Backup and restore MongoDB with X.509 authorisation
Background
Before I start I just want to say the mongo docs are great, really detailed but they can't cover every scenario (i.e. my scenario).
Securing a database with X.509 certificates
There is great documentation on this! Without (too) many issues I was able to follow the many blogs out there of people doing just this, connecting from the client etc. However I came against an issue finding any documentation on backing up and restoring a database with this security, no joy.
A bit about the X.509 keys
I'm not going to go into all the details of how I made these keys. If you haven't already get X.509 keys, read my post Creating x.509 certificates for mongodb.
- dba.pem (database admin)
- persistence.pem (read/write user)
- ca.pem (certificate authority used to sign the keys)
My users and roles
I started out with 2 users:
- A the Mongo built in DBA role:
userAdminAnyDatabase
for theadmin
db - A read/write user for the collections to be used by my app (I made a role for this with access to relevant collections)
What did work
I was able to log in using the mongo
command line utility included with the mongo installation with this command.
mongo --ssl --sslPEMKeyFile /etc/ssl/certs/persistence.pem --sslCAFile /etc/ssl/certs/ca.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase='$external' --host persistence-mongo
/etc/ssl/certs/persistence.pem
is the location of my X.509 file for the read/write user/etc/ssl/certs/ca.pem
is the location of my ca filepersistence-mongo
is the hostname of the server running mongo (if running locally this will be localhost)
It works!!!! 😺 I can now log in and change things. Now on to the backup and restore.
Backup
This is where things got tricky...
I used the same flags as before and used my database admin key instead of the read/write user key.
mongodump --ssl --sslPEMKeyFile /etc/ssl/certs/dba.pem --sslCAFile /etc/ssl/certs/ca.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase='$external' --host persistence-mongo
And received this helpful error
Failed: error getting database names: not authorised on admin to execute command { listDatabases: 1 }
Next failure
After much frustrated clicking around I finally just asked and surprisingly they had the answer. The --username or -u flag.
mongodump --ssl --sslPEMKeyFile /etc/ssl/certs/dba.pem --sslCAFile /etc/ssl/certs/ca.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase='$external' --host persistence-mongo --out dump -u "CN=dba,OU=MY AWESOME OU,O=MY ORGANISATION,L=TIMBUKTU,ST=Mali,C=AF"
And the return message was again
Failed: error getting database names: not authorized on admin to execute command { listDatabases: 1 }
Still no joy, then I stumbled on this post. So maybe my issue now was nothing to do with the X.509 keys, but with the role my user had.
Last hurdle
So now all I had to do was add a role that can back things up and restore. I could just change my admin user to have the built in role root
, however this is pretty bad practice. Mongo have helpfully added a role for this, Backup and restore roles. Add these roles, with the corresponding X.509 keys (backup.pem/restore.pem), change the command to use these new users and...
mongodump --ssl --sslPEMKeyFile /etc/ssl/certs/backup.pem --sslCAFile /etc/ssl/certs/ca.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase='$external' --host persistence-mongo --out dump -u "CN=backup,OU=DNG-CLIENT,O=DWP,L=Newcastle upon Tyne,ST=Tyne and Wear,C=GB"
No errors, great success!!!
© Peter Grainger.RSS