Basic Security in Replication – Outline
This outline is based on MongoDB documentation.
Deploy Replica Set With Keyfile Access Control
Overview
- Security between members of the replica set using Internal Authentication, and
- Security between connecting clients and the replica set using Role-Based Access Control.
Procedure
1. Create a keyfile.
The following operation uses openssl to generate a complex pseudo-random 1024 character string to use for a keyfile.
# openssl rand -base64 756 > <path-to-keyfile>
# chmod 400 <path-to-keyfile>
2. Copy the keyfile to each replica set member.
- Copy the keyfile to each server hosting the replica set members.
- Ensure that the user running the mongod instances can access the keyfile.
3. Enforce access control on each member of the replica set.
Running a mongod with the keyFile parameter enforces both Internal Authentication and Role-Based Access Control.
Configuration File (YAML; the child keys must be indented under their section)
security:
  keyFile: <path-to-keyfile>
replication:
  replSetName: <replicaSetName>
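The keyfile produced in steps 1 to 3 is the shared secret for Internal Authentication, so it is worth checking before it is copied to every member. The script below is an added example, not code from the MongoDB documentation or from the original post: it generates the keyfile with a restrictive umask, sets mode 400, and then verifies the file against the keyfile constraints as I understand them from the MongoDB documentation (6 to 1024 characters from the base64 alphabet, whitespace ignored). The path argument, the fallback to /dev/urandom when openssl is absent, and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not the MongoDB docs' or the post's code): create, lock down and
# verify a replica-set keyfile before distributing it to the members.

# generate_keyfile PATH: write a base64 key (1024 chars incl. newlines) readable
# only by its owner. umask 077 keeps the file private from the moment it exists.
generate_keyfile() {
    kf="$1"
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 756 > "$kf"          # command from the outline
        else
            head -c 756 /dev/urandom | base64 > "$kf" # assumed fallback, same size
        fi
    ) || return 1
    chmod 400 "$kf" || return 1
}

# keyfile_mode PATH: print the octal permission bits (GNU stat, then BSD stat).
keyfile_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# keyfile_length PATH: number of non-whitespace characters in the file.
keyfile_length() {
    content=$(tr -d '[:space:]' < "$1")
    printf '%s\n' "${#content}"
}

# verify_keyfile PATH: succeed only if the file exists, is mode 400, and its
# content (whitespace stripped) is 6..1024 base64 characters (assumed limits).
verify_keyfile() {
    kf="$1"
    [ -f "$kf" ] || { echo "missing keyfile: $kf" >&2; return 1; }
    mode=$(keyfile_mode "$kf")
    [ "$mode" = "400" ] || { echo "bad mode $mode (want 400)" >&2; return 1; }
    len=$(keyfile_length "$kf")
    [ "$len" -ge 6 ] && [ "$len" -le 1024 ] || { echo "bad length $len" >&2; return 1; }
    # Anything outside A-Z a-z 0-9 + / = would be rejected by mongod.
    if tr -d '[:space:]' < "$kf" | LC_ALL=C grep -q '[^A-Za-z0-9+/=]'; then
        echo "non-base64 character in keyfile" >&2
        return 1
    fi
    return 0
}

# Usage (path is a placeholder):
#   generate_keyfile /path/to/keyfile && verify_keyfile /path/to/keyfile
```

Run verify_keyfile again on each member after copying the file (step 2): a copy made with scp or a configuration tool can silently arrive with wider permissions or a different owner, and mongod will refuse to start on a keyfile that is readable by the group or others.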
4. Connect to a member of the replica set over the localhost interface.
- Connect a mongo shell to one of the mongod instances over the localhost interface.
- The localhost interface is only available since no users have been created for the deployment.
- The localhost interface closes after the creation of the first user.
5. Initiate the replica set.
Initiate the replica set using:
# rs.initiate()
Add the members to the replica set:
# rs.add("<hostname>:<portno>")
# rs.add("<hostname>:<portno>")
6. Create the user administrator.
- Add a user using the db.createUser() method. The user should have at minimum the userAdminAnyDatabase role on the admin database.
- You must be connected to the primary to create users.
- The following example creates the user tommy with the userAdminAnyDatabase role on the admin database.
admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "tommy",
    pwd: "changeme1",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
7. Authenticate as the user administrator.
Authenticate to the admin database:
# db.getSiblingDB("admin").auth("tommy", "changeme1")
Alternatively, connect a new mongo shell to the primary replica set member using:
# mongo -u "tommy" -p "changeme1" --authenticationDatabase "admin"
8. Create the cluster administrator.
- The clusterAdmin role grants access to replication operations, such as configuring the replica set.
- Create a cluster administrator user and assign the clusterAdmin role in the admin database:
db.getSiblingDB("admin").createUser(
  {
    "user" : "jerry",
    "pwd" : "changeme2",
    roles: [ { "role" : "clusterAdmin", "db" : "admin" } ]
  }
)
9. Create additional users (Optional).
Create users to allow clients to connect and interact with the replica set, if required.
Done.