Activating the User Authentication

Caution - installation and configuration order

Mind the order of installation and configuration. The installation of the complete system, including all its components (i.e. PLOSSYS 5, SEAL Operator, easyPRIMA, and others), must be finished before you start to configure the user authentication.


Getting the Master Node

Check which node in the cluster is the MongoDB master node:

mongo --quiet --host `hostname` --tls --tlsAllowInvalidCertificates -eval 'rs.isMaster()'

Example - result of the above command to get the master node

The hosts entry contains a list of all known cluster nodes and the primary entry contains the host name of the master node.

{
"topologyVersion" : {
  "processId" : ObjectId("62da51692acff423bc8b8a92"),
  "counter" : NumberLong(4)
},
"hosts" : [
  "db:27017",
  "db2:27017",
  "db3:27017"
],
"setName" : "rs",
"setVersion" : 5,
"ismaster" : false,
"secondary" : true,
"primary" : "db3:27017",
"me" : "db:27017",
"lastWrite" : {
  "opTime" : {
  "ts" : Timestamp(1658474882, 1),
  "t" : NumberLong(20)
  },
  "lastWriteDate" : ISODate("2022-07-22T07:28:02Z"),
  "majorityOpTime" : {
  "ts" : Timestamp(1658474872, 2),
  "t" : NumberLong(20)
  },
  "majorityWriteDate" : ISODate("2022-07-22T07:27:52Z")
},
"maxBsonObjectSize" : 16777216,
"maxMessageSizeBytes" : 48000000,
"maxWriteBatchSize" : 100000,
"localTime" : ISODate("2022-07-22T07:28:02.477Z"),
"logicalSessionTimeoutMinutes" : 30,
"connectionId" : 9,
"minWireVersion" : 0,
"maxWireVersion" : 13,
"readOnly" : false,
"ok" : 1,
"$clusterTime" : {
  "clusterTime" : Timestamp(1658474882, 1),
  "signature" : {
  "hash" : BinData(0,"hgMLa+1zoaSPY1zOSOsiS1yr0bQ="),
  "keyId" : NumberLong("7116508179495649285")
  }
},
"operationTime" : Timestamp(1658474882, 1)
}

Single System and Replica Set Primary

The user authentication of MongoDB is disabled by default. Activate the user authentication to enhance the security.

Execute the following shell script as administrator and follow the instructions:

/opt/seal/seal-mongodb/secure-mongo.sh

The script creates a random password. Read the output of the script to obtain the password. The user for accessing the different databases is plossys; the user for administration tasks is root.

Example - configuration of PLOSSYS 5

service:
  any:
    tag:
      any:
        MONGO_JOBS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-jobs?replicaSet=p5
        MONGO_PRINTERS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-printers?replicaSet=p5
        MONGO_EVENTS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-events?replicaSet=p5
        MONGO_NOTIFICATIONS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-notifications?replicaSet=p5
        MONGO_PREPROCESS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-preprocess?replicaSet=p5
        MONGO_CONFIGS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-configs?replicaSet=p5
        MONGO_LOCKS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-locks?replicaSet=p5
        MONGO_ACTIONS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-actions?replicaSet=p5

Example - configuration of SEAL Operator

service:
  any:
    tag:
      any:
        MONGO_SERVER_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/operator-server
        MONGO_FILEUPLOAD_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/operator-fileupload
        MONGO_PREPROCESS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/preprocess

Example - calling MongoDB client

mongo --tls --tlsAllowInvalidCertificates -u root -p <the random password> -eval 'rs.status()'

Secondary Members of the Replica Set

  1. Copy the key file created by secure-mongo.sh on the replica set primary

    /opt/seal/etc/mongod.keyfile
    

    into the same directory on your current member of the replica set:

    /opt/seal/etc
    
  2. Add the following lines to the /opt/seal/etc/mongod.conf file:

    security:
      authorization: enabled
      keyFile: /opt/seal/etc/mongod.keyfile
    
  3. Restart MongoDB:

    sudo systemctl restart mongod
    
  4. Proceed with step 1 on the next member of the replica set.
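
Example - checking a secondary member before the restart

The following check is an added example, not part of the SEAL Systems scripts. It verifies steps 1 and 2 on a secondary before step 3, because a copied key file can end up with group or world permissions, which mongod refuses on UNIX systems. The function names check_member and security_value are hypothetical; the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: pre-restart check for a secondary replica set member.
# check_member and security_value are hypothetical helper names.

# Print the value of KEY inside the top-level "security:" block of a mongod.conf.
security_value() {  # usage: security_value <conf> <key>
  awk -v key="$2" '
    /^security:[ \t]*$/            { in_sec = 1; next }
    /^[^ \t#]/                     { in_sec = 0 }   # another top-level section
    in_sec && $1 == (key ":")      { print $2; exit }
  ' "$1"
}

# Return 0 if key file and configuration are ready for the restart, else 1.
check_member() {  # usage: check_member [conf] [keyfile]
  cm_conf="${1:-/opt/seal/etc/mongod.conf}"
  cm_key="${2:-/opt/seal/etc/mongod.keyfile}"
  cm_rc=0

  if [ ! -f "$cm_key" ]; then
    echo "FAIL: key file $cm_key is missing" >&2
    return 1
  fi
  # Characters 5-10 of the mode string are the group and other permission bits.
  cm_perms=$(ls -ld "$cm_key" | cut -c5-10)
  if [ "$cm_perms" != "------" ]; then
    echo "FAIL: $cm_key is accessible by group/others; run chmod 600" >&2
    cm_rc=1
  fi
  if [ "$(security_value "$cm_conf" authorization)" != "enabled" ]; then
    echo "FAIL: security.authorization is not enabled in $cm_conf" >&2
    cm_rc=1
  fi
  if [ "$(security_value "$cm_conf" keyFile)" != "$cm_key" ]; then
    echo "FAIL: security.keyFile in $cm_conf does not point to $cm_key" >&2
    cm_rc=1
  fi
  return $cm_rc
}
```

Source the file and call check_member without arguments on each secondary; restart MongoDB only when it returns 0. The key file must also be readable by the account that runs mongod, which this check does not cover.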
