Local AAA Adapter
Updated on 21 Nov 2024
Local AAA Configuration
A Local AAA adapter may be used in lab and development environments to locally authenticate users against a MongoDB collection inside the local AAA database.
Configure the Local AAA adapter to be a member of the AAA broker. Only one AAA adapter may be configured at a time.
The Local AAA adapter no longer uses the persistence broker; you can point Local AAA to any MongoDB database you choose. You must add the "database" configuration property, as shown in the example below.
Sample Config
{
  "id": "Local AAA",
  "type": "local_aaa",
  "properties": {
    "database": {
      "db": "LocalAAA",
      "url": "mongodb://127.0.0.1:27017",
      "credentials": {
        "dbAuth": false
      }
    }
  },
  "brokers": [ "aaa" ]
}
If you are using dbAuth, make sure the username used by the Local AAA adapter is created inside the same database set in the db property.
Adding Users and Groups
To add more users for testing and development, you can create and import a new user JSON document.
- Install the bcrypt-cli node module required to generate a bcrypt hash.

  npm install --global bcrypt-cli

- Hash the user password using bcrypt-cli (the stored value is a bcrypt hash, not a recoverable encryption of the password).

  $ bcrypt-cli password 10
  $2a$10$5KXKzv9Ech1w2nOSSPWCMuaqOS6aFCpKZV6IzfaYRRgN/xkwXYso2

- Be sure to create group documents for each group referenced by the accounts. After each group is created, configure the group from the Authorization menu by logging in as the IAP administrator.
Sample User Account Document (Local AAA User)
$ mongo db01/pronghorn --ssl -u pronghorn -p
MongoDB shell version v3.6.6
Enter password:
connecting to: mongodb://db01:27017/ph6
MongoDB server version: 3.6.6
$ use LocalAAA
switched to db LocalAAA
$ db.accounts.find();
{
  "_id": ObjectId("5b6f9fc3fe38e3bd73795d4d"),
  "username": "admin@pronghorn",
  "activeTenant": "*",
  "firstname": "admin",
  "groups": [ "pronghorn_admin" ],
  "password": "$2a$10$5KXKzv9Ech1w2nOSSPWCMuaqOS6aFCpKZV6IzfaYRRgN/xkwXYso2",
  "tenants": []
}
Sample Group Document (Local AAA Group)
$ mongo db01/pronghorn --ssl -u pronghorn -p
MongoDB shell version v3.6.6
Enter password:
connecting to: mongodb://db01:27017/ph6
MongoDB server version: 3.6.6
$ use LocalAAA
switched to db LocalAAA
$ db.groups.find();
{
  "_id": ObjectId("5b6f9fc3fe38e3bd73795d56"),
  "name": "pronghorn_users",
  "group": "pronghorn_admin"
}
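The steps under Adding Users and Groups and the two sample documents above leave two things easy to get wrong: an account that stores the plaintext password instead of the bcrypt hash, and an account whose groups array names a group for which no group document exists. The following Node.js script is an added example, not Itential's code or part of this page; it checks a batch of account and group documents before they are inserted with the mongo shell. The function names and the sample documents are this example's own, and it assumes (as in the samples above) that an account's groups entries refer to the group field of a group document.

```javascript
// Added example, not Itential's code: a pre-import check for Local AAA account
// and group documents, run with Node.js before inserting them with the mongo
// shell. Field names follow the sample documents on this page; the inputs are
// constructed here for illustration.
'use strict';

// bcrypt modular-crypt format: $2a$/$2b$/$2y$, a two-digit cost, then 22 salt
// and 31 hash characters (53 in total) from bcrypt's base64 alphabet.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

// Returns null when the value is a bcrypt hash of acceptable cost, otherwise a
// description of the problem (for example a plaintext password stored by mistake).
function checkPasswordHash(value, minCost = 10) {
  const m = BCRYPT_RE.exec(String(value));
  if (!m) return 'password is not a bcrypt hash';
  if (Number(m[1]) < minCost) return `bcrypt cost ${m[1]} is below ${minCost}`;
  return null;
}

// Returns a list of findings; an empty list means the documents are consistent.
// Assumption (matches the page's samples): an account's "groups" entries refer
// to the "group" field of a group document.
function checkLocalAaaDocuments(accounts, groups) {
  const findings = [];
  const knownGroups = new Set(groups.map((g) => g.group));
  const seen = new Set();
  for (const acct of accounts) {
    const who = acct.username || '<missing username>';
    if (!acct.username) findings.push('account without a username');
    else if (seen.has(acct.username)) findings.push(`duplicate username ${who}`);
    seen.add(acct.username);
    const hashProblem = checkPasswordHash(acct.password);
    if (hashProblem) findings.push(`${who}: ${hashProblem}`);
    if (!Array.isArray(acct.groups) || acct.groups.length === 0) {
      findings.push(`${who}: no groups assigned`);
      continue;
    }
    for (const g of acct.groups) {
      if (!knownGroups.has(g)) findings.push(`${who}: references missing group document "${g}"`);
    }
  }
  return findings;
}

// Constructed sample documents: the first mirrors the page's admin account, the
// second deliberately stores a plaintext password and names an undefined group.
const sampleAccounts = [
  {
    username: 'admin@pronghorn', activeTenant: '*', firstname: 'admin',
    groups: ['pronghorn_admin'],
    password: '$2a$10$5KXKzv9Ech1w2nOSSPWCMuaqOS6aFCpKZV6IzfaYRRgN/xkwXYso2',
    tenants: [],
  },
  {
    username: 'tester@pronghorn', activeTenant: '*', firstname: 'tester',
    groups: ['pronghorn_ops'], password: 'password', tenants: [],
  },
];
const sampleGroups = [{ name: 'pronghorn_users', group: 'pronghorn_admin' }];

// Running the check on the constructed batch reports the two problems in the
// second account; the first account passes.
const sampleFindings = checkLocalAaaDocuments(sampleAccounts, sampleGroups);
console.log(sampleFindings.length ? sampleFindings.join('\n') : 'documents are consistent');
```

Run it with node before importing the documents; fix every reported finding, then insert the accounts and groups with the mongo shell as shown above. The cost check uses the page's value of 10 as the minimum.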
If you need to secure the connection from IAP to MongoDB used by Local AAA, or to encrypt or obfuscate the password used in an adapter, refer to the Encrypting Passwords in Local AAA section below.
Secure MongoDB Connectivity in Local AAA
To set up the Local AAA adapter in IAP using a password- and SSL-protected MongoDB, follow the steps below.
The steps shown here assume MongoDB is not yet using authorization.
- Set up the admin user.

  db.createUser( {
    "user": "admin",
    "pwd": "password",
    "roles": [
      { "role": "root", "db": "admin" },
      { "role": "userAdminAnyDatabase", "db": "admin" },
      { "role": "clusterMonitor", "db": "admin" },
      { "role": "dbOwner", "db": "LocalAAA" },
      { "role": "dbOwner", "db": "pronghorn" }
    ]
  } )

- Set up the Pronghorn user.

  db.createUser( {
    "user": "pronghorn",
    "pwd": "password",
    "roles": [
      { "role": "dbOwner", "db": "pronghorn" },
      { "role": "dbOwner", "db": "LocalAAA" },
      { "role": "clusterMonitor", "db": "admin" }
    ]
  } )

- Set up the Local AAA user.

  db.createUser( {
    "user": "localaaa_user",
    "pwd": "pronghorn",
    "roles": [
      { "role": "dbOwner", "db": "LocalAAA" }
    ]
  } )

- Modify the mongod.conf file to turn on authorization.

  /etc/mongod.conf

  # network interfaces
  net:
    port: 27017
    bindIp: 0.0.0.0  # 0.0.0.0 listens on all interfaces; set 127.0.0.1 to listen on the local interface only.

  security:
    authorization: enabled
- Modify the properties.json file.

  /opt/pronghorn/current/properties.json

  "id": "profile1",
  "mongoProps": {
    "credentials": {
      "dbAuth": true,
      "passwd": "password",
      "user": "pronghorn"
    },
    "db": "pronghorn",
    "url": "mongodb://127.0.0.1:27017"
  }
- Modify properties for the MongoDB adapter via IAP (navigate to Admin Essentials > Adapters).

  "properties": {
    "id": "mongo",
    "properties": {
      "credentials": {
        "dbAuth": true,
        "passwd": "password",
        "user": "pronghorn"
      },
      "db": "pronghorn",
      "url": "mongodb://127.0.0.1:27017"
    }
  },
- Modify the Local AAA properties.

  Note: In this example, "pronghorn" was used for the password. This is consistent with how the Local AAA user was set in Step 3 above.

  "properties": {
    "id": "Local AAA",
    "type": "local_aaa",
    "properties": {
      "database": {
        "db": "LocalAAA",
        "url": "mongodb://127.0.0.1:27017",
        "credentials": {
          "dbAuth": true,
          "passwd": "pronghorn",
          "user": "localaaa_user"
        }
      }
    },
    "brokers": [ "aaa" ],
    "groups": []
  },
- Restart MongoDB.

  systemctl restart mongod

- Stop Pronghorn (Itential).

  systemctl stop pronghorn

- Start Pronghorn (Itential).

  systemctl start pronghorn

- Check the status of Pronghorn (Itential).

  systemctl status pronghorn
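The procedure above ends with three configuration fragments that must agree with each other and with the MongoDB users created in the first steps: the Local AAA database property has to carry dbAuth, user and passwd, and the localaaa_user account should hold roles on the LocalAAA database only. The following Node.js script is an added example, not Itential's code or part of this page; it checks a Local AAA database property and a db.createUser() spec against those expectations. The function names, the allowNoAuth option and the inputs are this example's own, constructed from the page's samples.

```javascript
// Added example, not Itential's code: configuration checks for the hardened
// Local AAA setup described on this page. Function names and options are this
// example's own; the inputs are constructed from the page's samples.
'use strict';

// Findings for a Local AAA "database" property. allowNoAuth permits the
// dbAuth:false lab configuration shown earlier on the page.
function checkDatabaseProperty(database, { allowNoAuth = false } = {}) {
  const findings = [];
  if (!database.db) findings.push('db is not set');
  let url;
  try {
    url = new URL(String(database.url));
  } catch (e) {
    return findings.concat('url is not a valid URL');
  }
  if (url.protocol !== 'mongodb:' && url.protocol !== 'mongodb+srv:') {
    findings.push(`unexpected URL scheme ${url.protocol}`);
  }
  if (url.username || url.password) {
    findings.push('credentials embedded in the URL; use the credentials object instead');
  }
  const creds = database.credentials || {};
  if (creds.dbAuth === true) {
    if (!creds.user) findings.push('dbAuth is enabled but user is not set');
    if (!creds.passwd) findings.push('dbAuth is enabled but passwd is not set');
  } else if (!allowNoAuth) {
    findings.push('dbAuth is not enabled; MongoDB is used without a password');
  }
  return findings;
}

// Findings for a db.createUser() spec: the MongoDB user that Local AAA connects
// with should hold roles on the Local AAA database only (least privilege).
function checkLeastPrivilege(userSpec, expectedDb) {
  const findings = [];
  for (const role of userSpec.roles || []) {
    if (role.db !== expectedDb) {
      findings.push(`${userSpec.user}: role ${role.role} on ${role.db} reaches outside ${expectedDb}`);
    }
  }
  return findings;
}

// Constructed inputs mirroring the page's samples.
const labDatabase = {
  db: 'LocalAAA', url: 'mongodb://127.0.0.1:27017', credentials: { dbAuth: false },
};
const hardenedDatabase = {
  db: 'LocalAAA', url: 'mongodb://127.0.0.1:27017',
  credentials: { dbAuth: true, passwd: 'pronghorn', user: 'localaaa_user' },
};
const localAaaUser = {
  user: 'localaaa_user', pwd: 'pronghorn', roles: [{ role: 'dbOwner', db: 'LocalAAA' }],
};
// The broader pronghorn user from the page, checked here as if it were used as
// the Local AAA user: two of its roles reach outside LocalAAA.
const pronghornUser = {
  user: 'pronghorn', pwd: 'password',
  roles: [
    { role: 'dbOwner', db: 'pronghorn' },
    { role: 'dbOwner', db: 'LocalAAA' },
    { role: 'clusterMonitor', db: 'admin' },
  ],
};

console.log('lab config:', checkDatabaseProperty(labDatabase));
console.log('hardened config:', checkDatabaseProperty(hardenedDatabase));
console.log('localaaa_user roles:', checkLeastPrivilege(localAaaUser, 'LocalAAA'));
console.log('pronghorn user as Local AAA user:', checkLeastPrivilege(pronghornUser, 'LocalAAA'));
```

The lab configuration is reported only because dbAuth is off; passing allowNoAuth: true accepts it for the development setup described at the top of the page. The role check is why the procedure creates a separate localaaa_user rather than reusing the pronghorn user for the adapter.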
Encrypting Passwords in Local AAA (Optional)
Itential recommends that all passwords are encrypted. This can be achieved by using the encryption script that is included within the pronghorn-core package or by using HashiCorp Vault Encryption.
Related Reading → HashiCorp Developer