Database Authentication

Note

Some of the topics covered in this page require you to have administrator/root access to your database machine. Please consult your local IT staff if in doubt.

Overview

By default, the Deadline Repository installer will install MongoDB with access control, ie: Authentication enabled. The installer will enable SSL/TLS authentication in MongoDB, and automatically generate the necessary certificates.

Purely optional, you may decide to customize how authentication is enabled on your Deadline renderfarm. This page will explain the necessary steps to enable authentication in your Deadline setup via user name and password. It is recommended to install the Deadline DB/Repo first, test and verify all is well, before then proceeding with enabling authentication. Note, you should plan for a small outage period of your farm whilst you configure and deploy these settings.

MongoDB Configuration

First, create a user via the Mongo shell on the DB machine:

>>> use deadline[VERSION]db
switched to db deadline[VERSION]db
>>> db.createUser( { user:"username", pwd:"password",roles:["readWrite"]} )
Successfully added user: { "user" : "username", "roles" : [ "readWrite" ] }
>>> db.auth( "username", "password" )
1

where username and password should be replaced with your applicable settings and [VERSION] is the major version of Deadline such as: 10.

Note that Deadline will try to authenticate on its own database (as opposed to the admin DB, or elsewhere), so it’s easiest to create the user there (default is deadline<VERSION>db as per above example, where <VERSION> is: 10). The ‘clusterMonitor’ role is now also optional in Deadline 8.0 – you should only need readWrite access to Deadline’s database (or plural databases, if ‘splitDB’ is on – which is not recommended in MongoDB 3+).

MongoDB Restart

The current MongoDB service/daemon will now need to be configured to use authentication and restarted. This can be achieved by adding an additional CLI option:

--auth

or more permanently, by un-commenting or adding the following lines in the config.conf file stored in [DeadlineDatabase]/mongo/data/:

#enable authentication
security:
        authorization: enabled

where [DeadlineDatabase] is the root install directory of your Deadline-MongoDB database.

Finally, restart the MongoDB service/daemon to commit this configuration change. Note, this will temporarily take your farm offline during the service restart.

Deadline Configuration

Now to update the Database connection settings, we will use the Deadline client CLI application DeadlineCommand and run two commands:

>>> deadlinecommand UpdateDatabaseSettings ...
and
>>> deadlinecommand StoreDatabaseCredentials ...

UpdateDatabaseSettings

This command will update the settings Deadline pulls in to connect to your database. Here’s the arguments expected by the command:

# Updates the given repository's connection.ini file with the given database settings.

[Repository] The path to the repository root
[Type] The database type (currently only MongoDB)
[Host] The host name or IP address of the database machine
[Name] The database name
[Port] The database port
[AltPort] The alternate database port (not currently used)
[SSL] If SSL should be used to connect (not currently used)
[Authenticate] If authentication is required
[Username] This argument is deprecated, leave it blank.
[Password] This argument is deprecated, leave it blank.
[Replica Set] The Replica set name
[Split DB] If Database should be split (by default, it is disabled)

Here is an example command:

>>> deadlinecommand UpdateDatabaseSettings D:\DeadlineRepository[VERSION] MongoDB 10.10.1.125 deadline[VERSION]db [DB_PORT] -1 False True "" "" "" False

where [VERSION] is the MAJOR version number of Deadline, such as: 10 and [DB_PORT] is the MongoDB port, such as: 27100.

StoreDatabaseCredentials

This command is used to securely store the database credentials. Here’s the arguments expected by the command:

# Securely stores the database credentials
[Username] The username
[Password] The password. Passwords have three modes: 1) Empty - The password will be prompted from standard input 2) A value - The value is treated as the actual password 3) A value with the prefix 'env:' - The portion after 'env:' indicates the environment variable to pull the password from (e.g. env:MY_VARIABLE)

Here is an example command:

>>> deadlinecommand StoreDatabaseCredentials env:DBUSERNAME env:DBPASSWORD

where DBUSERNAME is an environment variable that contains the username and DBPASSWORD is an environment variable that contains the password.

After following the above steps, the Deadline applications (Monitor/Worker/Command) should all be able to connect to the database and authenticate properly.