This documentation is for the end of life version of Percona Server for MongoDB and is no longer supported. You may want to see the current documentation.
Setting up Kerberos authentication¶
This document provides configuration steps for setting up Kerberos Authentication in Percona Server for MongoDB.
Assumptions¶
The setup of the Kerberos server itself is out of scope of this document. Please refer to the Kerberos documentation for the installation and configuration steps relevant to your operation system.
We assume that you have successfully completed the following steps:
Installed and configured the Kerberos server
Added necessary realms
Added service, admin and user principals
Configured the
AandPTRDNS records for every host running mongod instance to resolve the hostnames onto Kerberos realm.
See also
MongoDB Documentation: Kerberos Authentication
Add user principals to Percona Server for MongoDB¶
To get authenticated, users must exist both in the Kerberos and Percona Server for MongoDB servers with exactly matching names.
After you defined the user principals in the Kerberos server, add them to the $external database in Percona Server for MongoDB and assigned required roles:
use $external
db.createUser({user: "demo@PERCONATEST.COM",roles: [{role: "read", db: "admin"}]})
Replace demo@PERCONATEST.COM with your username and Kerberos realm.
Configure Kerberos keytab files¶
A keytab file stores the authentication keys for a service principal representing a mongod instance to access the Kerberos admin server.
After you have added the service principal to the Kerberos admin server, the entry for this principal is added to the /etc/krb5.keytab keytab file.
The mongod server must have access to the keytab file to authenticate. To keep the keytab file secure, restrict the access to it only for the user running the mongod process.
Stop the
mongodservice$ sudo systemctl stop mongod
Generate the keytab file or get a copy of it if you generated the keytab file on another host. Save the keyfile under a separate path (e.g. /etc/mongodb.keytab)
$ cp /etc/krb5.keytab /etc/mongodb.keytab
Change the ownership to the keytab file
$ sudo chown mongod:mongod /etc/mongodb.keytab
Set the
KRB5_KTNAMEvariable in the environment file for themongodprocess.Edit the environment file at the path
/etc/default/mongodband specify theKRB5_KTNAMEvariable:KRB5_KTNAME=/etc/mongodb.keytab
If you have a different path to the keytab file, specify it accordingly.
Edit the environment file at the path
/etc/sysconfig/mongodand specify theKRB5_KTNAMEvariable:KRB5_KTNAME=/etc/mongodb.keytab
If you have a different path to the keytab file, specify it accordingly.
Restart the
mongodservice$ sudo systemctl start mongod
Percona Server for MongoDB configuration¶
Enable external authentication in Percona Server for MongoDB configuration. Edit the etc/mongod.conf configuration file and specify the following configuration:
security:
authorization: "enabled"
setParameter:
authenticationMechanisms: GSSAPI
Restart the mongod service to apply the configuration:
$ sudo systemctl start mongod
Test the access to Percona Server for MongoDB¶
Obtain the Kerberos ticket for the user using the
kinitcommand and specify the user password:$ kinit demo Password for demo@PERCONATEST.COM:
Check the user ticket:
$ klist -l Principal name Cache name -------------- ---------- demo@PERCONATEST.COM FILE:/tmp/<ticket>
Connect to Percona Server for MongoDB:
$ mongo --host <hostname> --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username demo@PERCONATEST.COM
The result should look like the following:
> db.runCommand({connectionStatus : 1})
{
"authInfo" : {
"authenticatedUsers" : [
{
"user" : "demo@PERCONATEST.COM",
"db" : "$external"
}
],
"authenticatedUserRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
},
"ok" : 1
}