Setting up Kerberos authentication¶
This document provides configuration steps for setting up Kerberos Authentication in Percona Server for MongoDB.
Assumptions¶
The setup of the Kerberos server itself is out of scope of this document. Please refer to the Kerberos documentation for the installation and configuration steps relevant to your operation system.
We assume that you have successfully completed the following steps:
-
Installed and configured the Kerberos server
-
Added necessary realms
-
Added service, admin and user principals
-
Configured the
A
andPTR
DNS records for every host runningmongod
instance to resolve the hostnames onto Kerberos realm.
Add user principals to Percona Server for MongoDB¶
To get authenticated, users must exist both in the Kerberos and Percona Server for MongoDB servers with exactly matching names.
After you defined the user principals in the Kerberos server, add them to the $external
database in Percona Server for MongoDB and assign required roles:
> use $external
> db.createUser({user: "demo@PERCONATEST.COM",roles: [{role: "read", db: "admin"}]})
Replace demo@PERCONATEST.COM
with your username and Kerberos realm.
Configure Kerberos keytab files¶
A keytab file stores the authentication keys for a service principal representing a mongod
instance to access the Kerberos admin server.
After you have added the service principal to the Kerberos admin server, the entry for this principal is added to the /etc/krb5.keytab
keytab file.
The mongod
server must have access to the keytab file to authenticate. To keep the keytab file secure, restrict the access to it only for the user running the mongod
process.
-
Stop the
mongod
service$ sudo systemctl stop mongod
-
Generate the keytab file or get a copy of it if you generated the keytab file on another host. Save the keyfile under a separate path (e.g.
/etc/mongodb.keytab
)$ cp /etc/krb5.keytab /etc/mongodb.keytab
-
Change the ownership to the keytab file
$ sudo chown mongod:mongod /etc/mongodb.keytab
-
Set the
KRB5_KTNAME
variable in the environment file for themongod
process.Edit the environment file at the path
/etc/sysconfig/mongod
and specify theKRB5_KTNAME
variable:KRB5_KTNAME=/etc/mongodb.keytab
If you have a different path to the keytab file, specify it accordingly.
Edit the environment file at the path
/etc/default/mongod
and specify theKRB5_KTNAME
variable:KRB5_KTNAME=/etc/mongodb.keytab
If you have a different path to the keytab file, specify it accordingly.
-
Restart the
mongod
service$ sudo systemctl start mongod
Get expert help¶
If you need assistance, visit the community forum for comprehensive and free database knowledge, or contact our Percona Database Experts for professional support and services.