Monday, June 29, 2020

M310: MongoDB Security - Mongo University - Solutions

M310: MongoDB Security
=======================
cd D:\mongo_courses\m310_security
vagrant up
vagrant ssh database

=====================================================
d:\mongo_courses\m310_security
vagrant ssh database
mkdir -p data/db
mongod --dbpath /home/vagrant/data/db

db.createUser({
    user: "alice",
    pwd: "secret",
    roles: [
      {role: "root", db: "admin"}
    ]
  })

restart mongod
mongod --dbpath /home/vagrant/data/db --auth

use admin
db.auth('alice','secret')
run the commands given in the lab -

Chapter 1: Authentication
Homework 1.1 : Enable SCRAM-SHA-1
Ans:
mongo admin --eval "db.auth('alice', 'secret');db.runCommand({getParameter: 1, authenticationMechanisms: 1})"
mongo admin -u alice -p secret --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})"
mongo -u alice -p secret --eval "db=db.getSisterDB('admin');
db.runCommand({getParameter: 1, authenticationMechanisms: 1})" --authenticationDatabase admin
------------------------------------------------------------------------------------------

openssl rand -base64 756 > /home/vagrant/M310-HW-1.2/keyfile
chmod 400 /home/vagrant/M310-HW-1.2/keyfile

mongod --dbpath /home/vagrant/M310-HW-1.2/r0 --logpath /home/vagrant/M310-HW-1.2/r0/mongo.log.log --port 31120 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
mongod --dbpath /home/vagrant/M310-HW-1.2/r1 --logpath /home/vagrant/M310-HW-1.2/r1/mongo.log.log --port 31121 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork
mongod --dbpath /home/vagrant/M310-HW-1.2/r2 --logpath /home/vagrant/M310-HW-1.2/r2/mongo.log.log --port 31122 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork

mongo --port 31122
MongoDB Enterprise TO_BE_SECURED:SECONDARY> use admin
switched to db admin
MongoDB Enterprise TO_BE_SECURED:SECONDARY> db.shutdownServer()
server should be down...
mongod --dbpath /home/vagrant/M310-HW-1.2/r2 --logpath /home/vagrant/M310-HW-1.2/r2/mongo.log.log --port 31122 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork

mongo --port 31121
MongoDB Enterprise TO_BE_SECURED:SECONDARY> use admin
switched to db admin
MongoDB Enterprise TO_BE_SECURED:SECONDARY> db.shutdownServer()
server should be down...
mongod --dbpath /home/vagrant/M310-HW-1.2/r1 --logpath /home/vagrant/M310-HW-1.2/r1/mongo.log.log --port 31121 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork

mongo --port 31120
MongoDB Enterprise TO_BE_SECURED:RECOVERING> use admin
switched to db admin
MongoDB Enterprise TO_BE_SECURED:RECOVERING> db.shutdownServer()
server should be down...
mongod --dbpath /home/vagrant/M310-HW-1.2/r0 --logpath /home/vagrant/M310-HW-1.2/r0/mongo.log.log --port 31120 --keyFile /home/vagrant/M310-HW-1.2/keyfile --replSet TO_BE_SECURED --fork

MongoDB Enterprise TO_BE_SECURED:SECONDARY> rs.isMaster()
{
        "hosts" : [
                "database.m310.mongodb.university:31120",
                "database.m310.mongodb.university:31121",
                "database.m310.mongodb.university:31122"
        ],
        "setName" : "TO_BE_SECURED",
        "setVersion" : 1,
        "ismaster" : false,
        "secondary" : true,
        "primary" : "database.m310.mongodb.university:31121",
        "me" : "database.m310.mongodb.university:31120",
        "maxBsonObjectSize" : 16777216,
        "maxMessageSizeBytes" : 48000000,
        "maxWriteBatchSize" : 1000,
        "localTime" : ISODate("2020-04-16T14:54:07.253Z"),
        "maxWireVersion" : 4,
        "minWireVersion" : 0,
        "ok" : 1
}

mongo --port 31121
use admin
db.createUser({
    user: "admin",
    pwd: "webscale",
    roles: [
      {role: "root", db: "admin"}
    ]
  })

db.auth('admin','webscale')
or
mongo admin --port 31121 -u admin -p webscale

Chapter 1: Authentication
Homework 1.2 : Enabling Authentication on a Running Replica Set
vagrant@database:~/shared$ ./validate-hw-1.2.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
vagrant@database:~/shared$

===============================================================================================================================================================

sudo mkdir -p /M310-HW-1.3/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-1.3

PEMKeyFile

/home/vagrant/shared/mongod1.conf
----------------------------------
security:
   clusterAuthMode: x509
net:
   ssl:
      mode: requireSSL
      CAFile: /home/vagrant/shared/certs/ca.pem
      PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
   replSetName: replwithssl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31130
systemLog:
   destination: file
   path: "/M310-HW-1.3/r0/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-1.3/r0"
processManagement:
   fork: true

/home/vagrant/shared/mongod2.conf
---------------------------------
security:
   clusterAuthMode: x509
net:
   ssl:
      mode: requireSSL
      CAFile: /home/vagrant/shared/certs/ca.pem
      PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
   replSetName: replwithssl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31131
systemLog:
   destination: file
   path: "/M310-HW-1.3/r1/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-1.3/r1"
processManagement:
   fork: true

