. . .

MongoDB Authentication

MongoDB does not use authentication by default. Enabling authentication is highly recommended in production systems! The following steps will guide through a simple authentication setup sufficient for ApiOmat installations. For more information about MongoDB authentication see https://docs.mongodb.com/manual/core/authentication/.

Authentication change in MongoDB 3

In MongoDB version 3.0, the default authentication method changed from MONGODB-CR to SCRAM-SHA-1 . Both variants are implemented in ApiOmat in version 2.5.3 and newer. If using older versions of ApiOmat, you have to change the authentication scheme in MongoDB as described in the last part of this page.

  1. Create a keyfile containing a basic key. A key’s length must be between 6 and 1024 characters and may only contain characters in the base64 set. The key file must not have group or world permissions on UNIX systems. Key file permissions are not checked on Windows systems.


    openssl rand -base64 741 > mongodb-keyfile
    chown mongodb:mongodb mongodb-keyfile
    chmod 600 mongodb-keyfile

  2. Edit /etc/mongod.conf and add a line

    ...
    security:
    keyFile: /path/to/mongodb-keyfile
    ...

  3. Restart mongodb

  4. Create a system administrator in mongod:

    use admin
    db.createUser(
    {
    user: "siteUserAdmin",
    pwd: "password",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
    }
    )
    exit

  5. Try to open a collection on apiomat database:

    > mongo apiomat
    MongoDB shell version: 2.6.7
    connecting to: apiomat
    > db.Customer.find()

    The error { "$err" : "not authorized for query on apiomat.Customer", "code" : 13 } must show up.

  6. Login as admin:

    mongo -u siteUserAdmin -p password --authenticationDatabase admin

  7. Create an ApiOmat user; root role is required to gain access to all created databases:

    use admin
    db.createUser(
    {
    user: "apiomat",
    pwd: "12345678",
    roles: [ "root" ]
    }
    )

  8. Set up the password in apiomat.yaml:

    yambas:
    mongodb:
    userName: apiomat
    userPassword:
    default: 12345678
    #live:
    #staging:
    #test:  

    For a replication setup, see https://docs.mongodb.org/v3.0/tutorial/enable-internal-authentication/

Possible problems (Authentication scheme)

  • If you start the tomcat and in the log the message "MongoFacade - Error ensure indexes, dbName apiomat ..." occurs, than in the mongodb-log you get the message "Failed to authenticate". To solve this problem, you have to delete all users and change the scheme from version 5 to 3.

    mongo
    use admin
    db.system.users.remove({})
    db.system.version.remove({})
    db.system.version.insert({ "_id" : "authSchema", "currentVersion" : 3})

    Now you have to restart the mongodb and create a new user and go on with step 7.

* link only available in Enterprise Documentation