Thursday, April 30, 2015

Google Cloud Compute MongoDB Deployment security issue and keyFile issue


I've ran into this super annoying issue today.


Basically, I have setup a MongoDB database using the GCP Marketplace offering. It sets up a primary node, secondary, and an arbiter. Which is super cool.
What it doesn't do is security. Like, at all. So only natural I had to set it up myself. Well, now 20 hours later and a few good punches to my own face I am still struggling to get it running.


Basically, this is my partial config:


security:
authorization: enabled
keyFile: '/etc/mongodKey'

If I comment out the keyFile the instance runs. But it cannot connect to any other nodes, because of the security being enabled. And no, I cannot disable it, are you mad?


The thing about the keyFile though... As I understand, mongod cannot open it, so it won't start. I suppose /etc is not a good place to put it in? I tried other folders, but to no avail. Nothing works.


And I need to have that security measure, since the database needs to be connected to by my colleagues using Robo 3T. So dropping the external IP address is out of the question.


What me do wrong? Please help as I'm pulling my own hair out.


This is the output of sudo service mongod status:


● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2019-08-21 15:28:08 UTC; 4min 29s ago
Docs: https://docs.mongodb.org/manual
Process: 1024 ExecStart=/usr/bin/mongod --config /etc/mongod.conf (code=exited, status=1/FAILURE)
Main PID: 1024 (code=exited, status=1/FAILURE)
Aug 21 15:28:08 m-vm-0 systemd[1]: Started MongoDB Database Server.
Aug 21 15:28:08 m-vm-0 systemd[1]: mongod.service: Main process exited, code=exited, status=1/F
Aug 21 15:28:08 m-vm-0 systemd[1]: mongod.service: Unit entered failed state.
Aug 21 15:28:08 m-0 systemd[1]: mongod.service: Failed with result 'exit-code'.

Edit:


I checked the mongod.log. Yes it is a permission issue. And I cannot solve it.


I tried doing sudo chmod 400 /etc/mongodKey but it doesn't do anything.
Please, someone, where do I put the key file so it is readable by mongodb? This is very important!


Answer



If you use the GCP MongoDB marketplace deployment named "MongoDB", that allows you to setup replication, know the following:


They do not setup the security in the initial configuration, thus there are 2 options:



  1. Turn off the External IP

  2. Enable authorization in the mongod.conf


If you go for the first solution, you won't be able to easily connect to the database from any other external sources.


If you go for the second solution, you'll need to do the following:



  1. Generate a key, the whole process can be found here: https://docs.mongodb.com/manual/tutorial/enforce-keyfile-access-control-in-existing-replica-set/


  2. Copy the file contents


  3. SSH into all of your Compute Engine instances

  4. Choose a directory

  5. sudo touch

  6. sudo nano

  7. Paste the key you generated on your computer and save

  8. sudo chmod 600

  9. sudo chown mongodb:

  10. Update your mongod.conf which is found under /etc/mongod.conf

  11. Uncomment security, authorization, keyFile

  12. Provide the path under key keyFile to your keyfile

  13. Stop all instances and start them again


Now MongoDB has access to the keyfile.


What as nightmare. And chmod 400 didn't work for me as specified in the documentation. I had to set it to chmod 600 .


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...