Role-Based Access Control – MongoDB 

MongoDB controls access and privileges to a database system through a mechanism known as Role-Based Access Control (RBAC). In this blog we will look at how RBAC works, what the principle of least privilege means and why it matters, and how to use MongoDB's access-privilege features in practice.

How MongoDB Controls Access with Role-Based Access Control

Access control, often discussed in terms of permissions, is a security technique for determining who can gain access to which resources and what they are allowed to do with them. MongoDB splits it into two steps: authentication (proving who you are) and authorization (what you are allowed to do once authenticated).

Authentication in MongoDB

MongoDB uses a more compound user directory than a flat list of usernames. In MongoDB, users are identified not only by their username but also by the database in which they were created, known as that user's authentication database. This means it is possible to have multiple users with the same username (for example, app_user) as long as they are created in different authentication databases. To authenticate as a user you must therefore provide not only a username and password but also the name of the authentication database associated with that user.

Example:

mongosh --host <hostname> -u app_user -p --authenticationDatabase admin

Because -p is given without a value, the shell prompts for the password instead of leaving it in the process list and shell history. Enter the password that was set when app_user was created to get access to the shell.

> show dbs

Output
---------
admin    0.000GB
config   0.000GB
local    0.000GB

Authorization in MongoDB (Role-Based Access Control)

In MongoDB, you control who has access to which resources on a database, and to what degree, through a mechanism called Role-Based Access Control (RBAC).

Under RBAC, users are not given permissions to perform actions on resources directly, such as inserting a new document into the database or querying a particular collection; with many users in the system that would make security policies hard to manage and keep consistent. Instead, the rules allowing actions on particular resources (privileges) are bundled into roles, and roles are granted to users. The principle of least privilege then means granting each user only the roles, and each custom role only the privileges, that its job actually requires.

In MongoDB two types of roles are available:

Built-In Roles

MongoDB provides the following built-in roles.

read: Provides the ability to read data on all non-system collections and the system.js collection.

The role provides read access by granting the following actions:

changeStream

collStats

dbHash

dbStats

find

killCursors

listIndexes

listCollections

readWrite Role: Provides all the privileges of the read role plus ability to modify data on all non-system collections and the system.js collection.

The role provides the following actions on those collections:

changeStream

collStats

convertToCapped

createCollection

dbHash

dbStats

dropCollection

createIndex

dropIndex

find

insert

killCursors

listIndexes

listCollections

remove

renameCollectionSameDB

update

Database Administration Roles

Every database includes the following database administration roles.


dbAdmin

dbOwner

userAdmin

Cluster Administration Roles

clusterAdmin

clusterManager

clusterMonitor

hostManager

Backup and Restoration Roles

backup

restore

All-Database Roles

The following roles are available on the admin database and provide privileges which apply to all databases except local and config:

readAnyDatabase

readWriteAnyDatabase

userAdminAnyDatabase

dbAdminAnyDatabase

Superuser Roles

Several roles provide either direct or indirect system-wide superuser access. The root role provides direct superuser access.

The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database; when auditing accounts, treat them as superusers:

dbOwner role, when scoped to the admin database

userAdmin role, when scoped to the admin database

userAdminAnyDatabase  role

User-Defined Roles

MongoDB provides a large number of built-in roles. However, if none of them describes the desired set of privileges, you can create new roles that carry exactly the privileges needed, which is the least-privilege option.

Create a User-Defined Role

Step 1: Connect to MongoDB as a user with the privileges needed to create roles (the createRole action on the admin database, which the userAdmin or userAdminAnyDatabase role provides). Leave -p without a value so that mongosh prompts for the password rather than recording it in shell history:

mongosh --port 27017 -u myUserAdmin -p --authenticationDatabase admin

Step 2: Create a new role to manage current operations:

Role Name: manageOpRole

use admin
db.createRole(
   {
     role: "manageOpRole",
     privileges: [
       { resource: { cluster: true }, actions: [ "killop", "inprog" ] },
       { resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
     ],
     roles: []
   }
)

The new role grants permission to list (inprog) and kill (killop) any operation on the cluster, and to kill cursors on all non-system collections in every database (the resource { db: "", collection: "" }). It grants no read or write access to any data, which is exactly what an operator who only needs to clear runaway operations should have.

Example 2:  Create a Role to Run mongostat

Step 1: Log in to the MongoDB shell (mongosh prompts for the password)

mongosh --port 27017 -u myUserAdmin -p --authenticationDatabase admin

Step 2: Create a role to run mongostat

use admin
db.createRole(
   {
     role: "mongostatRole",
     privileges: [
       { resource: { cluster: true }, actions: [ "serverStatus" ] }
     ],
     roles: []
   }
)

Modify Access for an Existing User

Step 1: Log in to the MongoDB shell (mongosh prompts for the password)

mongosh --port 27017 -u myUserAdmin -p --authenticationDatabase admin

Step 2: Revoke the role the user no longer needs. Run this in the user's authentication database (reportsUser was created in reporting), not in the database the role applies to:

use reporting
db.revokeRolesFromUser(
    "reportsUser",
    [
      { role: "readWrite", db: "accounts" }
    ]
)

Grant a role:

use reporting
db.grantRolesToUser(
    "reportsUser",
    [
      { role: "read", db: "accounts" }
    ]
)

Revoke the broader role before granting the narrower one; granting read on its own would leave readWrite in place. Confirm the result with db.getUser("reportsUser").
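To make the rules above concrete, here is an added example (not code from this page or from MongoDB) that models how MongoDB resolves a user's effective privileges, in plain JavaScript that runs under Node without a server. It covers the read and readWrite built-in roles listed earlier, the manageOpRole created above, the superuser rule from the built-in roles section, and the revoke/grant steps just shown. The role and user shapes follow the output of db.getRole(name, { showPrivileges: true }) and db.getUser(name); the auditRole, opsUser and auditor names and the accounts.ledger collection are assumptions made for the example.

```javascript
// Added example (not code from the page or from MongoDB): an offline model of
// how MongoDB turns a user's roles into effective privileges. Role and user
// shapes mirror db.getRole(name, { showPrivileges: true }) and db.getUser(name).
// Only the read/readWrite built-ins listed on this page are modelled.

// Built-in roles from this page, expressed relative to the database a grant is
// scoped to. Both cover all non-system collections plus system.js.
const READ_ACTIONS = ['changeStream', 'collStats', 'dbHash', 'dbStats', 'find',
  'killCursors', 'listIndexes', 'listCollections'];
const READ_WRITE_ACTIONS = READ_ACTIONS.concat(['convertToCapped',
  'createCollection', 'dropCollection', 'createIndex', 'dropIndex', 'insert',
  'remove', 'renameCollectionSameDB', 'update']);
const BUILT_IN = { read: READ_ACTIONS, readWrite: READ_WRITE_ACTIONS };

// User-defined roles keyed "<db>.<role>". manageOpRole is the one created on
// this page; auditRole is an assumed role that exists only to show inheritance.
const ROLE_CATALOG = {
  'admin.manageOpRole': {
    privileges: [
      { resource: { cluster: true }, actions: ['killop', 'inprog'] },
      { resource: { db: '', collection: '' }, actions: ['killCursors'] },
    ],
    roles: [],
  },
  'admin.auditRole': {
    privileges: [],
    roles: [{ role: 'userAdminAnyDatabase', db: 'admin' }],
  },
};

// Resource matching as documented for privilege resources: "" in db or
// collection means "any", and the any-collection forms skip system.* collections.
function resourceMatches(res, target) {
  if (res.anyResource) return true;
  if (res.cluster || target.cluster) return Boolean(res.cluster && target.cluster);
  const dbOk = res.db === '' || res.db === target.db;
  const isSystem = target.collection.startsWith('system.');
  const collOk = res.collection === '' ? !isSystem : res.collection === target.collection;
  return dbOk && collOk;
}

// Flatten a user's roles, following inheritance, into the privileges they
// confer and the set of role grants reached. The set also guards against cycles.
function effective(userRoles) {
  const privileges = [];
  const reached = new Set();
  const walk = ({ role, db }) => {
    const key = `${db}.${role}`;
    if (reached.has(key)) return;
    reached.add(key);
    if (BUILT_IN[role]) {
      privileges.push({ resource: { db, collection: '' }, actions: BUILT_IN[role] });
      privileges.push({ resource: { db, collection: 'system.js' }, actions: BUILT_IN[role] });
      return;
    }
    const def = ROLE_CATALOG[key];
    if (!def) return; // built-ins not modelled here confer nothing in this model
    privileges.push(...def.privileges);
    def.roles.forEach(walk);
  };
  userRoles.forEach(walk);
  return { privileges, reached };
}

// Can `user` perform `action` on `target` ({ db, collection } or { cluster: true })?
function can(user, action, target) {
  return effective(user.roles).privileges.some(p =>
    p.actions.includes(action) && resourceMatches(p.resource, target));
}

// The superuser rule from this page (dbOwner or userAdmin scoped to admin,
// userAdminAnyDatabase) plus root, applied to inherited roles as well.
function isEffectiveSuperuser(user) {
  const { reached } = effective(user.roles);
  return ['admin.root', 'admin.dbOwner', 'admin.userAdmin', 'admin.userAdminAnyDatabase']
    .some(key => reached.has(key));
}

// Pure equivalents of db.revokeRolesFromUser / db.grantRolesToUser on a user document.
const sameGrant = (a, b) => a.role === b.role && a.db === b.db;
const revokeRoles = (user, roles) =>
  ({ ...user, roles: user.roles.filter(r => !roles.some(x => sameGrant(x, r))) });
const grantRoles = (user, roles) =>
  ({ ...user, roles: user.roles.concat(roles.filter(x => !user.roles.some(r => sameGrant(x, r)))) });

// Constructed users: reportsUser before and after the revoke/grant steps above,
// an ops user holding manageOpRole, and an auditor who inherits a superuser role.
const reportsBefore = { user: 'reportsUser', db: 'reporting', roles: [{ role: 'readWrite', db: 'accounts' }] };
const reportsAfter = grantRoles(revokeRoles(reportsBefore, [{ role: 'readWrite', db: 'accounts' }]),
  [{ role: 'read', db: 'accounts' }]);
const opsUser = { user: 'opsUser', db: 'admin', roles: [{ role: 'manageOpRole', db: 'admin' }] };
const auditor = { user: 'auditor', db: 'admin', roles: [{ role: 'auditRole', db: 'admin' }] };

const ledger = { db: 'accounts', collection: 'ledger' };
console.log(can(reportsBefore, 'insert', ledger), can(reportsAfter, 'insert', ledger)); // true false
console.log(can(opsUser, 'killop', { cluster: true }), can(opsUser, 'find', ledger));    // true false
console.log(isEffectiveSuperuser(reportsAfter), isEffectiveSuperuser(auditor));          // false true
```

Running it prints true false, true false, false true: reportsUser can insert before the change and not after, the ops user can kill operations but cannot read data, and the auditor is an effective superuser because auditRole inherits userAdminAnyDatabase even though the user document never mentions it. To audit a real deployment, replace the catalog and users with the output of db.getRole and db.getUser and pay particular attention to inherited roles, which is where over-privilege tends to hide.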

Modify the Password for an Existing User

Step 1: Log in to the MongoDB shell (mongosh prompts for the password)

mongosh --port 27017 -u myUserAdmin -p --authenticationDatabase admin

Step 2: Switch to the user's authentication database and change the password

use <authentication database>
db.changeUserPassword("<user name>", "<new password>")

db.changeUserPassword only finds the user in the current database, so the use step is required. To avoid typing the new password as a literal, pass passwordPrompt() as the second argument and the shell will prompt for it.

Conclusion

As with any technology it is important to educate yourself on the best practices by reading the documentation, investing in training or working with a trusted partner to get the best out of this fantastic database.

We look forward to posting more on MongoDB’s features, how to use and configure it and a host of other topics.


Delbridge is a privately held global company with offices in Canada, the USA, Costa Rica, and Romania.

Delbridge Solutions specializes in providing Corporate Performance Management, Sales Performance Management, and Data & Software Engineering.
