MongoDB Authentication and Roles: Creating Your First Personalized Role
In this blog post, we’ll walk through the native MongoDB authentication and roles, and learn how to create personalized roles.
by
Join the DZone community and get the full member experience.
Join For FreeMongoDB features a few authentication methods and built-in roles that offer great control of both who is connecting to the database and what they are allowed to do. However, some companies have their own security policies that are often not covered by default roles. This blog post explains not only how to create personalized roles, but also how to grant minimum access to a user.
Authentication Methods
SCRAM-SHA-1 and MONGODB-CR are challenge-response protocols. All the users and passwords are saved encrypted in the MongoDB instance. Challenge-response authentication methods are widely used on the internet in several server-client software. These authentication methods do not send passwords as plain text to the server when the client is starting an authentication. Each new session has a different hash/code, which stops people from getting the password when sniffing the network.
The MONGODB-CR method was deprecated in version 3.0.
The x.509 authentication is an internal authentication that allows instances and clients to communicate to each other. All certificates are signed by the same Certificate Authority and must be valid. All the network traffic is encrypted by a given key, and it is only possible to read data with a valid certificate signed by such key.
MongoDB also offers external authentications such as LDAP and Kerberos. When using LDAP, users can log into MongoDB using their centralized passwords. The LDAP application is commonly used to manage users and passwords in wide networks. Kerberos is a service that allows users to login only once and then generates access tickets so that the users are allowed to access other services. Some configuration is necessary to use external authentication.
Built-in roles:
read:collStats,dbHash,dbStats,find,killCursors,listIndexes,listCollectionsreadWrite: Allreadprivileges +convertToCapped,createCollection,dbStats,dropCollection,createIndex,dropIndex,emptycapped,insert, listIndexes,remove,renameCollectionSameDB,update.readAnyDatabase: Allows the user to performreadin any database except the local and the config databases.
In this tutorial, we are going to give specific privileges to a user who is allowed to only read the database, although he is allowed to write in a specific collection.
For this tutorial, we are using MongoDB 3.4 with previously configured authentication.
Steps:
- Create the database:
mongo --authenticationDatbase admin -u superAdmin -p use percona db.foo.insert({x : 1}) db.foo2.insert({x : 1}) - Create a new user:
> db.createUser({user : 'client_read', pwd : '123', roles : ['read']}) Successfully added user: { "user" : "client_read", "roles" : [ "read" ] } - Log in with the user that has just been created and check the user access:
./mongo localhost/percona -u client_read -p MongoDB shell version v3.4.0-rc5 Enter password: db.foo.find() { "_id" : ObjectId("586bc2e9cac0bbb93f325d11"), "x" : 1 } db.foo2.find().count() 1 // If user try to insert documents will receive an error: > db.foo.insert({x : 2}) WriteResult({ "writeError" : { "code" : 13, "errmsg" : "not authorized on percona to execute command { insert: "foo", documents: [ { _id: ObjectId('586bc36e7b114fb2517462f3'), x: 2.0 } ], ordered: true }" } }) - Log out and log in again with administrator user to create a new role for this user:
mongo --authenticationDatabase admin -u superAdmin -p db.createRole({ role : 'write_foo2_Collection', privileges : [ {resource : {db : "percona", collection : "foo2"}, actions : ["insert","remove"]} ], roles : ["read"] }) db.updateUser('client_read', roles : ['write_foo2_Collection']) - Check the new access:
./mongo db.auth('client_read','123') 1 > show collections foo foo2 > db.foo.find() { "_id" : ObjectId("586bc2e9cac0bbb93f325d11"), "x" : 1 } > db.foo2.insert({y : 2}) WriteResult({ "nInserted" : 1 }) > db.foo.insert({y : 2}) //does not have permission. WriteResult({ "writeError" : { "code" : 13, "errmsg" : "not authorized on percona to execute command { insert: "foo", documents: [ { _id: ObjectId('586bc5e26f05b3a5db849359'), y: 2.0 } ], ordered: true }" } }) - We can also add access to other database resources. Let’s suppose we would like to grant this just created user permission to execute a
getLogcommand. This command is available in theclusterAdminrole, but we do not want to give all this role’s access to him. See here. There is a caveat/detail/observation here. If we want to grant cluster privileges to a user, we should create the role in the admin database. Otherwise, the command will fail:db.grantPrivilegesToRole( "write_foo2_Collection", [ {resource : {cluster : true}, actions : ["getLog"] } ] ) Roles on the 'percona' database cannot be granted privileges that target other databases or the cluster : - We are creating the same role in the admin database. This user only works properly if the admin database is present in a possible restore. Otherwise, the privileges fail:
use admin db.createRole({ role : 'write_foo2_Collection_getLogs', privileges : [ {resource : {db : "percona", collection : "foo2"}, actions : ["insert","remove"]}, {resource : {cluster : true}, actions : ["getLog"]}], roles : [ {role : "read", db: "percona"}] }) use percona db.updateUser( "client_read", { roles : [ { role : "write_foo2_Collection_getLogs", db : "admin" } ] } ) - Now the user has the same privileges as before, plus the
getLogpermission. We can test this user new access with:mongo --authenticationDatabase percona -u read_user -p db.adminCommand({getLog : 'global'}) { "totalLinesWritten" : 287, "log" : [.... …. }
I hope you find this post useful.
Published at DZone with permission of Adamo Tonete, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments