Start Mongo with enabled access control #77
Comments
My proposal for fixing the issue is edgex-mongo-launch.sh to be modified like this:
First mongo is started without access control, bound to From a developer's point of view, working with
If Mongo starts without any protection then it is a serious issue and would be a good candidate for a SIR team ticket. We may need to develop a fix, record the issue into SIR and notify the community. This would be a common practice.
It was discussed at a meeting that this wasn't SIR-worthy, as mongo is optional and going away next release. The official mongo docker image handles auth quite well; I'd suggest lifting what they do wrt
Fix of the current issue will remove some of the warning messages, reported by issue #9
@hutchic
Both are executed if there is no data populated in In addition, the script handles automatically setting/removing the --auth param if
Right now I think docker-edgex-mongo overrides the entrypoint, but the better solution IMO would be to place custom startup scripts into
@hutchic In addition, we have used a JavaScript file responsible for initializing the data inside mongo, but the logic was re-written, so now we have a Go application inside. So, I do not think we could use the original mongo entry point. At all, I see that this script also restarts mongo in order to do data initialization. Nevertheless, I suggest current So, my suggestion is as the original one + give root privileges to the admin user
Note: Another thing I have noticed in this script is that mongo is started with
@hutchic
@hutchic If yes, I would say that I am not in favor of rewriting everything again just to take advantage of the official endpoint. Plus, there are additional thoughts around database schema initialization, like each microservice should own the schema and should be responsible for data initialization, thus keeping microservices encapsulated. So, I guess that in the future releases this will be rewritten anyway. I agree with adding a root user. I only have concerns with the way credentials are provided.
But from a developer's perspective this looks like the easiest solution: having a root user with human-readable credentials. What about... if env variables are set (developer's case), use their values for root user creation; otherwise use the credentials coming from vault? This way, we will need to update developer-related documentation, and this manual work will be done by the developers, if needed at all.
For the scope of this issue I'd agree it's not worth the rewrite 👍 I think the use cases you've captured would be achievable via something like this
reference: https://www.frodehus.dev/running-mongodb-in-docker-with-authentication/
In the future EdgeX should probably consider using vault secret engines: https://www.vaultproject.io/docs/secrets/databases/mongodb/
@tingyuz @hutchic By adding the Any idea how we could gracefully handle development vs production mode without forcing the client to do extra actions, and all this still being convenient for the developers?
Not having setup a production environment I might not have the knowledge to weigh in here.
For the purposes of "start mongo with enabled access control" I still think do what gets it secured easily / now and punt on dynamic secrets / secret leasing for a future time
So, let's approach this issue the easiest way: just enable the authentication mode.
Currently, the mongo database is started by `mongod --bind_ip_all &` (see edgex-mongo-launch.sh). Because authentication is not explicitly enabled (by setting it in the `mongod.conf` file, or using the `--auth` parameter), mongo comes without access control. Once mongo is started, the edgex-mongo app creates a User for each service. Each User has privileges to manipulate the data in a specific database (e.g., user "meta" could access only the "metadata" database, etc.).
Nevertheless, despite the existence of all these users, restriction-free control could be taken over the entire database if the client does not provide any credentials at all.
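The launch flow discussed in this thread (bootstrap without auth on localhost only, create a root user plus one user per service limited to its own database, then restart with `--auth`), together with the "env vars for developers, otherwise Vault-rendered credentials" idea from the comments, as one added example. This is not edgex-mongo-launch.sh or any edgex-mongo code; the env var names `EDGEX_MONGO_ROOT_USER`/`EDGEX_MONGO_ROOT_PASSWORD` and `META_PASSWORD`, the Vault-rendered credential file `/run/secrets/mongo-root`, the `.edgex-users-created` marker file and the `EDGEX_MONGO_LAUNCH` switch are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the project's edgex-mongo-launch.sh. Assumed (not from the
# issue): env names EDGEX_MONGO_ROOT_USER/EDGEX_MONGO_ROOT_PASSWORD, a Vault-
# rendered "user:password" file at $VAULT_CRED_FILE, and a marker file in the
# data directory recording that users have already been created.
set -eu

DATA_DIR="${DATA_DIR:-/data/db}"
VAULT_CRED_FILE="${VAULT_CRED_FILE:-/run/secrets/mongo-root}"

# Root credentials: explicit env vars win (developer case); otherwise the
# Vault-rendered file. Prints "user password" on one line, fails if neither exists.
resolve_root_credentials() {
  if [ -n "${EDGEX_MONGO_ROOT_USER:-}" ] && [ -n "${EDGEX_MONGO_ROOT_PASSWORD:-}" ]; then
    printf '%s %s\n' "$EDGEX_MONGO_ROOT_USER" "$EDGEX_MONGO_ROOT_PASSWORD"
  elif [ -r "$VAULT_CRED_FILE" ]; then
    IFS=: read -r user pass < "$VAULT_CRED_FILE"
    printf '%s %s\n' "$user" "$pass"
  else
    echo "no root credentials: set EDGEX_MONGO_ROOT_USER/PASSWORD or provide $VAULT_CRED_FILE" >&2
    return 1
  fi
}

# mongod arguments for the current phase: while users do not exist yet, listen
# on localhost only and without auth; afterwards bind all interfaces and
# require authentication (the "set/remove --auth" logic from the thread).
mongod_args() {
  if [ -e "$DATA_DIR/.edgex-users-created" ]; then
    printf '%s\n' "--auth --bind_ip_all --dbpath $DATA_DIR"
  else
    printf '%s\n' "--bind_ip 127.0.0.1 --dbpath $DATA_DIR"
  fi
}

# Mongo shell JS that creates the root user plus one readWrite user per
# service, each limited to its own database. Service specs are
# "user:database:password" (e.g. meta:metadata:<pw>). Values must not contain
# double quotes, since they are spliced into JS string literals.
user_init_js() {
  root_user=$1; root_pass=$2; shift 2
  printf 'db.getSiblingDB("admin").createUser({user:"%s",pwd:"%s",roles:["root"]});\n' \
    "$root_user" "$root_pass"
  for spec in "$@"; do
    svc=${spec%%:*}; rest=${spec#*:}; db=${rest%%:*}; pw=${rest#*:}
    printf 'db.getSiblingDB("%s").createUser({user:"%s",pwd:"%s",roles:[{role:"readWrite",db:"%s"}]});\n' \
      "$db" "$svc" "$pw" "$db"
  done
}

# Bootstrap once (no auth, localhost only), create users, stop, then run for
# real with --auth. The user name is assumed to contain no spaces. Service
# passwords come from env vars (assumed names); add one spec per service.
launch() {
  creds=$(resolve_root_credentials)
  root_user=${creds%% *}; root_pass=${creds#* }
  if [ ! -e "$DATA_DIR/.edgex-users-created" ]; then
    mongod $(mongod_args) --fork --logpath "$DATA_DIR/bootstrap.log"
    user_init_js "$root_user" "$root_pass" \
      "meta:metadata:${META_PASSWORD:?}" | mongo --quiet --host 127.0.0.1 admin
    mongod --dbpath "$DATA_DIR" --shutdown
    touch "$DATA_DIR/.edgex-users-created"
  fi
  exec mongod $(mongod_args)
}

# Only launch when explicitly asked, so the functions can be sourced and tested.
if [ "${EDGEX_MONGO_LAUNCH:-0}" = 1 ]; then
  launch
fi
```

Run it as `EDGEX_MONGO_LAUNCH=1 META_PASSWORD=... ./launch.sh` with either the developer env vars or the Vault-rendered file present. The bootstrap phase binds to 127.0.0.1 so the unauthenticated window is never reachable from the container network, and the marker file makes the `--auth` decision depend on whether users actually exist rather than on whether the data directory is non-empty.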