Task #25083

Remote authenticated MongoDB access on dune-apa-dbdev VMs

Added by Natalia Ratnikova about 1 month ago. Updated about 1 month ago.

Status: Resolved
Priority: High
Start date: 10/16/2020
Due date: 10/16/2020
% Done: 100%
Estimated time: 1.00 h
Spent time: Duration: 1

Description

Work with sysadmins in RITM1028147 to secure MongoDB server authentication
and configure remote access from within Fermilab subnet.

History

#1 Updated by Natalia Ratnikova about 1 month ago

  • Estimated time set to 1.00 h
  • % Done changed from 0 to 10
  • Due date set to 10/16/2020

Test service restart and config updates

Log in to the host, start mongo client. Initial authentication state:

[natasha@dune-apa-dbdev02 ~]$ mongo
MongoDB shell version v4.4.1
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("1725f08d-6a94-4fee-b648-5c225e35b0c9") }
MongoDB server version: 4.4.1
---
The server generated these startup warnings when booting: 
        2020-10-14T11:41:17.511-05:00: ***** SERVER RESTARTED *****
        2020-10-14T11:41:18.486-05:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
        2020-10-14T11:41:18.486-05:00: /sys/kernel/mm/transparent_hugepage/enabled is 'always'. We suggest setting it to 'never'
---
---
        Enable MongoDB's free cloud-based monitoring service, which will then receive and display
        metrics about your deployment (disk utilization, CPU, operation statistics, etc).

        The monitoring data will be available on a MongoDB website with a unique URL accessible to you
        and anyone you share the URL with. MongoDB may use this information to make product
        improvements and to suggest MongoDB products and deployment options to you.

        To enable free monitoring, run the following command: db.enableFreeMonitoring()
        To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
> db.runCommand({connectionStatus : 1})
{
    "authInfo" : {
        "authenticatedUsers" : [ ],
        "authenticatedUserRoles" : [ ]
    },
    "ok" : 1
}

Try server status and restart:

[natasha@dune-apa-dbdev02 ~]$ sudo systemctl status mongod 
● mongod.service - MongoDB Database Server
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-10-14 11:41:18 CDT; 2 days ago
     Docs: https://docs.mongodb.org/manual
  Process: 256355 ExecStart=/usr/bin/mongod $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 256351 ExecStartPre=/usr/bin/chmod 0755 /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 256349 ExecStartPre=/usr/bin/chown mongod:mongod /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 256347 ExecStartPre=/usr/bin/mkdir -p /var/run/mongodb (code=exited, status=0/SUCCESS)
 Main PID: 256357 (mongod)
   Memory: 206.9M
   CGroup: /system.slice/mongod.service
           └─256357 /usr/bin/mongod -f /etc/mongod.conf

Oct 14 11:41:17 dune-apa-dbdev02.fnal.gov systemd[1]: Starting MongoDB Database Server...
Oct 14 11:41:17 dune-apa-dbdev02.fnal.gov mongod[256355]: about to fork child process, waiting until server is ready for connections.
Oct 14 11:41:17 dune-apa-dbdev02.fnal.gov mongod[256355]: forked process: 256357
Oct 14 11:41:18 dune-apa-dbdev02.fnal.gov mongod[256355]: child process started successfully, parent exiting
Oct 14 11:41:18 dune-apa-dbdev02.fnal.gov systemd[1]: Started MongoDB Database Server.
[natasha@dune-apa-dbdev02 ~]$
[natasha@dune-apa-dbdev02 ~]$ sudo systemctl restart mongod 
[natasha@dune-apa-dbdev02 ~]$ sudo systemctl status mongod 
● mongod.service - MongoDB Database Server
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-10-16 12:25:34 CDT; 2s ago
     Docs: https://docs.mongodb.org/manual
  Process: 577221 ExecStart=/usr/bin/mongod $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 577219 ExecStartPre=/usr/bin/chmod 0755 /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 577217 ExecStartPre=/usr/bin/chown mongod:mongod /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 577214 ExecStartPre=/usr/bin/mkdir -p /var/run/mongodb (code=exited, status=0/SUCCESS)
 Main PID: 577223 (mongod)
   Memory: 171.9M
   CGroup: /system.slice/mongod.service
           └─577223 /usr/bin/mongod -f /etc/mongod.conf

Oct 16 12:25:33 dune-apa-dbdev02.fnal.gov systemd[1]: Stopped MongoDB Database Server.
Oct 16 12:25:33 dune-apa-dbdev02.fnal.gov systemd[1]: Starting MongoDB Database Server...
Oct 16 12:25:33 dune-apa-dbdev02.fnal.gov mongod[577221]: about to fork child process, waiting until server is ready for connections.
Oct 16 12:25:33 dune-apa-dbdev02.fnal.gov mongod[577221]: forked process: 577223
Oct 16 12:25:34 dune-apa-dbdev02.fnal.gov mongod[577221]: child process started successfully, parent exiting
Oct 16 12:25:34 dune-apa-dbdev02.fnal.gov systemd[1]: Started MongoDB Database Server.
[natasha@dune-apa-dbdev02 ~]$ date
Fri Oct 16 12:25:43 CDT 2020
[natasha@dune-apa-dbdev02 ~]$
> show users
> db.createUser(
... {
... user: "superuser",
... pwd: passwordPrompt(),
... roles: ["root"]
... }
... )
Enter password: 
Successfully added user: { "user" : "superuser", "roles" : [ "root" ] }
> show users
{
    "_id" : "admin.superuser",
    "userId" : UUID("4ab7abc8-36eb-4168-b1f1-4af272f74d36"),
    "user" : "superuser",
    "db" : "admin",
    "roles" : [
        {
            "role" : "root",
            "db" : "admin" 
        }
    ],
    "mechanisms" : [
        "SCRAM-SHA-1",
        "SCRAM-SHA-256" 
    ]
}
> 

Initiated git repo in /home/natasha/CODE/configuration, to track modifications to the /etc/mongod.conf file.

Enabled authentication and remote access, and restarted the server.

Also tried to enable auditLog, unsuccessfully, as this feature is only available on cloud Atlas, or in Enterprise edition.

Tested remote access from integration cluster.
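
A check for the two /etc/mongod.conf settings changed in the update above (authentication and the listening address), as an added example that is not part of the original ticket. The ticket does not show the file itself, so the sample configs, the 192.0.2.10 address and the finding codes are constructed for illustration.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"0.0.0.0", "::"}
# Constructed sample configs (not the host's real file).
BEFORE = """\
net:
  port: 27017
  bindIp: 127.0.0.1
#security:
"""
AFTER = """\
net:
  port: 27017
  bindIp: 127.0.0.1,192.0.2.10  # 192.0.2.10 is a placeholder for the host address
security:
  authorization: enabled
"""

def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML used by mongod.conf.
    Nested subsections are flattened, which is enough for the keys checked here."""
    conf, section = {}, None
    for raw in text.splitlines():
        m = re.match(r"^(\s*)(\w+):\s*(.*)$", raw.split("#", 1)[0])  # drop comments
        if not m:
            continue
        indent, key, value = m.groups()
        if not indent:                       # top-level section header
            section = conf.setdefault(key, {})
        elif section is not None:
            section[key] = value.strip().strip("'\"")
    return conf

def audit(text):
    """Return finding codes for the authentication and listener settings."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    findings = []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("AUTH_DISABLED")     # matches the startup warning in the log
    addrs = {a.strip() for a in net.get("bindIp", "localhost").split(",")}
    if net.get("bindIpAll") == "true" or addrs & WILDCARD:
        findings.append("BIND_ALL")          # every interface; firewall must restrict
    elif addrs <= LOOPBACK:
        findings.append("LOOPBACK_ONLY")     # remote clients cannot connect
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```

bindIp only selects the interfaces mongod listens on; limiting clients to a subnet is done by the host or network firewall, which this check does not inspect.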

#2 Updated by Natalia Ratnikova about 1 month ago

  • % Done changed from 10 to 100
  • Status changed from New to Resolved

Test remote access:

[mysql@mariadbwp-d3 tests]$ mongo 'mongodb://dune-apa-dbdev02.fnal.gov'
MongoDB shell version v4.4.1
connecting to: mongodb://dune-apa-dbdev02.fnal.gov:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("34e5469a-1982-4259-92f8-b6a9cc0dc6f1") }
MongoDB server version: 4.4.1
> show dbs
> use admin
switched to db admin
> show collections
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
> db.auth( "superuser", passwordPrompt() )
Enter password: 
1
> db.runCommand({connectionStatus : 1})
{
    "authInfo" : {
        "authenticatedUsers" : [
            {
                "user" : "superuser",
                "db" : "admin" 
            }
        ],
        "authenticatedUserRoles" : [
            {
                "role" : "root",
                "db" : "admin" 
            }
        ]
    },
    "ok" : 1
}
> exit
bye
[mysql@mariadbwp-d3 tests]$ 
