I need to shard a database fairly soon, and am unclear on what the best practice is for enabling authentication on the mongos and config servers.

I would like to have everything be secured with passwords.

  1. Should each config server have auth enabled?
  2. If so, then set up the same user across each? Just for the admin db? Or is there a need to create one for the config database?
  3. I am guessing you don't need to create any users while on the mongos, since it should inherit from the config and the shards themselves, is this correct?
  4. When adding a new shard, is it necessary to go and set up the same users for each sharded database on the new shard?

Thanks!

nakkor

2 Answers


I'll take these one at a time:

Should each config server have auth enabled?

Yes, basically every instance of mongod you run should have auth enabled (and keyfile, which implies auth).

If so, then setup the same user across each? Just for the admin db? Or is there a need to create one for the config database?

The admin database in a sharded environment will actually live on the config servers. Hence you will have a copy of the admin database on all three (they will be identical to each other). You should always be connecting to the config database through the mongos and you will not be creating other databases there, so no need to add specific users.

I am guessing you don't need to create any users while on the mongos, since it should inherit from the config and the shards themselves, is this correct?

The first shard you add, if it has existing databases, will be the primary shard for those databases (forever). That primary shard will contain the authentication records for those databases, even if you subsequently shard the collections across multiple shards. Any subsequent databases that are created after you shard may live on another shard, and their credentials will be stored there. Basic rule of thumb is: use mongos to manage your users in a sharded environment.

Note: The above is true in MongoDB 2.4 and below. The planned changes in 2.6 will centralize all credentials to the config database in a sharded environment and remove some of the complexity. However, the rule of thumb is still applicable: use mongos.

When adding a new shard, is it necessary to go and set up the same users for each sharded database on the new shard?

As the answer to the previous question implies, no this is not necessary as long as you always connect via mongos (recommended - it knows what the primary shard is for each database and will route your auth request appropriately). There are some edge cases where you might need to have the users on all shards, in which case you would have to add (and maintain) them on each shard, but for general use it is not required.

Adam C


Have a look here to find your answer. It is suggested that you use keyFile as well as network-level access control, usually a firewall, to keep your server secure.

Kerberos authentication is also supported in recent versions of MongoDB. You can find information here.

yaoxing

  • Thank you for responding! I agree on network-level restrictions, and everything has a keyfile. Is it best to have a un/pw on top of those as well? – nakkor Jan 27 '14 at 17:22
  • The keyfile is used for the servers to authenticate each other, while un/pw is mostly for the client side to access servers. IMHO, security settings are never too much, thus I suggest enabling both. – yaoxing Jan 29 '14 at 11:48
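Both answers and the comments lean on the cluster keyFile (each mongod and mongos started with `--keyFile`, which also turns on auth). The script below is an added example, not code from the thread: it generates a keyfile the way the MongoDB docs suggest (random bytes, base64) and checks the two things mongod rejects a keyfile for, permissions open to group/others and content that is not 6 to 1024 base64 characters. File paths are placeholders you supply.

```shell
#!/bin/sh
# Added example: create and validate a MongoDB cluster keyFile.
# Assumed rules (documented mongod behaviour): the file must not be readable by
# group or others, and its content, whitespace ignored, must be 6..1024
# characters drawn from the base64 alphabet.

# make_keyfile PATH: write a fresh random key with owner-only permissions.
make_keyfile() {
    keyfile="$1"
    # 741 random bytes -> 988 base64 characters, comfortably under the 1024 cap.
    ( umask 077
      openssl rand -base64 741 > "$keyfile" 2>/dev/null \
        || head -c 741 /dev/urandom | base64 > "$keyfile" ) || return 1
    chmod 600 "$keyfile"
}

# check_keyfile PATH: return 0 if mongod would accept the file, else print why
# and return 1.  Run it on every config server, shard and mongos host.
check_keyfile() {
    keyfile="$1"
    [ -f "$keyfile" ] || { echo "missing: $keyfile"; return 1; }

    # Permission check: any group/other bit makes mongod refuse to start.
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case "$mode" in
        *00) ;;                                   # 600, 400, 700 ... are fine
        *) echo "permissions too open: $mode"; return 1 ;;
    esac

    # Content check: strip whitespace, then enforce length and alphabet.
    key=$(tr -d ' \t\r\n' < "$keyfile")
    len=${#key}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "bad key length: $len (need 6..1024)"; return 1
    fi
    if printf '%s' "$key" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "non-base64 characters in key"; return 1
    fi
    return 0
}
```

Copy the same file to every cluster member; the content must match on all of them or the members cannot authenticate to each other.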