Automated mongodump: how to hide password from ps output?

Question

Automated mongodump: how to hide password from ps output?

OK, so we have the mongodump tool, it has the -password option. Everything works fine, except that this simple password is displayed in the ps file to everyone.

Our database has basic user / password authentication.

The only thing I found to work is to do it

echo secretpwd | mongodump --username backup --oplog

there is no password trace in ps and it still works.

Is there a better way?

+6

security passwords mongodb mongodump

user1312695 Aug 22 '15 at 5:28

source share

1 answer

galactocalypse · Accepted Answer · 2015-08-22T07:17:08+0000

From docs :

Changed in version 3.0.2: If you want mongodump to ask the user for a password, pass the --username parameter without a password or specify an empty string as the value -password, as in "password".

It seems that what you are doing is the recommended way.

In addition, this can help:

If the secret does not change between executions, use the special .appsecrets configuration file. Set permissions for the file to be read-only by the owner. Inside the file, an environment variable is set for the secret. The file should be in the user's home directory by running the command.

Automated mongodump: how to hide password from ps output?

More articles: