Percona Server for MongoDB 4.2
    Setting up Kerberos authentication

    This document provides configuration steps for setting up Kerberos Authentication in Percona Server for MongoDB.

    Assumptions

    The setup of the Kerberos server itself is out of the scope of this document. Please refer to the Kerberos documentation for the installation and configuration steps relevant to your operating system.

    We assume that you have successfully completed the following steps:

    • Installed and configured the Kerberos server

    • Added necessary realms

    • Added service, admin and user principals

    • Configured the A and PTR DNS records for every host running a mongod instance, so that the hostnames resolve within the Kerberos realm.

    Add user principals to Percona Server for MongoDB

    To authenticate, a user must exist both in Kerberos and in Percona Server for MongoDB, with exactly matching names.

    After you have defined the user principals in the Kerberos server, add them to the $external database in Percona Server for MongoDB and assign the required roles:

    > use $external
    > db.createUser({user: "demo@PERCONATEST.COM", roles: [{role: "read", db: "admin"}]})
    

    Replace demo@PERCONATEST.COM with your username and Kerberos realm.

    Configure Kerberos keytab files

    A keytab file stores the authentication keys of the service principal that represents a mongod instance, which mongod uses to authenticate with the Kerberos admin server.

    After you have added the service principal to the Kerberos admin server, the entry for this principal is added to the /etc/krb5.keytab keytab file.

    The mongod server must be able to read the keytab file to authenticate. To keep the keytab file secure, restrict access to it to the user running the mongod process only.

    1. Stop the mongod service

      $ sudo systemctl stop mongod
      
    2. Generate the keytab file, or get a copy of it if you generated the keytab file on another host. Save the keytab file under a separate path (e.g. /etc/mongodb.keytab)

      $ sudo cp /etc/krb5.keytab /etc/mongodb.keytab
      
    3. Change the ownership of the keytab file to the mongod user

      $ sudo chown mongod:mongod /etc/mongodb.keytab
      
    4. Set the KRB5_KTNAME variable in the environment file for the mongod process. The path of the environment file depends on your operating system.

      On Debian and Ubuntu, edit the environment file at the path /etc/default/mongod and specify the KRB5_KTNAME variable:

      KRB5_KTNAME=/etc/mongodb.keytab
      

      On Red Hat Enterprise Linux and derivatives, edit the environment file at the path /etc/sysconfig/mongod and specify the KRB5_KTNAME variable:

      KRB5_KTNAME=/etc/mongodb.keytab
      

      If you have a different path to the keytab file, specify it accordingly.

    5. Start the mongod service again

      $ sudo systemctl start mongod
      

    Percona Server for MongoDB configuration

    Enable external authentication in the Percona Server for MongoDB configuration. Edit the /etc/mongod.conf configuration file and specify the following settings:

    security:
      authorization: "enabled"
    
    setParameter:
      authenticationMechanisms: GSSAPI
    

    Restart the mongod service to apply the configuration:

    $ sudo systemctl restart mongod
    
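    The following shell check is an added example and not part of the Percona documentation. It verifies the outcome of the keytab steps above (ownership and file mode of the keytab, the KRB5_KTNAME setting in the mongod environment file) together with the mongod.conf settings in this section; the function name and the stand-in fixture files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Percona docs: checks the keytab file, the
# KRB5_KTNAME setting and mongod.conf against the steps described above.
# Usage: check_kerberos_setup <keytab> <env_file> <mongod.conf> [owner]
# The owner defaults to "mongod", the user the keytab is chowned to.
check_kerberos_setup() {
  keytab=$1; envfile=$2; conf=$3; owner=${4:-mongod}; rc=0
  if [ ! -f "$keytab" ]; then
    echo "FAIL: keytab $keytab not found"; return 1
  fi
  # The keytab must belong to the mongod user and be unreadable by anyone else.
  actual=$(stat -c '%U' "$keytab" 2>/dev/null || stat -f '%Su' "$keytab")
  mode=$(stat -c '%a' "$keytab" 2>/dev/null || stat -f '%Lp' "$keytab")
  [ "$actual" = "$owner" ] || { echo "FAIL: $keytab is owned by $actual, expected $owner"; rc=1; }
  case $mode in
    *00) ;;  # group and other bits are zero, e.g. 600 or 400
    *) echo "FAIL: $keytab has mode $mode, readable by group or others"; rc=1 ;;
  esac
  # The environment file must point mongod at this very keytab (quoted values allowed).
  kt=$(sed -n 's/^[[:space:]]*KRB5_KTNAME=//p' "$envfile" 2>/dev/null | tail -n 1 | tr -d "\"'")
  [ "$kt" = "$keytab" ] || { echo "FAIL: KRB5_KTNAME in $envfile is '$kt', expected $keytab"; rc=1; }
  # mongod.conf must enable authorization and offer the GSSAPI mechanism.
  grep -Eq '^[[:space:]]*authorization:[[:space:]]*"?enabled"?' "$conf" 2>/dev/null \
    || { echo "FAIL: security.authorization is not enabled in $conf"; rc=1; }
  grep -Eq '^[[:space:]]*authenticationMechanisms:.*GSSAPI' "$conf" 2>/dev/null \
    || { echo "FAIL: GSSAPI is not listed in authenticationMechanisms in $conf"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $keytab, $envfile and $conf are consistent"
  return "$rc"
}

# Constructed demonstration fixture (a stand-in keytab, no real Kerberos keys):
# the three files as the steps above leave them, owned by the current user.
demo=$(mktemp -d)
printf 'stand-in keytab\n' > "$demo/mongodb.keytab"
chmod 600 "$demo/mongodb.keytab"
printf 'KRB5_KTNAME=%s\n' "$demo/mongodb.keytab" > "$demo/mongod.env"
printf 'security:\n  authorization: "enabled"\nsetParameter:\n  authenticationMechanisms: GSSAPI\n' \
  > "$demo/mongod.conf"
check_kerberos_setup "$demo/mongodb.keytab" "$demo/mongod.env" "$demo/mongod.conf" "$(id -un)"
rm -rf "$demo"
```

    On a real host run it as root against /etc/mongodb.keytab, the environment file for your distribution and /etc/mongod.conf, leaving the owner argument at its default.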

    Test the access to Percona Server for MongoDB

    1. Obtain a Kerberos ticket for the user with the kinit command, entering the user's password when prompted:

      $ kinit demo
      Password for demo@PERCONATEST.COM:
      
    2. Check the user ticket:

      $ klist -l
      

      Output:

      Principal name                 Cache name
      --------------                 ----------
      demo@PERCONATEST.COM           FILE:/tmp/<ticket>
      
    3. Connect to Percona Server for MongoDB:

      $ mongo --host <hostname> --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username demo@PERCONATEST.COM
      

      The result should look like the following:

      > db.runCommand({connectionStatus : 1})
      {
           "authInfo" : {
                   "authenticatedUsers" : [
                           {
                                   "user" : "demo@PERCONATEST.COM",
                                   "db" : "$external"
                           }
                   ],
                   "authenticatedUserRoles" : [
                           {
                                   "role" : "read",
                                   "db" : "admin"
                           }
                   ]
           },
           "ok" : 1
      }
      

    Last update: January 31, 2023
    Created: December 8, 2022
    Percona LLC and/or its affiliates, © 2023