/home/vagrant/shared/mongod3.conf
---------------------------------
security:
   clusterAuthMode: x509
net:
   ssl:
      mode: requireSSL
      CAFile: /home/vagrant/shared/certs/ca.pem
      PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
   replSetName: replwithssl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31132
systemLog:
   destination: file
   path: "/M310-HW-1.3/r2/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-1.3/r2"
processManagement:
   fork: true

mongod -f /home/vagrant/shared/mongod1.conf
mongod -f /home/vagrant/shared/mongod2.conf
mongod -f /home/vagrant/shared/mongod3.conf

vagrant@database:~/shared$ ps aux | grep mongo
vagrant   5622  2.7  8.9 770728 90632 ?        Sl   01:04   1:59 mongod -f /home/vagrant/shared/mongod1.conf
vagrant   5653  2.3  8.3 748608 84664 ?        Sl   01:04   1:46 mongod -f /home/vagrant/shared/mongod2.conf
vagrant   5684  2.3  8.2 740080 83640 ?        Sl   01:04   1:46 mongod -f /home/vagrant/shared/mongod3.conf

database.m310.mongodb.university

mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem

openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253

vagrant@database:~$ openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
subject= C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client

db.getSiblingDB("$external").runCommand(
  {
    createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
    roles: [
         { role: "root", db: "admin" }
           ]
  }
)


mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file>  --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u 'C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client' --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509

or
mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file>
db.getSiblingDB("$external").auth(
  {
    mechanism: "MONGODB-X509"
  }
)

db.getSiblingDB("$external").auth({ user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", mechanism: "MONGODB-X509" })

rs.add("database.m310.mongodb.university:31131")
rs.add("database.m310.mongodb.university:31132")

Chapter 1: Authentication
Homework 1.3: Enabling Internal Authentication using X.509
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }

-------------------------------------------------------
result set:
-----------
vagrant@database:~/shared$ ./validate-hw-1.3.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
vagrant@database:~/shared$

========================================================================================================================================================

db.adminCommand({authSchemaUpgrade: 1})

vagrant@database:~/shared$ ps aux | grep mongo
vagrant   6562  2.9  6.8 612268 70108 ?        Sl   02:26   0:01 mongod --dbpath /home/vagrant/M310-HW-1.4/db --logpath /home/vagrant/M310-HW-1.4/db/mongo.log --fork

MongoDB Enterprise > db.version()
3.2.22
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > show collections
system.indexes
system.users
system.version
MongoDB Enterprise >

MongoDB Enterprise > db.system.users.find()
{ "_id" : "admin.alice", "user" : "alice", "db" : "admin", "credentials" : { "MONGODB-CR" : "b2d1852f112d209beb4b60a128da1bd2" }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
MongoDB Enterprise > db.system.users.find().pretty()
{
        "_id" : "admin.alice",
        "user" : "alice",
        "db" : "admin",
        "credentials" : {
                "MONGODB-CR" : "b2d1852f112d209beb4b60a128da1bd2"
        },
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                }
        ]
}
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > db.adminCommand({authSchemaUpgrade: 1})
{ "done" : true, "ok" : 1 }

MongoDB Enterprise > db.system.users.find().pretty()
{
        "_id" : "admin.alice",
        "user" : "alice",
        "db" : "admin",
        "credentials" : {
                "SCRAM-SHA-1" : {
                        "iterationCount" : 10000,
                        "salt" : "FWj2FYMvygPYW6xLpOc0jQ==",
                        "storedKey" : "6EFNJeMm4D0HkmAJ5o0PD3C3UNA=",
                        "serverKey" : "oHv87ksaN6a/avftGOUgliv1rmg="
                }
        },
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                }
        ]
}
MongoDB Enterprise >

Chapter 1: Authentication
Homework 1.4: Migrating MONGODB-CR to SCRAM-SHA-1
-----------------------------------------
vagrant@database:~/shared$ ./validate-hw-1.4.sh
about to fork child process, waiting until server is ready for connections.
forked process: 6593
child process started successfully, parent exiting
[ "SCRAM-SHA-1" ]
vagrant@database:~/shared$
Ans:
[ "SCRAM-SHA-1" ]

===========================================================================================================================================================
Try:
====
db.createUser({
    user: "admin",
    pwd: "admin",
    roles: [
      {role: "root", db: "admin"}
    ]
  })

mongo --host database.m310.mongodb.university --port 31130 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u admin -p admin --authenticationDatabase admin --authenticationMechanism=SCRAM-SHA-256

authorization: enabled

setParameter:                                                                                                                                                                                    authenticationMechanisms: SCRAM-SHA1,SCRAM-SHA-1,PLAIN,SCRAM-SHA-256

==========================================================================================================================================================
Chapter 1: Authentication
Homework 1.5: Enabling Mixed Authentication Mechanisms
=======================================================
sudo mkdir -p /M310-HW-1.5/{r0,r1,r2}
sudo chown vagrant:vagrant -R /M310-HW-1.5

openssl rand -base64 741 > /M310-HW-1.5/m310-keyfile
chmod 600 /M310-HW-1.5/m310-keyfile

/home/vagrant/shared/mongod4.conf
---------------------------------
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31150
  ssl:
     mode: requireSSL
     CAFile: /home/vagrant/shared/certs/ca.pem
     PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r0"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-1.5/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true

/home/vagrant/shared/mongod5.conf
---------------------------------
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31151
  ssl:
     mode: requireSSL
     CAFile: /home/vagrant/shared/certs/ca.pem
     PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r1"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-1.5/r1/mongodb.log"
  logAppend: true
processManagement:
  fork: true

