Put basic login/pw for mongodb about das HOT 5 CLOSED

valya: The MongoDB docs, http://www.mongodb.org/display/DOCS/Security+and+Authentication, recommend to run MongoDB in trusted environment. This is what we have by default in cmsweb cluster. I need to understand if it is acceptable.

from das.

lat: vocms53 is in firewalled territory where accesses are allowed only from front-ends and the host itself. Fortunately this machine isn't one of the reallocated systems with high ports available to half the world.

The access to MongoDB from front-end does concern me, although it's not a direct risk. Is it possible for you to configure MongoDB to listen only on localhost interface, not on 0.0.0.0 = all interfaces? This would be the exact reverse we've done to our own services, as you might recall.

So as long as DAS + MongoDB will run in restricted port range actually verified not to be accessible from other hosts, and MongoDB itself is not listening on outward facing network interfaces, you don't need to add extra layer of security in front.

(Copied from HN, as it was possibly relevant to other people there too.)

from das.

valya: MongoDB provides this flag:

--bind_ip Specifies a single IP that the database server will listen for

which we can use to setup which host it should listen to. In our case it should be localhost, since DAS cache server runs on the same node as MongoDB. And as we agreed (I hope we're) I will run MongoDB on specific allocated port range.

from das.

lat: Yes, that sounds what you want: --bind_ip 127.0.0.1 or localhost, depending on whether it wants address or name is ok.

from das.

valya: MongoDB is installed with --bind_ip 127.0.0.1.

from das.