Tyk Gateway and role-based access control in MongoDB

Imported Google Group message. Import Date: 2016-01-19 21:38:22 +0000.
Sender:[email protected].
Date:Tuesday, 22 December 2015 15:00:05 UTC.

Hi,

We may be attempting the impossible here, or, more likely, I’m misconfiguring something, but we’re trying to secure access to our MongoDB instances through role-based access controls and we’re running into some problems with Tyk accessing MongoDB.

We run three MongoDB instances as a replica set, and without any access control applied to MongoDB then Tyk behaves just fine. When we enable role-based access control on MongoDB then tyk fails to connect with a “Mongo connection failed:auth failed” message.

At the MongoDB end I’ve created a user named ‘tyk’ for the tyk_analytics database with a password of ‘tok’ (say) and the role of dbOwner. Using the mongo client I can access the database as this user and authenticate. When I configure the mongo_url parameter in tyk.conf as:

"mongo_url": "mongodb://tyk:[email protected]:27017/tyk_analytics"

then we get the following error message repeatedly:

tyk: time="2015-12-22T14:15:00Z" level=error msg="Mongo connection failed:auth failed"

The tyk-mongo.service.consul address is because we’re using Hashicorp’s Consul as a service discovery mechanism which effectively resolves tyk-mongo.service.consul to one of three MongoDB instances in a round-robin fashion.

Some more detail. The whole tyk.conf file looks like this:

{
    "listen_port": 5000,
    "secret": "njRiQMcdWEbHaj5PoaUvCLXnTOeL4P14",
    "template_path": "/etc/tyk/templates",
    "tyk_js_path": "/etc/tyk/js/tyk.js",
    "use_db_app_configs": true,
    "app_path": "/etc/tyk/apps",
    "middleware_path": "/etc/tyk/middleware",
    "enable_analytics": true,
    "analytics_config": {
        "type": "mongo",
        "csv_dir": "/tmp",
        "mongo_url": "mongodb://tyk:[email protected]/tyk_analytics",
        "mongo_db_name": "tyk_analytics",
        "mongo_collection": "tyk_analytics",
        "purge_delay": 10,
        "ignored_ips": []
    },
    "storage": {
        "type": "redis",
        "host": "redis-master.service.consul",
        "port": 6379,
        "username": "",
        "password": "",
        "database": 0,
        "optimisation_max_idle": 100
    },
    "health_check": {
        "enable_health_checks": true,
        "health_check_value_timeouts": 60
    },
    "optimisations_use_async_session_write": true,
    "allow_master_keys": true,
    "policies": {
        "policy_source": "mongo",
        "policy_record_name": "tyk_policies"
    },
    "hash_keys": false,
    "suppress_redis_signal_reload": false
}

Running service tyk status gives:

Redirecting to /bin/systemctl status tyk.service
tyk.service - tyk
   Loaded: loaded (/etc/systemd/system/tyk.service; enabled)
   Active: active (running) since Tue 2015-12-22 14:07:55 GMT; 24min ago
 Main PID: 2665 (tyk)
   CGroup: /system.slice/tyk.service
           └─2665 /etc/tyk/tyk

Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"
Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"
Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"
Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"
Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"
Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"
Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"
Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"
Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"
Dec 22 14:32:30 tyk-gateway-i-6e3d56e3 tyk[2665]: time="2015-12-22T14:32:30Z" level=error msg="Mongo connection failed:auth failed"

I hope that’s enough information for someone to point us in the right direction.

Many thanks,


Trevor Marshall
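
An added example, not part of the original thread or of Tyk's code: a small Python helper that shows which database a `mongo_url` of the form used above authenticates against, and masks `secret`, `password` and URL passwords in a tyk.conf before it is pasted into a support post. The function names and sample values are constructed for illustration, and it assumes a single-host URL as in the post.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qs

SENSITIVE_KEYS = {"secret", "password"}  # key names as they appear in the posted tyk.conf
MASK = "<redacted>"
# Constructed sample, not the poster's file: same keys, placeholder values.
SAMPLE_CONF = """
{
  "secret": "example-gateway-secret",
  "analytics_config": {
    "type": "mongo",
    "mongo_url": "mongodb://tyk:example-pw@mongo.example.internal:27017/tyk_analytics"
  },
  "storage": {"type": "redis", "username": "", "password": ""}
}
"""

def mongo_auth_summary(url):
    """Report who authenticates where, without exposing the password."""
    parts = urlsplit(url)
    path_db = parts.path.lstrip("/")
    # MongoDB URIs authenticate against authSource, else the path database, else "admin".
    auth_db = parse_qs(parts.query).get("authSource", [path_db or "admin"])[0]
    return {"user": parts.username, "host": parts.hostname, "auth_db": auth_db}

def redact_url(url):
    """Mask the password in a URL's userinfo, keeping user, host and path."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    netloc = f"{parts.username}:{MASK}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def redact(node):
    """Recursively copy parsed JSON, masking non-empty secrets and URL passwords."""
    if isinstance(node, dict):
        return {k: (MASK if k in SENSITIVE_KEYS and v else redact(v)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    if isinstance(node, str) and "://" in node:
        return redact_url(node)
    return node

def redact_conf(text):
    """Parse tyk.conf text and return a redacted copy that is safe to share."""
    return redact(json.loads(text))

if __name__ == "__main__":
    print(json.dumps(redact_conf(SAMPLE_CONF), indent=2))
```
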

Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 22 December 2015 15:29:56 UTC.

Hi Trevor,

Interesting, what version of Tyk and MongoDB are you using?

We upgraded the driver in 1.9 to support MongoDB 3 which might play nicer with a setup like this.

You can run Tyk with --debug to see more verbose output, it might spit out more detail regarding the error on the connection.

Let me know what you find.

Cheers,
Martin



Imported Google Group message.
Sender:Trevor Marshall.
Date:Tuesday, 22 December 2015 15:48:30 UTC.

Hi Martin,

Thanks for the prompt reply.

I’ve just checked, and we’re on Tyk 1.8 and MongoDB 3.0.8 - which is interesting because I thought we’d made the move to Tyk 1.9.

Hmmm… Different version of the mgo interface to MongoDB too… That might be the problem! I’ll see if we can update to Tyk 1.9 and see if that makes a difference.

Thanks, and I’m feeling just a bit embarrassed…



Trevor Marshall
Senior Developer


Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 22 December 2015 16:11:26 UTC.

Hi Trevor,

No worries - though I’d be careful with the update to 1.9 as it’s a little different, it should all be backwards compatible but it does make use of different configuration folder defaults (all on /opt instead of /etc)

If you install with tarball you can control it better, but Deb or RPM will make some decisions based on distro.

There’s some guidance on the site regarding updating, let us know if there’s something off.

Cheers,
Martin