/home/vagrant/shared/mongod6.conf
---------------------------------
security:
  keyFile: /M310-HW-1.5/m310-keyfile
  clusterAuthMode: x509
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31152
  ssl:
     mode: requireSSL
     CAFile: /home/vagrant/shared/certs/ca.pem
     PEMKeyFile: /home/vagrant/shared/certs/server.pem
storage:
  dbPath: "/M310-HW-1.5/r2"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-1.5/r2/mongodb.log"
  logAppend: true
processManagement:
  fork: true

mongod -f /home/vagrant/shared/mongod4.conf
mongod -f /home/vagrant/shared/mongod5.conf
mongod -f /home/vagrant/shared/mongod6.conf

mongo --host database.m310.mongodb.university --port 31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem

rs.initiate()

use admin
db.createUser({
    user: "will",
    pwd: "$uperAdmin",
    roles: [
      {role: "root", db: "admin"}
    ]
  })
db.auth('will','$uperAdmin')

rs.add("database.m310.mongodb.university:31151")
rs.add("database.m310.mongodb.university:31152")

mongo admin --host database.m310.mongodb.university --port 31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u will -p '$uperAdmin'

----------------------------------
Creating Client.pem user
-------------------------
openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253

vagrant@database:~/shared$ openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253
subject= C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client

db.getSiblingDB("$external").runCommand(
  {
    createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
    roles: [
         { role: "userAdminAnyDatabase", db: "admin" }
           ]
  }
)

mongo --host database.m310.mongodb.university --port 31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u 'C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client' --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
-----------------------------------
Chapter 1: Authentication
Homework 1.5: Enabling Mixed Authentication Mechanisms
Ans:
vagrant@database:~/shared$ ./validate-hw-1.5.sh
{ unauthorizedStatus: {"ok":0,"errmsg":"not authorized on admin to execute command { replSetGetStatus: 1.0 }","code":13}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"], users: [{"_id":"admin.will","roles":[{"role":"root","db":"admin"}]},{"_id":"$external.C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client","roles":[{"role":"userAdminAnyDatabase","db":"admin"}]}] }
vagrant@database:~/shared$

======================================================================================================================================================================
Chapter 1: Authentication
Homework 1.6: Enabling LDAP Authentication on a Replica Set
Ans:
{ unauthorizedStatus: { "ok" : 0, "errmsg" : "not authorized on admin to execute command { replSetGetStatus: 1.0 }", "code" : 13 }, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }

==========================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.1 : Create Users for Different Tasks
================================================

sudo mkdir -p /M310-HW-2.1/{r0,r1,r2}
sudo chown vagrant:vagrant -R /M310-HW-2.1

openssl rand -base64 741 > /M310-HW-2.1/m310-keyfile
chmod 600 /M310-HW-2.1/m310-keyfile

mongod7.conf
------------
security:
  keyFile: /M310-HW-2.1/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31210
storage:
  dbPath: "/M310-HW-2.1/r0"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.1/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true

mongod8.conf
-----------
security:
  keyFile: /M310-HW-2.1/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31211
storage:
  dbPath: "/M310-HW-2.1/r1"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.1/r1/mongodb.log"
  logAppend: true
processManagement:
  fork: true

mongod9.conf
-----------
security:
  keyFile: /M310-HW-2.1/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31212
storage:
  dbPath: "/M310-HW-2.1/r2"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.1/r2/mongodb.log"
  logAppend: true
processManagement:
  fork: true

mongod -f /home/vagrant/shared/mongod7.conf
mongod -f /home/vagrant/shared/mongod8.conf
mongod -f /home/vagrant/shared/mongod9.conf

mongo --host database.m310.mongodb.university --port 31210
rs.initiate()

create users on any database
----------------------------
use admin
db.createUser({
    user: "userAdmin",
    pwd: "badges",
    roles: [
      {role: "userAdminAnyDatabase", db: "admin"}
    ]
  })
db.auth('userAdmin','badges')

mongo admin --host database.m310.mongodb.university --port 31210 -u userAdmin -p badges

configure a replica set and add shards
--------------------------------------
use admin
db.createUser({
    user: "sysAdmin",
    pwd: "cables",
    roles: [
      {role: "clusterManager", db: "admin"}
    ]
  })
db.auth('sysAdmin','cables')

rs.add("database.m310.mongodb.university:31211")
rs.add("database.m310.mongodb.university:31212")

create a collection on any database
-----------------------------------
use admin
db.createUser({
    user: "dbAdmin",
    pwd: "collections",
    roles: [
      {role: "dbAdminAnyDatabase", db: "admin"}
    ]
  })
db.auth('dbAdmin','collections')

insert data on any database
---------------------------
use admin
db.createUser({
    user: "dataLoader",
    pwd: "dumpin",
    roles: [
      {role: "readWriteAnyDatabase", db: "admin"}
    ]
  })
db.auth('dataLoader','dumpin')
--------------------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.1 : Create Users for Different Tasks
---------------------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.1.sh
{"users":[{"user":"dataLoader","roles":[{"role":"readWriteAnyDatabase","db":"admin"}]},{"user":"dbAdmin","roles":[{"role":"dbAdminAnyDatabase","db":"admin"}]},{"user":"sysAdmin","roles":[{"role":"clusterManager","db":"admin"}]},{"user":"userAdmin","roles":[{"role":"userAdminAnyDatabase","db":"admin"}]}],"numMembers":3}

