diff --git a/source/administration/production-notes.txt b/source/administration/production-notes.txt index 238204936ce..07e73c97ed0 100644 --- a/source/administration/production-notes.txt +++ b/source/administration/production-notes.txt @@ -141,6 +141,16 @@ command returns information regarding the number of open connections to the current database for :program:`mongos` instances and :program:`mongod` instances in sharded clusters. +Disable HTTP Interfaces +~~~~~~~~~~~~~~~~~~~~~~~ + +:program:`mongod` provides interfaces to check the status of the +server and, optionally, run queries on it, over HTTP. Ensure that +these are disabled in production environments. + +See :ref:`http-interface-security`. + + Hardware Considerations ----------------------- diff --git a/source/core/security-interface.txt b/source/core/security-interface.txt index e40b03c3ee6..e17b3e56a73 100644 --- a/source/core/security-interface.txt +++ b/source/core/security-interface.txt @@ -38,9 +38,13 @@ behavior by passing the :option:`mongo --norc` option. the :file:`.mongorc.js` file from :file:`{%HOME%}\.mongorc.js` or :file:`{%HOMEDRIVE%}\{%HOMEPATH%}\.mongorc.js`. +.. _http-interface-security: + HTTP Status Interface --------------------- +.. include:: /includes/warning-http-interface.rst + The HTTP status interface provides a web-based interface that includes a variety of operational data, logs, and status reports regarding the :program:`mongod` or :program:`mongos` instance. The HTTP interface is 
@@ -49,20 +53,22 @@ always available on the port numbered ``1000`` greater than the primary ``28017``, but is indirectly set using the :setting:`~net.port` option which allows you to configure the primary :program:`mongod` port. -Without the :setting:`net.http.RESTInterfaceEnabled` setting, this interface is entirely -read-only, and limited in scope; nevertheless, this interface may -represent an exposure. To disable the HTTP interface, set the -:setting:`~net.http.enabled` run time option or the +Without the :setting:`net.http.RESTInterfaceEnabled` setting, this +interface is entirely read-only, and limited in scope; nevertheless, +this interface may represent an exposure. To disable the HTTP +interface, set the :setting:`~net.http.enabled` run time option or the :option:`--nohttpinterface ` command line option. See also :ref:`security-port-numbers`. +.. include:: /includes/note-http-interface-auth.rst + .. _rest-api: REST API -------- The REST API to MongoDB provides additional information and write -access on top of the HTTP Status interface. While the REST API does not +access on top of the HTTP status interface. While the REST API does not provide any support for insert, update, or remove operations, it does provide administrative access, and its accessibility represents a vulnerability in a secure environment. The REST interface is *disabled* diff --git a/source/core/security-network.txt b/source/core/security-network.txt index 91ad33704ca..b443e96be36 100644 --- a/source/core/security-network.txt +++ b/source/core/security-network.txt 
@@ -41,7 +41,7 @@ The status interface is read-only by default, and the default port for the status page is ``28017``. Authentication does not control or affect access to this interface. -.. important:: Disable this interface for production deployments. If +.. warning:: Disable this interface for production deployments. If you *enable* this interface, you should only allow trusted clients to access this port. See :ref:`security-firewalls`. @@ -62,7 +62,7 @@ to connect to this port. You may also enable this interface on the command line as :option:`mongod --rest <--rest>` :option:`--httpinterface`. -.. important:: Disable this option for production deployments. If +.. warning:: Disable this option for production deployments. If *do* you leave this interface enabled, you should only allow trusted clients to access this port. diff --git a/source/includes/note-http-interface-auth.rst b/source/includes/note-http-interface-auth.rst new file mode 100644 index 00000000000..cebecd5283b --- /dev/null +++ b/source/includes/note-http-interface-auth.rst @@ -0,0 +1,11 @@ +.. note:: + + While MongoDB Enterprise does support Kerberos authentication, + Kerberos is not supported in HTTP status interface in any version of + MongoDB. + + .. versionchanged:: 3.0 + + Neither the HTTP status interface nor the REST API support the + :ref:`SCRAM-SHA-1 ` challenge-response + user authentication mechanism introduced in version 3.0. diff --git a/source/includes/note-http-interface-scram.rst b/source/includes/note-http-interface-scram.rst new file mode 100644 index 00000000000..a8d1d59c68a --- /dev/null +++ b/source/includes/note-http-interface-scram.rst @@ -0,0 +1,7 @@ +.. note:: + + .. versionchanged:: 3.0 + + Neither the HTTP status interface nor the REST API support the + :ref:`SCRAM-SHA-1 ` challenge-response + user authentication mechanism introduced in version 3.0. 
diff --git a/source/includes/note-kerberos-unsupported-in-http-console.rst b/source/includes/note-kerberos-unsupported-in-http-console.rst deleted file mode 100644 index 983b8f4bc84..00000000000 --- a/source/includes/note-kerberos-unsupported-in-http-console.rst +++ /dev/null @@ -1,4 +0,0 @@ -.. note:: - - In MongoDB Enterprise, the HTTP Console does not support Kerberos - Authentication. diff --git a/source/includes/options-mongod.yaml b/source/includes/options-mongod.yaml index 46023b8c260..0fbdf3c7763 100644 --- a/source/includes/options-mongod.yaml +++ b/source/includes/options-mongod.yaml @@ -542,7 +542,7 @@ description: | Do not use in conjunction with :option:`--rest` or :option:`--jsonp`. - .. include:: /includes/note-kerberos-unsupported-in-http-console.rst + .. include:: /includes/note-http-interface-auth.rst optional: true --- program: mongod @@ -559,7 +559,7 @@ description: | *do* enable this interface, you should only allow trusted clients to access this port. See :ref:`security-firewalls`. - .. include:: /includes/note-kerberos-unsupported-in-http-console.rst + .. include:: /includes/note-http-interface-auth.rst optional: true --- program: mongod diff --git a/source/includes/warning-http-interface.rst b/source/includes/warning-http-interface.rst new file mode 100644 index 00000000000..0498caf929d --- /dev/null +++ b/source/includes/warning-http-interface.rst @@ -0,0 +1,5 @@ +.. warning:: + + Ensure that the HTTP status interface, the REST API, and the JSON + API are all disabled in production environments to prevent + potential data exposure and vulnerability to attackers. diff --git a/source/reference/configuration-options.txt b/source/reference/configuration-options.txt index 29ca06f4f5f..523049ba21d 100644 --- a/source/reference/configuration-options.txt +++ b/source/reference/configuration-options.txt 
@@ -134,8 +134,6 @@ Core Options .. include:: /includes/option/setting-conf-net.wireObjectCheck.rst -.. include:: /includes/option/setting-conf-net.http.enabled.rst - .. PENDING SERVER-13097 .. include:: /includes/option/setting-conf-net.http.port.rst @@ -150,6 +148,10 @@ Core Options .. setting:: net.http +.. include:: /includes/warning-http-interface.rst + +.. include:: /includes/option/setting-conf-net.http.enabled.rst + .. include:: /includes/option/setting-conf-net.http.JSONPEnabled.rst .. include:: /includes/option/setting-conf-net.http.RESTInterfaceEnabled.rst diff --git a/source/release-notes/3.0-compatibility.txt b/source/release-notes/3.0-compatibility.txt index 2c052233cbe..1096bbebf04 100644 --- a/source/release-notes/3.0-compatibility.txt +++ b/source/release-notes/3.0-compatibility.txt @@ -360,6 +360,13 @@ control. If you have a 3.0 MongoDB deployment that requires access control, you must use 3.0 versions of the :program:`mongo` shell. +HTTP Status Interface and REST API Compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Neither the HTTP status interface nor the REST API support the +:ref:`SCRAM-SHA-1 ` challenge-response +user authentication mechanism introduced in version 3.0. + .. _3.0-compatibility-indexes: Indexes
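Review bot: in the new "Disable HTTP Interfaces" section of source/administration/production-notes.txt, the added paragraph only describes the status/query interface, while the warning introduced in the same patch (/includes/warning-http-interface.rst) tells operators to disable the HTTP status interface, the REST API, and the JSON API. Either use `.. include:: /includes/warning-http-interface.rst` here or name all three, so the production checklist does not understate what must be turned off. Style nit: the two added trailing blank lines plus the existing one leave three blank lines before "Hardware Considerations"; one is enough.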
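Review bot: in the second source/core/security-interface.txt hunk (the reflowed "Without the :setting:`net.http.RESTInterfaceEnabled` setting" paragraph), the retained context line reads `:option:`--nohttpinterface `` with a trailing space and no explicit `<target>`; since this paragraph is being rewrapped anyway, confirm the role still carries its target, otherwise Sphinx reports an undefined reference. The placement of the new `.. include:: /includes/note-http-interface-auth.rst` just before the `.. _rest-api:` label is sensible, since the note covers both the status interface and the REST API.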
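Review bot: in the second source/core/security-network.txt hunk (the `--rest` / `--httpinterface` admonition), the unchanged context line "If *do* you leave this interface enabled" has the words out of order; since the directive is being changed from `important` to `warning` here, fix it to "If you *do* leave this interface enabled" in the same change, matching the wording already used in the options-mongod.yaml context ("If you *do* enable this interface").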
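Review bot: in the new file source/includes/note-http-interface-auth.rst, "Kerberos is not supported in HTTP status interface" is missing an article ("in the HTTP status interface"). The `.. versionchanged:: 3.0` block is byte-for-byte the same text as source/includes/note-http-interface-scram.rst and the new section in source/release-notes/3.0-compatibility.txt; keep the SCRAM sentence in one include file and pull it into the other two places so the three copies cannot drift. Also check the `:ref:`SCRAM-SHA-1 `` role: as it appears in the diff it has a trailing space and no `<label>` target, which would not resolve.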
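Review bot: source/includes/note-http-interface-scram.rst is added, but nothing else in this patch includes it (the only new `.. include::` lines reference note-http-interface-auth.rst and warning-http-interface.rst). Either add the include where the SCRAM-only note is meant to appear (the 3.0-compatibility section is the obvious candidate, since it repeats this text verbatim) or drop the file rather than ship an unused include.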
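Review bot: for the deleted source/includes/note-kerberos-unsupported-in-http-console.rst, the only consumers updated in this patch are the two `.. include::` lines in source/includes/options-mongod.yaml. Grep the tree for `note-kerberos-unsupported-in-http-console` before merging; any remaining include of the removed file will break the Sphinx build.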
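Review bot: the new source/includes/warning-http-interface.rst says what to disable but not how, and it is included from both the production notes and the `net.http` configuration section. Since the relevant settings are all referenced elsewhere in this patch (`net.http.enabled`, `net.http.RESTInterfaceEnabled`, `net.http.JSONPEnabled`), link them from the warning so an operator reading the production notes does not have to hunt for the knobs. Minor wording: "potential data exposure and vulnerability to attackers" reads better as "data exposure to attackers".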
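Review bot: the new "HTTP Status Interface and REST API Compatibility" section in source/release-notes/3.0-compatibility.txt repeats the SCRAM paragraph verbatim instead of using `.. include:: /includes/note-http-interface-scram.rst`, which this same patch adds and otherwise leaves unreferenced; include it here and add a "See :ref:`http-interface-security`" pointer (label added in security-interface.txt in this patch) so release-note readers land on the disable instructions.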