Adding authorization to replica sets in MongoDB

vishal rana
3 min read · Jan 30, 2020


In the previous story we covered how to configure a replica set in MongoDB. To understand authentication in replica sets, go through the previous story first. Now we are going to look at how to add an authentication layer on top of a replica set. Creating a database and configuring models is difficult enough, but adding a layer of security is a must. You must add at least this security layer to your database to protect it from malicious attacks. Let’s get started.

Primary secondary communication

What we have so far:
- a configured replica set.
- priorities set for the election of the primary node.

The first step is to start all the members of the replica set and connect to the primary node. You can check which one is the primary node by running the command below in the mongo shell:

rs.status()

Once you are connected to the primary node, we need to create a root user which will have admin and cluster admin access. Remember that we must assign the cluster admin permission to this user; otherwise we will not be able to access the database in the replica set.

In the mongo shell run the following commands:

use admin

This switches to the admin database of MongoDB. Then run the command below to create a new user with the listed permissions.

db.createUser({user:"test",pwd:"pwd_2020",roles:["clusterAdmin","readWriteAnyDatabase","dbAdminAnyDatabase","userAdminAnyDatabase"]})

To learn more about the roles in MongoDB, check out the official MongoDB website, or you can check this and this.

Once you have created a new user you will see the success message:

Successfully added user: {
"user" : "test",
"roles" : [
"clusterAdmin",
"readWriteAnyDatabase",
"dbAdminAnyDatabase",
"userAdminAnyDatabase"
]
}

Now we need to create a key file for MongoDB, which is required to add authentication to the replica set. You can read about this in detail here.

openssl rand -base64 756 > <path-to-keyfile>

Change the permissions on the file.

chmod 400 <path-to-keyfile>

You can choose any name for the key file. I have chosen mongo.key.

Now we need to make some modifications to the conf files that we created before. Add these lines to the end of each conf file.

auth=on
keyFile=<path-to-keyfile>

These settings enable authentication. Now you need to start each node from its configuration file with the command below:

mongod -f [path to file] --fork --auth
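A pre-flight check worth running before the mongod command above, as an added example that is not part of the original post: it verifies that each conf file names a key file, that the key file has no group or other permission bits and holds 6-1024 base64 characters (MongoDB's documented key file requirements), and that every member uses the same key. The helper names check_keyfile, conf_keyfile and check_replica_confs are hypothetical, and the conf files are assumed to use the key=value format shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight check for the key file
# settings. check_keyfile, conf_keyfile and check_replica_confs are hypothetical names.

# Succeeds only if the key file has no group/other permission bits and holds
# 6-1024 base64 characters (whitespace ignored).
check_keyfile() {
  local f="$1" perms body
  [ -f "$f" ] || { echo "FAIL $f: not found" >&2; return 1; }
  perms=$(ls -ld "$f" | cut -c5-10)   # group+other bits; "------" when chmod 400/600
  [ "$perms" = "------" ] || { echo "FAIL $f: group/other access ($perms)" >&2; return 1; }
  body=$(tr -d '[:space:]' < "$f")
  if [ "${#body}" -lt 6 ] || [ "${#body}" -gt 1024 ]; then
    echo "FAIL $f: key must be 6-1024 characters, got ${#body}" >&2; return 1
  fi
  case "$body" in
    *[!A-Za-z0-9+/=]*) echo "FAIL $f: non-base64 character in key" >&2; return 1 ;;
  esac
}

# Prints the keyFile path from a key=value conf file (the format used above).
conf_keyfile() {
  sed -n 's/^[[:space:]]*keyFile[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Checks every conf file passed in: each must name a valid key file, and all
# key files must have identical content so members can authenticate to each other.
check_replica_confs() {
  local conf kf sum first=""
  for conf in "$@"; do
    kf=$(conf_keyfile "$conf")
    [ -n "$kf" ] || { echo "FAIL $conf: no keyFile= line" >&2; return 1; }
    check_keyfile "$kf" || return 1
    sum=$(tr -d '[:space:]' < "$kf" | cksum)
    if [ -z "$first" ]; then first="$sum"; fi
    [ "$sum" = "$first" ] || { echo "FAIL $conf: key differs from first member" >&2; return 1; }
  done
  echo "OK: $# conf file(s) checked"
}

# Usage: check_replica_confs node1.conf node2.conf node3.conf
```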

Your replica set will be up and running with authentication enabled. How do we check that it is working?
Try accessing the shell.

mongo
rs.status()

You will see an error saying “command replSetGetStatus requires authentication”. There is nothing to worry about: this means everything is working as expected and you have successfully added authentication to the replica set.

Now, to get authorized in the shell, you must enter the details of the root user that we created before. Run the commands:

use admin
db.auth("test","pwd_2020")

This will authenticate you and allow you to use the shell.

Congratulations! You have successfully added authentication to your replica set. If you run into any issue while configuring authentication, feel free to leave a comment.

Thanks
