Wednesday, May 16, 2018

Security Basic Setup – Standalone


In this example we create a root user with full access on a standalone instance, then a second user with limited privileges.

1. Start MongoDB without access control.

Start the mongod instance without access control

Config file

net:
  port: 27019
processManagement:
  fork: true
storage:
  dbPath: /data/sand/data
systemLog:
  destination: file
  logAppend: true
  logRotate: rename
  path: /data/sand/logs/mongod.log

# mongod -f /data/sand/conf/mongod.conf



2. Connect to the instance

Connect a mongo shell to the instance.

# mongo --port 27019


3. Create the user administrator.

In the admin database, create a user with the root role.

use admin
db.createUser(
  {
    user: "admin",
    pwd: "admin",
    roles: [ { role: "root", db: "admin" } ]
  }
)


4. Re-start the MongoDB instance with access control.

Re-start the mongod instance with the --auth command line option or, if using a configuration file, the security.authorization setting.

security:
   authorization: enabled

Configuration File

net:
  port: 27019
processManagement:
  fork: true
security:
   authorization: enabled
storage:
  dbPath: /data/sand/data
systemLog:
  destination: file
  logAppend: true
  logRotate: rename
  path: /data/sand/logs/mongod.log

Add the security section to the config file, then shut the instance down and start it again:

# mongo admin --port 27019 --eval "db.shutdownServer()"
# mongod -f /data/sand/conf/mongod.conf
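The two configuration files above differ only in the security section, and access control is enforced only after mongod is restarted with it. As an added example (not code from the original post), here is a small JavaScript parser for the indented key: value subset of YAML that these files use, together with a pre-restart check that security.authorization is set to enabled. The parser, the helper names (parseMongodConfig, authorizationEnabled, checkConfig) and the two embedded copies of the configs are this example's own; the parser handles nested maps and scalar values only, not YAML lists or multi-line values.

```javascript
// Added example, not from the original post. Parses the mongod config subset
// shown above and checks whether a restart would actually enable auth.

// Constructed sample configs, copied in shape from the post: the first is the
// pre-auth config, the second has the security section added.
const CONFIG_WITHOUT_AUTH = `
net:
  port: 27019
processManagement:
  fork: true
storage:
  dbPath: /data/sand/data
systemLog:
  destination: file
  logAppend: true
  logRotate: rename
  path: /data/sand/logs/mongod.log
`;

const CONFIG_WITH_AUTH = `
net:
  port: 27019
processManagement:
  fork: true
security:
   authorization: enabled
storage:
  dbPath: /data/sand/data
systemLog:
  destination: file
  logAppend: true
  logRotate: rename
  path: /data/sand/logs/mongod.log
`;

// Parse the indentation-nested "key: value" subset of YAML used by mongod
// config files (no lists, anchors or multi-line scalars). Returns a plain
// object tree; a bare "key:" line opens a nested map. Indentation width is
// not assumed to be uniform (the post's security block uses three spaces).
function parseMongodConfig(text) {
  const root = {};
  const stack = [{ indent: -1, node: root }];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').replace(/\s+$/, ''); // drop comments
    if (line.trim() === '') continue;
    const indent = line.length - line.trimStart().length;
    const m = /^([A-Za-z0-9_.-]+):\s*(.*)$/.exec(line.trim());
    if (!m) throw new Error(`unparseable line: ${raw}`);
    const [, key, value] = m;
    // Unwind to the nearest ancestor with a smaller indent.
    while (stack[stack.length - 1].indent >= indent) stack.pop();
    const parent = stack[stack.length - 1].node;
    if (value === '') {
      parent[key] = {};
      stack.push({ indent, node: parent[key] });
    } else {
      parent[key] = value; // scalars are kept as strings
    }
  }
  return root;
}

// Access control is enforced only when security.authorization is exactly
// "enabled"; a missing section or any other value leaves the instance open.
function authorizationEnabled(config) {
  return Boolean(config.security) && config.security.authorization === 'enabled';
}

// Summarise what a restart with this file would give you, so a config that
// still lacks the security section is caught before mongod is bounced.
function checkConfig(text) {
  const cfg = parseMongodConfig(text);
  return {
    port: cfg.net && cfg.net.port,
    authEnabled: authorizationEnabled(cfg),
  };
}

console.log(checkConfig(CONFIG_WITHOUT_AUTH)); // { port: '27019', authEnabled: false }
console.log(checkConfig(CONFIG_WITH_AUTH));    // { port: '27019', authEnabled: true }
```

Run the check against the file named in the mongod -f command before issuing db.shutdownServer(); if authEnabled is false the restart would bring the instance back without access control.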


5. Connect and authenticate as the user administrator.

To authenticate during connection

# mongo --port 27019 -u "admin" -p "admin" --authenticationDatabase "admin" --quiet


To authenticate after connecting

# mongo --port 27019 --quiet

Until you authenticate, any operation on this connection fails with an authorization error. Switch to the admin database and authenticate:

use admin
db.auth("admin","admin")


6. Create additional users as needed for your deployment.

Create a user with read and write privileges on the test database and read-only privileges on the reporting database.

use test
db.createUser(
  {
    user: "myTester",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)


7. Connect and authenticate as myTester.

To authenticate during connection

# mongo --port 27019 -u "myTester" -p "xyz123" --authenticationDatabase "test"

To authenticate after connecting

# mongo --port 27019
use test
db.auth("myTester", "xyz123" )

Insert into a collection as myTester.

As myTester, you have privileges to perform read and write operations in the test database (as well as perform read operations in the reporting database).

db.foo.insert( { x: 1, y: 1 } )


Done.
Tuesday, May 8, 2018

Security Basics - Built-In Roles


This is based on MongoDB documentation

Overview

The roles shown below are some of the Built-In Roles provided by MongoDB.

Database User Roles
Database Administration Roles
Cluster Administration Roles
Backup and Restoration Roles
All-Database Roles
Superuser Roles

1. Database User Roles

read
readWrite

2. Database Administration Roles

dbAdmin - ability to perform administrative tasks on the database
dbOwner - combines readWrite, dbAdmin and userAdmin
userAdmin - create and modify roles and users on the current database

3. Cluster Administration Roles

clusterAdmin - combines clusterManager, clusterMonitor and hostManager, and adds the dropDatabase action.
clusterManager - management and monitoring actions on the cluster; can access the config and local databases, which are used in sharding and replication respectively.
clusterMonitor - read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.
hostManager - monitor and manage servers.

4. Backup and Restoration Roles

backup - privileges needed to use the MongoDB Cloud Manager backup agent or the Ops Manager backup agent, or to run mongodump.
restore - privileges needed to restore data with mongorestore without the --oplogReplay option or without system.profile collection data.

5. All-Database Roles

readAnyDatabase - the same read-only permissions as read, but applied to all databases in the cluster; also grants the listDatabases action.
readWriteAnyDatabase - the same read and write permissions as readWrite, but applied to all databases in the cluster; also grants the listDatabases action.
userAdminAnyDatabase - the same user administration operations as userAdmin, but applied to all databases in the cluster.
dbAdminAnyDatabase - the same database administration operations as dbAdmin, but applied to all databases in the cluster; also grants the listDatabases action.

6. Superuser Roles

root - combines readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin
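The built-in roles above are defined by inheritance: dbOwner is readWrite plus dbAdmin plus userAdmin, clusterAdmin folds in the three cluster roles, and root folds in the four AnyDatabase and cluster roles. As an added example (not code from the original posts), the JavaScript below models that inheritance and then answers, for the roles array passed to db.createUser, whether a user may perform an action on a given database. It is checked against the users created on this page: myTester (readWrite on test, read on reporting), the root admin, and the outline post's myUserAdmin (userAdminAnyDatabase). The ROLES table, expandRole and isAllowed are this example's own; the inheritance edges follow the list above, but the action names are a small illustrative subset chosen here (MongoDB's real privilege actions are more fine-grained), and the "scope" field is this example's simplification of database-level versus cluster-wide grants.

```javascript
// Added example, not from the original posts. Models built-in role
// inheritance and resolves what a createUser roles array permits.

// Inheritance edges follow the list in the post. Action names are an
// illustrative subset chosen for this example, not MongoDB's full set.
// scope: 'db'      -> actions apply only to the database the role is granted on
//        'any'     -> actions apply to every database
//        'cluster' -> cluster-wide actions, not tied to one database
const ROLES = {
  // Database user roles
  read:      { scope: 'db', actions: ['find'] },
  readWrite: { scope: 'db', inherits: ['read'], actions: ['insert', 'update', 'remove'] },
  // Database administration roles
  dbAdmin:   { scope: 'db', actions: ['collStats', 'createIndex'] },
  userAdmin: { scope: 'db', actions: ['createUser', 'createRole', 'grantRole'] },
  dbOwner:   { scope: 'db', inherits: ['readWrite', 'dbAdmin', 'userAdmin'] },
  // Cluster administration roles
  clusterMonitor: { scope: 'cluster', actions: ['serverStatus'] },
  hostManager:    { scope: 'cluster', actions: ['shutdown'] },
  clusterManager: { scope: 'cluster', actions: ['addShard'] },
  clusterAdmin:   { scope: 'cluster', actions: ['dropDatabase'],
                    inherits: ['clusterManager', 'clusterMonitor', 'hostManager'] },
  // All-database roles: the db-level role, on every database
  readAnyDatabase:      { scope: 'any', inherits: ['read'], actions: ['listDatabases'] },
  readWriteAnyDatabase: { scope: 'any', inherits: ['readWrite'], actions: ['listDatabases'] },
  userAdminAnyDatabase: { scope: 'any', inherits: ['userAdmin'] },
  dbAdminAnyDatabase:   { scope: 'any', inherits: ['dbAdmin'], actions: ['listDatabases'] },
  // Superuser
  root: { scope: 'any',
          inherits: ['readWriteAnyDatabase', 'dbAdminAnyDatabase',
                     'userAdminAnyDatabase', 'clusterAdmin'] },
};

// Flatten a role into the set of actions it grants, following inherits
// transitively; `seen` guards against cycles in a hand-edited table.
function expandRole(roleName, seen = new Set()) {
  const role = ROLES[roleName];
  if (!role) throw new Error(`unknown role: ${roleName}`);
  const actions = new Set(role.actions || []);
  for (const parent of role.inherits || []) {
    if (seen.has(parent)) continue;
    seen.add(parent);
    for (const a of expandRole(parent, seen)) actions.add(a);
  }
  return actions;
}

// Given the roles array from db.createUser, decide whether the user may
// perform `action` on database `dbName`. A db-scoped grant only counts on
// the database it was granted for; any/cluster grants count everywhere.
function isAllowed(userRoles, action, dbName) {
  return userRoles.some(({ role, db }) => {
    const def = ROLES[role];
    if (!def) throw new Error(`unknown role: ${role}`);
    const inScope = def.scope === 'db' ? db === dbName : true;
    return inScope && expandRole(role).has(action);
  });
}

// The users created on this page.
const ADMIN_ROLES = [{ role: 'root', db: 'admin' }];
const USER_ADMIN_ROLES = [{ role: 'userAdminAnyDatabase', db: 'admin' }];
const TESTER_ROLES = [
  { role: 'readWrite', db: 'test' },
  { role: 'read', db: 'reporting' },
];

console.log(isAllowed(TESTER_ROLES, 'insert', 'test'));          // true
console.log(isAllowed(TESTER_ROLES, 'insert', 'reporting'));     // false
console.log(isAllowed(TESTER_ROLES, 'find', 'reporting'));       // true
console.log(isAllowed(TESTER_ROLES, 'createUser', 'test'));      // false
console.log(isAllowed(USER_ADMIN_ROLES, 'createUser', 'test'));  // true
console.log(isAllowed(USER_ADMIN_ROLES, 'find', 'test'));        // false
console.log(isAllowed(ADMIN_ROLES, 'dropDatabase', 'test'));     // true
```

The last two pairs are the point of the outline post's step 6: a userAdminAnyDatabase user can create users on any database yet cannot read a collection, while root can do everything.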

Basic Security (Creating Users and Giving Privileges) – Outline

This outline is based on MongoDB documentation.

Overview
  • Enabling access control on a MongoDB deployment enforces authentication, requiring users to identify themselves.
  • When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles.
User Administrator
  • With access control enabled, ensure you have a user with the userAdmin or userAdminAnyDatabase role in the admin database.
  • This user can administer users and roles: create users, grant or revoke roles from users, and create or modify custom roles.
Procedure

1. Start MongoDB without access control.

Start the mongod instance without access control

# mongod --port 27017 --dbpath /data/db1

2. Connect to the instance

Connect a mongo shell to the instance.

# mongo --port 27017

3. Create the user administrator.

In the admin database, add a user with the userAdminAnyDatabase role.

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

4. Re-start the MongoDB instance with access control.

Re-start the mongod instance with the --auth command line option or, if using a configuration file, the security.authorization setting.

Configuration File

security:
   authorization: enabled

5. Connect and authenticate as the user administrator.

To authenticate during connection

# mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"

To authenticate after connecting

# mongo --port 27017
use admin
db.auth("myUserAdmin", "abc123" )

6. Create additional users as needed for your deployment.

The myUserAdmin user only has privileges to manage users and roles. As myUserAdmin, if you attempt to perform any other operations, such as read from a foo collection in the test database, MongoDB returns an error.

use test
db.createUser(
  {
    user: "myTester",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)

7. Connect and authenticate as myTester.

To authenticate during connection

# mongo --port 27017 -u "myTester" -p "xyz123" --authenticationDatabase "test"

To authenticate after connecting

# mongo --port 27017
use test
db.auth("myTester", "xyz123" )

Insert into a collection as myTester.

As myTester, you have privileges to perform read and write operations in the test database (as well as perform read operations in the reporting database).

db.foo.insert( { x: 1, y: 1 } )