This topic describes data security issues in ApsaraDB for MongoDB.
Whitelist group names and sources
Follow the procedure in Modify a whitelist to open the Whitelist Settings page and view the whitelist groups of your instance.
Initially, your instance contains only the default whitelist group. As you perform data migration or other operations on the instance, the number of whitelist groups gradually increases. The following table describes whitelist group names and their sources.
| Whitelist group name | Source |
| --- | --- |
| default | The default whitelist group. It cannot be deleted. |
| ddsdts | If you perform a data migration operation on the instance, the system automatically creates this group and adds the IP addresses of Data Transmission Service (DTS) servers to it. Note: Do not delete this group while the instance is executing a data migration task; otherwise, the task fails. |
Does ApsaraDB for MongoDB support KMS encryption?
You can enable Transparent Data Encryption (TDE) in the ApsaraDB for MongoDB console to perform real-time I/O encryption and decryption on data files. This encrypts data before it is written to disks and decrypts it when it is read from disks into memory.
Unable to perform MONGODB-CR authentication in ApsaraDB for MongoDB
Issue description
ApsaraDB for MongoDB supports only SCRAM-SHA-1 authentication, not MONGODB-CR authentication. If you attempt to set schema.currentVersion=3 to switch the authentication schema to MONGODB-CR, the following error is returned:
WriteResult({
    "writeError" : {
        "code" : 13,
        "errmsg" : "not authorized on admin to execute command { update: \"system.version\", updates: [ { q: { _id: \"authSchema\" }, u: { _id: \"authSchema\", currentVersion: 3 }, multi: false, upsert: true } ], ordered: true }"
    }
})
Cause
MONGODB-CR authentication has security issues. ApsaraDB for MongoDB does not support this authentication method and only supports the default SCRAM-SHA-1 authentication.
Solutions
No solution is available, because this is a product design limitation.
Additional information
SCRAM-SHA-1 is the currently recommended authentication method. The SCRAM-SHA-1 authentication process is as follows:
1. The client initiates a SCRAM authentication request.
2. The server issues a challenge response.
3. The client responds with its proof data and the combined string.
4. The server computes a signature from the stored key and the random parameters using the same algorithm, and verifies the client's proof data.
5. The client verifies the server's signature data.
SCRAM-SHA-1 authentication has the following advantages over the MONGODB-CR authentication:
A flexibly adjustable security parameter (the iteration count).
A separate random salt for each user.
A more secure hash function.
Support for mutual authentication.
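The five-step exchange above, together with the per-user salt, iteration count and mutual authentication listed as advantages, as an added Python example that is not part of the original page or of ApsaraDB for MongoDB: both sides of a SCRAM-SHA-1 handshake run in one script, with the server holding only StoredKey and ServerKey. It assumes MongoDB's SCRAM-SHA-1 password pre-hash (MD5 of "user:mongo:password") and uses a constructed user, password and salt.

```python
import base64, hashlib, hmac, secrets
from hashlib import pbkdf2_hmac

def mongo_digest(user: str, password: str) -> bytes:
    # MongoDB-specific pre-hash for its SCRAM-SHA-1 variant: MD5 of "user:mongo:password" as hex.
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest().encode()

def derive_keys(user: str, password: str, salt: bytes, iterations: int):
    """Account setup: the server keeps only StoredKey and ServerKey, never the password."""
    salted = pbkdf2_hmac("sha1", mongo_digest(user, password), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, stored_key, server_key

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_sha1(user: str, client_password: str, stored_key: bytes, server_key: bytes,
               salt: bytes, iterations: int):
    """Run both sides of the exchange; returns (server accepted client, client accepted server)."""
    # 1. Client -> Server: client-first message (bare part, without the "n,," GS2 header).
    c_nonce = base64.b64encode(secrets.token_bytes(18)).decode()
    client_first_bare = f"n={user},r={c_nonce}"
    # 2. Server -> Client: challenge with combined nonce, the user's salt and the iteration count.
    s_nonce = c_nonce + base64.b64encode(secrets.token_bytes(18)).decode()
    server_first = f"r={s_nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    # 3. Client: derive keys from its own password; proof = ClientKey XOR ClientSignature.
    client_key, client_stored, client_server_key = derive_keys(user, client_password, salt, iterations)
    client_final_bare = f"c=biws,r={s_nonce}"   # "biws" is base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_sig = hmac.new(client_stored, auth_message, hashlib.sha1).digest()
    proof = xor(client_key, client_sig)
    # 4. Server: recover ClientKey from the proof with its StoredKey; SHA-1 of it must match StoredKey.
    expected_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    server_accepts = hmac.compare_digest(hashlib.sha1(xor(proof, expected_sig)).digest(), stored_key)
    if not server_accepts:
        return False, False   # reject before releasing any server signature
    server_sig = hmac.new(server_key, auth_message, hashlib.sha1).digest()
    # 5. Client: verify the server signature with its own ServerKey (mutual authentication).
    client_accepts = hmac.compare_digest(
        hmac.new(client_server_key, auth_message, hashlib.sha1).digest(), server_sig)
    return server_accepts, client_accepts

if __name__ == "__main__":
    salt, iters = secrets.token_bytes(16), 10000          # constructed demo credentials
    _, stored, skey = derive_keys("app", "correct-horse", salt, iters)
    print(scram_sha1("app", "correct-horse", stored, skey, salt, iters))   # (True, True)
    print(scram_sha1("app", "wrong-password", stored, skey, salt, iters))  # (False, False)
```

A wrong password fails at step 4 without the server ever seeing the password, and a server that does not hold the real ServerKey fails the client's check at step 5.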