Are you still using root to access all the data in your application? Have you ever woken up in the middle of the night worried about what you would do if you accidentally dropped a database?

If that is what worries you, reduce your users' privileges now.

MongoDB provides the following four authentication modes:

  1. Username and password: the default authentication mode. User information is stored in the local MongoDB database.
  2. Certificate mode: uses the X.509 standard. The server must be started with a certificate file, and the client presents a certificate when connecting to the server. Certificates are issued by an internal or external CA.
  3. LDAP external authentication: an Enterprise edition feature. Connects to an external LDAP server for authentication.
  4. Kerberos external authentication: an Enterprise edition feature. Connects to an external Kerberos server for authentication.

Today we’ll look at the simplest and most common: username + password.

When we talk about permission control, we cannot avoid RBAC (role-based access control), and MongoDB is no exception.

RBAC simply describes which roles a user has and which resources those roles may access. In this way, users holding a role receive that role's permissions.

MongoDB has three corresponding concepts: User, Role, and Action.

A User is granted Roles, and a Role is made up of Actions. An Action is what the user may actually do to the database, such as insert, delete, update and query.

The full list of actions is at: docs.mongodb.com/manual/refe…

Enabling authentication

By default, authentication is not enabled after MongoDB is installed: you can log in without a username or password and have full privileges to manipulate the database (this is when you have the most privileges, and the most risk).

After authentication is enabled, you can still log in without specifying a user name or password, but the only thing you can do is create users.

There are two ways to enable authentication:

  1. Specify it in mongod.cfg:
security:
  authorization: enabled

Docs.mongodb.com/manual/refe…

  2. Specify it as a command line argument:
mongod --auth --port 27017 --dbpath /data/db

If you then try to do anything else, such as query data, you will get the following error:

db.demo.find();
Error: error: {
  "ok" : 0,
  "errmsg" : "not authorized on test to execute command { find: \"demo\", filter: {}, $db: \"test\" }",
  "code" : 13,
  "codeName" : "Unauthorized"
}

At this point we can create a user. For example, we create a root user:

use admin;

db.createUser({
  user: "root",
  pwd: "123456",
  roles: [
    { role: "root", db: "admin" }
  ]
})

The above command creates a root account with the role root, which has the highest privileges on all databases (the roles built into MongoDB are described below).

Use the following command to log in to MongoDB:

mongo -u root -p 123456 --authenticationDatabase admin

When logging in to MongoDB through the mongo shell after authentication is enabled, the --authenticationDatabase option must be added. It specifies the database against which the user name and password are verified; we usually store users in the admin database.

Then run the following command to view the supported authentication mechanisms:

db.runCommand({getParameter: 1, authenticationMechanisms: 1})
{
  "authenticationMechanisms" : [
    "MONGODB-X509",
    "SCRAM-SHA-1",
    "SCRAM-SHA-256"
  ],
  "ok" : 1
}

When connecting with the Robo 3T tool, the user must authenticate with one of the mechanisms listed above.

MongoDB built-in roles and permission inheritance relationships

You can see that the root role is at the top level.

Use the getRole command when you want to know what privileges a role has:

db.getRole('read', {showPrivileges: true});

The getRole command shows the role's privileges, its inherited roles and privileges, and the corresponding actions.

MongoDB also lets us define our own roles:

// Create the sampleRole role: it may only read and update the sample collection in sampledb
db.createRole({
  "role": "sampleRole",
  "privileges": [
    {
      "resource": { "db": "sampledb", "collection": "sample" },
      "actions": ["update"]
    }
  ],
  "roles": [
    { "role": "read", "db": "sampledb" }
  ]
});

// Create a user that holds only sampleRole (the role was created in the admin database)
db.createUser({
  "user": "sampleUser",
  "pwd": "password",
  "roles": [
    { "role": "sampleRole", "db": "admin" }
  ]
})

When we log in as sampleUser, we can no longer insert data into the sample collection.
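To make the User, Role and Action relationship concrete, here is an added example in plain Node.js (not from the original post): it resolves sampleUser's effective actions on a namespace from role documents shaped like the output of db.getRole, following inherited roles. The role documents and the simplified resource-matching rules are assumptions, not output from a real server.

```javascript
// Added example (not from the original post): compute a user's effective
// actions on one namespace from role documents shaped like the output of
// db.getRole(name, {showPrivileges: true}), following inherited roles.
// Constructed sample data: "sampledb.read" is a trimmed stand-in for the
// built-in read role, which really grants more actions than listed here.
const roleDefs = {
  "admin.sampleRole": {
    privileges: [{ resource: { db: "sampledb", collection: "sample" }, actions: ["update"] }],
    roles: [{ role: "read", db: "sampledb" }],
  },
  "sampledb.read": {
    privileges: [{ resource: { db: "sampledb", collection: "" }, actions: ["find", "listCollections"] }],
    roles: [],
  },
};

// Does a privilege resource cover the target namespace? Simplified from
// MongoDB's rules: an empty db or collection string is a wildcard,
// {db: "", collection: ""} skips system collections, cluster-level
// privileges never apply to a namespace, anyResource applies to everything.
function resourceMatches(resource, target) {
  if (resource.anyResource) return true;
  if (resource.cluster) return false;
  if (resource.db === "" && resource.collection === "") {
    return !target.collection.startsWith("system.");
  }
  const dbOk = resource.db === "" || resource.db === target.db;
  const collOk = resource.collection === "" || resource.collection === target.collection;
  return dbOk && collOk;
}

// Walk the role graph depth-first (a visited set stops cyclic grants from
// looping) and union the actions of every privilege covering the target.
function effectiveActions(defs, grantedRoles, target) {
  const actions = new Set();
  const seen = new Set();
  const stack = grantedRoles.map((r) => `${r.db}.${r.role}`);
  while (stack.length) {
    const key = stack.pop();
    if (seen.has(key) || !defs[key]) continue; // unknown role grants nothing
    seen.add(key);
    for (const p of defs[key].privileges)
      if (resourceMatches(p.resource, target)) p.actions.forEach((a) => actions.add(a));
    for (const r of defs[key].roles) stack.push(`${r.db}.${r.role}`);
  }
  return [...actions].sort();
}

// sampleUser from the post holds sampleRole (created in admin); on sampledb.sample
// this yields find, listCollections and update but no insert, so the insert fails.
const sampleUserRoles = [{ role: "sampleRole", db: "admin" }];
console.log(effectiveActions(roleDefs, sampleUserRoles, { db: "sampledb", collection: "sample" }));
```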

Creating an Application User

In practice, we can create different users and assign them different roles for different scenarios, which makes permission control finer-grained and safer.

Creating a read-only user:

db.createUser({user: "reader", pwd: "abc123", roles: [{ role: "read", db: "mydb" }]})

Creating a read-write user:

db.createUser({user: "writer", pwd: "abc123", roles: [{ role: "readWrite", db: "mydb" }]})