=========================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.2 : Create application specific users
=================================================

sudo mkdir -p /M310-HW-2.2/{r0,r1,r2}
sudo chown vagrant:vagrant -R /M310-HW-2.2

openssl rand -base64 741 > /M310-HW-2.2/m310-keyfile
chmod 600 /M310-HW-2.2/m310-keyfile

mongod11.conf
------------
security:
  keyFile: /M310-HW-2.2/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31220
storage:
  dbPath: "/M310-HW-2.2/r0"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.2/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true

mongod12.conf
-----------
security:
  keyFile: /M310-HW-2.2/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31221
storage:
  dbPath: "/M310-HW-2.2/r1"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.2/r1/mongodb.log"
  logAppend: true
processManagement:
  fork: true

mongod13.conf
-----------
security:
  keyFile: /M310-HW-2.2/m310-keyfile
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31222
storage:
  dbPath: "/M310-HW-2.2/r2"
replication:
  replSetName: m103-repl
systemLog:
  destination: file
  path: "/M310-HW-2.2/r2/mongodb.log"
  logAppend: true
processManagement:
  fork: true

mongod -f /home/vagrant/shared/mongod11.conf
mongod -f /home/vagrant/shared/mongod12.conf
mongod -f /home/vagrant/shared/mongod13.conf

mongo --host database.m310.mongodb.university --port 31220

rs.initiate()

User1 on admin
---------------
use admin
db.createUser({
    user: "admin",
    pwd: "webscale",
    roles: [
      {role: "root", db: "admin"}
    ]
  })
db.auth('admin','webscale') or
mongo admin --host database.m310.mongodb.university --port 31220 -u admin -p webscale

rs.add("database.m310.mongodb.university:31221")
rs.add("database.m310.mongodb.university:31222")

User2 on acme
---------------
use admin
db.createUser({
    user: "reader",
    pwd: "books",
    roles: [
      {role: "read", db: "acme"}
    ]
  })

User3 on acme
---------------
use admin
db.createUser({
    user: "writer",
    pwd: "typewriter",
    roles: [
      {role: "readWrite", db: "acme"}
    ]
  })
---------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.2 : Create application specific users
--------------------------------------
Ans:
-----
vagrant@database:/vagrant/shared$ ./validate-hw-2.2.sh
{"users":[{"user":"admin","roles":[{"role":"root","db":"admin"}]},{"user":"reader","roles":[{"role":"read","db":"acme"}]},{"user":"writer","roles":[{"role":"readWrite","db":"acme"}]}],"numMembers":3}
vagrant@database:/vagrant/shared$

=======================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.3 : Create custom role
=======================================

sudo mkdir -p /M310-HW-2.3/r0
sudo chown vagrant:vagrant -R /M310-HW-2.3

mongod15.conf
-----------
net:
  bindIp: localhost,database.m310.mongodb.university
  port: 31230
storage:
  dbPath: "/M310-HW-2.3/r0"
systemLog:
  destination: file
  path: "/M310-HW-2.3/r0/mongodb.log"
  logAppend: true
processManagement:
  fork: true

mongod -f /home/vagrant/shared/mongod15.conf

mongo --host database.m310.mongodb.university --port 31230

Role1
------
use admin
db.createRole(
   {
     role: "HRDEPARTMENT",
     privileges: [
       { resource: { db: "HR", collection: "" }, actions: [ "find" ] },
       { resource: { db: "HR", collection: "employees"}, actions: [ "insert" ] },
       { resource: { db: "HR", collection: "" }, actions: [ "dropUser" ] }
     ],
     roles: []
   }
)

Role2
------
use admin 
db.createRole(
   {
     role: "MANAGEMENT",
     privileges: [],
     roles: [
       { "role":"dbOwner","db":"HR" }
     ]
   }
)

Role2
------
use admin
db.createRole(
   {
     role: "EMPLOYEEPORTAL",
     privileges: [
       { resource: { db: "HR", collection: "employees" }, actions: [ "find","update" ] },
     ],
     roles: []
   }
)
-----------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.3 : Create custom role
----------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.3.sh
[{"role":"EMPLOYEEPORTAL","inheritedRoles":[],"privileges":[{"resource":{"db":"HR","collection":"employees"},"actions":["find","update"]}]},{"role":"HRDEPARTMENT","inheritedRoles":[],"privileges":[{"resource":{"db":"HR","collection":""},"actions":["dropUser","find"]},{"resource":{"db":"HR","collection":"employees"},"actions":["insert"]}]},{"role":"MANAGEMENT","inheritedRoles":[{"role":"dbOwner","db":"HR"}],"privileges":[]}]
vagrant@database:/vagrant/shared$

===============================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.4 : Create replica with TLS enabled
==============================================
sudo mkdir -p /M310-HW-2.4/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-2.4

mongod18.conf
-------------
security:
   clusterAuthMode: x509
net:
   ssl:
      mode: requireSSL
      CAFile: /home/vagrant/shared/certs/ca.pem
      PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
   replSetName: replwithssl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31240
systemLog:
   destination: file
   path: "/M310-HW-2.4/r0/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-2.4/r0"
processManagement:
   fork: true

mongod19.conf
-------------
security:
   clusterAuthMode: x509
net:
   ssl:
      mode: requireSSL
      CAFile: /home/vagrant/shared/certs/ca.pem
      PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
   replSetName: replwithssl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31241
systemLog:
   destination: file
   path: "/M310-HW-2.4/r1/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-2.4/r1"
processManagement:
   fork: true

