How MongoDB sets permissions (user names and passwords like relational databases)

MongoDB default is not set authentication, the industry most of the projects using MongoDB also did not set access rights. This means that as long as the port of the MongoDB server is known, anyone who can access the server can query and manipulate the contents of the MongoDB database. In some projects, this type of usage can be seen as a security breach.

This article describes how to set authentication on a single MongoDB server. After Setup, the MongoDB client must be logged in with the correct user name and password in order to operate in the specified database.

First introduce the users and permissions under MongoDB. Each database has its own user, the command to create the user is Db.createuser () (document), and when you create a user, that user belongs to the database you are currently in.

Each user contains three features: a user name, a password, and a list of roles. Here is an example:

{
User: "Dbuser",
PWD: "Dbpass",
roles: ["ReadWrite", "Clusteradmin"]
}

This example represents a user named Dbuser, which has a readWrite and clusteradmin two roles in the current database.

--------------------------------------------------------------------------------------------------------------- -----------

MongoDB has many roles built in, but be aware that not every database has the same built-in role. Where the admin database contains roles that some other databases do not have.

Children familiar with Oracle are aware that there are two types of database users, one is administrator, to manage users, one is a normal user, to access data. Similarly, for MongoDB planning user authentication, at least two roles should be planned: User Administrator and database user. If you build shards or master-slave, you may also want to plan the role of the database schema Administrator, which is specifically designed to adjust the distributed architecture of the database.

Before creating a user, we will first modify the way MongoDB starts. By default, MongoDB is not checked for authentication. We just need to add a--auth parameter after the command that runs MongoDB, for example:

Mongod--dbpath./db1--port 20000--auth

How to create a user administrator

A user administrator is the first user to be created. You can create users as you like without creating any users, but once you have a user in the database, clients that are not logged on do not have permission to do anything unless you log in using the Db.auth (username, password) method.

The role of the user administrator is called Useradminanydatabase, which can only be created in the admin database. Here is an example:

> Use admin
Switched to DB admin
> Db.createuser ({User: "root", pwd: "root123", roles:["Useradminanydatabase"]})
Successfully added User: {"user": "Root", "roles": ["Useradminanydatabase"]}

This example creates a user administrator named Root. After the user is created, we should log in as the user immediately:

> Db.auth ("Root", "root123")
1
The Db.auth () method returns 1 to indicate a successful login. Next we create access to the required accounts for the specified database.

--------------------------------------------------------------------------------------------------------------- -----------

How to create a database user

First, make sure you have logged into the admin database as a user administrator. The use command is then used to switch to the target database, and the Db.createuser () command is used to create the user with the role name "ReadWrite".

There are two types of common database user roles, read and ReadWrite. As the name implies, the former can only read data cannot be modified, the latter may read and modify.
Here is an example:

> Use test
Switched to DB test
> Db.createuser ({User: "TestUser", pwd: "Testpass", roles:["ReadWrite"]})
Successfully added User: {"user": "TestUser", "Roles": ["ReadWrite"]}
> Db.auth ("TestUser", "Testpass")
1

This ensures that the data security of MongoDB is protected, and that clients that are not logged on will not be able to execute any commands.

How MongoDB sets permissions (user names and passwords like relational databases)