2.3 Ensure authentication is enabled in the sharded cluster

Information

Authentication is enabled in a sharded cluster when keyfiles are created and configured for all components. This ensures that every client that accesses the cluster must provide credentials, to include MongoDB instances that access each other within the cluster.

Rationale:

Enforcing a key on a sharded clusterprevents unauthorized access to the MongoDB database and provides traceability of database activities to a specific user or component.

Solution

To enable authentication in the sharded cluster, perform the following steps:

Generate a key file.

http://docs.mongodb.org/v2.4/tutorial/generate-key-file/#generate-key-file

On each component in the shared cluster, enable authentication by doing one of the following:

o In the configuration file /etc/mongod.conf, set the keyFile option to the key files path and then start the component with this command:

keyFile = /srv/mongodb/keyfile

When starting the component, set --keyFile option, which is an option for both mongos instances and mongod instances. Set the --keyFile to the key files path.





Default Value:

Not configured

See Also

https://workbench.cisecurity.org/files/168

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2

Plugin: Unix

Control ID: 388f4192baba9161dd0ac12457b828e7bab41ad13ed12b9ae7727aa1848480b4