MongoDB security and user access control

MongoDB does not offer as fine-grained a security model as traditional databases. Nevertheless, what it provides is sufficient as long as best practices are followed and some care is taken in securing the system.

MongoDB offers two levels of access control – system (global) and per database. For each of these types, users can be assigned a series of roles which determine the actions they can perform. The model is pretty simple and straightforward and allows for a least-privilege approach. The only shortcoming (at the time of writing) is that the roles are a little broad. In the future I would really like to see the ability to set more fine-grained restrictions on actions or even the ability to create your own role groups with action rules.

Enabling authentication

The first thing to do before you can start making use of mongo’s UAC features is to enable authentication. Usually this is disabled by default.

This can be enabled either by editing your mongodb.conf file and adding the line

auth = true

You can also start mongod with the auth parameter.

Creating an admin user

Out of the box mongo has no admin user set. Hence, once you enable authentication, you will still be able to gain privileged access via a local mongo shell until an admin user has been created.

Start the shell and type:

use admin
db.addUser({ user:"admin", pwd:"secretpassword", roles:["dbAdminAnyDatabase","clusterAdmin"]})

This will create a user admin with the password secretpassword and grant that user dbAdminAnyDatabase and clusterAdmin roles. I recommend granting the primary admin user both of these roles as they will enable you to perform any action you want on any database.

Note: If you do not set clusterAdmin you will get an unauthorised error when you try to drop a database.

Now that you have an admin account enabled you will be required to authenticate before you can perform any actions.

Creating a database user

You can now add a user to any database and set access restrictions.

First select the database you wish to add a user to.

use example

We are now using the example database. Adding a user works exactly the same way as creating the admin user:

db.addUser({ user:"rwUser", pwd:"password", roles:["readWrite"] })

This will create a user rwUser which will have read/write access to the current database.


Before you can perform an action either globally or within a given database you will need to authenticate.

You can authenticate as a global user or a database user by selecting the appropriate database. Then you can authenticate by typing:


You will get a response code of 1 for success and 0 for fail. Once authenticated you will be able to execute any action your roles allow you.

User roles

At the time of writing Mongo (2.4) has the following roles:

Database User Roles

  • read
  • readWrite
  • dbAdmin
  • userAdmin

System User Roles

  • clusterAdmin
  • readAnyDatabase
  • readWriteAnyDatabase
  • userAdminAnyDatabase
  • dbAdminAnyDatabase

For detailed information regarding each role please refer to User Privilege Roles in MongoDB in the MongoDB Official Documentation.

Remove a user

You can remove both database and system users in the same way. First select either a specific logical database or the system admin database. Then type:


Which will remove the user testuser.

Note: You technically should not be able to remove the admin user…

Changing passwords

If you wish to change a user password select either a specific logical database or the system admin database. Then type:

db.changeUserPassword("testuser", "newpassword")

Which will update the user testuser with the new password newpassword.

Updating users

If you wish to update an existing user – for instance to change their username or update their roles – you can do so by performing an update against the system.users collection of either a specific logical database or the system admin database. This works exactly like a standard update() and the same rules and parameters apply.

Here are some typical update scenarios you might wish to perform:

Update a username

use example
db.system.users.update({ user:"testUser" }, { $set:{ user:"tastyUser" } })

Add an additional role to a user

use example
db.system.users.update({ user:"testUser" }, { $push:{ roles:"userAdmin" } })

Remove a user role

use example
db.system.users.update({ user:"testUser" }, { $pull:{ roles:"dbAdmin" } })

Alex Borisov

Full Stack Web Engineer Alex Borisov

MongoDB – Add Users and Authenticate

How to add users to MongoDB and make them authenticate?

Before you add users to databases, you need to add admins to the MongoDB server. If the server is not running with the --auth option, all you have to do is call the db.addUser() function on the admin database. If it is running with the --auth option, you need to select the admin database and identify yourself as a valid admin.

> use admin
> db.auth('root', 'w00t')

The admin database comes by default in all MongoDB installations; you don’t have to create it. Assuming MongoDB is not running with auth, let’s add some admins:

> use admin
> db.addUser('captain', 't3HlulZ')
"_id" : ObjectId("4f223e9801f4350f5d09546f"),
"user" : "captain",
"readOnly" : false,
"pwd" : "7893c786c6354f50ca1c8c764f82afae"

Notice that "readOnly" : false? It means that this admin has read-write access to the whole database. OK. So, how do you add a read-only admin? You do it this way:

> db.addUser('admin', 't3hHAX', true)
"user" : "admin",
"readOnly" : true,
"pwd" : "b66423859d0142d1187a30b4c455d9b6"

The third parameter of db.addUser() is the read-only option, which is false by default. If you don’t set it, it is assumed to be false, and the user gets read-write access.

What does it mean to have and not have read-write access on the admin database?

Users in the admin database with read-write access can add and delete other admins and users; read, write, and delete on all databases on the MongoDB system. Those with read-only access can see all the data on MongoDB but can’t edit or delete them.

Similar to what we saw on the admin database, every database on MongoDB has a db.addUser() function. To add users to a specific database, you select the database and call db.addUser() on it. Here are some examples:

> use videos
> db.addUser('jack', 'hax0r')

That added a user called jack who has read-write access to the database videos. jack can add, edit, and delete data in the database, and can even delete the database itself!

> use videos
> db.addUser('crack', 'l0ll0l', true)

The user crack can only read what is in the videos database.

To delete a user from a database, call the db.removeUser() function on the database you want to delete the user from. If we were to remove the user crack, we’d do this:

> db.removeUser('crack')

Make sure you have selected the right database, else the command will do nothing or you will end up deleting another user from some other database.

So how do you authenticate yourself for a certain database?

You select the database and call the db.auth() on the database. Here is an example of how jack would identify itself to the database called videos.

> use videos
> db.auth('jack', 'hax0r')

db.auth() will print 1 for success, and 0 for failure.

And how do you authenticate yourself as an admin? You select the admin database and call the db.auth() on it. Once authenticated, you can continue as an admin anywhere on the system till you authenticate yourself as someone else.

Now, probably the most important part. When you start MongoDB this way:

$ mongod

it will not apply any authentication restrictions to the users connected to the server – even if you have added admins and users to databases. In this mode, anyone connected to MongoDB is an admin!

So how do you enforce authentication? Start MongoDB with the --auth option.

$ mongod --auth

Now everyone will be forced to authenticate themselves before they can issue commands on the system. Now the admins and users you have added will come into play.

To view the users added on a database, do this:

> db.system.users.find()
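
The users and roles described on this page all end up as documents in system.users, so a least-privilege review can be run over the output of db.system.users.find(). The JavaScript below is an added example, not code from the original articles: it flags server-wide roles, userAdmin grants and legacy readOnly-style users. The names auditUser and auditAll and the findings wording are hypothetical, the sample documents are constructed, and treating the system roles as belonging only in the admin database is an assumption based on the 2.4 role list above.

```javascript
// Added example. Role names: MongoDB 2.4 list from this page; findings policy: assumption.
const SYSTEM_ROLES = new Set(["clusterAdmin", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase"]);
const DATABASE_ROLES = new Set(["read", "readWrite", "dbAdmin", "userAdmin"]);
// Findings for one user document stored in system.users of database `dbName`.
function auditUser(dbName, doc) {
  const findings = [];
  const isAdminDb = dbName === "admin";
  if (!Array.isArray(doc.roles)) {
    // Legacy document from db.addUser(name, pwd, readOnly): only a readOnly flag.
    if (doc.readOnly !== true) {
      findings.push(isAdminDb ? "legacy read-write admin: full control of every database"
        : "legacy read-write user: can modify and drop this database");
    } else if (isAdminDb) {
      findings.push("legacy read-only admin: can read every database");
    }
    return findings;
  }
  for (const role of doc.roles) {
    if (SYSTEM_ROLES.has(role)) {
      findings.push(isAdminDb ? `server-wide role ${role}`
        : `system role ${role} outside the admin database`);
    } else if (role === "userAdmin") {
      findings.push("userAdmin: can edit roles in this database, including its own");
    } else if (!DATABASE_ROLES.has(role)) {
      findings.push(`unknown role ${role}`);
    }
  }
  return findings;
}
// Audit { dbName: [user documents] } and keep only the users with findings.
function auditAll(usersByDb) {
  const report = [];
  for (const [dbName, docs] of Object.entries(usersByDb)) {
    for (const doc of docs) {
      const findings = auditUser(dbName, doc);
      if (findings.length > 0) report.push({ db: dbName, user: doc.user, findings });
    }
  }
  return report;
}
// Constructed sample documents mirroring the users created on this page.
const SAMPLE = {
  admin: [{ user: "admin", roles: ["dbAdminAnyDatabase", "clusterAdmin"] }],
  example: [{ user: "rwUser", roles: ["readWrite"] }, { user: "testUser", roles: ["readWrite", "userAdmin"] }],
  videos: [{ user: "jack", readOnly: false }, { user: "crack", readOnly: true }],
};
console.log(JSON.stringify(auditAll(SAMPLE), null, 2));
```

To run it against a live server, build the input map from db.system.users.find() on each database while authenticated as an admin.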

To change a user’s password, you just re-add the user with a new password:

> db.addUser('captain', 'l0lwtf')

The user captain has just been assigned a new password l0lwtf.

If you have been observant enough, you might have noticed that we don’t really need to add admins before we can add users on databases. All you have to do is start MongoDB without the --auth option, add users to databases, and restart the server with the --auth option. TADA! But just because you can does not mean you should!

I hope you have fun adding admins and users on your MongoDB and making them authenticate in the greater interest of the data on your system. Any comments, queries, whatever … I’ll be available at the comments. Adios!



Captain of the Internets Hack Sparrow

Database Questions and Answers – Relational Database and Database Schema

This set of Database Questions & Answers focuses on “Relational Database and Database Schema”

1. A relational database consists of a collection of
a) Tables
b) Fields
c) Records
d) Keys

View Answers Below


2. A ________ in a table represents a relationship among a set of values.
a) Column
b) Key
c) Row
d) Entry

View Answers Below


3. The term _______ is used to refer to a row.
a) Attribute
b) Tuple
c) Field
d) Instance

View Answer Below


4. The term attribute refers to a ___________ of a table.
a) Record
b) Column
c) Tuple
d) Key
View Answer Below


5. For each attribute of a relation, there is a set of permitted values, called the ________ of that attribute.
a) Domain
b) Relation
c) Set
d) Schema

View Answer Below


6. Database __________, which is the logical design of the database, and the database _______, which is a snapshot of the data in the database at a given instant in time.
a) Instance, Schema
b) Relation, Schema
c) Relation, Domain
d) Schema, Instance

View Answer Below


7. Here the course_id, sec_id and semester are __________ and course is a _________.
a) Relations, Attribute
b) Attributes, Relation
c) Tuple, Relation
d) Tuple, Attributes

View Answer Below


8. Department (dept_name, building, budget) and Employee (employee_id, name, dept_name, salary)
Here the dept_name attribute appears in both the relations. Here using common attributes in relation schema is one way of relating ___________ relations.
a) Attributes of common
b) Tuple of common
c) Tuple of distinct
d) Attributes of distinct

View Answer Below


9. A domain is atomic if elements of the domain are considered to be ____________ units.
a) Different
b) Indivisible
c) Constant
d) Divisible

View Answer Below


10. The tuples of the relations can be of ________ order.
a) Any
b) Same
c) Sorted
d) Constant

View Answer Below


Sanfoundry Global Education & Learning Series – Database Management System.


  1. Answer: a
    Explanation: Fields are the columns of the relation or table. Records are the rows in a relation. Keys are the constraints in a relation.
  2. Answer: c
    Explanation: Column has only one set of values. Keys are constraints and row is one whole set of attributes. Entry is just a piece of data.
  3. Answer: b
    Explanation: Tuple is one entry of the relation with several attributes which are fields.
  4. Answer: b
    Explanation: Attribute is a specific domain in the relation which has entries of all tuples.
  5. Answer: a
    Explanation: The values of the attribute should be present in the domain. Domain is a set of values permitted.
  6. Answer: d
    Explanation: Instance is an instance of time and schema is a representation.
  7. Answer: b
    Explanation: The relation course has a set of attributes course_id, sec_id, semester.
  8. Answer: c
    Explanation: Here the relations are connected by the common attributes.
  9. Answer: b
    Explanation: None.
  10. Answer: a
    Explanation: The values only count. The order of the tuples does not matter.
Manish Bhojasia

Founder and CTO at Sanfoundry, a high end Technology Training company. Sanfoundry
