That's the tricky part about moving data in and out of MongoDB: the way the data
is modeled may differ between systems. In these cases, be prepared to use the drivers
as your conversion tools.
10.1.4 Security
Most RDBMSs feature elaborate security subsystems, allowing authorization of users
and groups with fine-grained control over permissions. By contrast, MongoDB v2.0
supports only a simple, per-database authentication mechanism. This makes the
security of the machines on which MongoDB is run all the more important. Here we'll
discuss a few considerations for running MongoDB in a secure environment and
show how authentication works.
SECURE ENVIRONMENTS
MongoDB, like all databases, should be run in a secure environment. Production
users of MongoDB must take advantage of the security features of modern operating
systems to ensure the safety of their data. Probably the most important of these
features is the firewall. The only potential difficulty in using a firewall with MongoDB is
knowing which machines need to communicate with each other. Fortunately, the
communication rules are simple. With a replica set, each node must be able to reach every
other node. In addition, all database clients must be able to connect with every replica
set node that the client might conceivably talk to.
A shard cluster consists in part of replica sets. So all the replica set rules apply; the
client in the case of sharding is the mongos router. Additionally:
- All shards must be able to communicate directly with one another.
- Both the shards and the mongos routers must be able to talk to the config
  servers.
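The communication rules above can be turned into an explicit allow-list and compared against what a firewall currently permits. The following is an added example, not code from the book: the function names, the topology format, and the host addresses are assumptions, and "all shards communicate directly" is read as every shard node reaching every other shard node.

```python
from itertools import permutations

def replica_set_flows(nodes, clients):
    """Directed (source, destination) pairs a firewall must allow for one replica set."""
    flows = set(permutations(nodes, 2))                  # each node reaches every other node
    flows |= {(c, n) for c in clients for n in nodes}    # clients reach every node
    return flows

def shard_cluster_flows(shards, mongos, config_servers):
    """Required flows for a shard cluster; `shards` maps shard name -> replica set nodes."""
    flows = set()
    for nodes in shards.values():
        # Replica set rules apply, with the mongos routers acting as the clients.
        flows |= replica_set_flows(nodes, clients=mongos)
    shard_nodes = [n for nodes in shards.values() for n in nodes]
    # "All shards communicate directly": read here as every shard node to every other.
    flows |= set(permutations(shard_nodes, 2))
    # Shards and mongos routers must both reach the config servers.
    flows |= {(src, cfg) for src in shard_nodes + list(mongos) for cfg in config_servers}
    return flows

def audit(allowed, required):
    """Return (missing, excess): flows the cluster needs but lacks, and flows to close."""
    return required - allowed, allowed - required

if __name__ == "__main__":
    # Constructed topology; host addresses are placeholders.
    shards = {"shardA": ["10.4.1.11", "10.4.1.12", "10.4.1.13"],
              "shardB": ["10.4.1.21", "10.4.1.22", "10.4.1.23"]}
    required = shard_cluster_flows(shards, ["10.4.1.5"], ["10.4.1.31"])
    # Constructed current rule set: one needed flow absent, one stray host allowed in.
    allowed = (required - {("10.4.1.5", "10.4.1.31")}) | {("10.4.9.9", "10.4.1.11")}
    missing, excess = audit(allowed, required)
    for src, dst in sorted(missing):
        print(f"MISSING allow {src} -> {dst}")
    for src, dst in sorted(excess):
        print(f"EXCESS  allow {src} -> {dst}")
```

Any pair reported as excess is a path into a database node that none of the rules above requires; ports are left out because they depend on how each process is started.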
A related security concern is the bind address. By default, MongoDB will listen on all
addresses on the machine. But you may want MongoDB to listen on one or more
specific addresses instead. For this you can start mongod and mongos with the --bind_ip
option, which takes a list of one or more comma-separated IP addresses. For example,
to listen on the loopback interface as well as on the internal IP address 10.4.1.55,
you'd start mongod like this:
mongod --bind_ip 127.0.0.1,10.4.1.55
Do note that data between machines will be sent in the clear. Official SSL support is
scheduled to be released in MongoDB v2.2.
AUTHENTICATION
MongoDB's authentication was originally built for users hosting MongoDB servers in
shared environments. It's not feature-rich, but it's useful when a little extra security is
required. Here we'll first discuss the authentication API and then describe how to use
it with replica sets and sharding.