MongoDB controls access and privileges on a database system through Role-Based Access Control (RBAC). In this post we look at how RBAC works, what the principle of least privilege means and why it matters, and how to use MongoDB's access privilege features in practice.
How MongoDB Controls Access with Role-Based Access Control
Access control, also known as permissions management, is a security technique that determines who can gain access to which resources.
Authentication in MongoDB
Unlike a flat user directory, MongoDB uses a composite user structure. In MongoDB users are identified not only by their usernames but also by the database in which they were created. For each user, the database in which they were created is known as that user's authentication database. This means that in MongoDB it is possible to have multiple users with the same username (for example, app_user), as long as they are created in different authentication databases. To authenticate as a user, you must provide not only a username and password but also the name of the authentication database associated with that user.
Example:
mongo --host <hostname> -u app_user -p --authenticationDatabase admin
When prompted, enter the password that you set during installation to get access to the shell.
>show dbs
Output
———
admin 0.000GB
config 0.000GB
local 0.000GB
Authorization in MongoDB (Role-Based Access Control)
In MongoDB, you control who has access to which resources on a database, and to what degree, through a mechanism called Role-Based Access Control (RBAC).
In Role-Based Access Control, users are not given permissions to perform actions on resources directly, such as inserting a new document into a collection or querying a particular collection. That would make the security policy difficult to manage and keep consistent once there are many users in the system. Instead, the rules allowing actions on particular resources are attached to roles, and roles are assigned to users.
In MongoDB two types of roles are available:
Built-In Roles
The following roles are provided by MongoDB.
read Role: Provides the ability to read data on all non-system collections and the system.js collection.
The role provides read access by granting the following actions:
changeStream
collStats
dbHash
dbStats
find
killCursors
listIndexes
listCollections
readWrite Role: Provides all the privileges of the read role plus the ability to modify data on all non-system collections and the system.js collection.
The role provides the following actions on those collections:
changeStream
collStats
convertToCapped
createCollection
dbHash
dbStats
dropCollection
createIndex
dropIndex
find
insert
killCursors
listIndexes
listCollections
remove
renameCollectionSameDB
update
Database Administration Roles
Every database includes the following database administration roles.
dbAdmin
dbOwner
userAdmin
Cluster Administration Roles
clusterAdmin
clusterManager
clusterMonitor
hostManager
Backup and Restoration Roles
backup
restore
All-Database Roles
The following roles are available on the admin database and provide privileges which apply to all databases except local and config:
readAnyDatabase
readWriteAnyDatabase
userAdminAnyDatabase
dbAdminAnyDatabase
Superuser Roles
Several roles provide either indirect or direct system-wide superuser access.
The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:
dbOwner role, when scoped to the admin database
userAdmin role, when scoped to the admin database
userAdminAnyDatabase role
User-Defined Roles
MongoDB provides a large number of built-in roles. However, if these roles cannot describe the desired set of privileges, you can create new roles.
Create a User-Defined Role
Step 1: Connect to MongoDB as a user with the privileges to create roles (for example, one holding userAdmin on the admin database).
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
If you omit the value after -p, mongosh prompts for the password instead of leaving it in the shell history.
Step 2: Create a new role to manage current operations:
Role Name: manageOpRole
use admin
db.createRole(
{
role: "manageOpRole",
privileges: [
{ resource: { cluster: true }, actions: [ "killop", "inprog" ] },
{ resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
],
roles: []
}
)
The new role grants the ability to list (inprog) and kill (killop) any operation on the cluster, and to kill cursors on any collection in any database (the empty db and collection strings mean "any").
Example 2: Create a Role to Run mongostat
Step 1: Log in to the MongoDB shell
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Step 2: Create a role that can run mongostat (it needs only the serverStatus action on the cluster)
use admin
db.createRole(
{
role: "mongostatRole",
privileges: [
{ resource: { cluster: true }, actions: [ "serverStatus" ] }
],
roles: []
}
)
Modify Access for an Existing User
Step 1: Log in to the MongoDB shell
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Step 2: Revoke the role the user no longer needs (switch to the user's authentication database first)
use <DB>
db.revokeRolesFromUser(
"reportsUser",
[
{ role: "readWrite", db: "accounts" }
]
)
Step 3: Grant the narrower role that covers what the user actually needs
use reporting
db.grantRolesToUser(
"reportsUser",
[
{ role: "read", db: "accounts" }
]
)
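To make the RBAC model from the start of the post concrete, here is an added example in plain JavaScript (it is not code from this post or from MongoDB). It models how a user's effective privileges are resolved from roles, replays the revoke-then-grant step for reportsUser shown above, and flags the superuser role combinations listed earlier. The read and readWrite action lists and the manageOpRole definition are taken from the post; the rule that an empty db or collection string matches any database or any non-system collection is assumed from MongoDB's documented resource semantics, and opsUser and the accounts.orders collection are made-up names for the demonstration.

```javascript
// Added example (not MongoDB's code): an in-memory model of MongoDB RBAC that
// resolves a user's effective privileges. Action lists and manageOpRole come
// from the post; the wildcard rule (empty db/collection = "any") is assumed.

const READ_ACTIONS = ["changeStream", "collStats", "dbHash", "dbStats",
  "find", "killCursors", "listIndexes", "listCollections"];
const READWRITE_ACTIONS = [...READ_ACTIONS, "convertToCapped", "createCollection",
  "dropCollection", "createIndex", "dropIndex", "insert", "remove",
  "renameCollectionSameDB", "update"];

// Built-in roles exist in every database, scoped to that database; the
// wildcard collection covers its non-system collections (system.js omitted).
function builtinRole(db, name) {
  const actions = { read: READ_ACTIONS, readWrite: READWRITE_ACTIONS }[name];
  if (!actions) return null;
  return { privileges: [{ resource: { db, collection: "" }, actions }], roles: [] };
}

// User-defined roles live where they were created (admin here), exactly as the
// post's db.createRole() call defines manageOpRole.
const userDefinedRoles = new Map([["admin.manageOpRole", {
  privileges: [
    { resource: { cluster: true }, actions: ["killop", "inprog"] },
    { resource: { db: "", collection: "" }, actions: ["killCursors"] },
  ],
  roles: [],
}]]);

function lookupRole({ role, db }) {
  return userDefinedRoles.get(`${db}.${role}`) || builtinRole(db, role);
}

// Does a granted resource cover the resource being accessed?
function resourceMatches(granted, requested) {
  if (granted.cluster) return requested.cluster === true;
  if (requested.cluster) return false;
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === ""
    ? !requested.collection.startsWith("system.")
    : granted.collection === requested.collection;
  return dbOk && collOk;
}

// Flatten a user's roles, following inherited roles (cycle-safe), into the
// privileges the user actually holds.
function effectivePrivileges(user) {
  const privileges = [], seen = new Set();
  const visit = (ref) => {
    const key = `${ref.db}.${ref.role}`;
    if (seen.has(key)) return;
    seen.add(key);
    const def = lookupRole(ref);
    if (!def) return; // unknown role grants nothing
    privileges.push(...def.privileges);
    def.roles.forEach(visit);
  };
  user.roles.forEach(visit);
  return privileges;
}

function hasAction(user, resource, action) {
  return effectivePrivileges(user).some(
    (p) => resourceMatches(p.resource, resource) && p.actions.includes(action));
}

// The post's superuser list: any of these lets a user grant themselves any
// privilege, so an audit should flag such accounts whatever else they hold.
const SUPERUSER_ROLES = [{ role: "dbOwner", db: "admin" },
  { role: "userAdmin", db: "admin" }, { role: "userAdminAnyDatabase", db: "admin" }];
const sameRole = (a, b) => a.role === b.role && a.db === b.db;
function isEffectiveSuperuser(user) {
  return user.roles.some((r) => SUPERUSER_ROLES.some((s) => sameRole(s, r)));
}

// In-memory equivalents of db.grantRolesToUser / db.revokeRolesFromUser.
function grantRolesToUser(user, roles) {
  for (const r of roles) if (!user.roles.some((x) => sameRole(x, r))) user.roles.push(r);
}
function revokeRolesFromUser(user, roles) {
  user.roles = user.roles.filter((x) => !roles.some((r) => sameRole(x, r)));
}

// Replay the post's "modify access" step for reportsUser: readWrite on accounts
// is swapped for read (accounts.orders is a made-up collection name).
function narrowReportsUser() {
  const user = { user: "reportsUser", roles: [{ role: "readWrite", db: "accounts" }] };
  const orders = { db: "accounts", collection: "orders" };
  const couldInsertBefore = hasAction(user, orders, "insert");
  revokeRolesFromUser(user, [{ role: "readWrite", db: "accounts" }]);
  grantRolesToUser(user, [{ role: "read", db: "accounts" }]);
  return { couldInsertBefore, canInsertAfter: hasAction(user, orders, "insert"),
    canFindAfter: hasAction(user, orders, "find") };
}

console.log(narrowReportsUser()); // { couldInsertBefore: true, canInsertAfter: false, canFindAfter: true }
```

Run it with node. The resolver is the part worth studying: a role's scope comes from the database it is referenced in, so read on accounts says nothing about reporting, while manageOpRole's empty-string resource reaches every database, which is exactly why a role like that should be handed out sparingly and why isEffectiveSuperuser belongs in any periodic review of db.getUsers() output.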
Modify the Password for an Existing User
Step 1: Log in to the MongoDB shell
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Step 2: Switch to the user's authentication database and change the password
db.changeUserPassword("<user name>", "<New password>")
Conclusion
As with any technology, it is important to educate yourself on the best practices by reading the documentation, investing in training or working with a trusted partner to get the best out of this fantastic database.
We look forward to posting more on MongoDB’s features, how to use and configure it and a host of other topics.