Enforce Keyfile Access Control in a Replica Set without Downtime
On this page
Overview
To secure against unauthorized access, enforce authentication for your deployments. Authentication for replica sets consists of internal authentication among the replica set members, and user access control for clients connecting to the replica set.
If your deployment does not enforce authentication, MongoDB 3.4+ provides the --transitionToAuth option for performing a no-downtime upgrade to enforcing authentication.
New in version 3.4: MongoDB 3.2 and earlier do not support a no-downtime upgrade to enforce authentication. See Enforce Keyfile Access Control in a Replica Set for enforcing authentication in an existing MongoDB 3.2 replica set.
This tutorial uses the keyfile internal authentication mechanism for internal security, and SCRAM-based role-based access controls for client connections.
Cloud Manager and Ops Manager
If you are using Cloud Manager or Ops Manager to manage your deployment, see the respective Cloud Manager manual or the Ops Manager manual to enforce authentication.
Architecture
This tutorial assumes that your replica set can elect a new primary after stepping down the existing primary replica set member. This requires:
- A majority of voting replica set members available after stepping down the primary.
- At least one secondary member that is not delayed, hidden, or Priority 0.
Transition State
A mongod running with --transitionToAuth accepts both authenticated and non-authenticated connections. Clients connected to the mongod during this transition state can perform read, write, and administrative operations on any database.
Client Access
At the end of the following procedure, the replica set rejects any client attempting to make a non-authenticated connection. The procedure creates users for client applications to use when connecting to the replica set.
See ➤ Configure Role-Based Access Control for user creation and management best practices.
IP Binding
Changed in version 3.6.
Starting with MongoDB 3.6, MongoDB binaries, mongod and mongos, bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.
Enforce Keyfile Access Control on Existing Replica Set
1
Create the user administrator.
Connect to the primary to create a user with userAdminAnyDatabase role. The userAdminAnyDatabase role grants access to user creation on any database in the deployment.
The following example creates the user fred with the userAdminAnyDatabase role on the admin database.
Important
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
admin = db.getSiblingDB("admin")
admin.createUser(
{
user: "fred",
pwd: "changeme1",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
At the completion of this procedure, any client that administers users in the replica set must authenticate as this user, or a user with similar permissions.
See Database User Roles for a full list of built-in roles and related to database administration operations.
2
Create the cluster administrator.
Connect to the primary to create a user with clusterAdmin role. The clusterAdmin role grants access to replication operations, such as configuring the replica set.
The following example creates the user ravi with the clusterAdmin role on the admin database.
Important
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
db.getSiblingDB("admin").createUser(
{
"user" : "ravi",
"pwd" : "changeme2",
roles: [ { "role" : "clusterAdmin", "db" : "admin" } ]
}
)
At the completion of this procedure, any client that administrates or maintains the replica set must authenticate as this user, or a user with similar permissions.
See Cluster Administration Roles for a full list of built-in roles related to replica set operations.
3
Create users for client applications.
Create users to allow client application to connect and interact with the replica set. At the completion of this tutorial, clients must authenticate as a configured user to connect to the replica set.
See Database User Roles for basic built-in roles to use in creating read-only and read-write users.
The following creates a user with read and write permissions on the foo database.
Important
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
Create a user with the readWrite role in the foo database.
db.getSiblingDB("foo").createUser(
{
"user" : "joe",
"pwd" : "changeme2",
roles: [ { "role" : "readWrite", "db" : "foo" } ]
}
)
Clients authenticating as this user can perform read and write operations against the foo database. See Authenticate a User for more on creating an authenticated connection to the replica set.
See the Add Users tutorial for more information on adding users. Consider security best practices when adding new users.
4
Update Client Applications
At this point in the procedure, the replica set does not enforce authentication. However, client applications can still specify auth credentials and connect to the replica set.
Update client applications to authenticate to the replica set using a configured user. Authenticated connections require a username, password, and the authentication database. See Authenticate a User.
For example, the following connects to a replica set named mongoRepl and authenticates as the user joe.
mongo -u joe -password changeme2 -authenticationDatabase foo --host mongoRepl/mongo1.example.net:27017, mongo2.example.net:27017, mongo3.example.net:27017
If your application uses a MongoDB driver, see the associated driver documentation for instructions on creating an authenticated connection.
At the completion of this tutorial, the replica set rejects non-authenticated client connections. Performing this step now ensures clients can connect to the replica set before and after the transition.
5
Create a keyfile.
With keyfile authentication, each mongod instances in the replica set uses the contents of the keyfile as the shared password for authenticating other members in the deployment. Only mongod instances with the correct keyfile can join the replica set.
The content of the keyfile must be between 6 and 1024 characters long and must be the same for all members of the replica set.
Note
On UNIX systems, the keyfile must not have group or world permissions. On Windows systems, keyfile permissions are not checked.
You can generate a keyfile using any method you choose. For example, the following operation uses openssl to generate a complex pseudo-random 1024 character string to use for a keyfile. It then uses chmod to change file permissions to provide read permissions for the file owner only:
openssl rand -base64 756 > <path-to-keyfile>
chmod 400 <path-to-keyfile>
See Keyfiles for additional details and requirements for using keyfiles.
6
Copy the keyfile to each replica set member.
Copy the keyfile to each server hosting the replica set members. Ensure that the user running the mongod instances is the owner of the file and can access the keyfile.
Avoid storing the keyfile on storage mediums that can be easily disconnected from the hardware hosting the mongod instances, such as a USB drive or a network attached storage device.
7