Tuesday, May 8, 2018

Basic Security - Outline


Basic Security (Creating Users and Giving Privileges) – Outline

This outline is based on the MongoDB documentation.

Overview
  • Enabling access control on a MongoDB deployment enforces authentication, requiring users to identify themselves.
  • When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles.
User Administrator
  • With access control enabled, ensure you have a user with userAdmin or userAdminAnyDatabase role in the admin database.
  • This user can administer users and roles: create users, grant or revoke roles from users, and create or modify custom roles.
Procedure

1. Start MongoDB without access control.

Start the mongod instance without access control.

# mongod --port 27017 --dbpath /data/db1

2. Connect to the instance

Connect a mongo shell to the instance.
# mongo --port 27017

3. Create the user administrator.

In the admin database, add a user with the userAdminAnyDatabase role.

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

4. Re-start the MongoDB instance with access control.

Re-start the mongod instance with the --auth command line option or, if using a configuration file, the security.authorization setting.

Configuration File

security:
   authorization: enabled

5. Connect and authenticate as the user administrator.

To authenticate during connection

# mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"

To authenticate after connecting

# mongo --port 27017
> use admin
> db.auth("myUserAdmin", "abc123")

6. Create additional users as needed for your deployment.

The myUserAdmin user only has privileges to manage users and roles. As myUserAdmin, if you attempt to perform any other operations, such as read from a foo collection in the test database, MongoDB returns an error.

use test
db.createUser(
  {
    user: "myTester",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)

7. Connect and authenticate as myTester.

To authenticate during connection

# mongo --port 27017 -u "myTester" -p "xyz123" --authenticationDatabase "test"

To authenticate after connecting

# mongo --port 27017
> use test
> db.auth("myTester", "xyz123")

Insert into a collection as myTester.

As myTester, you have privileges to perform read and write operations in the test database (as well as perform read operations in the reporting database).

> db.foo.insert( { x: 1, y: 1 } )
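Once access control is on, the set of users and their roles is the thing worth reviewing. The audit below is an added example, not part of the original outline or the MongoDB documentation: it takes user documents in the shape returned by db.getUsers() (user, db, roles) and flags accounts that break the separation the procedure sets up (myUserAdmin manages users, myTester touches data). The role names are built-in MongoDB roles; the policy rules, the legacyApp and stale accounts, and the auditUsers function are assumptions made for the example.

```javascript
// Added example (not from the original post): audit MongoDB user documents
// against a least-privilege policy. The user shape matches what db.getUsers()
// returns; role names are built-in MongoDB roles; the policy itself and the
// sample accounts below are assumptions.
const ANY_DB_ROLES = new Set(["userAdminAnyDatabase", "readWriteAnyDatabase",
  "readAnyDatabase", "dbAdminAnyDatabase", "root", "clusterAdmin"]);
const DATA_ROLES = new Set(["read", "readWrite", "readAnyDatabase",
  "readWriteAnyDatabase", "dbOwner"]);
const USER_ADMIN_ROLES = new Set(["userAdmin", "userAdminAnyDatabase"]);

// users: [{ user, db, roles: [{ role, db }] }]; returns one message per finding
function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    const name = `${u.user}@${u.db}`;
    if (u.roles.length === 0) {
      findings.push(`${name}: no roles; account can log in but do nothing, drop it`);
      continue;
    }
    for (const r of u.roles) {
      if (ANY_DB_ROLES.has(r.role)) {
        findings.push(`${name}: any-database role ${r.role}; keep to a known set of admins`);
      }
      // userAdmin on admin can grant itself any role in admin, so treat it as root
      if (r.role === "userAdmin" && r.db === "admin") {
        findings.push(`${name}: userAdmin on admin is effectively a superuser`);
      }
    }
    const isUserAdmin = u.roles.some(r => USER_ADMIN_ROLES.has(r.role));
    const hasData = u.roles.some(r => DATA_ROLES.has(r.role));
    // The outline keeps these apart: myUserAdmin manages users, myTester reads/writes data
    if (isUserAdmin && hasData) {
      findings.push(`${name}: user administrator also holds data roles; split the account`);
    }
  }
  return findings;
}

// Constructed sample: the outline's two users plus two hypothetical problem accounts
const SAMPLE_USERS = [
  { user: "myUserAdmin", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "myTester", db: "test", roles: [{ role: "readWrite", db: "test" },
                                            { role: "read", db: "reporting" }] },
  { user: "legacyApp", db: "admin", roles: [{ role: "readWriteAnyDatabase", db: "admin" },
                                              { role: "userAdmin", db: "admin" }] },
  { user: "stale", db: "reporting", roles: [] },
];

// In the mongo shell, run it over live data with: auditUsers(db.getSiblingDB("admin").getUsers())
```

myTester produces no finding, myUserAdmin is listed once as a known any-database account, and the two constructed accounts account for the rest.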
