[openstack-dev] [OSSN-0066] (Errata) MongoDB guest instance allows any user to connect

Luke Hinds lhinds at redhat.com
Thu Nov 10 12:04:59 UTC 2016


MongoDB guest instance allows any user to connect
---

### Summary ###
When creating a new MongoDB single instance or cluster, the MongoDB
`security.authorization` setting was left at its default of disabled. As
a result, no user credentials were required to connect to the mongo
instance and perform read / write operations from any network attached
at instance creation.

### Affected Services / Software ###
Trove, Liberty

### Discussion ###
MongoDB contains a security config set within `mongo.conf` as follows:

    security:
        authorization: "enabled"

When creating a new MongoDB instance or cluster within Trove, the
`security` value was not populated, so MongoDB adopted its default value
of `disabled`. With security authorization disabled there is no
enforcement of user authentication, allowing users to connect and
perform read/write data operations from any network that is attached on
instance create.

A fix was implemented within Mitaka and back ported to Liberty that
addresses the problem by enabling authorization by default on single
instances. This can be toggled via configuration groups.

Cluster security is determined by the Trove config variable
`mongodb.cluster_secure`. This cannot be toggled once the cluster is
created.

### Recommended Actions ###
Single instances now use role based access control (RBAC) by default. To
disable RBAC, the Trove user can attach a configuration group with
`security.authorization` set to `disabled`. It can be re-enabled by
detaching the configuration group or changing the value to `enabled`.

The Trove config variable `mongodb.cluster_secure`
(boolean type, in `trove.conf`) determines the RBAC state of MongoDB
clusters that are created. Setting this to true enables RBAC while false
disables it. This applies to all MongoDB clusters; changing it requires a
restart of the trove-api service, and it cannot be toggled on running
clusters.

Existing MongoDB instances can be secured by applying the following
change to `mongo.conf`:

    security:
        authorization: "enabled"
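The following audit helper is an added example, not Trove's own code: it reads the `security.authorization` key from a `mongo.conf` fragment (treating an absent key as MongoDB's default, i.e. disabled, which is exactly the failure this note describes) and the `cluster_secure` option from a `trove.conf` fragment. The YAML reader is deliberately minimal, covering only the two-level `security:` / `authorization:` form shown above; the `[mongodb]` section name and the `True` fallback for `cluster_secure` are assumptions, since the note names only the option.

```python
"""Audit the MongoDB authorization settings described in OSSN-0066."""
import configparser
import re

# Matches "<indent><key>: <value>" lines of the simple YAML form in the note.
_KEY = re.compile(r"^(\s*)([A-Za-z_][\w.]*)\s*:\s*(.*?)\s*$")


def effective_authorization(mongod_conf: str) -> str:
    """Return 'enabled' or 'disabled' as mongod would actually apply it.

    Minimal reader for the `security:` / `authorization:` layout only; an
    absent or empty key yields 'disabled', MongoDB's default.
    """
    in_security, security_indent = False, 0
    for line in mongod_conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KEY.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if key == "security" and value == "":
            in_security, security_indent = True, indent
            continue
        if in_security and indent <= security_indent:
            in_security = False  # dedented past the security block
        if in_security and key == "authorization":
            return value.strip("\"'").lower() or "disabled"
    return "disabled"  # key never populated: MongoDB default applies


def cluster_secure(trove_conf: str) -> bool:
    """Read cluster_secure from trove.conf.

    Assumption: the option lives in a [mongodb] section and defaults to
    True when unset; the note states neither.
    """
    cp = configparser.ConfigParser()
    cp.read_string(trove_conf)
    return cp.getboolean("mongodb", "cluster_secure", fallback=True)


# Constructed samples: a config with no security block at all (the unfixed
# Trove rendering) and the same file with the fix from the note applied.
UNPATCHED_MONGOD_CONF = "storage:\n    dbPath: /var/lib/mongodb\nnet:\n    bindIp: 0.0.0.0\n"
FIXED_MONGOD_CONF = UNPATCHED_MONGOD_CONF + 'security:\n    authorization: "enabled"\n'

if __name__ == "__main__":
    print("unpatched:", effective_authorization(UNPATCHED_MONGOD_CONF))
    print("fixed:    ", effective_authorization(FIXED_MONGOD_CONF))
```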

### Errata ###
This OSSN previously incorrectly stated that the fix was back ported to
Liberty release. This is not the case and the fix was applied only to
Mitaka.

### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0066
Original LaunchPad Bug : https://bugs.launchpad.net/trove/+bug/1507841
Mailing List : [Security] tag on openstack-dev at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
