[MongoDB Series] 3. MongoDB Security Policy: Authentication and Authorization

Foreword

In the previous article, when connecting to the MongoDB service through client tools (MongoDB Shell, Robo 3T), anyone who had the IP address and port number could connect to the database and then operate on it. This is because a default MongoDB installation does not enable authentication and sets no initial username and password, which leads to many data security issues.

MongoDB provides various ways to improve the security of the database, such as authentication, access control and encryption.

This article mainly introduces the built-in roles and permissions provided by MongoDB, and then secures the database by enabling authentication and granting users different access permissions.

In the previous two articles, we installed MongoDB on Windows, Linux and Docker respectively. This article demonstrates with MongoDB in a Linux environment; the operation on Windows is basically the same.

Distinguish between authentication and authorization

Authentication is identity verification. When a user connects to the MongoDB service, they must provide a username, a password and an authentication database so that their identity can be verified.

Authorization is permission control. Anyone who has built a back-office management system will be familiar with the RBAC model, and MongoDB adopts it too: when creating a user, you specify one or more roles, and the user obtains the corresponding permissions to operate on the database.

Authentication only restricts whether a user can connect to the database service; permission control then governs, at a finer granularity, which operations the user may perform on which databases. By analogy with a typical management system, both administrators and ordinary users can log in, but the pages they can access and the operations they can perform differ greatly.

MongoDB built-in roles

MongoDB grants users access to data and commands through RBAC, and provides a variety of built-in roles to provide different levels of access typically required in database systems. In addition to using built-in roles, it also supports user-defined roles.

This part is described in detail on the official website. Let's first look at some commonly used roles and their permissions.

Database read and write roles:

  • read: Allows the user to read the specified database
  • readWrite: Allows the user to read and write the specified database

DBA role:

  • dbAdmin: Allows users to create and delete indexes, view statistics or access system.profile, but does not have permissions for role and user management
  • dbOwner: Provides the ability to perform any operation on the database. This role combines the privileges granted by the readWrite, dbAdmin, and userAdmin roles
  • userAdmin: Provides the ability to create and modify roles and users in the current database

All database roles:

  • readAnyDatabase: only available in the admin database, giving the user read access to all databases
  • readWriteAnyDatabase: only available in the admin database, giving the user read and write permissions on all databases
  • userAdminAnyDatabase: only available in the admin database, giving the user userAdmin permissions on all databases
  • dbAdminAnyDatabase: only available in the admin database, giving the user dbAdmin permissions on all databases

Superuser role:

  • root: only available in the admin database; a superuser with the highest privileges

In this article, we mainly use the root role to set up the super administrator of the database, and then use the read and dbOwner roles to create users with different permissions on a particular database.

Authentication

Turn on authentication

When starting the MongoDB service, enable authentication on the command line with --auth:

$ mongod -f /data/mongodb/mongodb.conf --auth

Or enable it in the configuration file via security.authorization:

security:
  authorization: enabled

  • authorization: Indicates whether to enable user access control, that is, whether the client must authenticate with a username and password to access the database service. The default is disabled.

Once mongod is started this way, the MongoDB service has authentication enabled.

Summary of the steps to turn on authentication:

  • When starting the mongod service, use --auth;
  • Use the mongosh client tool to connect to the mongod service;
  • Create a super administrator account.

Create super admin user

After MongoDB enables authentication, there is no default username and password; you need to create them yourself.

Use mongosh to connect to the service:

$ mongosh


After enabling authentication, you can still enter the shell without supplying a username and password, but at this point you have no permission to operate on the database; for example, listing databases or querying a collection is rejected as unauthorized.


The only thing that can be done at this point is to create a user with the super administrator role.

To create a super administrator, switch to the admin database and then use the db.createUser method to create the user:

use admin;

db.createUser({
  user: "Kunwu",
  pwd: "abc123",
  roles: [
    { role: "root", db: "admin" }
  ]
});

Description of configuration items:

  • user: The name of the user being created.
  • pwd: The password of the user being created.
  • roles: Sets the user's role information. It is an array, so several roles can be assigned.
  • role: Sets a role of the user. MongoDB provides several different roles; here it is set to the superuser role root.
  • db: Sets the database in which the role takes effect. Because of the special nature of the root role, it can only be set to admin, but a user with the root role has super privileges across the whole instance.


Use the super administrator to connect to the service

After enabling authentication, when connecting to the MongoDB service through client tools (MongoDB Shell, Robo 3T, etc.), you need to specify a username and password. There are two ways to authenticate.

Method 1: Verify when connecting

Specify the username and authentication database when connecting to the database service:

$ mongosh -u Kunwu --authenticationDatabase admin

  • -u/--username: specifies the username
  • --authenticationDatabase: specifies the authentication database, which is the database in which the user was created. Kunwu above was created in admin, so his authentication database is admin.

You will then be prompted for the password on the command line; enter it and press Enter to log in.

You can also enter the password directly on the command line with -p/--password:

$ mongosh -u Kunwu -p abc123 --authenticationDatabase admin

Method 2: Verify after connection

Instead of providing the username, password and authentication database when connecting, connect to the database service first, switch to the authentication database, and then use the db.auth method to verify the username and password.

$ mongosh

Verify identity:

use admin;

db.auth('Kunwu', 'abc123');


Connect with Robo 3T

Create a new connection. In the Connection tab, enter the IP address and port of the database service.

Then, in the second tab, Authentication, enter in turn:

  • Database: the authentication database, i.e. the database in which the user was created
  • User Name: the username
  • Password: the user's password

Then click the Test button in the lower left corner to run a connection test.

After the test succeeds, you can use Robo 3T to manage the database.

A Supplement on the Authentication Database

The authentication database is the database in which the user was created. For example, the super administrator Kunwu was created in the admin database earlier, so this user's authentication database is admin, and authenticationDatabase must be set to admin when logging in.

The authentication database does not mean that the user can only operate on this one database.

MongoDB has a variety of built-in roles. When creating a user, you can specify multiple roles, each bound to a database; those databases are the ones the user can operate on. For example:

db.createUser({
  user: "Kunwu",
  pwd: "abc123",
  roles: [
    { role: "read", db: "db1" },
    { role: "readWrite", db: "db2" },
    { role: "dbOwner", db: "db2" }
  ]
});

At this point, the user Kunwu can operate on the databases db1 and db2 with different permissions: read-only on db1, and readWrite plus dbOwner on db2.

Therefore, the conclusion is that the authentication database is not the same as the databases a user can operate on. These are two different concepts.

Create a separate user for the app

The superuser has the highest authority; it is suitable for managing other users and should not be used to operate on specific application databases.

We should create separate users for each application that uses the database service. For example, for a management system called manage, several users can be created: some that can only read data, some that can read and write data, some with full permissions, and so on.

First log in to MongoDB as a super administrator:

$ mongosh -u Kunwu -p abc123 --authenticationDatabase admin

Then create the different users for the manage database:

use manage;

// Full control over the manage database only
db.createUser({
  user: 'ManageAdmin',
  pwd: 'admin123',
  roles: [
    { role: "dbOwner", db: 'manage' }
  ]
});

// Read-only access to the manage database
db.createUser({
  user: 'ManageRead',
  pwd: 'user123',
  roles: [
    { role: "read", db: 'manage' }
  ]
});

Users with the dbOwner role can perform any operation on the manage database. Users with the read role can only read data from it.

Log in as the admin user of the manage database:

$ mongosh -u ManageAdmin -p admin123 --authenticationDatabase manage

Log in as the read-only user of the manage database:

$ mongosh -u ManageRead -p user123 --authenticationDatabase manage
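As an added example (not from the original post), the following mongosh-compatible script checks user definitions against the two rules discussed above before calling db.createUser: roles that the built-in role list marks "only available in the admin database" must be bound to admin, and an application user should hold roles only on its own database, never one of those instance-wide roles. The `validateUserSpec`, `applyUserSpecs` and `MANAGE_USERS` names are assumptions introduced here; the user specs are the constructed ManageAdmin and ManageRead definitions from this section.

```javascript
// Roles the built-in role list says are only valid on the admin database.
const ADMIN_ONLY_ROLES = new Set([
  "root", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase",
]);

// Returns a list of problems found in a createUser document; empty means OK.
// appDb, when given, is the single database an application user may use.
function validateUserSpec(spec, appDb) {
  const problems = [];
  if (!spec.user || !spec.pwd) problems.push("user and pwd are required");
  if (!Array.isArray(spec.roles) || spec.roles.length === 0)
    problems.push("roles must be a non-empty array");
  for (const r of spec.roles || []) {
    if (ADMIN_ONLY_ROLES.has(r.role) && r.db !== "admin")
      problems.push(`${r.role} is only valid on the admin database, got ${r.db}`);
    if (appDb) {
      if (ADMIN_ONLY_ROLES.has(r.role))
        problems.push(`${r.role} is too broad for an application user`);
      else if (r.db !== appDb)
        problems.push(`application user may only hold roles on ${appDb}, got ${r.db}`);
    }
  }
  return problems;
}

// Constructed sample: the two users for the manage database from this section.
const MANAGE_USERS = [
  { user: "ManageAdmin", pwd: "admin123", roles: [{ role: "dbOwner", db: "manage" }] },
  { user: "ManageRead",  pwd: "user123",  roles: [{ role: "read",    db: "manage" }] },
];

// Validate every spec first; if any fails, nothing is created. `database` is
// the mongosh `db` handle (or null to only validate). Returns the created names.
function applyUserSpecs(specs, appDb, database) {
  for (const spec of specs) {
    const problems = validateUserSpec(spec, appDb);
    if (problems.length) throw new Error(`${spec.user}: ${problems.join("; ")}`);
  }
  const created = [];
  for (const spec of specs) {
    if (database) database.createUser(spec);
    created.push(spec.user);
  }
  return created;
}

// Inside mongosh (after `use manage`) the global `db` exists and the users are
// created; outside mongosh this line is a no-op so the functions can be reused.
if (typeof db !== "undefined") applyUserSpecs(MANAGE_USERS, "manage", db);
```

Load it in mongosh with `load("create_manage_users.js")` while logged in as the super administrator.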

Summary

So far, we have briefly introduced the authentication and authorization mechanism of MongoDB.

A newly installed MongoDB does not have authentication enabled. You need to switch to the admin database and create a super administrator user with the root role. Then, for each application database, use that administrator to create users with different permissions, which provides a basic guarantee of database security.

There is much more to role permissions, such as exactly which privileges each role grants, how to create custom roles, how to change user passwords and how to update roles. You can consult the official website or other references for these.

Thanks for reading!

Origin blog.csdn.net/Old_Soldier/article/details/132524338