Friday, June 29, 2018

MongoDB Fresh Installation with Security - Linux


MongoDB Installation – Linux

Prerequisites

To Switch User to mongod – Changes to be made

# vi /etc/passwd
Only for the mongod user: change the home directory and the login shell, so the end of its line changes from
/var/lib/mongo:/bin/false
to
/home/mongod:/bin/bash

Or, equivalently:
# usermod -d /home/mongod mongod
# usermod --shell /bin/bash mongod
Then create the home directory and copy the shell profile files (from the current directory) into it:
# mkdir -p /home/mongod
# cp .bash_profile .bashrc /home/mongod/
# chown -R mongod:mongod /home/mongod/

Create necessary directories

# mkdir /data/usr/conf
# mkdir /data/usr/logs/
# mkdir -p /var/run/mongodb/
# chown mongod:mongod /var/run/mongodb/
# chmod 775 /var/run/mongodb/
# chmod -R 775 /data/usr

Copy the latest binaries

# dzdo su - mongod
# cp /tmp/mongodb-linux-x86_64-rhel62-3.6.5.tgz /data/usr
# cd /data/usr
# tar -zxvf mongodb-linux-x86_64-rhel62-3.6.5.tgz

Create a softlink (symbolic link) to the extracted directory, from /data/usr

# ln -s mongodb-linux-x86_64-rhel62-3.6.5 mongodb

Create Config File:

# vi /data/usr/conf/mongod.conf

net:
  port: 27017
  bindIpAll: true
processManagement:
  pidFilePath: /var/run/mongodb/mongod.pid
  fork: true
#security:
#  authorization: enabled
storage:
  dbPath: /data/mongodb
systemLog:
  destination: file
  logAppend: true
  logRotate: rename
  path: /data/usr/logs/mongod.log

# :wq!

Create an init.d script so mongod runs as a service

# touch /etc/init.d/mongod
# paste the init script into /etc/init.d/mongod

File Paths as per Standards

Config File Path: /data/usr/conf/mongod.conf
Log File Path: /data/usr/logs/mongod.log
Binary File Path: /data/usr/mongodb/bin/mongod

Start the Service

# dzdo service mongod start

Security:

Create a root user for the DBAs

Connect with the mongo shell (authorization is still disabled at this point, so no credentials are needed yet) and run:

> use admin
db.createUser(
  {
    user: "dba_mongo",
    pwd: "xxxxx",
    roles: [ { role: "root", db: "admin" } ]
  }
)

Enable the security options in the config file (uncomment the security block):

net:
  port: 27017
  bindIpAll: true
processManagement:
  pidFilePath: /var/run/mongodb/mongod.pid
  fork: true
security:
  authorization: enabled
storage:
  dbPath: /data/mongodb
systemLog:
  destination: file
  logAppend: true
  logRotate: rename
  path: /data/usr/logs/mongod.log
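The two config files above differ only in whether the security block is commented out, and mongod gives no warning at startup when it is. The following is an added example, not part of the original post: a small audit script that parses a mongod.conf of the two-level "section: / key: value" form used here and flags the settings that matter for exposure. It assumes the file nests only one level deep with no lists, which is all this post's config uses; the two embedded configs are copied from the post, and the findings wording is this example's own.

```python
# Added example, not from the original post: audit a mongod.conf of the
# two-level form used in the post. Assumes one level of nesting and no
# YAML lists, which is all the post's config needs.

# The post's config as first written, with the security block commented out.
CONF_BEFORE = """\
net:
  port: 27017
  bindIpAll: true
processManagement:
  pidFilePath: /var/run/mongodb/mongod.pid
  fork: true
#security:
#  authorization: enabled
storage:
  dbPath: /data/mongodb
systemLog:
  destination: file
  logAppend: true
  logRotate: rename
  path: /data/usr/logs/mongod.log
"""

# The same file after the security block is uncommented.
CONF_AFTER = (CONF_BEFORE.replace("#security:", "security:")
                         .replace("#  authorization", "  authorization"))


def parse_mongod_conf(text):
    """Parse 'section:' headers and indented 'key: value' pairs into a dict of dicts.

    Comment lines are skipped, so a commented-out security block is simply
    absent from the result, which is exactly how mongod treats it.
    """
    conf = {}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError("line %d: expected 'key: value', got %r" % (lineno, raw))
        value = value.strip()
        if indent == 0:
            if value:
                raise ValueError("line %d: top-level scalars are not supported" % lineno)
            section = key
            conf.setdefault(section, {})
        else:
            if section is None:
                raise ValueError("line %d: indented line before any section" % lineno)
            conf[section][key] = value
    return conf


def audit_mongod_conf(conf):
    """Return a list of findings for the parsed config; empty means nothing flagged."""
    findings = []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: any client that "
                        "reaches the port has full access")
    net = conf.get("net", {})
    if net.get("bindIpAll") == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface; "
                        "pair it with a host firewall or list addresses in net.bindIp")
    log = conf.get("systemLog", {})
    if log.get("destination") != "file" or not log.get("path"):
        findings.append("systemLog is not written to a file path: nothing local to review")
    return findings


if __name__ == "__main__":
    for label, text in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label + ":")
        for finding in audit_mongod_conf(parse_mongod_conf(text)) or ["no findings"]:
            print("  " + finding)
```

Run it against the file on disk with `audit_mongod_conf(parse_mongod_conf(open("/data/usr/conf/mongod.conf").read()))`; the "after" config still reports bindIpAll, which is deliberate: enabling authorization closes the open-access problem but does not change which interfaces the port is reachable on.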

Restart the server

# dzdo service mongod restart

Login to the mongo console

# /data/usr/mongodb/bin/mongo --port 27017 -u "dba_mongo" -p "xxxxx" --authenticationDatabase "admin"

Or, with /data/usr/mongodb/bin on the PATH:

# mongo --port 27017 -u dba_mongo -p xxxxxx --authenticationDatabase admin

Giving -p without a value makes the shell prompt for the password instead of leaving it in the shell history and the process list.

Creating app users

> use admin
db.createUser(
  {
    user: "app_mongo",
    pwd: "xxxx",
    roles: [ { role: "dbAdminAnyDatabase", db: "admin" }, { role: "readWriteAnyDatabase", db: "admin" } ]
  }
)
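The app user above holds dbAdminAnyDatabase and readWriteAnyDatabase, so a leak of its password exposes every database on the server, not just the application's. As an added example that is not part of the original post, here is a script that checks createUser documents like the two on this page against a least-privilege policy and renders them as the db.createUser(...) call to paste into the mongo shell. The role names are MongoDB's built-in roles; the policy itself (which roles an application account may hold), the "orders" database name and the sample password are assumptions made here for illustration.

```python
# Added example, not part of the original post: check createUser documents
# against a least-privilege policy before running them in the mongo shell.
# The policy, the "orders" database name and the sample password are
# constructed for this example.
import json

# Built-in roles that reach every database or control cluster/auth state.
CLUSTER_WIDE_ROLES = {
    "root", "readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase",
    "userAdminAnyDatabase", "clusterAdmin", "clusterManager", "clusterMonitor",
    "hostManager", "backup", "restore",
}

# The DBA account from the post (placeholder password kept as posted).
DBA_USER = {"user": "dba_mongo", "pwd": "xxxxx",
            "roles": [{"role": "root", "db": "admin"}]}

# The application account exactly as the post creates it.
APP_USER_AS_POSTED = {"user": "app_mongo", "pwd": "xxxx",
                      "roles": [{"role": "dbAdminAnyDatabase", "db": "admin"},
                                {"role": "readWriteAnyDatabase", "db": "admin"}]}

# Scoped alternative: readWrite on the one database the app actually uses.
APP_USER_SCOPED = {"user": "app_mongo", "pwd": "correct-horse-battery-staple-42",
                   "roles": [{"role": "readWrite", "db": "orders"}]}


def audit_user(spec, cluster_wide_allowed=False):
    """Return a list of findings for one createUser document.

    cluster_wide_allowed=True is for DBA accounts, which legitimately hold root.
    """
    findings = []
    name = spec["user"]
    for grant in spec["roles"]:
        role, db = grant["role"], grant["db"]
        if role in CLUSTER_WIDE_ROLES and not cluster_wide_allowed:
            findings.append("%s: %s on %s reaches every database; grant readWrite "
                            "on the application's own database instead" % (name, role, db))
    pwd = spec["pwd"]
    # Catches the "xxxx" placeholders from the post as well as trivially short passwords.
    if len(pwd) < 12 or len(set(pwd)) == 1:
        findings.append("%s: password is a short or repeated-character placeholder" % name)
    return findings


def render_create_user(spec):
    """Render the document as the db.createUser(...) call for the mongo shell."""
    return "db.createUser(%s)" % json.dumps(spec, indent=2)


if __name__ == "__main__":
    for spec, dba in ((DBA_USER, True), (APP_USER_AS_POSTED, False), (APP_USER_SCOPED, False)):
        print(render_create_user(spec))
        for finding in audit_user(spec, cluster_wide_allowed=dba):
            print("  FINDING:", finding)
```

The scoped account is created with `use admin` as well (it authenticates against admin, as the login commands on this page expect) but its only grant is readWrite on its own database, so the DBA keeps root and the application keeps only what it uses.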

Login to the mongo console as the app user

# mongo --port 27017 -u app_mongo -p xxxx --authenticationDatabase admin

