MongoDB access rights control

Source: Internet
Author: User

MongoDB access control protects the database. Here, access control means binding the listening IP address, setting the listening port, and requiring clients to log in with an account and password.

One. Access control parameters

1. Bind IP address

mongod parameter: --bind_ip <ip address>

By default mongod accepts connections on all IP addresses. This parameter specifies the IP address(es) on which mongod listens for client connections; clients can reach mongod only through a bound address, and connections to any other address are refused.

2. Set the listening port

mongod parameter: --port <port>

MongoDB listens on TCP port 27017 by default. This parameter explicitly sets the port the instance listens on; a client can connect only if the port it connects to matches the port the instance listens on.

3. Enable user authentication

mongod parameter: --auth

The default is no authentication, i.e. --noauth. The --auth parameter enables user access control: when mongod is started with it, MongoDB verifies the connecting client's account and password to determine its access rights. If authentication fails, the client cannot access the MongoDB database.

Enables authorization to control user's access to database resources and operations. When authorization is enabled, MongoDB requires all clients to authenticate themselves first in order to determine the access for the client.

4. Authentication parameters

mongo parameter: --username <username>, -u <username>
mongo parameter: --password <password>, -p <password>
mongo parameter: --authenticationDatabase <dbname>: the database in which the user was created. A user is created in a specific database, and that database is the user's authentication database.

When mongo connects, the account and password given with -u and -p are authenticated against the database given with --authenticationDatabase. If no authentication database is specified, mongo uses the database named in the connection string as the authentication database.

Two. Role-based access control (RBAC)

A role grants a user permission to perform specified actions on specified resources. The MongoDB manual defines a role as:

A role grants privileges to perform the specified actions on resource.

MongoDB ships with built-in roles predefined at the database level to simplify administration, and it lets administrators create user-defined roles that control what a user may do at the collection level when finer-grained permissions are needed.
MongoDB grants users access to resources through roles: a user's roles determine which database resources the user can access and which actions it can perform. A user may be granted one or more roles; a user with no roles has no access to the MongoDB system.

A user is granted one or more roles that determine the user's access to database resources and operations. Outside of role assignments, the user has no access to the system.

1. Built-in roles

Built-in roles are predefined by MongoDB, and the resources they operate on are at the database level. MongoDB has a superuser role, root, with maximum permissions: it can perform any operation on any resource in the system.

Database user roles:

    • read: grants the user read-only access to data
    • readWrite: grants the user permission to read and write data

Database administration roles:

    • dbAdmin: perform administrative operations in the current database
    • dbOwner: perform any action in the current database
    • userAdmin: manage users in the current database

Backup and restore roles:

    • backup
    • restore

All-database roles:

    • readAnyDatabase: grants permission to read data in all databases
    • readWriteAnyDatabase: grants permission to read and write data in all databases
    • userAdminAnyDatabase: grants permission to administer users in all databases
    • dbAdminAnyDatabase: grants permission to administer all databases

Cluster administration roles:

    • clusterAdmin: grants the highest privileges for administering a cluster
    • clusterManager: grants permission to manage and monitor the cluster. A user with this role can access the config and local databases, which are used in sharding and replication respectively.
    • clusterMonitor: grants read-only access to the cluster's monitoring tools
    • hostManager: grants permission to monitor and manage servers

2. User-defined roles

Built-in roles only control what a user may do at the database level. Administrators can create custom roles that control the actions a user may perform at the collection level, that is, restrict the user to specific actions on specific collections of the current database.

When creating a role, four attributes of the role must be determined:

    • Scope: where the role can be used. A role created in admin can be used in other databases; a role created in any other database can only be used in that database;
    • Resource: the resource the role controls; the role grants permission to perform specific actions on that resource;
    • Privilege actions: the actions the user may perform on the resource, chosen from the system-defined privilege actions;
    • Inheritance: a role can inherit the permissions of other roles.

2.1 Role scope

A role created in the admin database has global scope: it can be used in admin, in other databases, and on the cluster, and it can inherit roles from other databases. A role created in a non-admin database is scoped to that database: it can only be used there and can only inherit roles of that same database.

A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the admin database. Except for roles created in the admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.

2.2 Privilege actions

A MongoDB privilege consists of two parts: a resource and the actions allowed on it. Privilege actions define what the user may do with the resource. For example, the query and write actions that MongoDB performs at the document level are:

    • find
    • insert
    • remove
    • update

3. Create a role

Use db.createRole() to create a role in the current database. Example syntax (the role new_role is created in admin, so it may hold cluster privileges and privileges on other databases):

use admin
db.createRole(
  {
    role: "new_role",
    privileges: [
      // cluster-level action
      { resource: { cluster: true }, actions: [ "addShard" ] },
      // all collections of the config database
      { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] },
      // one specific collection of the users database
      { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] },
      // every collection in every database
      { resource: { db: "", collection: "" }, actions: [ "find" ] }
    ],
    roles: [
      { role: "read", db: "admin" }
    ]
  },
  { w: "majority", wtimeout: 5000 }
)

The roles array lists the inherited roles, that is, the newly created new_role inherits the permissions of every role in the array:

    • if the inherited role is in the current database, the format is: roles: ["role"];
    • if the inherited role is in another database, a document must name that database: roles: [{ role: "role_name", db: "db_name" }].

4. Role management functions

  • db.createRole(): creates a role and specifies its privileges.
  • db.updateRole(): updates a user-defined role.
  • db.dropRole(): deletes a user-defined role.
  • db.dropAllRoles(): deletes all user-defined roles associated with a database.
  • db.grantPrivilegesToRole(): assigns privileges to a user-defined role.
  • db.revokePrivilegesFromRole(): removes the specified privileges from a user-defined role.
  • db.grantRolesToRole(): specifies roles from which a user-defined role inherits privileges.
  • db.revokeRolesFromRole(): removes inherited roles from a role.
  • db.getRole(): returns information for the specified role.
  • db.getRoles(): returns information for all the user-defined roles in a database.

Three. Managing users and permissions

1. Create a user

use db_name
db.createUser({
  user: "user_name",
  pwd: "user_pwd",
  roles: [
    { role: "clusterAdmin", db: "admin" },
    { role: "readAnyDatabase", db: "admin" },
    "readWrite"
  ]
})

The new user is granted one or more roles through the roles array:

    • if the role exists in the current database, the format is: roles: ["role"];
    • if the role is in another database, the format is: roles: [{ role: "role_name", db: "db_name" }].
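The following is an added example, not code from the original post: an offline model of the rules described in sections 2.1 to 3 and in the user creation step above. It flattens a user's roles (including inherited ones) into effective privileges, matches privilege resources against a target the way the createRole resource documents are written ("" meaning any database or collection, cluster: true for the cluster), and checks the scope rule that only admin roles may inherit across databases. The role definitions are constructed sample data keyed as "db.role"; real definitions could be exported with db.getRoles({ showPrivileges: true }) for the same kind of least-privilege audit.

```javascript
// Constructed sample role catalogue, keyed "db.role". Shapes follow db.createRole().
const roles = {
  "admin.read": { privileges: [{ resource: { db: "admin", collection: "" }, actions: ["find"] }], roles: [] },
  "admin.new_role": {
    privileges: [
      { resource: { cluster: true }, actions: ["addShard"] },
      { resource: { db: "config", collection: "" }, actions: ["find", "update", "insert", "remove"] },
      { resource: { db: "users", collection: "usersCollection" }, actions: ["update", "insert", "remove"] },
      { resource: { db: "", collection: "" }, actions: ["find"] },
    ],
    roles: [{ role: "read", db: "admin" }],
  },
  // A non-admin role: may only hold privileges on, and inherit from, its own database.
  "app.reporter": { privileges: [{ resource: { db: "app", collection: "events" }, actions: ["find"] }], roles: [] },
};

// Scope rule (section 2.1): only a role defined in admin may inherit roles of other databases.
function checkScope(db, def) {
  return def.roles.every((r) => db === "admin" || r.db === db);
}

// Flatten a role and everything it inherits into one privilege list (cycle-safe).
function effectivePrivileges(key, seen = new Set()) {
  if (seen.has(key) || !roles[key]) return [];
  seen.add(key);
  const def = roles[key];
  const inherited = def.roles.flatMap((r) => effectivePrivileges(`${r.db}.${r.role}`, seen));
  return def.privileges.concat(inherited);
}

// Resource matching as in createRole documents: "" is a wildcard for db or collection,
// and { cluster: true } only matches the cluster target. (System collections are not
// special-cased here; MongoDB excludes them from the "" wildcard.)
function resourceMatches(res, target) {
  if (res.cluster) return target.cluster === true;
  if (target.cluster) return false;
  return (res.db === "" || res.db === target.db) && (res.collection === "" || res.collection === target.collection);
}

// Does a user holding userRoles ([{ role, db }], as in db.createUser) have `action` on `target`?
// A user with no roles gets no access at all.
function isAuthorized(userRoles, action, target) {
  return userRoles
    .flatMap((r) => effectivePrivileges(`${r.db}.${r.role}`))
    .some((p) => resourceMatches(p.resource, target) && p.actions.includes(action));
}
```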

2. Authentication (authenticate)

When mongo connects to mongod, there are two ways to authenticate:

    • authenticate while connecting: mongo is started with --authenticationDatabase <dbname> (together with -u and -p) to name the authentication database;
    • authenticate after connecting: mongo is started without --authenticationDatabase; after connecting to mongod, switch to the authentication database and call db.auth() to verify that the user has permission to access it.

use db_name
db.auth("user_name", "user_pwd")

3. User management functions

  • db.auth(): authenticates a user to a database.
  • db.createUser(): creates a new user.
  • db.updateUser(): updates user data.
  • db.changeUserPassword(): changes an existing user's password.
  • db.dropAllUsers(): deletes all users associated with a database.
  • db.dropUser(): removes a single user.
  • db.grantRolesToUser(): grants a role and its privileges to a user.
  • db.revokeRolesFromUser(): removes a role from a user.
  • db.getUser(): returns information about the specified user.
  • db.getUsers(): returns information about all users associated with a database.
