Monday, June 25, 2018

Securing Access to Your MongoDB Databases

Recently I needed to set up authentication for my MongoDB databases, which are used by Sitecore xDB.

I found the following article, written by @ankitjoshi2409, which was very helpful and informative.
https://ankitjoshi2409.wordpress.com/2017/05/30/mongodb-authentication-in-sitecore/


Below I mention the extra steps and some improvements that I made to fully secure our MongoDB instance.

To do that, first open Windows PowerShell on the server where MongoDB is installed and run the following commands as necessary.

#Connect to mongo server
> mongo

#Switch database to "admin" database
> use admin

#Create root user
> db.createUser({
    user:"admin",
    pwd:"adminPwd",
    roles:[
      {
        role:"userAdminAnyDatabase",
        db:"admin"
      },
      {
        role:"root",
        db:"admin"
      }
    ]
  });

#Verify that the user was created correctly with the given password. This command should return "1" if authentication is successful
> db.auth("admin", "adminPwd")
1


#Add a user to access the other databases' collections. We create the user in the "admin" database and give it read/write permission on all 4 xDB databases.

> db.createUser(
  {
    user: "mongouser",
    pwd: "mongoPwd",
    roles: [
      {
        role: "readWrite",
        db: "Sitecore_analytics"
      },
      {
        role: "readWrite",
        db: "Sitecore_tracking_live"
      },
      {
        role: "readWrite",
        db: "Sitecore_tracking_history"
      },
      {
        role: "readWrite",
        db: "Sitecore_tracking_contact"
      }
    ]
  });

Note:
As you can see, we created the user in the "admin" database and gave that user the necessary read/write permissions on the Sitecore xDB databases. MongoDB recommends this approach instead of creating the same user in each and every database.
Quote:
https://docs.mongodb.com/manual/core/security-users/#user-authentication-database
If you intend to have a single user with permissions on multiple databases, create a single user with roles in the applicable databases instead of creating the user multiple times in different databases.  


Now that we have created the users and assigned them the correct database permissions, it's time to adjust our Sitecore connection strings.

<add name="analytics" connectionString="mongodb://mongouser:mongoPwd@localhost:27017/Sitecore_analytics?authSource=admin" />
<add name="tracking.live" connectionString="mongodb://mongouser:mongoPwd@localhost:27017/Sitecore_tracking_live?authSource=admin" />
<add name="tracking.history" connectionString="mongodb://mongouser:mongoPwd@localhost:27017/Sitecore_tracking_history?authSource=admin" />
<add name="tracking.contact" connectionString="mongodb://mongouser:mongoPwd@localhost:27017/Sitecore_tracking_contact?authSource=admin" />



Note the "?authSource=admin" at the end of each connection string. This tells MongoDB that the authenticating user was created in the "admin" database and must be authenticated against it.
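The check below is an added example, not code from the original post: a small Node.js audit that compares a connection string with the roles granted to the application user and reports a missing authSource, missing credentials, or a database the user has no readWrite role on. The function names and the sample user document (the shape returned by db.getUser) are assumptions constructed from the values used above.

```javascript
// Added example. All input below is constructed sample data using this post's values.

// Shape returned by db.getUser("mongouser") in the "admin" database.
const appUser = {
  user: "mongouser",
  db: "admin", // authentication database (where the user was created)
  roles: [
    { role: "readWrite", db: "Sitecore_analytics" },
    { role: "readWrite", db: "Sitecore_tracking_live" },
    { role: "readWrite", db: "Sitecore_tracking_history" },
    { role: "readWrite", db: "Sitecore_tracking_contact" },
  ],
};

// Returns a list of problems for one connection string (empty list = OK).
function auditConnectionString(connectionString, user) {
  const findings = [];
  const uri = new URL(connectionString);
  const database = decodeURIComponent(uri.pathname.slice(1));
  // Without authSource, drivers authenticate against the database in the
  // URI path, and against "admin" only when no database is given.
  const authSource = uri.searchParams.get("authSource") || database || "admin";

  if (!uri.username) {
    findings.push("no credentials: works only while anonymous access is allowed");
  } else if (decodeURIComponent(uri.username) !== user.user) {
    findings.push(`unexpected user "${uri.username}"`);
  }
  if (uri.username && authSource !== user.db) {
    findings.push(`authenticates against "${authSource}", user is defined in "${user.db}"`);
  }
  const granted = user.roles.some((r) => r.db === database && r.role === "readWrite");
  if (!granted) findings.push(`no readWrite role on "${database}"`);
  return findings;
}

// Roles beyond readWrite on the listed databases break least privilege.
function excessRoles(user, allowedDatabases) {
  return user.roles.filter(
    (r) => r.role !== "readWrite" || !allowedDatabases.includes(r.db)
  );
}

const good = "mongodb://mongouser:mongoPwd@localhost:27017/Sitecore_analytics?authSource=admin";
const missingAuthSource = "mongodb://mongouser:mongoPwd@localhost:27017/Sitecore_tracking_live";
console.log(auditConnectionString(good, appUser));
console.log(auditConnectionString(missingAuthSource, appUser));
```

Running the audit before enabling authorization shows which connection strings would stop working after the restart.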


Securing MongoDB Server Access by Disabling Anonymous Access


Once you have confirmed that your sites are running with the new MongoDB users/passwords, it's time to disable anonymous access to your MongoDB database.

To do that,

1. Open your MongoDB configuration file (usually named mongod.conf or mongod.cfg) in your MongoDB installation folder and add the following lines:
security:
  authorization: enabled

2. Restart your MongoDB service for the changes to take effect.


Happy Sitecore !!!