Connect node app to MongoDB without kerberos

Question

Im trying to access a mongoDB dB in our dev environment which is hosted on Unix servers and seems to use some GSSAPI authentication

For our deployed spring java and node microservices, it is hosted on OpenShift along with several files like krb5.conf/some keytab file/some MongoLongin.conf etc

App will use a connection string like: "mongodb://serviceaccount:password@unixServerA:27018,unixServerB:27018,unixServerC:27018/mydb?replicaSet=myreplica"

I'm not too familiar with kubernetes authentication but I presume these files are required to successfully allow the app from its hosted dev environment to connect to the dev DB (hosted on different servers)

However on my local windows machine with mongo downloaded, I can access the same dev database just fine without any of these files if I create a bat file with below connection string:

...\mongo.exe "mongodb://unixServerA:27018,unixServerB:27018,unixServerC:27018/mydb?replicaSet=myreplica" --authenticationMechanism=GSSAPI --authenticationDatabase=$external --username "me@mydomain.com" --password "mypassword" -tls -tlsCAFile C:\path\ca.pem

I.e similar connection string but with credentials passed as additional parameters (my own credentials since I have access to DB) along with tls parameters

My question is, whether it is possible to connect to the same DB via running a java or node app on Windows local machine without needing kerberos?

I have java/node apps that can connect to a local running mongoDB (localhost). I presume if I can connect to the external DB via a bat script without needing these kerberos files then it should be possible to connect my local apps to it the same way?

Below is a test node app I created to try and connect to the external DB:

const { MongoClient } = require('mongodb');
const path = require('path');
const myCert = path.join(__dirname, '..\\ca.pem');

async function main(){
    const mongoUri="mongodb://myusername:password@unixServerA:27018,unixServerB:27018,unixServerC:27018/mydb?replicaSet=myreplica";
    //note im using same credentials here as in my Windows bat file and not the app service account like above

    var mongoOpt = {
        authMechanism: "GSSAPI",
        tlsAllowInvalidHostnames: true,
        tlsAllowInvalidCertificates: true,
        tlsCertificateFile: myCert
    };

    const client = new MongoClient(mongoUri, mongoOpt);
    client.db("myDB", {authSource: "$external"};
    try{
        await client.connect();
        console.info("connected");
    } catch (e) {
        console.error(e);
    } finally {
        await client.close();
    }
}

Above will give MongoSelectionError: connection < monitor > to < some ip > closed

Reason: ReplicaSetNoPrimary

If I go along the kerberos route it seems like I will be jumping into a rabbit hole of many other issues including needing to npm install kerberos which seems to require annoying multi language support for dependencies like node-gyp /python

When you use Kerberos, then you don't provide any password - that's the idea of Kerberos tickets. Invalid SSL/TLS certificates (you set `tlsAllowInvalidCertificates: true`) are used only to encrypt the connection, they cannot be used for authentication. — Wernfried Domscheit, May 21 '23 at 17:39

Connect node app to MongoDB without kerberos

0 Answers0