In my previous blog post I explained MongoDB's functionality; now let's configure it with Kerberos authentication on a Linux machine.
Make sure authenticationMechanism is always set to "GSSAPI". Without Kerberos, authenticationMechanism is always "PLAIN".
Follow these steps:
Step1: Start mongod without Kerberos.
For the initial addition of Kerberos users, start mongod without Kerberos support.
If a Kerberos user is already in MongoDB and has the privileges required to create a user, you can start mongod with Kerberos support.
Step2: Connect to mongod.
Connect via the mongo shell to the mongod instance. If mongod has --auth enabled, ensure you connect with the privileges required to create a user.
Step3: Add Kerberos Principal(s) to MongoDB.
Add a Kerberos principal, <username>@<KERBEROS REALM> or <username>/<instance>@<KERBEROS REALM>, to MongoDB in the $external database. Specify the Kerberos realm in all uppercase. The $external database allows mongod to consult an external source (e.g. Kerberos) to authenticate. To specify the user's privileges, assign roles to the user. The following example adds the Kerberos principal application/reporting@EXAMPLE.NET with read-only access to the records database:
Example:
use $external
db.createUser( { user: "application/krishnachourasiya@TECHSPACE.COM", roles: [ { role: "read", db: "records" } ] } )
Add additional principals as needed. For every user you want to authenticate using Kerberos, you must create a corresponding user in MongoDB. For more information about creating and managing users, see User Management Commands.
Step4: Start mongod with Kerberos support.
To start mongod with Kerberos support, set the environment variable KRB5_KTNAME to the path of the keytab file and the mongod parameter authenticationMechanisms to GSSAPI, in the following form:
Example:
env KRB5_KTNAME=/opt/mongodb/mongod.keytab \
  /opt/mongodb/bin/mongod --auth \
  --setParameter authenticationMechanisms=GSSAPI \
  --dbpath /opt/mongodb/data
The path to your mongod as well as your keytab file may differ. Modify or include additional mongod options as required for your configuration. The keytab file must be accessible only to the owner of the mongod process.
Step5: Connect mongo shell to mongod and authenticate.
Connect the mongo shell client as the Kerberos principal application/krishnachourasiya@TECHSPACE.COM. Before connecting, you must have used Kerberos's kinit program to get credentials for application/krishnachourasiya@TECHSPACE.COM. You can connect and authenticate from the command line:
mongo --authenticationMechanism=GSSAPI --authenticationDatabase='$external' \
  --username application/krishnachourasiya@TECHSPACE.COM
Or, alternatively, you can first connect mongo to the mongod, and then from the mongo shell, use the db.auth() method to authenticate in the $external database:
use $external
db.auth( { mechanism: "GSSAPI", user: "application/krishnachourasiya@TECHSPACE.COM" } )
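As an added example (not part of the original post), here is a small POSIX shell pre-flight script that checks the two requirements from Steps 3 and 4 before mongod is started with Kerberos: the keytab is a regular file accessible only to its owner (and, optionally, owned by the expected service account), and the principal to be added to $external has the <username>[/<instance>]@<REALM> form with an all-uppercase realm. The function names, the keytab path and the "mongod" service-account name in the comments are assumptions.

```shell
#!/bin/sh
# Pre-flight checks before starting mongod with Kerberos support.
# Added example, not from the original post; paths and the service
# account name used below are assumptions for your deployment.

# Return 0 if "$1" is <user>@<REALM> or <user>/<instance>@<REALM> with an
# all-uppercase realm, the form required when adding the user to $external.
check_principal() {
    p="$1"
    case "$p" in *@*) ;; *) return 1 ;; esac                 # must contain '@'
    case "${p#*@}" in *@*) return 1 ;; esac                  # exactly one '@'
    user="${p%@*}"; realm="${p##*@}"
    [ -n "$user" ] && [ -n "$realm" ] || return 1            # no empty parts
    case "$user" in */*/*) return 1 ;; esac                  # at most one '/'
    case "$realm" in *[abcdefghijklmnopqrstuvwxyz]*) return 1 ;; esac
    return 0
}

# Return 0 if the keytab "$1" is a regular file whose permission bits grant
# access to the owner only (-r-------- or -rw-------) and, when "$2" is
# given, is owned by that user (e.g. the "mongod" service account).
check_keytab() {
    f="$1"; want_owner="$2"
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")          # fields: perms links owner group size ...
    perms="$1"; owner="$3"
    case "$perms" in -r[w-]-------*) ;; *) return 1 ;; esac
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        return 1
    fi
    return 0
}

# Run both checks and report the first failure, so the operator fixes it
# before exporting KRB5_KTNAME and starting mongod.
# Usage: preflight /opt/mongodb/mongod.keytab application/reporting@EXAMPLE.NET mongod
preflight() {
    keytab="$1"; principal="$2"; owner="$3"
    check_keytab "$keytab" "$owner" || { echo "keytab check failed: $keytab" >&2; return 1; }
    check_principal "$principal" || { echo "bad principal: $principal" >&2; return 1; }
    echo "ok: KRB5_KTNAME=$keytab may be exported; principal $principal is well formed"
}
```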