This repository has been archived by the owner on May 28, 2021. It is now read-only.

Put basic login/pw for mongodb #452

Closed
vkuznet opened this issue Sep 30, 2010 · 5 comments

vkuznet commented Sep 30, 2010

Clarify with HTTP group if I need to put login/pw for mongodb.

vkuznet commented Oct 6, 2010

valya: The MongoDB docs, http://www.mongodb.org/display/DOCS/Security+and+Authentication, recommend running MongoDB in a trusted environment. This is what we have by default in the cmsweb cluster. I need to understand if it is acceptable.

ghost commented Oct 6, 2010

lat: vocms53 is in firewalled territory where accesses are allowed only from front-ends and the host itself. Fortunately this machine isn't one of the reallocated systems with high ports available to half the world.

The access to MongoDB from the front-end does concern me, although it's not a direct risk. Is it possible for you to configure MongoDB to listen only on the localhost interface, not on 0.0.0.0 = all interfaces? This would be the exact reverse of what we've done to our own services, as you might recall.

So as long as DAS + MongoDB run in a restricted port range actually verified not to be accessible from other hosts, and MongoDB itself is not listening on outward-facing network interfaces, you don't need to add an extra layer of security in front.

(Copied from HN, as it was possibly relevant to other people there too.)

vkuznet commented Oct 6, 2010

valya: MongoDB provides this flag:

--bind_ip Specifies a single IP that the database server will listen for

which we can use to set up which host it should listen to. In our case it should be localhost, since the DAS cache server runs on the same node as MongoDB. And as we agreed (I hope we have), I will run MongoDB on a specific allocated port range.

ghost commented Oct 6, 2010

lat: Yes, that sounds like what you want: --bind_ip 127.0.0.1 or localhost, depending on whether it wants an address or a name, is OK.

vkuznet commented Oct 19, 2010

valya: MongoDB is installed with --bind_ip 127.0.0.1.

@ghost ghost assigned vkuznet Jul 24, 2012
This issue was closed.
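
Added example, not part of the original thread or the project's code: one way to verify the condition agreed above (MongoDB not listening on outward-facing interfaces) by parsing `/proc/net/tcp` for LISTEN sockets on the MongoDB port. The port 27017 (MongoDB's default), the sample tables and the function name are assumptions; it covers IPv4 on a little-endian Linux host only.

```python
import ipaddress
import socket
import struct

MONGO_PORT = 27017  # assumption: MongoDB's default port; the thread names none
TCP_LISTEN = "0A"   # socket state code for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp samples (not captured from any real host).
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue\n"
SAMPLE_BIND_ALL = HEADER + (
    "   0: 00000000:6989 00000000:0000 0A 00000000:00000000\n"  # 0.0.0.0:27017
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000\n"  # 0.0.0.0:22
)
SAMPLE_BIND_LOCALHOST = HEADER + (
    "   0: 0100007F:6989 00000000:0000 0A 00000000:00000000\n"  # 127.0.0.1:27017
    "   1: 0100007F:6989 0100007F:C350 01 00000000:00000000\n"  # established client
    "   2: 00000000:0016 00000000:0000 0A 00000000:00000000\n"
)


def exposed_listeners(proc_net_tcp, port=MONGO_PORT):
    """Return the non-loopback IPv4 addresses that have a LISTEN socket on port."""
    exposed = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # header, short line, or a socket that is not listening
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        # The kernel prints the address as a host-order word; "<I" assumes
        # a little-endian machine such as x86.
        packed = struct.pack("<I", int(hex_ip, 16))
        addr = ipaddress.ip_address(socket.inet_ntoa(packed))
        if not addr.is_loopback:
            exposed.append(str(addr))
    return exposed


if __name__ == "__main__":
    with open("/proc/net/tcp") as table:  # IPv6 listeners are in /proc/net/tcp6
        found = exposed_listeners(table.read())
    print("exposed on:", found if found else "none (loopback only or not running)")
```

An empty result after restarting with `--bind_ip 127.0.0.1` confirms the bind took effect; it does not replace the separate check from another host that the port range is firewalled.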