mongod20.conf
-------------
security:
   clusterAuthMode: x509
net:
   ssl:
      mode: requireSSL
      CAFile: /home/vagrant/shared/certs/ca.pem
      PEMKeyFile: /home/vagrant/shared/certs/server.pem
replication:
   replSetName: replwithssl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31242
systemLog:
   destination: file
   path: "/M310-HW-2.4/r2/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-2.4/r2"
processManagement:
   fork: true

mongod -f mongod18.conf
mongod -f mongod19.conf
mongod -f mongod20.conf
--------------------------------------------
this works:
------------
mongo --host database.m310.mongodb.university --port 31240 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
rs.initiate(
   {
      _id: "replwithssl",
      version: 1,
      members: [
         { _id: 0, host : "database.m310.mongodb.university:31240" },
         { _id: 1, host : "database.m310.mongodb.university:31241" },
         { _id: 2, host : "database.m310.mongodb.university:31242" }
      ]
   }
)

----------------------------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.4 : Create replica with TLS enabled
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.4.sh
{"numMembers":3}
vagrant@database:/vagrant/shared$
-----------------------------------------------------------
this will not get the answer
-----------------------------
mongo --host database.m310.mongodb.university --port 31240 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem
openssl x509 -in /home/vagrant/shared/certs/client.pem -inform PEM -subject -nameopt RFC2253

rs.initiate()
db.getSiblingDB("$external").runCommand(
  {
    createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
    roles: [
         { role: "root", db: "admin" }
           ]
  }
)
db.getSiblingDB("$external").auth({ user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", mechanism: "MONGODB-X509" })

rs.add("database.m310.mongodb.university:31241")
rs.add("database.m310.mongodb.university:31242")

mongo admin --host database.m310.mongodb.university --port 31240 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem -u 'C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client' --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509
=================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.5 : Update replica set nodes to enable encrypted storage engine
============================================================================
vagrant@database:~/shared$ ./setup-hw-2.5.sh
about to fork child process, waiting until server is ready for connections.
forked process: 16135
child process started successfully, parent exiting
about to fork child process, waiting until server is ready for connections.
forked process: 16152
child process started successfully, parent exiting
about to fork child process, waiting until server is ready for connections.
forked process: 16189
child process started successfully, parent exiting
MongoDB shell version: 3.2.22
connecting to: 127.0.0.1:31250/test
{ "ok" : 1 }
MongoDB shell version: 3.2.22
connecting to: 127.0.0.1:31250/test
WriteResult({ "nInserted" : 1 })
vagrant@database:~/shared$ ps aux | grep mongo
vagrant  16135  1.5  7.2 743452 73656 ?        Sl   15:10   0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r0 --logpath /home/vagrant/M310-HW-2.5/r0/mongo.log.log --port 31250 --replSet UNENCRYPTED --fork
vagrant  16152  1.5  4.7 738324 48764 ?        Sl   15:10   0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r1 --logpath /home/vagrant/M310-HW-2.5/r1/mongo.log.log --port 31251 --replSet UNENCRYPTED --fork
vagrant  16189  1.5  4.4 737292 44792 ?        Sl   15:10   0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r2 --logpath /home/vagrant/M310-HW-2.5/r2/mongo.log.log --port 31252 --replSet UNENCRYPTED --fork
vagrant  16506  0.0  0.0   8868   648 pts/0    S+   15:11   0:00 grep --color=auto mongo
vagrant@database:~/shared$

openssl rand -base64 32 > /home/vagrant/M310-HW-2.5/mongodb-keyfile
chmod 600 /home/vagrant/M310-HW-2.5/mongodb-keyfile

mongo --port 31250
mongo --port 31251
mongo --port 31252

mongo --port 31252
use admin
db.shutdownServer()
cd /home/vagrant/M310-HW-2.5/r2
rm -rf *
mongod --dbpath /home/vagrant/M310-HW-2.5/r2 --logpath /home/vagrant/M310-HW-2.5/r2/mongo.log.log --port 31252 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile

mongo --port 31251
use admin
db.shutdownServer()
cd /home/vagrant/M310-HW-2.5/r1
rm -rf *
mongod --dbpath /home/vagrant/M310-HW-2.5/r1 --logpath /home/vagrant/M310-HW-2.5/r1/mongo.log.log --port 31251 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile

mongo --port 31250
use admin
rs.stepDown()
db.shutdownServer()
cd /home/vagrant/M310-HW-2.5/r0
rm -rf *
mongod --dbpath /home/vagrant/M310-HW-2.5/r0 --logpath /home/vagrant/M310-HW-2.5/r0/mongo.log.log --port 31250 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile

vagrant@database:~/M310-HW-2.5/r0$ ps aux | grep mongo
vagrant  16553  1.9 10.6 807984 108116 ?       SLl  15:25   0:06 mongod --dbpath /home/vagrant/M310-HW-2.5/r2 --logpath /home/vagrant/M310-HW-2.5/r2/mongo.log.log --port 31252 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant  16833  1.8  5.0 814348 50900 ?        SLl  15:29   0:01 mongod --dbpath /home/vagrant/M310-HW-2.5/r1 --logpath /home/vagrant/M310-HW-2.5/r1/mongo.log.log --port 31251 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant  17003  4.6  4.1 519272 41976 ?        SLl  15:30   0:00 mongod --dbpath /home/vagrant/M310-HW-2.5/r0 --logpath /home/vagrant/M310-HW-2.5/r0/mongo.log.log --port 31250 --replSet UNENCRYPTED --fork --enableEncryption --encryptionKeyFile /home/vagrant/M310-HW-2.5/mongodb-keyfile
vagrant  17048  0.0  0.0   8868   648 pts/0    S+   15:30   0:00 grep --color=auto mongo
vagrant@database:~/M310-HW-2.5/r0$

