Configuring MongoDB-CR Authentication as Default on MongoDB 3.x

All users created in MongoDB 3.x are created with SCRAM-SHA1 which breaks backward compatibility with tools that expect MongoDB-CR. There’s a laundry list of tools and drivers that have not yet been updated to support SCRAM-SHA1, such as Robomongo and MongoVUE.

In some cases, even if the newer version of the driver/ORM is available, you might not be ready to upgrade your driver due to some compatibility issues.

MongoDB supports two authentication methods:

  1. MongoDB-CR (Challenge-Response)
    Mechanism to authenticate users with passwords. Default authentication mechanism until 2.6.x. Refer to the documentation for more details.
  2. SCRAM-SHA1
    This is an IETF standard for challenge-response mechanisms for authenticating users with passwords. This is the newer and more secure system. It is not backward compatible with MongoDB-CR. Refer to the documentation for more details.

MongoDB-CR is the legacy authentication system. MongoDB 3.x switched the default user authentication system to SCRAM-SHA1, so any new users created in the system are SCRAM-SHA1 users. Since SCRAM-SHA1 is not backwards compatible, it breaks auth for all clients that use the MONGODB-CR mechanism.

You might nonetheless want to move to MongoDB 3.x for the new WiredTiger storage engine. Here are the steps to configure MONGODB-CR as the default authentication mechanism in MongoDB 3.x, assuming you’re running a replica set:

  1. Create a 3.x MongoDB cluster.
  2. Stop all nodes of the replica set other than the primary.
  3. Disable auth on the primary and restart the node. I did this by commenting out the following entries in the MongoDB conf file and restarting the server:
    #  authorization: enabled
    #  keyFile: /var/lib/mongo/rskey
    #  replSetName: RS-rsname-0
  4. Connect to the primary and change the schema version:
    use admin;
    // findOne() returns a copy, so the modified document must be written back
    var schema = db.system.version.findOne({"_id" : "authSchema"});
    schema.currentVersion = 3;
    db.system.version.save(schema);
  5. Undo the changes to the mongodb.conf file from step 3 above and restart MongoDB.
  6. Restart MongoDB on the other nodes of the replica set and ensure that the replica set is healthy.

Once this is done, all the users created on the system will be MongoDB-CR users. You can validate this by executing the following command:
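The following audit helper is an added example, not the post's own validation command: given the documents from admin.system.users and the authSchema document from admin.system.version, it reports which users hold MONGODB-CR credentials and which hold SCRAM-SHA-1 credentials, and what the schema version means. The sample documents are constructed; in the mongo shell you would pass in the real collections as shown in the comment.

```javascript
// Added audit helper (not from the original post). In the mongo shell, run it on
// live data with:
//   auditAuthMechanisms(db.getSiblingDB("admin").system.users.find().toArray(),
//                       db.getSiblingDB("admin").system.version.findOne({_id: "authSchema"}));
// Written with var/function so it also runs in the older 3.0 shell.

// authSchema currentVersion values: 3 = MONGODB-CR (2.6 default), 5 = SCRAM-SHA-1 (3.0 default).
var AUTH_SCHEMA_NAMES = { 1: "2.4-style", 3: "MONGODB-CR", 5: "SCRAM-SHA-1" };

function auditAuthMechanisms(userDocs, authSchemaDoc) {
  var byMechanism = { "MONGODB-CR": [], "SCRAM-SHA-1": [], other: [] };
  userDocs.forEach(function (u) {
    var creds = u.credentials || {};
    var name = u.db + "." + u.user;
    var known = false;
    // A client can only authenticate with a mechanism the user has credentials for.
    if (creds.hasOwnProperty("MONGODB-CR")) { byMechanism["MONGODB-CR"].push(name); known = true; }
    if (creds.hasOwnProperty("SCRAM-SHA-1")) { byMechanism["SCRAM-SHA-1"].push(name); known = true; }
    if (!known) byMechanism.other.push(name);
  });
  var version = authSchemaDoc ? authSchemaDoc.currentVersion : undefined;
  return {
    schemaVersion: version,
    schemaMeaning: AUTH_SCHEMA_NAMES[version] || "unknown",
    users: byMechanism,
    // MONGODB-CR stores one unsalted MD5 hash per user; SCRAM-SHA-1 stores salted,
    // iterated keys. These users are the ones still to migrate before moving back to schema 5.
    legacyUserCount: byMechanism["MONGODB-CR"].length
  };
}

// Constructed sample documents in the shape of admin.system.users and system.version.
var SAMPLE_USERS = [
  { _id: "admin.legacyApp", user: "legacyApp", db: "admin",
    credentials: { "MONGODB-CR": "0123456789abcdef0123456789abcdef" }, roles: [] },
  { _id: "admin.ops", user: "ops", db: "admin",
    credentials: { "SCRAM-SHA-1": { iterationCount: 10000, salt: "c2FsdA==",
      storedKey: "c3Q=", serverKey: "c3Y=" } }, roles: [] }
];
var SAMPLE_SCHEMA = { _id: "authSchema", currentVersion: 3 };

var SAMPLE_REPORT = auditAuthMechanisms(SAMPLE_USERS, SAMPLE_SCHEMA);
```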

Note, however, that this should only be a temporary workaround. The more secure long-term fix is to upgrade your MongoDB deployment to use the SCRAM-SHA1 model. Once you are ready to upgrade, run the following script to upgrade the schema version of your users to SCRAM-SHA1: