Skip to content
Percona Software for MongoDB Documentation

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

Setting up Kerberos authentication

This document provides configuration steps for setting up Kerberos Authentication in Percona Server for MongoDB.

Assumptions

The setup of the Kerberos server itself is not included in this document. Please refer to the Kerberos documentation for the installation and configuration steps relevant to your operating system.

We assume that you have successfully completed the following steps:

  • Installed and configured the Kerberos server

  • Added necessary realms

  • Added service, admin, and user principals

  • Configured the A and PTR DNS records for every host running mongod instance to resolve the hostnames onto Kerberos realm.

Add user principals to Percona Server for MongoDB

To authenticate, users must exist in the Kerberos and Percona Server for MongoDB servers. Their usernames must match exactly.

After you have defined the user principals in the Kerberos server, add them to the $external database in Percona Server for MongoDB and assign required roles:

> use $external
> db.createUser({user: "demo@PERCONATEST.COM",roles: [{role: "read", db: "admin"}]})

Replace demo@PERCONATEST.COM with your username and Kerberos realm.

Configure Kerberos keytab files

A keytab file stores the authentication keys for a service principal representing a mongod instance to access the Kerberos admin server.

After you have added the service principal to the Kerberos admin server, the entry for this principal is added to the /etc/krb5.keytab file.

To authenticate, the mongod server must have access to the keytab file. To keep the keytab file secure, restrict access to it only to the user running the mongod process.

  1. Stop the mongod service

    $ sudo systemctl stop mongod

  2. Generate the keytab file or get a copy of it if you generated the keytab file on another host. Save the key file under a separate path (e.g. /etc/mongodb.keytab)

    $ cp /etc/krb5.keytab /etc/mongodb.keytab

  3. Change the ownership to the keytab file

    $ sudo chown mongodb:mongodb /etc/mongodb.keytab

  4. Set the KRB5_KTNAME variable in the environment file for the mongod process.

    Edit the environment file at the path /etc/sysconfig/mongod and specify the KRB5_KTNAME variable:

    KRB5_KTNAME=/etc/mongodb.keytab

    If you have a different path to the keytab file, specify it accordingly.

    Edit the environment file at the path /etc/default/mongod and specify the KRB5_KTNAME variable:

    KRB5_KTNAME=/etc/mongodb.keytab

    If you have a different path to the keytab file, specify it accordingly.

  5. Restart the mongod service

    $ sudo systemctl start mongod