In the previous article, we used MySQL as a reference point to learn MongoDB's query syntax. In this article we continue the journey and compare the authorization and permission models of the two.
Database security is a key concern of every DBA. Once the database is up and running, keeping its data secure becomes the most important task.
For a database administrator, security means two things: legitimate users must be able to log on to the database server and access data and operate on database objects according to the privileges they have been granted, and every unauthorized user must be prevented from performing any operation at all.
1. MySQL authorization and permissions
MySQL privileges fall into two broad groups: administrative privileges that apply to the server as a whole, and privileges on database objects (which can be granted at the global, database, table or column level). Both kinds are granted and revoked with the GRANT and REVOKE statements respectively. Object privileges such as CREATE, SELECT, UPDATE, DELETE, INSERT, EXECUTE, INDEX, ALTER and DROP can be granted to users, as can administrative privileges such as SHUTDOWN. The root user has all privileges by default.
2. MongoDB authorization and permissions
As the official documentation notes, when mongod is started without any parameters, anyone who can reach its port can perform any operation on any database, including from remote hosts. Running without parameters is therefore acceptable only during development. Starting mongod with the --auth parameter turns on authentication, so a connection that has not authenticated is refused access to the data.
(1) Bind to a single IP address (binding to 127.0.0.1 means only clients on the same host can connect; for remote clients bind to an internal interface and restrict access with a firewall)
mongod --bind_ip 127.0.0.1
(2) Specify the service port
mongod --bind_ip 127.0.0.1 --port 27888
(3) Enable user authentication
mongod --bind_ip 127.0.0.1 --port 27888 --auth
(4) Add a user
A fresh MongoDB installation has an admin database by default. Users stored in admin.system.users are privileged: they can access every database, whereas users stored in the system.users collection of any other database are confined to that database.
Note that as long as admin.system.users is empty, starting mongod with --auth has no practical effect: until the first user is added to the admin database, no authentication is required and any operation can still be performed. The first step is therefore to add a user to admin.system.users.
Two users are created below. First, in the foo database, a user named user1 with the password pwd1:
- [root@localhost bin]# ./mongo --port 27888
- MongoDB shell version: 1.8.1
- connecting to: test
- > use foo
- switched to db foo
- > db.addUser("user1","pwd1")
- {
- "user" : "user1",
- "readOnly" : false,
- "pwd" : "35263c100eea1512cf3c3ed83789d5e4"
- }
Then, in the admin database, a user named root with the password pwd2:
- > use admin
- switched to db admin
- > db.addUser("root", "pwd2")
- {
- "_id" : ObjectId("4f8a87bce495a88dad4613ad"),
- "user" : "root",
- "readOnly" : false,
- "pwd" : "20919e9a557a9687c8016e314f07df42"
- }
- > db.auth("root", "pwd2")
- 1
- >
db.auth() returns 1 when authentication succeeds. To view the users stored in a specific database, query that database's system.users collection:
- > use admin
- switched to db admin
- > db.system.users.find();
- { "_id" : ObjectId("4f8a87bce495a88dad4613ad"), "user" : "root", "readOnly" : false, "pwd" : "20919e9a557a9687c8016e314f07df42" }
- > use foo
- switched to db foo
- > db.system.users.find();
- { "_id" : ObjectId("4f92966d77aeb2b2e730c1bb"), "user" : "user1", "readOnly" : false, "pwd" : "35263c100eea1512cf3c3ed83789d5e4" }
- >
Next, verify that the permission settings take effect by connecting without any credentials:
- [root@localhost bin]# ./mongo --port 27888
- MongoDB shell version: 1.8.1
- connecting to: 127.0.0.1:27888/test
- > use foo
- switched to db foo
- > db.system.users.find();
- error: {
- "$err" : "unauthorized db:foo lock type:-1 client:127.0.0.1",
- "code" : 10057
- }
- > use admin
- switched to db admin
- > db.system.users.find();
- error: {
- "$err" : "unauthorized db:admin lock type:-1 client:127.0.0.1",
- "code" : 10057
- }
- >
The results above show that every operation is rejected when no user name and password are supplied at logon, so the security deployment is in effect. Next, consider another scenario:
- [root@localhost bin]# ./mongo --port 27888 -uroot -ppwd2
- MongoDB shell version: 1.8.1
- connecting to: 127.0.0.1:27888/test
- Sat Apr 21 19:23:15 uncaught exception: login failed
- exception: login failed
Strangely, the login fails even though the user name and password are correct. The mongod log explains why:
auth: couldn't find user root, test.system.users
Because no database name was given on the command line, the shell connected to the default database test and tried to authenticate against test.system.users, where no such user exists. MongoDB authentication is per database: credentials are looked up only in the system.users collection of the database being authenticated against, so the database must be named explicitly:
- [root@localhost bin]# ./mongo --port 27888 admin -uroot -ppwd2
- MongoDB shell version: 1.8.1
- connecting to: 127.0.0.1:27888/admin
- > show collections;
- system.indexes
- system.users
- > use foo
- switched to db foo
- > show collections
- system.indexes
- system.users
- t1
- >
The root user created in admin can operate on every database. What can user1 do? Let's try:
- [root@localhost bin]# ./mongo --port 27888 foo -uuser1 -ppwd1
- MongoDB shell version: 1.8.1
- connecting to: 127.0.0.1:27888/foo
- > show collections;
- system.indexes
- system.users
- t1
- > use test
- switched to db test
- > show collections
- Sat Apr 21 19:28:25 uncaught exception: error: {
- "$err" : "unauthorized db:test lock type:-1 client:127.0.0.1",
- "code" : 10057
- }
- >
As the results show, user1 was created in the foo database, so it is confined to foo and has no permission on any other database, not even test.