingKMIP: true}
==================================================================================================================================================================
Chapter 3: Auditing and Best Practices
Homework 3.1 : Enable auditing on replica set
===============================================
sudo mkdir -p /M310-HW-3.1/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-3.1
sudo mkdir -p ~/M310-HW-3.1/{r0,r1,r2}
sudo chown -R vagrant:vagrant ~/M310-HW-3.1
mongod21.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31310
systemLog:
  destination: file
  path: "/M310-HW-3.1/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.1/r0"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.1/r0/auditLog.json
processManagement:
  fork: true
mongod22.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31311
systemLog:
  destination: file
  path: "/M310-HW-3.1/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.1/r1"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.1/r1/auditLog.json
processManagement:
  fork: true
mongod23.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31312
systemLog:
  destination: file
  path: "/M310-HW-3.1/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.1/r2"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.1/r2/auditLog.json
processManagement:
  fork: true
mongod -f mongod21.conf
mongod -f mongod22.conf
mongod -f mongod23.conf
mongo --host database.m310.mongodb.university --port 31310
rs.initiate()
rs.add("database.m310.mongodb.university:31311")
rs.add("database.m310.mongodb.university:31312")
---------------------------------------------------
Chapter 3: Auditing and Best Practices
Homework 3.1 : Enable auditing on replica set
--------------------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-3.1.sh
{ numMembers: 3, auditLog: 1 }
vagrant@database:/vagrant/shared$
=======================================================================================================================================
Chapter 3: Auditing and Best Practices
Homework 3.2 : Change audit filters to audit specific user
===============================================================
sudo mkdir -p /M310-HW-3.2/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-3.2
sudo mkdir -p ~/M310-HW-3.2/{r0,r1,r2}
sudo chown -R vagrant:vagrant ~/M310-HW-3.2
mongod24.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31320
systemLog:
  destination: file
  path: "/M310-HW-3.2/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.2/r0"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.2/r0/auditLog.json
  filter: '{ users: { user: "steve", db: "admin" } }'
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod25.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31321
systemLog:
  destination: file
  path: "/M310-HW-3.2/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.2/r1"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.2/r1/auditLog.json
  filter: '{ users: { user: "steve", db: "admin" } }'
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod26.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31322
systemLog:
  destination: file
  path: "/M310-HW-3.2/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.2/r2"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.2/r2/auditLog.json
  filter: '{ users: { user: "steve", db: "admin" } }'
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod -f mongod24.conf
mongod -f mongod25.conf
mongod -f mongod26.conf
mongo --host database.m310.mongodb.university --port 31320
rs.initiate()
rs.add("database.m310.mongodb.university:31321")
rs.add("database.m310.mongodb.university:31322")
use admin
db.createUser({
user: "steve",
pwd: "secret",
roles: [
{role: "root", db: "admin"}
]
})
-----------------------------------------------------------
Chapter 3: Auditing and Best Practices
Homework 3.2 : Change audit filters to audit specific user
-----------------------------------------------------------
Ans:
----
vagrant@database:~/shared$ ./validate-hw-3.2.sh
{ numMembers: 3, auditLog1: 1, auditLog2: 0 }
vagrant@database:~/shared$
--------------------------------------------------
=============================================================================================================================================================
Chapter 3: Auditing and Best Practices
Homework 3.3 : Enable DML audit
========================================
sudo mkdir -p /M310-HW-3.3/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-3.3
sudo mkdir -p ~/M310-HW-3.3/{r0,r1,r2}
sudo chown -R vagrant:vagrant ~/M310-HW-3.3
mongod27.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31330
systemLog:
  destination: file
  path: "/M310-HW-3.3/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.3/r0"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.3/r0/auditLog.json
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod28.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31331
systemLog:
  destination: file
  path: "/M310-HW-3.3/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.3/r1"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.3/r1/auditLog.json
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod29.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31332
systemLog:
  destination: file
  path: "/M310-HW-3.3/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.3/r2"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.3/r2/auditLog.json
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod -f mongod27.conf
mongod -f mongod28.conf
mongod -f mongod29.conf
mongo --host database.m310.mongodb.university --port 31330
rs.initiate()
rs.add("database.m310.mongodb.university:31331")
rs.add("database.m310.mongodb.university:31332")
---------------------------------------------------------
Chapter 3: Auditing and Best Practices
Homework 3.3 : Enable DML audit
---------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-3.3.sh
{ numMembers: 3, auditLog: 1 }
vagrant@database:/vagrant/shared$
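Added example for HW 3.2 and HW 3.3 (my code, not part of the course or of mongod): apply the same `{ users: { user: "steve", db: "admin" } }` filter that the mongod24-26 configs use to audit records, and pull the successful DML operations out of an audit log. The five log lines are constructed to look like mongod's JSON audit output and are not from a real auditLog.json; the matcher implements only the subset of query semantics these filters need (equality on a possibly dotted field, with an array field matching when any element equals). Note that successful authCheck records (result 0) exist only because setParameter auditAuthorizationSuccess is true; by default only authorization failures (result 13) are written, so a DML audit without that parameter sees nothing.

```javascript
// Constructed sample audit records in mongod's JSON audit layout (not real log data).
const SAMPLE_AUDIT_LINES = [
  '{"atype":"authenticate","ts":{"$date":"2020-04-16T15:00:01.000+0000"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"127.0.0.1","port":50001},"users":[{"user":"steve","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"steve","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2020-04-16T15:00:02.000+0000"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"127.0.0.1","port":50001},"users":[{"user":"steve","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"command":"insert","ns":"acme.products","args":{"insert":"products","documents":[{"product":"Basket"}]}},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2020-04-16T15:00:03.000+0000"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"127.0.0.1","port":50001},"users":[{"user":"steve","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"command":"find","ns":"acme.products","args":{"find":"products","filter":{"product":"Candle"}}},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2020-04-16T15:00:04.000+0000"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"127.0.0.1","port":50002},"users":[{"user":"reader","db":"admin"}],"roles":[{"role":"read","db":"acme"}],"param":{"command":"delete","ns":"acme.products","args":{"delete":"products","deletes":[{"q":{"product":"Amplifier"},"limit":1}]}},"result":13}',
  '{"atype":"authCheck","ts":{"$date":"2020-04-16T15:00:05.000+0000"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"127.0.0.1","port":50002},"users":[{"user":"reader","db":"admin"}],"roles":[{"role":"read","db":"acme"}],"param":{"command":"find","ns":"acme.products","args":{"find":"products","filter":{}}},"result":0}',
];

// Structural equality; key order is stable in the constructed input.
function deepEqual(a, b) { return JSON.stringify(a) === JSON.stringify(b); }

// Resolve a dotted path such as "param.db".
function getPath(obj, dotted) {
  return dotted.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Subset of auditLog.filter semantics: every field in the filter must equal the
// record's field; an array field (users, roles) matches if any element equals.
function matchesFilter(event, filter) {
  return Object.entries(filter).every(([field, want]) => {
    const have = getPath(event, field);
    if (Array.isArray(have) && !Array.isArray(want)) return have.some(el => deepEqual(el, want));
    return deepEqual(have, want);
  });
}

const DML_COMMANDS = new Set(['insert', 'update', 'delete', 'find', 'findAndModify']);

function parseAuditLog(lines) { return lines.map(l => JSON.parse(l)); }

// Successful DML authorization checks, optionally narrowed by an audit filter.
function dmlOperations(events, filter = {}) {
  return events
    .filter(e => e.atype === 'authCheck' && e.result === 0 && e.param && DML_COMMANDS.has(e.param.command))
    .filter(e => matchesFilter(e, filter))
    .map(e => ({ user: e.users.map(u => `${u.user}@${u.db}`).join(','), command: e.param.command, ns: e.param.ns }));
}

function demo() {
  const events = parseAuditLog(SAMPLE_AUDIT_LINES);
  const steveFilter = { users: { user: 'steve', db: 'admin' } };
  return {
    steveEvents: events.filter(e => matchesFilter(e, steveFilter)).length,          // authenticate + two authChecks
    authentications: events.filter(e => matchesFilter(e, { atype: 'authenticate', 'param.db': 'admin' })).length,
    dml: dmlOperations(events),                                                       // every successful DML op
    steveDml: dmlOperations(events, steveFilter),                                     // only steve's insert and find
    deniedDeletes: events.filter(e => e.atype === 'authCheck' && e.result === 13).length,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; the denied delete by "reader" shows up with result 13 even without auditAuthorizationSuccess, which is the one event class a default audit configuration records.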
---------------------------------------------------------
=================================================================================================================================================================
Final Exam
===========
Question 1
==========
Ans:
----
Enabling auditing on MongoDB Enterprise will decrease database performance.
Question 2
==========
Solution:
---------
openssl x509 -in /home/vagrant/shared/certs/client.pem -text -nameopt RFC2253
Ans:
----
vagrant@database:/vagrant/shared$ openssl x509 -in /home/vagrant/shared/certs/client.pem -text -nameopt RFC2253
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 266611 (0x41173)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US,ST=New York,L=New York City,O=MongoDB,OU=University,CN=localhost
Validity
Not Before: Nov 7 20:03:00 2016 GMT
Not After : Nov 7 20:03:00 2036 GMT
Subject: C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:94:45:9e:e1:54:26:69:2c:d7:c5:a4:f8:f5:17:
52:07:80:77:23:a0:7a:10:3e:ae:11:54:5d:3e:05:
96:f4:4e:44:22:89:9a:cc:ae:ef:ba:a3:92:e6:b7:
f7:13:3b:b6:95:8e:f0:7f:04:75:b1:c8:65:e3:d2:
04:22:76:99:2c:d6:5d:54:83:4a:83:43:b5:25:99:
df:d2:fd:51:64:d0:b9:d9:66:0a:8f:65:c7:69:70:
6f:13:9c:71:f4:08:06:b5:da:40:66:3d:a9:9d:ed:
a8:c7:81:df:3d:3a:b6:47:21:39:de:a5:83:f1:c2:
15:07:86:0e:74:26:ee:0e:67:07:6b:c0:9f:aa:91:
ee:14:77:28:67:e0:ae:95:29:c8:91:dc:55:a9:4f:
cc:98:b8:34:fe:87:c7:f5:c4:84:4c:d4:2e:d6:e5:
45:55:f6:0e:dd:16:fb:bb:d1:3c:e0:d8:fc:0b:d6:
8f:79:19:42:56:38:35:27:c6:3e:6f:85:e9:39:3e:
4a:e8:26:f5:e3:36:c5:15:0d:5c:6e:bf:df:21:31:
e9:f9:d1:69:00:ba:ae:ab:73:90:c3:96:02:3d:b3:
6d:c6:58:14:35:f9:1f:79:88:03:71:83:67:62:d1:
a1:e4:4e:4d:3f:f2:c2:09:fd:00:af:dc:b6:0a:2c:
a0:ed
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, DNS:database.m310.mongodb.university, DNS:infrastructure.m310.mongodb.university
Signature Algorithm: sha1WithRSAEncryption
01:90:dc:e0:2b:04:5d:9e:f0:ba:66:ee:cf:db:63:ee:dc:96:
ba:6e:3c:d3:e6:74:1b:17:11:1c:98:a0:1b:97:d1:54:a4:3d:
a9:99:14:5c:b2:22:97:56:5b:aa:d2:83:5a:37:c4:7d:73:73:
8a:dd:7b:21:b9:9f:a4:dc:f2:b4:5e:42:39:ad:20:98:51:b9:
d9:aa:e9:1f:3d:ac:5a:55:df:01:2b:93:45:ac:c3:43:c3:5e:
58:5c:98:fa:e7:07:8c:c6:f7:3d:f4:44:32:28:d5:e7:7b:ae:
f0:9f:46:fb:b4:17:92:55:c2:fa:b9:ac:65:89:ae:55:0b:ee:
6c:25:05:3c:4b:87:1b:4e:d2:72:9d:c0:07:76:30:5f:e2:ed:
aa:f5:61:af:92:20:5e:ff:71:c5:5d:51:54:2c:92:4e:0e:70:
5b:c4:00:81:5f:9b:07:3d:98:7a:b5:2f:c3:fd:a3:3b:14:c8:
a6:7c:ff:b7:dd:c6:c3:f3:17:aa:d5:c6:88:22:d7:ee:c2:25:
cf:9f:80:96:cf:c6:a2:86:65:4c:69:21:9b:06:a8:ab:6a:da:
bf:a6:6f:9c:3a:f5:d6:18:62:32:89:29:bb:f3:3b:84:f0:a3:
18:4d:a5:16:8c:04:c8:34:68:f7:09:f0:e9:0d:67:8d:9b:a2:
e3:37:b4:9a
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
vagrant@database:/vagrant/shared$
Question 3
==========
Solution:
---------
openssl x509 -in /home/vagrant/shared/certs/client.pem -text -nameopt RFC2253
Ans:
----
db.products.findOne({product: 'Door Hinge'})
db.products.insertOne({product: 'Basket'})
db.products.find({product: 'Candle'})
db.products.insert({product: 'Amplifier'})
Question 4
==========
Ans:
----
{
role: "senior-engineer",
privileges: [],
roles: [ "dbAdmin" ]
}
Question 5
==========
MongoDB drivers will send LDAP credentials to a connected mongod in plain text.
MONGODB-CR still exists in MongoDB only for backwards compatibility reasons.
It is a best practice to leave the HTTP status interface disabled in production.
Question 6
==========
Encryption at rest is a four step process: generate a master key, generate keys for each database, encrypt each database with the database keys, and encrypt the database keys with the master key.
The localhost exception applies to a replica set and sharded cluster environments.
Internal authentication via X.509 certificates will enable MongoDB's role-based access control authorization system.
Question 7
==========
MongoDB stores user-defined role information in the system.roles collection in the admin database.
The subject of a client certificate acts as the "user" when authenticating with X.509 certificates.
When auditing is enabled on MongoDB Enterprise, the --auditFormat BSON option has much better performance than the --auditFormat JSON option.
==================================================================================================================================================
mongo --port 31121
MongoDB Enterprise TO_BE_SECURED:SECONDARY> use admin
switched to db admin
MongoDB Enterprise TO_BE_SECURED:SECONDARY> db.shutdownServer()
server should be down...
mongod --dbpath /home/vagrant/M310-HW-1.2/r1 --logpath /home/vagrant/M310-HW-1.2/r1/mongo.log.log --port 31121 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
mongo --port 31120
MongoDB Enterprise TO_BE_SECURED:RECOVERING> use admin
switched to db admin
MongoDB Enterprise TO_BE_SECURED:RECOVERING> db.shutdownServer()
server should be down...
mongod --dbpath /home/vagrant/M310-HW-1.2/r0 --logpath /home/vagrant/M310-HW-1.2/r0/mongo.log.log --port 31120 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
MongoDB Enterprise TO_BE_SECURED:SECONDARY> rs.isMaster()
{
"hosts" : [
"database.m310.mongodb.university:31120",
"database.m310.mongodb.university:31121",
"database.m310.mongodb.university:31122"
],
"setName" : "TO_BE_SECURED",
"setVersion" : 1,
"ismaster" : false,
"secondary" : true,
"primary" : "database.m310.mongodb.university:31121",
"me" : "database.m310.mongodb.university:31120",
"maxBsonObjectSize" : 16777216,
"maxMessageSizeBytes" : 48000000,
"maxWriteBatchSize" : 1000,
"localTime" : ISODate("2020-04-16T14:54:07.253Z"),
"maxWireVersion" : 4,
"minWireVersion" : 0,
"ok" : 1
}
mongo --port 31121
use admin
db.createUser({
user: "admin",
pwd: "webscale",
roles: [
{role: "root", db: "admin"}
]
})
db.auth('admin','webscale')
or
mongo admin --port 31121 -u admin -p webscale
Chapter 1: Authentication
Homework 1.2 : Enabling Authentication on a Running Replica Set
vagrant@database:~/shared$ ./validate-hw-1.2.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
vagrant@database:~/shared$
===============================================================================================================================================================
sudo mkdir -p /M310-HW-1.3/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-1.3
PEMKeyFile
/home/vagrant/shared/mongod1.conf
----------------------------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31130
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-1.3/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-1.3/r0"
processManagement:
  fork: true
/home/vagrant/shared/mongod2.conf
---------------------------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31131
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-1.3/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-1.3/r1"
processManagement:
  fork: true
/home/vagrant/shared/mongod3.conf
---------------------------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31132
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-1.3/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-1.3/r2"
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod1.conf
mongod -f /home/vagrant/shared/mongod2.conf
mongod -f /home/vagrant/shared/mongod3.conf
vagrant@database:~/shared$ ps aux | grep mongo
vagrant 5622 2.7 8.9 770728 90632 ? Sl 01:04 1:59 mongod -f /home/vagrant/shared/mongod1.conf
vagrant 5653 2.3 8.3 748608 84664 ? Sl 01:04 1:46 mongod -f /home/vagrant/shared/mongod2.conf
vagrant 5684 2.3 8.2 740080 83640 ? Sl 01:04 1:46 mongod -f /home/vagrant/shared/mongod3.conf
database.m310.mongodb.university
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
vagrant@database:~$ openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
subject= C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client
db.getSiblingDB("$external").runCommand(
{
createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
roles: [
{ role: "root", db: "admin" }
]
}
)
mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file> --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u 'C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client' --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
or
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file>
db.getSiblingDB("$external").auth(
{
mechanism: "MONGODB-X509"
}
)
db.getSiblingDB("$external").auth({ user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", mechanism: "MONGODB-X509" })
rs.add("database.m310.mongodb.university:31131")
rs.add("database.m310.mongodb.university:31132")
Chapter 1: Authentication
Homework 1.3: Enabling Internal Authentication using X.509
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
-------------------------------------------------------
result set:
-----------
vagrant@database:~/shared$ ./validate-hw-1.3.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
vagrant@database:~/shared$
========================================================================================================================================================
db.adminCommand({authSchemaUpgrade: 1})
vagrant@database:~/shared$ ps aux | grep mongo
vagrant 6562 2.9 6.8 612268 70108 ? Sl 02:26 0:01 mongod --dbpath /home/vagrant/M310-HW-1.4/db --logpath /home/vagrant/M310-HW-1.4/db/mongo.log --fork
MongoDB Enterprise > db.version()
3.2.22
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > show collections
system.indexes
system.users
system.version
MongoDB Enterprise >
MongoDB Enterprise > db.system.users.find()
{ "_id" : "admin.alice", "user" : "alice", "db" : "admin", "credentials" : { "MONGODB-CR" : "b2d1852f112d209beb4b60a128da1bd2" }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
MongoDB Enterprise > db.system.users.find().pretty()
{
"_id" : "admin.alice",
"user" : "alice",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "b2d1852f112d209beb4b60a128da1bd2"
},
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > db.adminCommand({authSchemaUpgrade: 1})
{ "done" : true, "ok" : 1 }
MongoDB Enterprise > db.system.users.find().pretty()
{
"_id" : "admin.alice",
"user" : "alice",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "FWj2FYMvygPYW6xLpOc0jQ==",
"storedKey" : "6EFNJeMm4D0HkmAJ5o0PD3C3UNA=",
"serverKey" : "oHv87ksaN6a/avftGOUgliv1rmg="
}
},
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
MongoDB Enterprise >
Chapter 1: Authentication
Homework 1.4: Migrating MONGODB-CR to SCRAM-SHA-1
-----------------------------------------
vagrant@database:~/shared$ ./validate-hw-1.4.sh
about to fork child process, waiting until server is ready for connections.
forked process: 6593
child process started successfully, parent exiting
[ "SCRAM-SHA-1" ]
vagrant@database:~/shared$
Ans:
[ "SCRAM-SHA-1" ]
===========================================================================================================================================================
Try:
====
db.createUser({
user: "admin",
pwd: "admin",
roles: [
{role: "root", db: "admin"}
]
})
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u admin -p admin --authenticationDatabase admin --authenticationMechanism=SCRAM-SHA-256
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: SCRAM-SHA-1,PLAIN,SCRAM-SHA-256
(SCRAM-SHA-256 requires MongoDB 4.0 or later; the 3.2.22 server used in these labs does not offer it, so the --authenticationMechanism=SCRAM-SHA-256 login above fails against it.)
==========================================================================================================================================================
Chapter 1: Authentication
Homework 1.5: Enabling Mixed Authentication Mechanisms
=======================================================
sudo mkdir -p /M310-HW-1.5/{r0,r1,r2}
sudo chown vagrant:vagrant -R /M310-HW-1.5
openssl rand -base64 741 > /M310-HW-1.5/m310-keyfile
chmod 600 /M310-HW-1.5/m310-keyfile
/home/vagrant/shared/mongod4.conf
---------------------------------
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31150
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r0"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-1.5/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true
/home/vagrant/shared/mongod5.conf
---------------------------------
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31151
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r1"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-1.5/r1/mongodb.log"
  logAppend: true
processManagement:
  fork: true
/home/vagrant/shared/mongod6.conf
---------------------------------
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31152
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r2"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-1.5/r2/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod4.conf
mongod -f /home/vagrant/shared/mongod5.conf
mongod -f /home/vagrant/shared/mongod6.conf
mongo --host database.m310.mongodb.university --port 31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
rs.initiate()
use admin
db.createUser({
user: "will",
pwd: "$uperAdmin",
roles: [
{role: "root", db: "admin"}
]
})
db.auth('will','$uperAdmin')
rs.add("database.m310.mongodb.university:31151")
rs.add("database.m310.mongodb.university:31152")
mongo admin --host database.m310.mongodb.university --port 31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u will -p '$uperAdmin'
----------------------------------
Creating Client.pem user
-------------------------
openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
vagrant@database:~/shared$ openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
subject= C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client
db.getSiblingDB("$external").runCommand(
{
createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" }
]
}
)
mongo --host database.m310.mongodb.university --port 31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u 'C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client' --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
-----------------------------------
Chapter 1: Authentication
Homework 1.5: Enabling Mixed Authentication Mechanisms
Ans:
vagrant@database:~/shared$ ./validate-hw-1.5.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"], users: [{"_id":"admin.will","roles":[{"role":"root","db":"admin"}]},{"_id":"$external.C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client","roles":[{"role":"userAdminAnyDatabase","db":"admin"}]}] }
vagrant@database:~/shared$
======================================================================================================================================================================
Chapter 1: Authentication
Homework 1.6: Enabling LDAP Authentication on a Replica Set
Ans:
{ unauthorizedStatus: { "ok" : 0, "errmsg" : "not authorized on admin to execute command { replSetGetStatus: 1.0 }", "code" : 13 }, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
==========================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.1 : Create Users for Different Tasks
================================================
sudo mkdir -p /M310-HW-2.1/{r0,r1,r2}
sudo chown vagrant:vagrant -R /M310-HW-2.1
openssl rand -base64 741 > /M310-HW-2.1/m310-keyfile
chmod 600 /M310-HW-2.1/m310-keyfile
mongod7.conf
------------
security:
  keyFile: /M310-HW-2.1/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31210
storage:
  dbPath: "/M310-HW-2.1/r0"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.1/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod8.conf
-----------
security:
  keyFile: /M310-HW-2.1/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31211
storage:
  dbPath: "/M310-HW-2.1/r1"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.1/r1/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod9.conf
-----------
security:
  keyFile: /M310-HW-2.1/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31212
storage:
  dbPath: "/M310-HW-2.1/r2"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.1/r2/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod7.conf
mongod -f /home/vagrant/shared/mongod8.conf
mongod -f /home/vagrant/shared/mongod9.conf
mongo --host database.m310.mongodb.university --port 31210
rs.initiate()
create users on any database
----------------------------
use admin
db.createUser({
user: "userAdmin",
pwd: "badges",
roles: [
{role: "userAdminAnyDatabase", db: "admin"}
]
})
db.auth('userAdmin','badges')
mongo admin --host database.m310.mongodb.university --port 31210 -u userAdmin -p badges
configure a replica set and add shards
--------------------------------------
use admin
db.createUser({
user: "sysAdmin",
pwd: "cables",
roles: [
{role: "clusterManager", db: "admin"}
]
})
db.auth('sysAdmin','cables')
rs.add("database.m310.mongodb.university:31211")
rs.add("database.m310.mongodb.university:31212")
create a collection on any database
-----------------------------------
use admin
db.createUser({
user: "dbAdmin",
pwd: "collections",
roles: [
{role: "dbAdminAnyDatabase", db: "admin"}
]
})
db.auth('dbAdmin','collections')
insert data on any database
---------------------------
use admin
db.createUser({
user: "dataLoader",
pwd: "dumpin",
roles: [
{role: "readWriteAnyDatabase", db: "admin"}
]
})
db.auth('dataLoader','dumpin')
--------------------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.1 : Create Users for Different Tasks
---------------------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.1.sh
{"users":[{"user":"dataLoader","roles":[{"role":"readWriteAnyDatabase","db":"admin"}]},{"user":"dbAdmin","roles":[{"role":"dbAdminAnyDatabase","db":"admin"}]},{"user":"sysAdmin","roles":[{"role":"clusterManager","db":"admin"}]},{"user":"userAdmin","roles":[{"role":"userAdminAnyDatabase","db":"admin"}]}],"numMembers":3}
=========================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.2 : Create application specific users
=================================================
sudo mkdir -p /M310-HW-2.2/{r0,r1,r2}
sudo chown vagrant:vagrant -R /M310-HW-2.2
openssl rand -base64 741 > /M310-HW-2.2/m310-keyfile
chmod 600 /M310-HW-2.2/m310-keyfile
mongod11.conf
------------
security:
  keyFile: /M310-HW-2.2/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31220
storage:
  dbPath: "/M310-HW-2.2/r0"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.2/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod12.conf
-----------
security:
  keyFile: /M310-HW-2.2/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31221
storage:
  dbPath: "/M310-HW-2.2/r1"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.2/r1/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod13.conf
-----------
security:
  keyFile: /M310-HW-2.2/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31222
storage:
  dbPath: "/M310-HW-2.2/r2"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.2/r2/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod11.conf
mongod -f /home/vagrant/shared/mongod12.conf
mongod -f /home/vagrant/shared/mongod13.conf
mongo --host database.m310.mongodb.university --port 31220
rs.initiate()
User1 on admin
---------------
use admin
db.createUser({
user: "admin",
pwd: "webscale",
roles: [
{role: "root", db: "admin"}
]
})
db.auth('admin','webscale')
or
mongo admin --host database.m310.mongodb.university --port 31220 -u admin -p webscale
rs.add("database.m310.mongodb.university:31221")
rs.add("database.m310.mongodb.university:31222")
User2 on acme
---------------
use admin
db.createUser({
user: "reader",
pwd: "books",
roles: [
{role: "read", db: "acme"}
]
})
User3 on acme
---------------
use admin
db.createUser({
user: "writer",
pwd: "typewriter",
roles: [
{role: "readWrite", db: "acme"}
]
})
---------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.2 : Create application specific users
--------------------------------------
Ans:
-----
vagrant@database:/vagrant/shared$ ./validate-hw-2.2.sh
{"users":[{"user":"admin","roles":[{"role":"root","db":"admin"}]},{"user":"reader","roles":[{"role":"read","db":"acme"}]},{"user":"writer","roles":[{"role":"readWrite","db":"acme"}]}],"numMembers":3}
vagrant@database:/vagrant/shared$
=======================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.3 : Create custom role
=======================================
sudo mkdir -p /M310-HW-2.3/r0
sudo chown vagrant:vagrant -R /M310-HW-2.3
mongod15.conf
-----------
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31230
storage:
  dbPath: "/M310-HW-2.3/r0"
systemLog:
  destination: file
  path: "/M310-HW-2.3/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true
mongod -f /home/vagrant/shared/mongod15.conf
mongo --host database.m310.mongodb.university --port 31230
Role1
------
use admin
db.createRole(
  {
    role: "HRDEPARTMENT",
    privileges: [
      { resource: { db: "HR", collection: "" }, actions: [ "find" ] },
      { resource: { db: "HR", collection: "employees" }, actions: [ "insert" ] },
      { resource: { db: "HR", collection: "" }, actions: [ "dropUser" ] }
    ],
    roles: []
  }
)
Role2
------
use admin
db.createRole(
  {
    role: "MANAGEMENT",
    privileges: [],
    roles: [
      { "role": "dbOwner", "db": "HR" }
    ]
  }
)
Role3
------
use admin
db.createRole(
  {
    role: "EMPLOYEEPORTAL",
    privileges: [
      { resource: { db: "HR", collection: "employees" }, actions: [ "find", "update" ] }
    ],
    roles: []
  }
)
-----------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.3 : Create custom role
----------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.3.sh
[{"role":"EMPLOYEEPORTAL","inheritedRoles":[],"privileges":[{"resource":{"db":"HR","collection":"employees"},"actions":["find","update"]}]},{"role":"HRDEPARTMENT","inheritedRoles":[],"privileges":[{"resource":{"db":"HR","collection":""},"actions":["dropUser","find"]},{"resource":{"db":"HR","collection":"employees"},"actions":["insert"]}]},{"role":"MANAGEMENT","inheritedRoles":[{"role":"dbOwner","db":"HR"}],"privileges":[]}]
vagrant@database:/vagrant/shared$
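As an added example (not part of the course notes), the following JavaScript evaluates what the three roles above actually permit, using MongoDB's resource-document rules (an empty db or collection string is a wildcard, and the collection wildcard excludes system collections). Built-in roles such as dbOwner are reported as unexpanded rather than guessed, because their privilege lists live inside mongod; the registry and request shapes are my own.

```javascript
// The three user-defined roles from Homework 2.3, in the shape db.createRole() takes.
const ROLES = {
  HRDEPARTMENT: {
    privileges: [
      { resource: { db: "HR", collection: "" }, actions: ["find"] },
      { resource: { db: "HR", collection: "employees" }, actions: ["insert"] },
      { resource: { db: "HR", collection: "" }, actions: ["dropUser"] },
    ],
    roles: [],
  },
  MANAGEMENT: { privileges: [], roles: [{ role: "dbOwner", db: "HR" }] },
  EMPLOYEEPORTAL: {
    privileges: [{ resource: { db: "HR", collection: "employees" }, actions: ["find", "update"] }],
    roles: [],
  },
};

// Does a granted resource document cover the requested {db, collection}?
// "" in db or collection means "any"; { db: "HR", collection: "" } covers every
// non-system collection in HR, so system.* collections are excluded there.
function resourceCovers(granted, requested) {
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === "" || granted.collection === requested.collection;
  const systemColl = requested.collection.startsWith("system.");
  return dbOk && collOk && !(granted.collection === "" && systemColl);
}

// Flattens a role and the user-defined roles it inherits into one privilege
// list. Inherited roles missing from the registry (built-ins like dbOwner) are
// returned in `unexpanded` so a reviewer knows the answer is incomplete.
function resolveRole(roleName, registry, seen = new Set()) {
  const out = { privileges: [], unexpanded: [] };
  const role = registry[roleName];
  if (!role || seen.has(roleName)) return out;
  seen.add(roleName);
  out.privileges.push(...role.privileges);
  for (const inherited of role.roles) {
    if (!registry[inherited.role]) {
      out.unexpanded.push(`${inherited.role}@${inherited.db}`);
      continue;
    }
    const sub = resolveRole(inherited.role, registry, seen);
    out.privileges.push(...sub.privileges);
    out.unexpanded.push(...sub.unexpanded);
  }
  return out;
}

// True when some privilege of the role grants `action` on the requested
// resource. Only user-defined privileges are consulted; check `unexpanded`
// from resolveRole() before treating a false result as final.
function isAuthorized(roleName, requested, action, registry = ROLES) {
  return resolveRole(roleName, registry).privileges.some(
    (p) => p.actions.includes(action) && resourceCovers(p.resource, requested)
  );
}
```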
===============================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.4 : Create replica with TLS enabled
==============================================
sudo mkdir -p /M310-HW-2.4/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-2.4
mongod18.conf
-------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31240
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-2.4/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-2.4/r0"
processManagement:
  fork: true
mongod19.conf
-------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31241
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-2.4/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-2.4/r1"
processManagement:
  fork: true
mongod20.conf
-------------
security:
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31242
  ssl:
    mode: requireSSL
    CAFile: /home/vagrant/shared/certs/ca.pem
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
  replSetName: replwithssl
systemLog:
  destination: file
  path: "/M310-HW-2.4/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-2.4/r2"
processManagement:
  fork: true
mongod -f mongod18.conf
mongod -f mongod19.conf
mongod -f mongod20.conf
--------------------------------------------
This works:
------------
mongo --host database.m310.mongodb.university --port 31240 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
rs.initiate(
  {
    _id: "replwithssl",
    version: 1,
    members: [
      { _id: 0, host: "database.m310.mongodb.university:31240" },
      { _id: 1, host: "database.m310.mongodb.university:31241" },
      { _id: 2, host: "database.m310.mongodb.university:31242" }
    ]
  }
)
----------------------------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.4 : Create replica with TLS enabled
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.4.sh
{"numMembers":3}
vagrant@database:/vagrant/shared$
-----------------------------------------------------------
This variant does not produce the expected answer:
-----------------------------
mongo --host database.m310.mongodb.university --port 31240 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
(run from the host shell, not the mongo shell; it prints the client certificate's subject DN, which is used as the $external user name below)
openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
rs.initiate()
db.getSiblingDB("$external").runCommand(
  {
    createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
    roles: [
      { role: "root", db: "admin" }
    ]
  }
)
db.getSiblingDB("$external").auth({ user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", mechanism: "MONGODB-X509" })
rs.add("database.m310.mongodb.university:31241")
rs.add("database.m310.mongodb.university:31242")
mongo admin --host database.m310.mongodb.university --port 31240 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u 'C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client' --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
=================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.5 : Update replica set nodes to enable encrypted storage engine
============================================================================
vagrant@database:~/shared$ ./setup-hw-2.5.sh
about to fork child process, waiting until server is ready for connections.
forked process: 16135
child process started successfully, parent exiting
about to fork child process, waiting until server is ready for connections.
forked process: 16152
child process started successfully, parent exiting
about to fork child process, waiting until server is ready for connections.
forked process: 16189
child process started successfully, parent exiting
MongoDB shell version: 3.2.22
connecting to: 127.0.0.1:31250/test
{ "ok" : 1 }
MongoDB shell version: 3.2.22
connecting to: 127.0.0.1:31250/test
WriteResult({ "nInserted" : 1 })
vagrant@database:~/shared$ ps aux | grep mongo
vagrant 16135 1.5 7.2 743452 73656 ? Sl 15:10 0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r0 --logpath /home/vagrant/M310-HW-2.5/r0/mongo.log.log --port 31250 --replSet UNENCRYPTED --fork
vagrant 16152 1.5 4.7 738324 48764 ? Sl 15:10 0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r1 --logpath /home/vagrant/M310-HW-2.5/r1/mongo.log.log --port 31251 --replSet UNENCRYPTED --fork
vagrant 16189 1.5 4.4 737292 44792 ? Sl 15:10 0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r2 --logpath /home/vagrant/M310-HW-2.5/r2/mongo.log.log --port 31252 --replSet UNENCRYPTED --fork
vagrant 16506 0.0 0.0 8868 648 pts/0 S+ 15:11 0:00 grep --color=auto mongo
vagrant@database:~/shared$
openssl rand -base64 32 > /home/vagrant/M310-HW-2.5/mongodb-keyfile
chmod 600 /home/vagrant/M310-HW-2.5/mongodb-keyfile
mongo --port 31250
mongo --port 31251
mongo --port 31252
mongo --port 31252
use admin
db.shutdownServer()
cd /home/vagrant/M310-HW-2.5/r2
rm -rf *
mongod --dbpath /home/vagrant/M310-HW-2.5/r2 --logpath /home/vagrant/M310-HW-2.5/r2/mongo.log.log --port 31252 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
mongo --port 31251
use admin
db.shutdownServer()
cd /home/vagrant/M310-HW-2.5/r1
rm -rf *
mongod --dbpath /home/vagrant/M310-HW-2.5/r1 --logpath /home/vagrant/M310-HW-2.5/r1/mongo.log.log --port 31251 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
mongo --port 31250
use admin
rs.stepDown()
db.shutdownServer()
cd /home/vagrant/M310-HW-2.5/r0
rm -rf *
mongod --dbpath /home/vagrant/M310-HW-2.5/r0 --logpath /home/vagrant/M310-HW-2.5/r0/mongo.log.log --port 31250 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant@database:~/M310-HW-2.5/r0$ ps aux | grep mongo
vagrant 16553 1.9 10.6 807984 108116 ? SLl 15:25 0:06 mongod --dbpath /home/vagrant/M310-HW-2.5/r2 --logpath /home/vagrant/M310-HW-2.5/r2/mongo.log.log --port 31252 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant 16833 1.8 5.0 814348 50900 ? SLl 15:29 0:01 mongod --dbpath /home/vagrant/M310-HW-2.5/r1 --logpath /home/vagrant/M310-HW-2.5/r1/mongo.log.log --port 31251 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant 17003 4.6 4.1 519272 41976 ? SLl 15:30 0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r0 --logpath /home/vagrant/M310-HW-2.5/r0/mongo.log.log --port 31250 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant 17048 0.0 0.0 8868 648 pts/0 S+ 15:30 0:00 grep --color=auto mongo
vagrant@database:~/M310-HW-2.5/r0$
------------------------------------------------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.5 : Update replica set nodes to enable encrypted storage engine
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.5.sh
{"doc":{"str":"The quick brown fox jumps over the lazy dog"},"isEnabled":true}
vagrant@database:/vagrant/shared$
=================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.6 : Configure KMIP backed mongod
============================================
Ans:
-----
{isEnabled: true, usingKMIP: true}
==================================================================================================================================================================
Chapter 3: Auditing and Best Practices
Homework 3.1 : Enable auditing on replica set
===============================================
sudo mkdir -p /M310-HW-3.1/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-3.1
sudo mkdir -p ~/M310-HW-3.1/{r0,r1,r2}
sudo chown -R vagrant:vagrant ~/M310-HW-3.1
mongod21.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31310
systemLog:
  destination: file
  path: "/M310-HW-3.1/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.1/r0"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.1/r0/auditLog.json
processManagement:
  fork: true
mongod22.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31311
systemLog:
  destination: file
  path: "/M310-HW-3.1/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.1/r1"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.1/r1/auditLog.json
processManagement:
  fork: true
mongod23.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31312
systemLog:
  destination: file
  path: "/M310-HW-3.1/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.1/r2"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.1/r2/auditLog.json
processManagement:
  fork: true
mongod -f mongod21.conf
mongod -f mongod22.conf
mongod -f mongod23.conf
mongo --host database.m310.mongodb.university --port 31310
rs.initiate()
rs.add("database.m310.mongodb.university:31311")
rs.add("database.m310.mongodb.university:31312")
---------------------------------------------------
Chapter 3: Auditing and Best Practices
Homework 3.1 : Enable auditing on replica set
--------------------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-3.1.sh
{ numMembers: 3, auditLog: 1 }
vagrant@database:/vagrant/shared$
=======================================================================================================================================
Chapter 3: Auditing and Best Practices
Homework 3.2 : Change audit filters to audit specific user
===============================================================
sudo mkdir -p /M310-HW-3.2/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-3.2
sudo mkdir -p ~/M310-HW-3.2/{r0,r1,r2}
sudo chown -R vagrant:vagrant ~/M310-HW-3.2
mongod24.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31320
systemLog:
  destination: file
  path: "/M310-HW-3.2/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.2/r0"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.2/r0/auditLog.json
  filter: '{ users: { user: "steve", db: "admin" } }'
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod25.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31321
systemLog:
  destination: file
  path: "/M310-HW-3.2/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.2/r1"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.2/r1/auditLog.json
  filter: '{ users: { user: "steve", db: "admin" } }'
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod26.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31322
systemLog:
  destination: file
  path: "/M310-HW-3.2/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.2/r2"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.2/r2/auditLog.json
  filter: '{ users: { user: "steve", db: "admin" } }'
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod -f mongod24.conf
mongod -f mongod25.conf
mongod -f mongod26.conf
mongo --host database.m310.mongodb.university --port 31320
rs.initiate()
rs.add("database.m310.mongodb.university:31321")
rs.add("database.m310.mongodb.university:31322")
use admin
db.createUser({
user: "steve",
pwd: "secret",
roles: [
{role: "root", db: "admin"}
]
})
-----------------------------------------------------------
Chapter 3: Auditing and Best Practices
Homework 3.2 : Change audit filters to audit specific user
-----------------------------------------------------------
Ans:
----
vagrant@database:~/shared$ ./validate-hw-3.2.sh
{ numMembers: 3, auditLog1: 1, auditLog2: 0 }
vagrant@database:~/shared$
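To see what the filter in mongod24-26.conf, { users: { user: "steve", db: "admin" } }, records and what it silently leaves out, here is an added JavaScript example (not part of the course notes) that replays audit lines through that filter with MongoDB's query semantics and lists the failures it discards. The sample lines are constructed in the shape of the Enterprise JSON audit format (atype, ts, local, remote, users, roles, param, result) and are not real lab output.

```javascript
// Same filter as auditLog.filter in the three config files above.
const STEVE_FILTER = { users: { user: "steve", db: "admin" } };

// Constructed sample events, one JSON document per line as in auditLog.json.
const SAMPLE_AUDIT_LOG = [
  // steve (authenticated against admin) runs a find: authCheck, result 0 = success.
  '{"atype":"authCheck","ts":{"$date":"2016-11-07T15:10:01.000Z"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"127.0.0.1","port":50001},"users":[{"user":"steve","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"command":"find","ns":"test.foo","args":{"find":"foo","filter":{}}},"result":0}',
  // steve creates a user: a DDL event, not an authCheck, and also matched.
  '{"atype":"createUser","ts":{"$date":"2016-11-07T15:10:02.000Z"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"127.0.0.1","port":50001},"users":[{"user":"steve","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"reader","db":"acme","roles":[{"role":"read","db":"acme"}]},"result":0}',
  // a "steve" defined in db "test": the filter compares the whole {user, db}
  // element, so this is a different principal and is not matched.
  '{"atype":"authCheck","ts":{"$date":"2016-11-07T15:10:03.000Z"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"127.0.0.1","port":50002},"users":[{"user":"steve","db":"test"}],"roles":[{"role":"read","db":"test"}],"param":{"command":"find","ns":"test.foo","args":{"find":"foo"}},"result":0}',
  // failed login: nobody is authenticated yet, so "users" is empty
  // (result 18 = AuthenticationFailed) and a user-scoped filter drops it.
  '{"atype":"authenticate","ts":{"$date":"2016-11-07T15:10:04.000Z"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"10.0.0.5","port":40000},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  // writer (readWrite on acme) denied a dropDatabase (result 13 = Unauthorized):
  // the default failures-only audit would write this, the steve filter does not.
  '{"atype":"authCheck","ts":{"$date":"2016-11-07T15:10:05.000Z"},"local":{"ip":"127.0.0.1","port":31320},"remote":{"ip":"127.0.0.1","port":50003},"users":[{"user":"writer","db":"admin"}],"roles":[{"role":"readWrite","db":"acme"}],"param":{"command":"dropDatabase","ns":"acme","args":{"dropDatabase":1}},"result":13}',
];

// MongoDB equality for one filter field: the event field matches if it equals
// the query value or, when the field is an array, if any element equals it.
// Embedded-document equality is field-order sensitive in MongoDB, which
// comparing the JSON serialisations of the parsed objects reproduces.
function fieldMatches(fieldValue, queryValue) {
  const eq = (a, b) => JSON.stringify(a) === JSON.stringify(b);
  if (Array.isArray(fieldValue) && !Array.isArray(queryValue)) {
    return fieldValue.some((element) => eq(element, queryValue));
  }
  return eq(fieldValue, queryValue);
}

// True when every top-level field of the filter matches the audit event.
function matchesAuditFilter(event, filter) {
  return Object.keys(filter).every((field) => fieldMatches(event[field], filter[field]));
}

// Replays the lines through the filter. auditAuthorizationSuccess decides
// whether successful authCheck events exist at all: at its default (false)
// only failed authorization checks are generated and reach the filter.
function applyAuditFilter(lines, filter, auditAuthorizationSuccess) {
  const kept = [];
  const dropped = [];
  for (const line of lines) {
    const event = JSON.parse(line);
    const generated = !(event.atype === "authCheck" && event.result === 0 && !auditAuthorizationSuccess);
    if (generated && matchesAuditFilter(event, filter)) kept.push(event);
    else dropped.push(event);
  }
  return { kept, dropped };
}

// The blind spot of a user-scoped filter: failures (result != 0) it discards,
// such as failed logins and other users' denied commands.
function unrecordedFailures(lines, filter, auditAuthorizationSuccess) {
  return applyAuditFilter(lines, filter, auditAuthorizationSuccess).dropped
    .filter((event) => event.result !== 0)
    .map((event) => ({ atype: event.atype, remote: event.remote.ip, result: event.result }));
}
```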
--------------------------------------------------
=============================================================================================================================================================
Chapter 3: Auditing and Best Practices
Homework 3.3 : Enable DML audit
========================================
sudo mkdir -p /M310-HW-3.3/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-3.3
sudo mkdir -p ~/M310-HW-3.3/{r0,r1,r2}
sudo chown -R vagrant:vagrant ~/M310-HW-3.3
mongod27.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31330
systemLog:
  destination: file
  path: "/M310-HW-3.3/r0/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.3/r0"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.3/r0/auditLog.json
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod28.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31331
systemLog:
  destination: file
  path: "/M310-HW-3.3/r1/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.3/r1"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.3/r1/auditLog.json
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod29.conf
-------------
replication:
  replSetName: auditRepl
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31332
systemLog:
  destination: file
  path: "/M310-HW-3.3/r2/mongodb.log"
  logAppend: true
storage:
  dbPath: "/M310-HW-3.3/r2"
auditLog:
  destination: file
  format: JSON
  path: /home/vagrant/M310-HW-3.3/r2/auditLog.json
setParameter: {auditAuthorizationSuccess: true}
processManagement:
  fork: true
mongod -f mongod27.conf
mongod -f mongod28.conf
mongod -f mongod29.conf
mongo --host database.m310.mongodb.university --port 31330
rs.initiate()
rs.add("database.m310.mongodb.university:31331")
rs.add("database.m310.mongodb.university:31332")
---------------------------------------------------------
Chapter 3: Auditing and Best Practices
Homework 3.3 : Enable DML audit
---------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-3.3.sh
{ numMembers: 3, auditLog: 1 }
vagrant@database:/vagrant/shared$
---------------------------------------------------------
=================================================================================================================================================================
Final Exam
===========
Question 1
==========
Ans:
----
Enabling auditing on MongoDB Enterprise will decrease database performance.
Question 2
==========
Solution:
---------
openssl x509 -in /home/vagrant/shared/certs/client.pem -text -nameopt RFC2253
Ans:
----
vagrant@database:/vagrant/shared$ openssl x509 -in /home/vagrant/shared/certs/client.pem -text -nameopt RFC2253
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 266611 (0x41173)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US,ST=New York,L=New York City,O=MongoDB,OU=University,CN=localhost
Validity
Not Before: Nov 7 20:03:00 2016 GMT
Not After : Nov 7 20:03:00 2036 GMT
Subject: C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, DNS:database.m310.mongodb.university, DNS:infrastructure.m310.mongodb.university
Signature Algorithm: sha1WithRSAEncryption
vagrant@database:/vagrant/shared$
Question 3
==========
Solution:
---------
openssl x509 -in /home/vagrant/shared/certs/client.pem -text -nameopt RFC2253
Ans:
----
db.products.findOne({product: 'Door Hinge'})
db.products.insertOne({product: 'Basket'})
db.products.find({product: 'Candle'})
db.products.insert({product: 'Amplifier'})
Question 4
==========
Ans:
----
{
role: "senior-engineer",
privileges: [],
roles: [ "dbAdmin" ]
}
Question 5
==========
MongoDB drivers will send LDAP credentials to a connected mongod in plain text.
MONGODB-CR still exists in MongoDB only for backwards compatibility reasons.
It is a best practice to leave the HTTP status interface disabled in production.
Question 6
==========
Encryption at rest is a four step process: generate a master key, generate keys for each database, encrypt each database with the database keys, and encrypt the database keys with the master key.
The localhost exception applies to a replica set and sharded cluster environments.
Internal authentication via X.509 certificates will enable MongoDB's role-based access control authorization system.
Question 7
==========
MongoDB stores user-defined role information in the system.roles collection in the admin database.
The subject of a client certificate acts as the "user" when authenticating with X.509 certificates.
When auditing is enabled on MongoDB Enterprise, the --auditFormat BSON option has much better performance than the --auditFormat JSON option.
==================================================================================================================================================