MongoDB and .NET: Securing your MongoDB data with user authentication

In this short article we will secure our MongoDB instance in our network with user authentication. This article is a continuation of a previous article that discussed implementing MongoDB as an alternative database engine for searching in our ASP.NET application. The article can be viewed here: http://www.codeproject.com/Articles/784660/High-Performance-Search-using-MongoDB-and-ASP-NET. However this article can be useful for anyone who has a MongoDB instance in their environment.

Note that my particular MongoDB instance is running on an Ubuntu Linux virtual machine but MongoDB runs on many different platforms including Windows Server. Also this article is a specific example of securing a MongoDB instance against an ASP.NET web application and chooses a the MongoDB CR Authentication over other authentication types because it is the only one supported by .NET applications. However you have other authentication options if you are not implemented .NET clients. For a more exhaustive list of options for securing your MongoDB instance visit the security documentation on the MonogDB web site: http://docs.mongodb.org/manual/core/security-introduction/

1. Connect to the authentication database

You will want to create a user in MongoDB that maps to a real user or application. The user will be identified by a record in the user account store in MongoDB and authenticated to MongoDB with a password. To create a user in MongoDB that uses authentication, you must first create a user or system administrator account - that is an account that has permissions to create other user accounts and typically the first account that is created in your MongoDB instance for system administrators. First connect to the MongoDB instance using a mongo shell specifying the name of the authentication database that will hold the user accounts as "admin".

mongo --authenticationDatabase admin

2. Create a user with permissions to create other users

Then create a user account that will be used by system administrators for creating other user accounts or other administrative functions. For simplicity we will use a simple password but the actual password that you use should have a reasonable amount of lexicographical complexity.

use admin
db.createUser(
{
   user: "siteUserAdmin",
   pwd: "site@dm1n",
   roles:[{role: "userAdminAnyDatabase",db: "admin"}]
})

The role userAdminAnyDatabase gives the account the ability to create user accounts in any database in the MongoDB instance. Now exit the mongo shell and reconnect using the system administrator account.

mongo -u siteUserAdmin -p password--authenticationDatabase admin

3. Create an account for each MongoDB application

Then we will create two user accounts for the footloosefs database (which is the database that will be used by my .NET applications). One account for the Footloose Financial Service web site will only have read access because that is all that it needs for searching MongoDB data and another account for the ETL program will need both read and write access.

use footloosefs
db.createUser(
{
   user: "adminAppUser",
   pwd: "admin@dm1n",
   roles: [{ role: "read", db: "footloosefs" }]
})

use footloosefs
db.createUser(
{
   user: "etlUser",
   pwd: "etl@dm1n",
   roles: [{ role: "readWrite", db: "footloosefs" }]
})

4. Restrict access to MongoDB to authorized users

Finally we need to configure our MongoDB instance to require authentication and effectively disable anonymous authentication. Be sure that you have created a superuser if necessary before you disable anonymous access. Open the file /etc/mongodb.conf using your favorite Linux editor and remove the "#" symbol from the following line and save the file:

auth = true

On Windows there will be a similar file called monogdb.cfg that will exist or you may have to create the file and add the "auth = true" line and specify the configuration file on the MongoDB Windows service commmand line. Then you will need to restart your MongoDB instance so that the changes take effect.

sudo service mongodb restart

5. Add MongoDB authentication to the ASP.NET web site and ETL program

Lastly lets look at how we will need to modify our .NET client applications now that our MongoDB instance requires user authentication.  

The code for my .NET applications are in a Visual Studio 2013 project at the following github address: https://github.com/pcarrasco23/FootlooseFinancialServices. I will be referring to code in the commit labeled "Modifications for MongoDB".

In the FootlooseFSDcoumentDBETL project open the App.config file and change the connection string to MongoDB so that it includes the username we setup for the ETL process, password, and database to which we are authenticating in the format below:

<add key="MongoDBConectionString" value="mongodb://etlUser:etl@dm1n@192.168.1.4/footloosefs" />

Because we are storing a password in a configuration file, at this point we will want to encrypt the appSetting section of the configuration file. This article explains how this cane be done if you have never encrypted a .NET configuration file before: http://msdn.microsoft.com/en-us/library/vstudio/zhhddkxy(v=vs.100).aspx

In the FootlooseFS.Web.AdminUI project, we will want to do the same in the web.config file and encrypt the file.

This is the first step to secure our MongoDB environment and there are a few other actions that can be taken to make your MongoDB instance more secure including implementing SSL. All of these are documented in the Security section of the MongoDB online documentation. Thank you for reading.