mongodb: Add authentication support #36421
545faef to 1e65762
1e65762 to cde7ad2
ping
ping
ping @bluescreen303 @offline @wkennington @cstrahan @rvl We have been using this PR for the last 2 months in production without any problem.
ping
Sorry, this seems to have gotten very little attention. I would test it if you rebase it on the current master.
Rebased on current master.
Wouldn't the option
I think you are right, I am wondering a bit about discoverability though. It may not be clear that
Maybe it's enough to mention the authentication in the description of initialRootPassword. I'm not entirely sure that this is better, though.
Co-Authored-By: Lassulus <github@lassul.us>
So I prefer the current way with both
I'm ok with having both.
Do you want to squash or should I do it?
Thank you for taking this up and merging it 👍
@phile314-fh Doesn't I know I'm a little bit late to the game here, seeing how this PR was merged 2 months ago, but it seems likely I'll have to start using
I do agree that the current state is by far not an optimal solution, just the best I could come up with ... What exactly do you mean by socket authentication? Do you have a link?
@phile314-fh I'm not a That being said after some research I have discovered there is Would this be more or less desirable than what is currently in place? The one advantage I see is that it forces the db admin to securely set a password, whereas with I'll be updating this module to remove the
ping @phile314-fh any opinion on that?
I just checked if mongodb would support hashed passwords, but it seems it requires the cleartext password for account creation. So I agree, removing the
Motivation for this change
Add support for authentication to the MongoDB NixOS module.
MongoDB makes this a bit difficult, because it has no default admin/root user. So if we just enabled authentication, this would make MongoDB completely inaccessible. I chose instead to create a default root db user. Users can then change the root password or create additional users using the normal MongoDB functions. There is a minimal security risk, as during initial setup MongoDB is started without authorization on the local loopback interface. Similarly, there will be a time window between the first startup and the time the initial root password can be changed by the user.
This is the best approach I have come up with so far. Better ideas are welcome ;-)
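The first-start sequence outlined in the description above, as an added shell example (not the module code from this PR): start `mongod` without authorization on loopback only, create the root user, stop it again, and record that it was done. The data directory, password file, marker file and function names are assumptions, and `mongo` is the legacy MongoDB shell.

```shell
#!/bin/sh
# Added example, not the NixOS module's code. Paths and names are assumptions.
DBPATH="${DBPATH:-/var/db/mongodb}"             # assumed data directory
PW_FILE="${PW_FILE:-/run/keys/mongodb-root}"    # assumed root-only password file

# Emit the createUser call. Backslashes and double quotes in the password are
# escaped so the value cannot terminate the JavaScript string literal.
create_user_js() {
  esc=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf 'db.getSiblingDB("admin").createUser({user:"root",pwd:"%s",roles:[{role:"root",db:"admin"}]})' "$esc"
}

# One-time bootstrap; returns 0 once the root user has been created.
bootstrap_root_user() {
  marker="$DBPATH/.auth_bootstrapped"           # hypothetical marker file
  if [ -e "$marker" ]; then return 0; fi        # already initialised
  pw=$(cat "$PW_FILE") || return 1
  if [ -z "$pw" ]; then return 1; fi            # refuse an empty password

  # Temporary instance: no --auth, reachable on loopback only.
  mongod --dbpath "$DBPATH" --bind_ip 127.0.0.1 --port 27017 \
         --fork --logpath "$DBPATH/bootstrap.log" || return 1

  # The script goes over stdin, so the password is not in the process list.
  if create_user_js "$pw" | mongo --quiet --host 127.0.0.1 --port 27017 admin
  then rc=0; else rc=1; fi

  mongod --dbpath "$DBPATH" --shutdown          # close the unauthenticated window
  if [ "$rc" -eq 0 ]; then touch "$marker"; fi
  return "$rc"
}
```

Call `bootstrap_root_user` before the service itself is started with `mongod --auth`; a non-zero return means the root user was not created and the marker file is not written.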