------------------------------------------------------------------------------
Chapter 2: Authorization and Encryption
Homework 2.5 : Update replica set nodes to enable encrypted storage engine
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-2.5.sh
{"doc":{"str":"The quick brown fox jumps over the lazy dog"},"isEnabled":true}
vagrant@database:/vagrant/shared$

=================================================================================================================================================================
Chapter 2: Authorization and Encryption
Homework 2.6 : Configure KMIP backed mongod
============================================
Ans:
-----
{isEnabled: true, usingKMIP: true}

==================================================================================================================================================================
Chapter 3: Auditing and Best Practices #
Homework 3.1 : Enable auditing on replica set #
===============================================
sudo mkdir -p /M310-HW-3.1/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-3.1

sudo mkdir -p ~/M310-HW-3.1/{r0,r1,r2}
sudo chown -R vagrant:vagrant ~/M310-HW-3.1

mongod21.conf
-------------
replication:
   replSetName: auditRepl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31310
systemLog:
   destination: file
   path: "/M310-HW-3.1/r0/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-3.1/r0"
auditLog:
   destination: file
   format: JSON
   path: /home/vagrant/M310-HW-3.1/r0/auditLog.json
processManagement:
   fork: true

mongod22.conf
-------------
replication:
   replSetName: auditRepl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31311
systemLog:
   destination: file
   path: "/M310-HW-3.1/r1/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-3.1/r1"
auditLog:
   destination: file
   format: JSON
   path: /home/vagrant/M310-HW-3.1/r1/auditLog.json
processManagement:
   fork: true

mongod23.conf
-------------
replication:
   replSetName: auditRepl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31312
systemLog:
   destination: file
   path: "/M310-HW-3.1/r2/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-3.1/r2"
auditLog:
   destination: file
   format: JSON
   path: /home/vagrant/M310-HW-3.1/r2/auditLog.json
processManagement:
   fork: true

mongod -f mongod21.conf
mongod -f mongod22.conf
mongod -f mongod23.conf

mongo --host database.m310.mongodb.university --port 31310 
rs.initiate()
rs.add("database.m310.mongodb.university:31311")
rs.add("database.m310.mongodb.university:31312")
---------------------------------------------------
Chapter 3: Auditing and Best Practices
Homework 3.1 : Enable auditing on replica set
--------------------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-3.1.sh
{ numMembers: 3, auditLog: 1 }
vagrant@database:/vagrant/shared$

=======================================================================================================================================
Chapter 3: Auditing and Best Practices
Homework 3.2 : Change audit filters to audit specific user
===============================================================

sudo mkdir -p /M310-HW-3.2/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-3.2

sudo mkdir -p ~/M310-HW-3.2/{r0,r1,r2}
sudo chown -R vagrant:vagrant ~/M310-HW-3.2

mongod24.conf
-------------
replication:
   replSetName: auditRepl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31320
systemLog:
   destination: file
   path: "/M310-HW-3.2/r0/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-3.2/r0"
auditLog:
   destination: file
   format: JSON
   path: /home/vagrant/M310-HW-3.2/r0/auditLog.json
   filter: '{ users: { user: "steve", db: "admin" } }'
setParameter: {auditAuthorizationSuccess: true}
processManagement:
   fork: true

mongod25.conf
-------------
replication:
   replSetName: auditRepl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31321
systemLog:
   destination: file
   path: "/M310-HW-3.2/r1/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-3.2/r1"
auditLog:
   destination: file
   format: JSON
   path: /home/vagrant/M310-HW-3.2/r1/auditLog.json
   filter: '{ users: { user: "steve", db: "admin" } }'
setParameter: {auditAuthorizationSuccess: true}
processManagement:
   fork: true

mongod26.conf
-------------
replication:
   replSetName: auditRepl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31322
systemLog:
   destination: file
   path: "/M310-HW-3.2/r2/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-3.2/r2"
auditLog:
   destination: file
   format: JSON
   path: /home/vagrant/M310-HW-3.2/r2/auditLog.json
   filter: '{ users: { user: "steve", db: "admin" } }'
setParameter: {auditAuthorizationSuccess: true}
processManagement:
   fork: true

mongod -f mongod24.conf
mongod -f mongod25.conf
mongod -f mongod26.conf

mongo --host database.m310.mongodb.university --port 31320 
rs.initiate()
rs.add("database.m310.mongodb.university:31321")
rs.add("database.m310.mongodb.university:31322")

use admin
db.createUser({
    user: "steve",
    pwd: "secret",
    roles: [
      {role: "root", db: "admin"}
    ]
  })
-----------------------------------------------------------
Chapter 3: Auditing and Best Practices
Homework 3.2 : Change audit filters to audit specific user
-----------------------------------------------------------
Ans:
----
vagrant@database:~/shared$ ./validate-hw-3.2.sh
{ numMembers: 3, auditLog1: 1, auditLog2: 0 }
vagrant@database:~/shared$
--------------------------------------------------
=============================================================================================================================================================
Chapter 3: Auditing and Best Practices
Homework 3.3 : Enable DML audit
========================================

