scalegrid logo 308x56

Configuring MongoDB-CR Authentication as Default on MongoDB 3.x

Posted:
Tweet
Share1
Share
Pin
1 Shares

All users created in MongoDB 3.x are created with SCRAM-SHA1 which breaks backward compatibility with tools that expect MongoDB-CR. There’s a laundry list of tools and drivers that have not yet been updated to support SCRAM-SHA1, such as Robomongo and MongoVUE.

In some cases, even if the newer version of the driver/ORM is available, you might not be ready to upgrade your driver due to some compatibility issues.

MongoDB supports two authentication methods:

  1. MongoDB- CR (Challenge-response)
    Mechanism to authenticate users with passwords. Default authentication mechanism until 2.6.x. Refer to the documentation for more details.
  2. SCRAM-SHA1
    This is an IETF standard for challenge response mechanisms for authenticating users with passwords. This is the newer and more secure system. It is not backward compatible with MongoDB-CR. Refer to the documentation for more details.

MongoDB CR is the legacy authentication system. MongoDB 3.X switched the default user authentication system to SCRAM-SHA1. So, any new users created in the system are SCRAM-SHA1 users.  Since SCRAM-SHA1 is not backwards compatible it breaks auth with all users using the MONGODB-CR mechasim.

However, you might want to use the new WiredTiger storage engine that’s available in MongoDB 3.x.  Here are the steps to configure MONGODB-CR as the default authentication mechanism in MongoDB 3.x, assuming you’re running a replica set:

  1. Create a 3.x MongoDB cluster.
  2. Stop all nodes of the replica set other than the primary.
  3. Disable auth on the primary and restart the node. I did this by commenting out the following entries in the MongoDB conf file and restarting the server: 
    #security:
#  authorization: enabled
#  keyFile: /var/lib/mongo/rskey
#replication:
#  replSetName: RS-rsname-0
  4. Connect to the primary and change the schema version: 
    use admin;
var schema = db.system.version.findOne({"_id" : "authSchema"});
schema.currentVersion = 3;
db.system.version.save(schema)
  5. Undo changes to the mongodb.conf file in step 3 above and restart MongoDB.
  6. Restart MongoDB on the other nodes of the replica set and ensure that the replica set is healthy.Once this is done, all the users created on the system will be MongoDB-CR users. You can validate this by executing the following command: 
    db.system.users.find().pretty();

Note, however, this should only be a temporary workaround. The more secure longer term fix is to upgrade your MongoDB server to use the SCRAM-SHA1 model. Once you are ready to upgrade, run the following script to upgrade the schema version of your users to SCRAM-SHA1:

db.getSiblingDB("admin").runCommand({authSchemaUpgrade});

 

Tweet
Share1
Share
Pin
1 Shares

Check out Related Posts

Handling Index Creation with MongoEngine in Python
MongoEngine is an Object Document Mapper (ODM) for working with MongoDB from Python. The ODM layer maps an object model to a  document database in a w...
Understanding MongoDB Client Timeout Options
MongoDB drivers provide several options for Mongo clients to handle different network timeout errors that may occur during usage. In some cases, the d...
Mastering Disk Space Management with MongoDB Storage Engines
MongoDB offers several storage engines that cater to various use cases. The default storage engine in earlier versions was MMAPv1, which utilized memo...

Anton is part of the marketing team at ScaleGrid. He has a Bachelor's degree in Information Systems and Digital Media with background in digital marketing for a wide variety of different industries.

Start Your Free 30 Day Trial

Search:

About us:

ScaleGrid is a fully managed database hosting service for MongoDB® , Redis™, MySQL, and PostgreSQL on public and private clouds.

Get more database tips, articles and the latest news by subscribing to our monthly newsletters!

scalegrid logo 308x56
Follow us
Facebook-f Twitter Linkedin-in Youtube
Products
Pricing
Company
Resources