
Activating the User Authentication

Caution - installation and configuration order

Mind the order of installation and configuration. The installation of the complete system including all its components, i.e. PLOSSYS Output Engine, SEAL Operator, easyPRIMA, and others, must be finished before you start to configure the user authentication.


Getting the Master Node

Find the master node in the MongoDB cluster:

mongosh --quiet --host `hostname` --tls --tlsAllowInvalidCertificates --eval 'rs.isMaster()'

Example - result of the above command to get the master node

The hosts entry contains a list of all known cluster nodes and the primary entry contains the host name of the master node.

{
"topologyVersion" : {
  "processId" : ObjectId("62da51692acff423bc8b8a92"),
  "counter" : NumberLong(4)
},
"hosts" : [
  "db:27017",
  "db2:27017",
  "db3:27017"
],
"setName" : "rs",
"setVersion" : 5,
"ismaster" : false,
"secondary" : true,
"primary" : "db3:27017",
"me" : "db:27017",
"lastWrite" : {
  "opTime" : {
  "ts" : Timestamp(1658474882, 1),
  "t" : NumberLong(20)
  },
  "lastWriteDate" : ISODate("2022-07-22T07:28:02Z"),
  "majorityOpTime" : {
  "ts" : Timestamp(1658474872, 2),
  "t" : NumberLong(20)
  },
  "majorityWriteDate" : ISODate("2022-07-22T07:27:52Z")
},
"maxBsonObjectSize" : 16777216,
"maxMessageSizeBytes" : 48000000,
"maxWriteBatchSize" : 100000,
"localTime" : ISODate("2022-07-22T07:28:02.477Z"),
"logicalSessionTimeoutMinutes" : 30,
"connectionId" : 9,
"minWireVersion" : 0,
"maxWireVersion" : 13,
"readOnly" : false,
"ok" : 1,
"$clusterTime" : {
  "clusterTime" : Timestamp(1658474882, 1),
  "signature" : {
  "hash" : BinData(0,"hgMLa+1zoaSPY1zOSOsiS1yr0bQ="),
  "keyId" : NumberLong("7116508179495649285")
  }
},
"operationTime" : Timestamp(1658474882, 1)
}

Single System and Replica Set Primary

User authentication is disabled in MongoDB by default. Activate it to enhance security.

Execute the following shell script as administrator and follow the instructions:

/opt/seal/seal-mongodb/secure-mongo.sh

The script creates a random password; read the output of the script to obtain it. The user for accessing the different databases is plossys; the user for administration tasks is root.

Example - configuration of PLOSSYS Output Engine

service:
  any:
    tag:
      any:
        MONGO_JOBS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-jobs?replicaSet=p5
        MONGO_PRINTERS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-printers?replicaSet=p5
        MONGO_EVENTS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-events?replicaSet=p5
        MONGO_NOTIFICATIONS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-notifications?replicaSet=p5
        MONGO_PREPROCESS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-preprocess?replicaSet=p5
        MONGO_CONFIGS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-configs?replicaSet=p5
        MONGO_LOCKS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-locks?replicaSet=p5
        MONGO_ACTIONS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/spooler-actions?replicaSet=p5

Example - configuration of SEAL Operator

service:
  any:
    tag:
      any:
        MONGO_SERVER_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/operator-server
        MONGO_FILEUPLOAD_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/operator-fileupload
        MONGO_PREPROCESS_URL: mongodb://plossys:<the random password>@<host1>:27017,<host2>:27017,<host3>:27017/preprocess

Example - calling MongoDB client

mongosh --tls --tlsAllowInvalidCertificates -u root -p <the random password> --eval 'rs.status()'

Secondary Members of the Replica Set

  1. On the secondary member, create the /opt/seal/secure/ directory if it does not exist yet:

    sudo mkdir /opt/seal/secure
    sudo chown seal:seal /opt/seal/secure
    sudo mv /path/to/mongod.keyfile /opt/seal/secure
    sudo chown mongod:mongod /opt/seal/secure/mongod.keyfile
    sudo chmod 0400 /opt/seal/secure/mongod.keyfile
    
  2. Copy the key file created by secure-mongo.sh on the replica set primary

    /opt/seal/secure/mongod.keyfile

    into the same directory on your current member of the replica set:

    /opt/seal/secure
    
  3. Add the following lines to the /opt/seal/etc/mongod.conf file:

    security:
      authorization: enabled
      keyFile: /opt/seal/etc/mongod.keyfile
    
  4. Restart MongoDB:

    sudo systemctl restart mongod
    
  5. Proceed with step 1 on the next member of the replica set.
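
A check to run on a secondary member before the restart in step 4, as an added example (not part of the SEAL Systems scripts): it reads the security section of a mongod.conf, confirms that authorization is enabled, and confirms that the key file named there exists and grants no group or world permissions, which mongod requires on Unix systems. The function names check_mongod_auth and security_value are hypothetical.

```shell
#!/bin/sh
# Added example: verify a replica set member's key file setup before restarting mongod.
# Usage: sh check-mongod-auth.sh /opt/seal/etc/mongod.conf   (script name is hypothetical)
# Return codes of check_mongod_auth:
#   0 ok, 1 authorization not enabled, 2 no keyFile entry,
#   3 key file missing, 4 key file accessible by group or others.

# Print the value of "<key>:" inside the top-level "security:" block of a mongod.conf.
security_value() {
    awk -v key="$2" '
        /^[^ #]/ { in_sec = ($1 == "security:"); next }  # any top-level key opens or closes the block
        in_sec && $1 == key ":" { print $2; exit }
    ' "$1"
}

check_mongod_auth() {
    conf=$1
    [ "$(security_value "$conf" authorization)" = "enabled" ] || {
        echo "authorization is not enabled in $conf" >&2; return 1; }

    # Check the path the configuration names, not the path the file was copied to.
    keyfile=$(security_value "$conf" keyFile)
    [ -n "$keyfile" ] || { echo "no keyFile entry in $conf" >&2; return 2; }
    [ -f "$keyfile" ] || { echo "key file $keyfile does not exist" >&2; return 3; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "key file $keyfile has group/other permissions ($perms)" >&2; return 4; }

    echo "ok: $keyfile"
}

# Run the check when a configuration file is given on the command line.
if [ $# -gt 0 ]; then
    check_mongod_auth "$1"
fi
```
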