sudo mkdir -p /M310-HW-3.3/{r0,r1,r2}
sudo chown -R vagrant:vagrant /M310-HW-3.3

sudo mkdir -p ~/M310-HW-3.3/{r0,r1,r2}
sudo chown -R vagrant:vagrant ~/M310-HW-3.3

mongod27.conf
-------------
replication:
   replSetName: auditRepl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31330
systemLog:
   destination: file
   path: "/M310-HW-3.3/r0/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-3.3/r0"
auditLog:
   destination: file
   format: JSON
   path: /home/vagrant/M310-HW-3.3/r0/auditLog.json
setParameter: {auditAuthorizationSuccess: true}
processManagement:
   fork: true

mongod28.conf
-------------
replication:
   replSetName: auditRepl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31331
systemLog:
   destination: file
   path: "/M310-HW-3.3/r1/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-3.3/r1"
auditLog:
   destination: file
   format: JSON
   path: /home/vagrant/M310-HW-3.3/r1/auditLog.json
setParameter: {auditAuthorizationSuccess: true}
processManagement:
   fork: true

mongod29.conf
-------------
replication:
   replSetName: auditRepl
net:
   bindIp: localhost,database.m310.mongodb.university
   port: 31332
systemLog:
   destination: file
   path: "/M310-HW-3.3/r2/mongodb.log"
   logAppend: true
storage:
   dbPath: "/M310-HW-3.3/r2"
auditLog:
   destination: file
   format: JSON
   path: /home/vagrant/M310-HW-3.3/r2/auditLog.json
setParameter: {auditAuthorizationSuccess: true}
processManagement:
   fork: true

mongod -f mongod27.conf
mongod -f mongod28.conf
mongod -f mongod29.conf

mongo --host database.m310.mongodb.university --port 31330
rs.initiate()
rs.add("database.m310.mongodb.university:31331")
rs.add("database.m310.mongodb.university:31332")
---------------------------------------------------------
Chapter 3: Auditing and Best Practices
Homework 3.3 : Enable DML audit
---------------------------------------
Ans:
----
vagrant@database:/vagrant/shared$ ./validate-hw-3.3.sh
{ numMembers: 3, auditLog: 1 }
vagrant@database:/vagrant/shared$
---------------------------------------------------------
=================================================================================================================================================================
Final Exam
===========
Question 1
==========
Ans:
----
Enabling auditing on MongoDB Enterprise will decrease database performance.

