Today I am going to show you how to install MongoDB, create a database admin account and enforce basic security.
Why MongoDB when Slackware already has MariaDB? Well, the two are not comparable. MariaDB is a SQL database server, whereas MongoDB is a “NoSQL” database server, aka “Not only SQL”, and its queries – just like its object storage format – are in JSON. The two types of databases have entirely different usage targets.
MongoDB is a ‘general-purpose, document-based database server’. It has use-cases where it is more powerful than the traditional row/column model of a relational database management system. NoSQL databases, in particular MongoDB, are preferred over RDBMS in Cloud services, Big Data environments and for high-volume web-based data processing services. These are typically environments where flexibility is required to handle large amounts of unstructured data and constantly varying schemas. A distributed cluster of MongoDB servers excels at “map-reduce”, the framework invented by Google for condensing large volumes of data into useful aggregated results – the very paradigm that catapulted Google Search into the number one position of search engines shortly after the turn of the millennium.
Again, why then MongoDB? Who cares?
The above preamble is no sales pitch, rather it is meant to give you some background first. This article is actually meant to bridge a previous and a future article here on the blog. In a previous article I wrote about un-googling your browser experience and promised that I would share with you a solution that allows you to sync your browser’s online passwords and bookmarks (and hopefully soon also your browsing history) to an online server that is fully under your control.
In a future article I will document how to set up that sync service, but to that end I need a working MongoDB server first. Creating a ‘mongodb’ package that I was satisfied with, and that is also usable on Slackware 14.2, proved a bit more time-consuming than I expected, but here it is and here we go.
Caveat: since MongoDB 3.4, the developers dropped support for 32-bit platforms. Current version is 4.4.4 and therefore the packages for MongoDB that I provide are for 64-bit Slackware 14.2 and -current only.
- Download and install a ‘mongodb’ package for your Slackware: http://www.slackware.com/~alien/slackbuilds/mongodb
The installation of that package will create a “mongo” user and a “mongo” group on your computer. It will also install an RC script “/etc/rc.d/rc.mongodb” and add a couple of lines to your “/etc/rc.d/rc.local” so that the MongoDB server will be started automatically every time your computer boots, as long as the “/etc/rc.d/rc.mongodb” script is executable (which it is by default). Also installed is a default configuration file “/etc/mongodb.conf” which is used by the RC script:
processManagement:
  fork: true
  pidFilePath: "/var/run/mongodb/mongod.pid"
net:
  bindIp: localhost
  port: 27017
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
cloud:
  monitoring:
    free:
      state: off
security:
  authorization: disabled
This configures MongoDB to be accessible only at the “127.0.0.1” loopback interface, listen at the MongoDB default TCP port “27017”, and store its databases in “/var/lib/mongodb/”. This MongoDB configuration for Slackware comes out of the box without any form of access control and no authentication. We will fix that below.
- Increase the maximum number of open files (1024 by default) by un-commenting the following line in “/etc/login.defs”:
ULIMIT 2097152
If you omit this, every connection you make to the server will warn you about it.
- Then start the MongoDB server, the first time manually, but next time you boot the computer this will be done automatically. As root, run (‘#’ is the root prompt of course… don’t try to type it):
# /etc/rc.d/rc.mongodb start
- After we have validated that the server is running using the “/etc/rc.d/rc.mongodb status” command, we are now going to enable access control and authentication. The documentation for that, as well as more recommendations on how to secure your database server, is available at: https://docs.mongodb.com/manual/administration/security-checklist/ . Based on that documentation we take the following steps to enable access control and enforce authentication:
- Add an administrative account to MongoDB. In this example I will use the name “slackadmin” with a password “slackpass” – change these to something you like better.
Remember that the server runs without authentication or access control out of the box, so connecting to it will be quite easy. You can start the “mongo” client from any user account, for instance your own regular login account (‘$’ is the Bash shell’s user prompt of course… don’t try to type it). By default, the “mongo” client program will connect to a server on the “localhost” address at port 27017 and since the Slackware package uses these defaults, no commandline parameters are required:
$ mongo
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("12345678-1234-1234-1234-123456789012") }
MongoDB server version: 4.4.4
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
https://docs.mongodb.com/
Questions? Try the MongoDB Developer Community Forums
https://community.mongodb.com
>
At the mongo shell prompt, enter these lines to create the administrative account. Note that in MongoDB, the “admin” database is the default database in which user accounts are created and user access control to the other databases is defined:
use admin
db.createUser(
  {
    user: "slackadmin",
    pwd: "slackpass", // or use passwordPrompt()
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)
quit()
- Now that we have added a user to the ‘admin’ database who has full access, we can stop the server and change its configuration to enforce authentication. As root:
# /etc/rc.d/rc.mongodb stop
… and then change “authorization: disabled” to “authorization: enabled” in the file “/etc/mongod.conf”. After that change, start MongoDB again with the RC script and if you then attempt to run the “mongo” client just like that and try to run a command that needs privileges, you’ll get an error:
$ mongo
> show roles
uncaught exception: Error: command rolesInfo requires authentication :
We will have to login to the server now, in order to do meaningful things. Since we have only one user still, we use that. Note that you will be asked to enter the user’s password after pressing ENTER, and this time we will get better feedback for our “show roles” command:
$ mongo -u slackadmin -p
> show roles
{
  "role" : "dbAdmin",
  "db" : "test",
  "isBuiltin" : true,
  "roles" : [ ],
  "inheritedRoles" : [ ]
}
{
  "role" : "dbOwner",
...
In case you forgot to authenticate when starting the mongo client, i.e. you just executed “mongo”, don’t worry. You can authenticate from within the mongo client shell also:
$ mongo
> use admin
> db.auth("slackadmin", passwordPrompt())
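To confirm that the configuration change took effect, the config file can be checked for the two settings this article relies on: "authorization" and "bindIp". The script below is an added example, not part of the package or of the steps above; the function names, the exit-status convention and the abridged sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the access-control settings of a mongod YAML config.

# get_setting FILE SECTION KEY: print the value of KEY directly under SECTION.
get_setting() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*(#|$)/ { next }                            # comments, blank lines
        /^[^ \t]/ { insec = ($1 == (sec ":")); next }      # top-level section line
        insec && $1 == (key ":") {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+#.*$/, "")
            gsub(/"/, ""); print; exit
        }' "$1"
}

# audit_conf FILE: return 0 = authorization enforced,
#                         1 = no authorization, loopback only (the packaged default),
#                         2 = no authorization and a non-loopback listen address.
audit_conf() {
    auth=$(get_setting "$1" security authorization)
    bind=$(get_setting "$1" net bindIp)
    if [ "$(get_setting "$1" net bindIpAll)" = "true" ]; then bind=0.0.0.0; fi
    exposed=""
    # mongod binds to localhost when bindIp is not set at all
    for addr in $(printf '%s' "${bind:-localhost}" | tr ',' ' '); do
        case $addr in
            localhost|127.*|::1|/*) ;;          # loopback or UNIX socket path
            *) exposed="$exposed $addr" ;;
        esac
    done
    if [ -n "$exposed" ]; then echo "NOTE: listening on$exposed"; fi
    if [ "$auth" = "enabled" ]; then echo "OK: authorization enabled"; return 0; fi
    echo "FAIL: security.authorization is '${auth:-unset}'"
    if [ -n "$exposed" ]; then return 2; fi
    return 1
}

# Constructed sample: only the net/security sections of the config shown earlier.
sample_conf() {
    printf 'net:\n  bindIp: %s\n  port: 27017\nsecurity:\n  authorization: %s\n' "$1" "$2"
}

tmp=$(mktemp)
sample_conf localhost disabled > "$tmp"     # the out-of-the-box state
audit_conf "$tmp" || echo "exit status $?"
rm -f "$tmp"
```

Run "audit_conf" against the real configuration file after editing it and before restarting the server.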
What you do with the database is now up to you. In any case, I will expect that you have a running and pre-configured MongoDB database instance, next time when I write an article about browser sync. Don’t let that limit you! There will probably be other good uses for this article, you just need to go find them now.
Good luck! Eric