Configuring MongoDB-CR authentication as default on MongoDB 3.x

All users created in MongoDB 3.x are created with SCRAM-SHA-1, which breaks backward compatibility with tools that expect MongoDB-CR. A long list of tools and drivers have not yet been updated to support SCRAM-SHA-1, for example Robomongo and MongoVUE.

In some cases, even if a newer version of the driver/ORM is available, you might not be ready to upgrade your driver due to compatibility issues.

MongoDB supports two authentication methods:

1. MongoDB-CR (Challenge-response)
Mechanism to authenticate users with passwords. Default authentication mechanism until 2.6.x. Refer to the documentation for more details.

2. SCRAM-SHA-1
This is an IETF standard for challenge-response mechanisms for authenticating users with passwords. This is the newer and more secure system. It is not backward compatible with MongoDB-CR. Refer to the documentation for more details.

MongoDB-CR is the legacy authentication system. MongoDB 3.x switched the default user authentication system to SCRAM-SHA-1, so any new users created in the system are SCRAM-SHA-1 users. Since SCRAM-SHA-1 is not backward compatible, it breaks auth for all clients using the MONGODB-CR mechanism.

However, you might still want to use the new WiredTiger storage engine that is available in MongoDB 3.x. Here are the steps to configure MONGODB-CR as the default authentication mechanism in MongoDB 3.x, assuming you are running a replica set:

1. Create a 3.x MongoDB cluster.
2. Stop all nodes of the replica set other than the primary.
3. Disable auth on the primary and restart the node. I did this by commenting out the following entries in the MongoDB conf file and restarting the server:

#security:
#  authorization: enabled
#  keyFile: /var/lib/mongo/rskey
#replication:
#  replSetName: RS-rsname-0

4. Connect to the primary and change the schema version:

use admin;
// Fetch the auth schema document and set it to version 3 (MONGODB-CR).
var schema = db.system.version.findOne({"_id" : "authSchema"});
schema.currentVersion = 3;
db.system.version.save(schema);

5. Undo the changes made to the mongodb.conf file in step 3 above and restart MongoDB.
6. Restart MongoDB on the other nodes of the replica set and ensure that the replica set is healthy.

Once this is done, all the users created on the system will be MongoDB-CR users. You can validate this by executing the following command:

db.system.users.find().pretty();
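To make that validation repeatable, the following added example (not part of the original post) classifies users by the credential type stored in admin.system.users and reports the authSchema version. The function name and sample documents are constructed for illustration, and the mapping of schema version 5 to SCRAM-SHA-1 is the MongoDB 3.0 value, which the post itself does not state.

```javascript
// Added example. 3 is the schema version set in step 4; 5 is the
// SCRAM-SHA-1 schema version in MongoDB 3.0 (assumption not on the page).
var SCHEMA_LABELS = { 3: "MONGODB-CR", 5: "SCRAM-SHA-1" };

// Classify each user by the credential types stored for it and flag
// every user that still carries a MONGODB-CR credential.
function auditAuthMechanisms(schemaDoc, users) {
  var version = schemaDoc ? schemaDoc.currentVersion : null;
  var report = {
    schemaVersion: version,
    defaultMechanism: SCHEMA_LABELS[version] || "unknown",
    legacyUsers: [], // have a MONGODB-CR credential
    scramUsers: [],  // SCRAM-SHA-1 credential only
    other: []        // neither, e.g. externally authenticated users
  };
  users.forEach(function (u) {
    var name = u.db + "." + u.user;
    var mechs = Object.keys(u.credentials || {});
    if (mechs.indexOf("MONGODB-CR") !== -1) {
      report.legacyUsers.push(name);
    } else if (mechs.indexOf("SCRAM-SHA-1") !== -1) {
      report.scramUsers.push(name);
    } else {
      report.other.push(name);
    }
  });
  return report;
}

// Constructed sample input shaped like admin.system.version and
// admin.system.users documents; all credential values are placeholders.
var sampleSchema = { _id: "authSchema", currentVersion: 3 };
var sampleUsers = [
  { _id: "admin.root", user: "root", db: "admin",
    credentials: { "MONGODB-CR": "<placeholder-hash>" } },
  { _id: "app.reporting", user: "reporting", db: "app",
    credentials: { "SCRAM-SHA-1": { iterationCount: 10000,
      salt: "<placeholder>", storedKey: "<placeholder>",
      serverKey: "<placeholder>" } } },
  { _id: "$external.svc", user: "svc", db: "$external", credentials: {} }
];

var sampleReport = auditAuthMechanisms(sampleSchema, sampleUsers);
if (typeof console !== "undefined") {
  console.log(JSON.stringify(sampleReport, null, 2));
}
```

In the mongo shell, call the function with `db.getSiblingDB("admin").system.version.findOne({_id: "authSchema"})` and `db.getSiblingDB("admin").system.users.find().toArray()` in place of the samples, and print the result with `printjson`.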

Note, however, that this should only be a temporary workaround. The more secure, longer-term fix is to upgrade your MongoDB server to use the SCRAM-SHA-1 model. Once you are ready to upgrade, run the following command to upgrade the schema version of your users to SCRAM-SHA-1:

db.getSiblingDB("admin").runCommand({authSchemaUpgrade: 1});

 


Dharshan is the founder of ScaleGrid.io (formerly MongoDirector.com). He is an experienced MongoDB developer and administrator. He can be reached for further comment at @dharshanrg