Question 2
==========
Solution:
---------
openssl x509 -in /home/vagrant/shared/certs/client.pem -text -nameopt RFC2253
Ans:
----
vagrant@database:/vagrant/shared$ openssl x509 -in /home/vagrant/shared/certs/client.pem -text -nameopt RFC2253
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 266611 (0x41173)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US,ST=New York,L=New York City,O=MongoDB,OU=University,CN=localhost
        Validity
            Not Before: Nov  7 20:03:00 2016 GMT
            Not After : Nov  7 20:03:00 2036 GMT
        Subject: C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:94:45:9e:e1:54:26:69:2c:d7:c5:a4:f8:f5:17:
                    52:07:80:77:23:a0:7a:10:3e:ae:11:54:5d:3e:05:
                    96:f4:4e:44:22:89:9a:cc:ae:ef:ba:a3:92:e6:b7:
                    f7:13:3b:b6:95:8e:f0:7f:04:75:b1:c8:65:e3:d2:
                    04:22:76:99:2c:d6:5d:54:83:4a:83:43:b5:25:99:
                    df:d2:fd:51:64:d0:b9:d9:66:0a:8f:65:c7:69:70:
                    6f:13:9c:71:f4:08:06:b5:da:40:66:3d:a9:9d:ed:
                    a8:c7:81:df:3d:3a:b6:47:21:39:de:a5:83:f1:c2:
                    15:07:86:0e:74:26:ee:0e:67:07:6b:c0:9f:aa:91:
                    ee:14:77:28:67:e0:ae:95:29:c8:91:dc:55:a9:4f:
                    cc:98:b8:34:fe:87:c7:f5:c4:84:4c:d4:2e:d6:e5:
                    45:55:f6:0e:dd:16:fb:bb:d1:3c:e0:d8:fc:0b:d6:
                    8f:79:19:42:56:38:35:27:c6:3e:6f:85:e9:39:3e:
                    4a:e8:26:f5:e3:36:c5:15:0d:5c:6e:bf:df:21:31:
                    e9:f9:d1:69:00:ba:ae:ab:73:90:c3:96:02:3d:b3:
                    6d:c6:58:14:35:f9:1f:79:88:03:71:83:67:62:d1:
                    a1:e4:4e:4d:3f:f2:c2:09:fd:00:af:dc:b6:0a:2c:
                    a0:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, DNS:database.m310.mongodb.university, DNS:infrastructure.m310.mongodb.university
    Signature Algorithm: sha1WithRSAEncryption
         01:90:dc:e0:2b:04:5d:9e:f0:ba:66:ee:cf:db:63:ee:dc:96:
         ba:6e:3c:d3:e6:74:1b:17:11:1c:98:a0:1b:97:d1:54:a4:3d:
         a9:99:14:5c:b2:22:97:56:5b:aa:d2:83:5a:37:c4:7d:73:73:
         8a:dd:7b:21:b9:9f:a4:dc:f2:b4:5e:42:39:ad:20:98:51:b9:
         d9:aa:e9:1f:3d:ac:5a:55:df:01:2b:93:45:ac:c3:43:c3:5e:
         58:5c:98:fa:e7:07:8c:c6:f7:3d:f4:44:32:28:d5:e7:7b:ae:
         f0:9f:46:fb:b4:17:92:55:c2:fa:b9:ac:65:89:ae:55:0b:ee:
         6c:25:05:3c:4b:87:1b:4e:d2:72:9d:c0:07:76:30:5f:e2:ed:
         aa:f5:61:af:92:20:5e:ff:71:c5:5d:51:54:2c:92:4e:0e:70:
         5b:c4:00:81:5f:9b:07:3d:98:7a:b5:2f:c3:fd:a3:3b:14:c8:
         a6:7c:ff:b7:dd:c6:c3:f3:17:aa:d5:c6:88:22:d7:ee:c2:25:
         cf:9f:80:96:cf:c6:a2:86:65:4c:69:21:9b:06:a8:ab:6a:da:
         bf:a6:6f:9c:3a:f5:d6:18:62:32:89:29:bb:f3:3b:84:f0:a3:
         18:4d:a5:16:8c:04:c8:34:68:f7:09:f0:e9:0d:67:8d:9b:a2:
         e3:37:b4:9a
-----BEGIN CERTIFICATE-----
MIIDzjCCAragAwIBAgIDBBFzMA0GCSqGSIb3DQEBBQUAMHMxEjAQBgNVBAMTCWxv
Y2FsaG9zdDETMBEGA1UECxMKVW5pdmVyc2l0eTEQMA4GA1UEChMHTW9uZ29EQjEW
MBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsxCzAJBgNV
BAYTAlVTMB4XDTE2MTEwNzIwMDMwMFoXDTM2MTEwNzIwMDMwMFowdjEUMBIGA1UE
AxMLTTMxMCBDbGllbnQxFDASBgNVBAsTC1VuaXZlcnNpdHkyMRAwDgYDVQQKEwdN
b25nb0RCMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9y
azELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCU
RZ7hVCZpLNfFpPj1F1IHgHcjoHoQPq4RVF0+BZb0TkQiiZrMru+6o5Lmt/cTO7aV
jvB/BHWxyGXj0gQidpks1l1Ug0qDQ7Ulmd/S/VFk0LnZZgqPZcdpcG8TnHH0CAa1
2kBmPamd7ajHgd89OrZHITnepYPxwhUHhg50Ju4OZwdrwJ+qke4Udyhn4K6VKciR
3FWpT8yYuDT+h8f1xIRM1C7W5UVV9g7dFvu70Tzg2PwL1o95GUJWODUnxj5vhek5
PkroJvXjNsUVDVxuv98hMen50WkAuq6rc5DDlgI9s23GWBQ1+R95iANxg2di0aHk
Tk0/8sIJ/QCv3LYKLKDtAgMBAAGjaDBmMGQGA1UdEQRdMFuCCWxvY2FsaG9zdIcE
fwAAAYIgZGF0YWJhc2UubTMxMC5tb25nb2RiLnVuaXZlcnNpdHmCJmluZnJhc3Ry
dWN0dXJlLm0zMTAubW9uZ29kYi51bml2ZXJzaXR5MA0GCSqGSIb3DQEBBQUAA4IB
AQABkNzgKwRdnvC6Zu7P22Pu3Ja6bjzT5nQbFxEcmKAbl9FUpD2pmRRcsiKXVluq
0oNaN8R9c3OK3XshuZ+k3PK0XkI5rSCYUbnZqukfPaxaVd8BK5NFrMNDw15YXJj6
5weMxvc99EQyKNXne67wn0b7tBeSVcL6uaxlia5VC+5sJQU8S4cbTtJyncAHdjBf
4u2q9WGvkiBe/3HFXVFULJJODnBbxACBX5sHPZh6tS/D/aM7FMimfP+33cbD8xeq
1caIItfuwiXPn4CWz8aihmVMaSGbBqiratq/pm+cOvXWGGIyiSm78zuE8KMYTaUW
jATINGj3CfDpDWeNm6LjN7Sa
-----END CERTIFICATE-----
vagrant@database:/vagrant/shared$

Question 3
==========
Solution:
---------
openssl x509 -in /home/vagrant/shared/certs/client.pem -text -nameopt RFC2253
Ans:
----
db.products.findOne({product: 'Door Hinge'})
db.products.insertOne({product: 'Basket'})
db.products.find({product: 'Candle'})
db.products.insert({product: 'Amplifier'})

Question 4
==========
Ans:
----
{
  role: "senior-engineer",
  privileges: [],
  roles: [ "dbAdmin" ]
}

Question 5
==========
MongoDB drivers will send LDAP credentials to a connected mongod in plain text.
MONGODB-CR still exists in MongoDB only for backwards compatibility reasons.
It is a best practice to leave the HTTP status interface disabled in production.

Question 6
==========
Encryption at rest is a four step process: generate a master key, generate keys for each database, encrypt each database with the database keys, and encrypt the database keys with the master key.
The localhost exception applies to a replica set and sharded cluster environments.
Internal authentication via X.509 certificates will enable MongoDB's role-based access control authorization system.

Question 7
==========
MongoDB stores user-defined role information in the system.roles collection in the admin database.
The subject of a client certificate acts as the "user" when authenticating with X.509 certificates.
When auditing is enabled on MongoDB Enterprise, the --auditFormat BSON option has much better performance than the --auditFormat JSON option.

==================================================================================================================================================

No comments:

Post a Comment