Authentication

Authentication refers to verifying the identity of a client. This prevents the impersonation of someone in order to gain access to their data.

The simplest way to authenticate is by using a username and password pair. This can be done via the shell in two ways, the first of which is as follows:

> db.auth( <username>, <password> )

Passing in a comma-separated username and password assumes the default values for the rest of the fields. The second way is to pass a document, as follows:

> db.auth( {
user: <username>,
pwd: <password>,
mechanism: <authentication mechanism>,
digestPassword: <boolean>
} )

If we pass a document object, we can define more parameters than username/password.

The (authentication) mechanism parameter can take several different values, with the default being SCRAM-SHA-1. The parameter value MONGODB-CR is used for backwards compatibility with versions earlier than 3.0.

MONGODB-X509 is used for TLS/SSL authentication. Users and internal replica set members can be authenticated using SSL certificates, which are either self-generated and self-signed or issued by a trusted third-party certificate authority.

To configure x.509 for internal authentication of replica set members, we need to supply one of the following parameters.

The following is for the configuration file:

security.clusterAuthMode / net.ssl.clusterFile

The following is used on the command line:

--clusterAuthMode and --sslClusterFile

> mongod --replSet <name> --sslMode requireSSL --clusterAuthMode x509 --sslClusterFile <path to membership certificate and key PEM file> --sslPEMKeyFile <path to SSL certificate and key PEM file> --sslCAFile <path to root CA PEM file>
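The same replica set member can be configured through the configuration file instead of the command line. The following is an added example, not taken from the book: it maps each option of the mongod command above onto its configuration-file key. security.clusterAuthMode and net.ssl.clusterFile are the keys named in the text; net.ssl.mode, net.ssl.PEMKeyFile, net.ssl.CAFile and replication.replSetName are the standard mongod keys for the remaining options (in MongoDB 4.2 and later the net.ssl section is spelled net.tls). The replica set name and the PEM paths are placeholders.

```yaml
# Added example: configuration-file equivalent of
#   mongod --replSet <name> --sslMode requireSSL --clusterAuthMode x509 \
#          --sslClusterFile ... --sslPEMKeyFile ... --sslCAFile ...
# All paths and <name> are placeholders to be replaced for a real deployment.

replication:
  replSetName: <name>                 # --replSet

net:
  ssl:
    mode: requireSSL                  # --sslMode: every connection must use TLS/SSL
    PEMKeyFile: /etc/ssl/mongodb/<server-cert-and-key>.pem   # --sslPEMKeyFile
    CAFile: /etc/ssl/mongodb/<root-ca>.pem                   # --sslCAFile
    clusterFile: /etc/ssl/mongodb/<membership-cert-and-key>.pem  # --sslClusterFile

security:
  clusterAuthMode: x509               # --clusterAuthMode: members authenticate with certificates
```

Start the member with `mongod --config <path to this file>`. Because every member presents its membership certificate to its peers and validates theirs against the CA in CAFile, all members of the set must be issued certificates from that same CA and must all carry this configuration; a member that lacks it will be refused by the others once x509 cluster authentication is required.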

MongoDB Enterprise Edition, the paid offering from MongoDB, Inc., adds two more options for authentication, as follows:

  • The first added option is Generic Security Service Application Program Interface (GSSAPI) Kerberos. Kerberos is a mature and robust authentication system that can be used for Windows-based Active Directory deployments, among others.
  • The second added option is PLAIN (LDAP SASL). LDAP is just like Kerberos: a mature and robust authentication mechanism. The main consideration when using the PLAIN authentication mechanism is that the credentials are transmitted in plain text over the wire. This means that we should secure the path between the client and server via a VPN or a TLS/SSL connection to prevent a man-in-the-middle from stealing our credentials.