Mongod access control

MongoDB runs with no access control. Our security people won’t allow that. In an attempt to meet security needs, I changed this to bind to localhost rather than listening on the public IP address, but found that breaks access by the CryoSparc server. If I add basic access control to mongod, this will also break access.

Is there a way to get Cryosparc to use credentials to access mongod, and to access it via 127.0.0.1? Ideally both of these should be implemented. As of now, I am using iptables filtering to block external access.


Hi @Juno,

Our discussion forum went down for a couple of days and there may have been a post that was lost from this thread.
We currently are not supporting access control in mongo - but in general cryoSPARC should (of course) never be run on machines that are publicly accessible directly. Could you clarify your use case? Our recommendation is to use nginx as a reverse-proxy to allow outside users (if necessary) to access cryoSPARC over the public internet via HTTPS+auth of your choice. Mongodb should only ever be accessible within the local network (which is needed for worker nodes to communicate and write results).

Sorry for the SLOW reply. I didn’t see your response.

I have a system set up with no worker nodes. In this case, mongo has no need to listen on the LAN IP. Secondly, with worker nodes on the local LAN, it still is sensible to configure mongo access control to limit connections to cryosparc nodes.

While this LAN is behind a firewall, our security is strict here, so I cannot run Cryosparc with mongo accessible on the local LAN. Even with multiple nodes, it would be mandated to have an access control list limited to only the worker nodes. I had to block access at the firewall. It should be easier to configure mongo access control, as it is built into the software.

While you might think a locally exposed mongo port behind a firewall isn’t a risk, it’s still an internal security risk if a local system is compromised (never impossible), which is why access control even on an internal LAN matters.

I just created a post (The MongoDB instance used by cryoSPARC appears to be wide open) addressing this same issue (not knowing someone had already asked about this).

It seems that only the worker nodes need access to the MongoDB port? Consequently I opened the firewall on the cryoSPARC server up to port 39000 only, and this seems to be working without exposing a world-writeable database to the internet. The full range of ports (39000:39010) is open to the cryoSPARC worker nodes. Port 39000 goes to the web interface, which is password protected.
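The firewall approach described in this thread (the full 39000:39010 range open only to worker nodes, the password-protected web port 39000 open more broadly) can be expressed as a small rule generator. This is an added example, not code from cryoSPARC or from any poster above; the worker addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders, and the function only prints the iptables commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Generate (do not apply) INPUT-chain iptables rules for a cryoSPARC master host:
#   - the whole 39000:39010 port range (which includes the MongoDB port) is
#     accepted only from the listed worker node addresses and from loopback,
#   - the web interface on 39000 (password protected) is accepted from anywhere
#     the host is otherwise reachable,
#   - anything else aimed at the range is dropped.
# Added example; port numbers are the ones quoted in the thread.

CRYOSPARC_WEB_PORT=39000
CRYOSPARC_PORT_RANGE="39000:39010"

# build_rules WORKER_IP... -> prints one iptables command per line, in the
# order they must be appended (ACCEPT rules before the final DROP).
build_rules() {
    # Local master processes talk to mongod over loopback; keep that working.
    printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$CRYOSPARC_PORT_RANGE"
    # One ACCEPT rule per worker node for the full range.
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$ip" "$CRYOSPARC_PORT_RANGE"
    done
    # Web UI for everyone else (narrow the source to your LAN if that fits).
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$CRYOSPARC_WEB_PORT"
    # Everything else in the range, MongoDB included, is dropped.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$CRYOSPARC_PORT_RANGE"
}

# count_worker_rules WORKER_IP... -> number of per-worker ACCEPT rules generated
count_worker_rules() {
    build_rules "$@" | grep -c -e '-s '
}

# last_rule WORKER_IP... -> the final rule, which must be the range-wide DROP
last_rule() {
    build_rules "$@" | tail -n 1
}

# Review the output first; apply with:  build_rules 192.0.2.10 192.0.2.11 | sudo sh
build_rules 192.0.2.10 192.0.2.11
```

Rule order matters: iptables evaluates the INPUT chain top to bottom, so the worker and web ACCEPT rules must precede the range-wide DROP, which is why the generator emits them in that sequence. If the host already has a default DROP policy, the final line is redundant but harmless.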