Activating the User Authentication¶
Caution - installation and configuration order
Mind the order of installation and configuration. The installation of the complete system including all its components, i. e. PLOSSYS Output Engine, SEAL Operator, easyPRIMA, and others, must be finished before you start to configure the user authentication.
Getting the Master Node¶
Find the master node in the MongoDB cluster:
mongosh --quiet --host `hostname` --tls --tlsAllowInvalidCertificates -eval 'rs.isMaster()'
Example - result of the above command to get the master node
The hosts
entry contains a list of all known cluster nodes and the primary
entry contains the host name of the master node.
{
"topologyVersion" : {
"processId" : ObjectId("62da51692acff423bc8b8a92"),
"counter" : NumberLong(4)
},
"hosts" : [
"db:27017",
"db2:27017",
"db3:27017"
],
"setName" : "rs",
"setVersion" : 5,
"ismaster" : false,
"secondary" : true,
"primary" : "db3:27017",
"me" : "db:27017",
"lastWrite" : {
"opTime" : {
"ts" : Timestamp(1658474882, 1),
"t" : NumberLong(20)
},
"lastWriteDate" : ISODate("2022-07-22T07:28:02Z"),
"majorityOpTime" : {
"ts" : Timestamp(1658474872, 2),
"t" : NumberLong(20)
},
"majorityWriteDate" : ISODate("2022-07-22T07:27:52Z")
},
"maxBsonObjectSize" : 16777216,
"maxMessageSizeBytes" : 48000000,
"maxWriteBatchSize" : 100000,
"localTime" : ISODate("2022-07-22T07:28:02.477Z"),
"logicalSessionTimeoutMinutes" : 30,
"connectionId" : 9,
"minWireVersion" : 0,
"maxWireVersion" : 13,
"readOnly" : false,
"ok" : 1,
"$clusterTime" : {
"clusterTime" : Timestamp(1658474882, 1),
"signature" : {
"hash" : BinData(0,"hgMLa+1zoaSPY1zOSOsiS1yr0bQ="),
"keyId" : NumberLong("7116508179495649285")
}
},
"operationTime" : Timestamp(1658474882, 1)
}
Single System and Replica Set Primary¶
The user authentication of MongoDB is disabled by default. Activate the user authentication to enhance the security.
Execute the following shell script as administrator and follow the instructions:
/opt/seal/seal-mongodb/secure-mongo.sh
The script creates a random password, please read the output of the script for the password.
The user for accessing the different databases is plossys
, the user for administration tasks is root
.
Example - configuration of PLOSSYS Output Engine
service:
any:
tag:
any:
MONGO_JOBS_URL: mongodb://plossys:<the random passwort>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-jobs?replicaSet=p5
MONGO_PRINTERS_URL: mongodb://plossys:<the random passwort>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-printers?replicaSet=p5
MONGO_EVENTS_URL: mongodb://plossys:<the random passwort>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-events?replicaSet=p5
MONGO_NOTIFICATIONS_URL: mongodb://plossys:<the random passwort>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-notifications?replicaSet=p5
MONGO_PREPROCESS_URL: mongodb://plossys:<the random passwort>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-preprocess?replicaSet=p5
MONGO_CONFIGS_URL: mongodb://plossys:<the random passwort>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-configs?replicaSet=p5
MONGO_LOCKS_URL: mongodb://plossys:<the random passwort>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-locks?replicaSet=p5
MONGO_ACTIONS_URL: mongodb://plossys:<the random passwort>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-actions?replicaSet=p5
Example - configuration of SEAL Operator
service:
any:
tag:
any:
MONGO_SERVER_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/operator-server
MONGO_FILEUPLOAD_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/operator-fileupload
MONGO_PREPROCESS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/preprocess
Example - calling MongoDB client
mongosh --tls --tlsAllowInvalidCertificates -u root -p <the random password> -eval 'rs.status()'
Secondary Members of the Replica Set¶
-
On the secondary member, create the
/opt/seal/secure/
directory, if not yet existing:sudo mkdir /opt/seal/secure sudo chown seal:seal /opt/seal/secure sudo mv /path/to/mongod.keyfile /opt/seal/secure sudo chown mongod:mongod /opt/seal/secure/mongod.keyfile sudo chmod 0400 /opt/seal/secure/mongod.keyfile
-
Copy the key file created by
secure-mongo.sh
to the replica set primary/opt/seal/secure/mongod.keyfile
into the same directory on your current member of the replica set:
/opt/seal/secure
-
Add the following lines to the
/opt/seal/etc/mongod.conf
file:security: authorization: enabled keyFile: /opt/seal/secure/mongod.keyfile
-
Restart MongoDB:
sudo systemctl restart mongod
-
Proceed with step 1 on the next member of the replica set.