MongoDB authentication, authorization, audit

1. Authentication

MongoDB provides a number of authentication mechanisms for users to connect to data. Choose the mechanism that provides the best balance of security and management. Although authentication is optional, the recommended security practice is to enable authentication on all production systems.

Challenge Response Authentication (MongoDB-CR)

This is the traditional authentication based on username and password. Users can be created within a database or the entire cluster. If a user only needs to access data in a specific database, it is recommended to create users only in that database. Cluster-level access should be restricted to administrators.

X.509 Certificate Authentication

Users can authenticate to MongoDB with X.509 client certificates. For this to work, the MongoDB instance must have SSL enabled. MongoDB Community Edition is not built with SSL support by default, so you either build your own version with SSL enabled or use the Enterprise Edition. You create one MongoDB user per certificate, identified by the certificate's unique subject. Refer to the MongoDB X.509 certificate setup guide for step-by-step details.

Kerberos Authentication

MongoDB Enterprise Edition supports Kerberos authentication, an industry standard for client/server authentication. For example, an enterprise that already runs Active Directory can use the Kerberos mechanism to authenticate users, which avoids managing separate usernames/passwords or certificates for MongoDB. Refer to the MongoDB guide on integrating with Active Directory.

2. Authorization

The authorization system determines what actions users can perform once they have authenticated. MongoDB supports a role-based access control (RBAC) model. Each user is assigned specific roles, which determine what operations that user is allowed to perform. MongoDB has a number of built-in roles and you can also create your own roles. Each role is assigned a set of privileges that allow operations on a resource. MongoDB provides built-in roles in the following scopes:

Database user roles -- read, readWrite
Database administrator roles -- dbAdmin, dbOwner, userAdmin
Cluster administrator roles -- clusterAdmin, clusterManager, clusterMonitor, hostManager
Backup and restore roles -- backup, restore
All Database roles -- readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase
Superuser roles -- root

Refer to the built-in roles documentation for a detailed description of the privileges each role grants; understand these before assigning roles to users.
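An added example (not code from the original article) of applying the least-privilege guidance above: user definitions in the document shape that mongosh's db.createUser() accepts, plus a small policy check that flags cluster-wide or superuser roles on ordinary application accounts. The policy, the user names and the `checkUser` helper are assumptions of this example, not anything the article or MongoDB prescribes.

```javascript
// Built-in roles named in the article, grouped by scope.
const DB_ROLES = new Set(["read", "readWrite", "dbAdmin", "dbOwner", "userAdmin"]);
const CLUSTER_ROLES = new Set(["clusterAdmin", "clusterManager", "clusterMonitor", "hostManager"]);
const BACKUP_ROLES = new Set(["backup", "restore"]);
const ANY_DB_ROLES = new Set(["readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase"]);
const SUPERUSER_ROLES = new Set(["root"]);

// createUser accepts either "readWrite" (role on the user's own database)
// or { role, db }; normalise both forms to { role, db }.
function normaliseRole(entry, defaultDb) {
  return typeof entry === "string" ? { role: entry, db: defaultDb } : entry;
}

// Assumed policy (this example's, not the article's): application users hold
// only database-scoped roles on the database they are created in; cluster,
// backup, *AnyDatabase and root roles are reserved for administrator accounts,
// which live in the admin database. Returns a list of violation messages.
function checkUser(targetDb, userDoc, isAdmin = false) {
  const violations = [];
  for (const entry of userDoc.roles) {
    const { role, db } = normaliseRole(entry, targetDb);
    const wide = CLUSTER_ROLES.has(role) || BACKUP_ROLES.has(role) ||
      ANY_DB_ROLES.has(role) || SUPERUSER_ROLES.has(role);
    if (wide && !isAdmin) {
      violations.push(`${role}: cluster-wide or superuser role on non-admin account`);
    } else if (DB_ROLES.has(role) && db !== targetDb && !isAdmin) {
      violations.push(`${role}@${db}: role granted outside ${targetDb}`);
    } else if (!DB_ROLES.has(role) && !wide) {
      violations.push(`${role}: not a built-in role, check its custom definition`);
    }
  }
  if (!isAdmin && targetDb === "admin") {
    violations.push("application user created in the admin database");
  }
  return violations;
}

// Constructed sample definitions; the password fields are placeholders.
// In mongosh each would be created with db.getSiblingDB(dbName).createUser(doc).
const appUser = { user: "orders_app", pwd: "<placeholder>", roles: ["readWrite"] };
const reportUser = { user: "orders_report", pwd: "<placeholder>",
  roles: [{ role: "readAnyDatabase", db: "admin" }] };
const opsUser = { user: "ops", pwd: "<placeholder>", roles: ["clusterMonitor", "backup"] };

console.log(checkUser("orders", appUser));     // []
console.log(checkUser("orders", reportUser));  // one violation: readAnyDatabase
```

Run the check over your user definitions before executing them in mongosh, so that over-privileged application accounts are caught before they exist on the cluster.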

3. Auditing

MongoDB 2.6 Enterprise Edition adds support for auditing. You can configure a MongoDB instance to generate audit events for the operations you care about, such as user logins, DDL changes and replica set configuration changes. This lets you capture and process those events with your existing enterprise auditing tools. Refer to the list of MongoDB auditable events for details.
