Enabling MongoDB Role-Based Access Control
By default, Role-Based Access Control (RBAC) is disabled in MongoDB. Enabling RBAC enforces access control using the predefined roles set up for the MongoDB users. These users are created during MongoDB initialization based on the x.509 certificate for each Component Pack client. Perform the steps in this section to enable RBAC.
Procedure
Note
This procedure uses "connections" as the namespace. Substitute it with your corresponding namespace if necessary.
- Verify that the Mongo pod is ready by running the following command:
    kubectl -n connections get pod mongo5-0
  You should see an output similar to this:
    mongo5-0 2/2 Running 0 5m
- Run the following command to check the sidecar log for "success" messages to verify that the users have been created:
    kubectl -n connections logs mongo5-0 -c mongo5-sidecar
  Look for the following messages in the output:
    ......
    updateUser command successfully!
    ......
    createUser command successfully!
    createUser command successfully!
- Edit the Mongo statefulset to add security settings by running the following command:
    kubectl -n connections edit sts mongo5
  Add the environment variables MONGO_security_authorization and MONGO_security_clusterAuthMode under the containers section for the mongodb5 container:
    containers:
    - env:
      ......
      - name: MONGO_security_authorization
        value: enabled
      - name: MONGO_security_clusterAuthMode
        value: x509
- Execute the following command to restart the Mongo pod:
    kubectl -n connections delete pod $(kubectl get pods -n connections | grep mongo5 | awk '{print $1}')
  You should see an output similar to this:
    pod "mongo5-0" deleted
- When the pod is ready, run the following command to check the MongoDB configuration file to verify the security settings:
    kubectl -n connections exec -it mongo5-0 -c mongo5 -- cat /etc/mongodb/mongod.conf.yaml
  The new settings should be found:
    ......
    security.authorization: enabled
    security.clusterAuthMode: x509
    ......
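The two manual checks in this procedure (sidecar log before the change, rendered configuration after the restart) can be scripted so that they fail loudly. The following is an added example, not part of the original documentation: the function names and sample inputs are constructed, and it goes beyond the dotted keys shown above by also accepting the nested YAML form of the security section.

```shell
# Added example: pre- and post-checks for the RBAC procedure above.

# Pre-check (step 2): succeeds if the sidecar log on stdin reports user creation.
users_created() {
  grep -q 'createUser command successfully!'
}

# Post-check (step 5): reads a mongod config on stdin and succeeds only if
# authorization is "enabled" and clusterAuthMode is "x509". Accepts the dotted
# keys shown in the procedure and, as an assumption, the nested YAML form.
rbac_conf_ok() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blank lines
    {
      sub(/[ \t]+#.*$/, "")                   # drop trailing comments
      if ($0 ~ /^security\.[A-Za-z]+:/) {
        kv = substr($0, 10)                   # strip the "security." prefix
      } else if ($0 ~ /^[^ \t]/) {            # any other top-level key
        in_sec = ($0 ~ /^security:[ \t]*$/)
        next
      } else if (in_sec) {
        kv = $0; sub(/^[ \t]+/, "", kv)       # child of a "security:" block
      } else next
      n = index(kv, ":"); if (n == 0) next
      val = substr(kv, n + 1); gsub(/[ \t"]/, "", val)
      seen[substr(kv, 1, n - 1)] = val
    }
    END { exit !(seen["authorization"] == "enabled" && seen["clusterAuthMode"] == "x509") }
  '
}

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_LOG='...... updateUser command successfully!
...... createUser command successfully!'
SAMPLE_CONF_DOTTED='net.port: 27017
security.authorization: enabled
security.clusterAuthMode: x509'
SAMPLE_CONF_NESTED='security:
  authorization: "enabled"   # quoted value
  clusterAuthMode: x509
net:
  port: 27017'
SAMPLE_CONF_OFF='# security.authorization: enabled
security.clusterAuthMode: keyFile'

# Real use (commands from the procedure, without -it so output can be piped):
#   kubectl -n connections logs mongo5-0 -c mongo5-sidecar | users_created
#   kubectl -n connections exec mongo5-0 -c mongo5 -- cat /etc/mongodb/mongod.conf.yaml | rbac_conf_ok
```

Both functions return a non-zero exit status on failure, so they can gate a deployment script with `|| exit 1`.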