Hi MongoDB community, I’m trying to harden a suite of dotnet applications which write logs to MongoDB.
Our initial implementation was simply to share a connection string like mongodb:#address#:27017 between all apps, and they would all write directly to MongoDB. #address# retrieved the relative address for the calling app (i.e. if calling from the same server as the database, localhost; otherwise the server IP address).
This was changed so all calls to MongoDb are made via an API which runs on the same server as the database, and MongoDb was configured to only allow local requests. Finally, the db was secured with a username and password, and a connection string was written to an encrypted file which is read by the API.
This strategy has worked fine, but is a little cumbersome - the API has to be configured to run as a user with permission to access and decrypt the connection string file, and the file itself has to be created and encrypted manually during install.
We have a SQL db as well as MongoDb, and we handle user auth by checking the logged-in user against a Users table, only allowing access if they are in the table with the required permissions. I’m trying to find a similar solution for our MongoDb database, which would allow us to authenticate to the db on a per-user basis rather than with a username/password. This would mean we no longer need a heavily protected connection string, and the db would only allow connections from a given user account.
Is such a thing achievable? If not, do we have any other options? Any recommendations on how best to secure the db given our requirements?
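One way to get per-application identities without a password file, shown here as an added example that is not part of the original post and not the poster's code: MongoDB x.509 client-certificate authentication (available in Community Edition) combined with a least-privilege role that can only insert into the log collection. Each application authenticates with its own certificate, the server maps the certificate subject to a user in the `$external` database, and the role limits what a leaked credential could do. The example uses the official MongoDB .NET driver (`MongoDB.Driver` 2.x); the database/collection names `applogs`/`events`, the role name `logWriter` and the host/port are placeholders, and it assumes `mongod` is already running with TLS and `--tlsCAFile` pointing at the CA that issued the client certificates.

```csharp
// Added example, not from the original post. Requires the MongoDB.Driver NuGet package.
// Assumes: mongod started with --tlsMode requireTLS --tlsCAFile <ca.pem> --auth,
// and a client certificate issued by that CA for each application.
using System;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Bson;
using MongoDB.Driver;

public static class MongoLogAuth
{
    // One-time provisioning, run once by an administrator (SCRAM admin credentials are
    // fine for this bootstrap step; they are not needed by the applications afterwards).
    // certSubject must be the client certificate's subject in RFC 2253 form, e.g.
    // "CN=billing-api,OU=apps,O=Example,C=GB" (placeholder value).
    public static void ProvisionLogWriter(string adminConnectionString, string certSubject)
    {
        var client = new MongoClient(adminConnectionString);

        // Least privilege: the role can only insert into applogs.events. No find, update,
        // remove or drop, so a compromised app cannot read or destroy other apps' logs.
        client.GetDatabase("admin").RunCommand<BsonDocument>(new BsonDocument
        {
            { "createRole", "logWriter" },
            { "privileges", new BsonArray
                {
                    new BsonDocument
                    {
                        { "resource", new BsonDocument { { "db", "applogs" }, { "collection", "events" } } },
                        { "actions", new BsonArray { "insert" } }
                    }
                }
            },
            { "roles", new BsonArray() }
        });

        // x.509 users live in $external and are named after the certificate subject.
        // No password is stored anywhere: the private key on the app host is the secret.
        client.GetDatabase("$external").RunCommand<BsonDocument>(new BsonDocument
        {
            { "createUser", certSubject },
            { "roles", new BsonArray { new BsonDocument { { "role", "logWriter" }, { "db", "admin" } } } }
        });
    }

    // Load the application's client certificate from the machine store by thumbprint.
    // The service account running the app needs read access to that key, nothing else.
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
        if (found.Count == 0)
        {
            throw new InvalidOperationException("Client certificate not installed for this application.");
        }
        return found[0];
    }

    // Per-application client: identity comes from the certificate, not from a connection
    // string containing a username and password.
    public static IMongoClient CreateClient(string host, X509Certificate2 clientCert)
    {
        var settings = new MongoClientSettings
        {
            Server = new MongoServerAddress(host, 27017), // placeholder host/port
            UseTls = true,
            SslSettings = new SslSettings
            {
                ClientCertificates = new[] { clientCert }
                // Server certificate validation stays on; do not set AllowInsecureTls.
            },
            // Passing null lets the driver/server take the username from the certificate.
            Credential = MongoCredential.CreateMongoX509Credential(null)
        };
        return new MongoClient(settings);
    }

    public static void WriteLog(IMongoClient client, string app, string message)
    {
        var events = client.GetDatabase("applogs").GetCollection<BsonDocument>("events");
        events.InsertOne(new BsonDocument
        {
            { "app", app },
            { "ts", DateTime.UtcNow },
            { "msg", message }
        });
    }

    public static void Main()
    {
        // Example wiring; thumbprint and host are placeholders supplied by deployment config.
        var cert = LoadClientCertificate("<client-cert-thumbprint>");
        var client = CreateClient("db.internal.example", cert);
        WriteLog(client, "billing-api", "started");
    }
}
```

Two practical caveats: the protected artefact moves from an encrypted connection-string file to the certificate's private key, so the install step still has to grant the application's service account read access to that key (a non-exportable key in the store, or an HSM-backed one, is stronger than a PFX on disk); and because the user name is the certificate subject, each application needs its own certificate, which also gives you per-application audit entries in the MongoDB log. Kerberos or LDAP would map the Windows logged-in user directly, as the SQL Users table does, but those mechanisms are Enterprise-only in MongoDB.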