MongoDB tip: mongodb security with user authentication and role assignment, limiting access via mongodb bi connector

-
This post should be treated as continuation of the previous post on authentication, I will also use mysql workbench to display how this can enhance the access control to mongod via MongoDB BI Connector. Please refer to this post and/or this post for more information on MongoDB BI Connector.


From previous posts, we have created an "admin" user with admin role "root", here is what we had created.

minerva-reports:PRIMARY> db.getUser("admin")

{

        "_id" : "admin.admin",

        "user" : "admin",

        "db" : "admin",

        "roles" : [

                {

                        "role" : "root",

                        "db" : "admin"

                }

        ]

}
Let's check it out admin user connecting via mysql workbench, this post contains information on how to configure the connection via mysql workbench.

As we can see from the screenshot shown below, we have access to everything we specify in the mongosqld (aka. the bi connector process). This post contains how we connect to multiple databases via mongosqld.




Now, let's create our users, I am going to create two users, one with "read" role to "equipment" and another with "read" role to "equipment" and "reference-data". It's recommended by MongoDB to manage username under admin database, however, you can store user information on different databases as well. (at least this is true as of version 3.2.11)

minerva-reports:PRIMARY> use admin

switched to db admin





minerva-reports:PRIMARY> db.createUser({ user:"onedb",  pwd:"onedb", roles:[{ role:"read", db:"equipment" }] })

Successfully added user: {

        "user" : "onedb",

        "roles" : [

                {

                        "role" : "read",

                        "db" : "equipment"

                }

        ]

}



minerva-reports:PRIMARY> db.createUser({ user:"twodb",  pwd:"twodb", roles:[{ role:"read", db:"equipment" },{ role:"read", db:"reference-data" }] })

Successfully added user: {

        "user" : "twodb",

        "roles" : [

                {

                        "role" : "read",

                        "db" : "equipment"

                },

                {

                        "role" : "read",

                        "db" : "reference-data"

                }

        ]

}

Let's first verified our user access restriction from mongo shell

minerva-reports:PRIMARY> use admin

switched to db admin

minerva-reports:PRIMARY> db.auth("twodb","twodb")

1

minerva-reports:PRIMARY> show databases

2017-08-22T10:42:40.620-0400 E QUERY    [thread1] Error: listDatabases failed:{

        "ok" : 0,

        "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",

        "code" : 13

} :

_getErrorWithCode@src/mongo/shell/utils.js:25:13

Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1

shellHelper.show@src/mongo/shell/utils.js:769:19

shellHelper@src/mongo/shell/utils.js:659:15

@(shellhelp2):1:1

minerva-reports:PRIMARY> use equipment

switched to db equipment

minerva-reports:PRIMARY> show collections

equipmentEventTracker

status

system.profile

upDown

minerva-reports:PRIMARY> use task

switched to db task

minerva-reports:PRIMARY> show collections

2017-08-22T10:42:58.195-0400 E QUERY    [thread1] Error: listCollections failed: {

        "ok" : 0,

        "errmsg" : "not authorized on task to execute command { listCollections: 1.0, filter: {} }",

        "code" : 13

} :

_getErrorWithCode@src/mongo/shell/utils.js:25:13

DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:807:1

DB.prototype.getCollectionInfos@src/mongo/shell/db.js:819:19

DB.prototype.getCollectionNames@src/mongo/shell/db.js:830:16

shellHelper.show@src/mongo/shell/utils.js:762:9

shellHelper@src/mongo/shell/utils.js:659:15

@(shellhelp2):1:1
Note from what are seeing above, the user "twodb" that we created can only read from the databases the user is granted the "read" access to. You can not do show collections on the database that you have no "read" access.


Now, let's verify the same access level holds true for MongoDB BI Connector.

First, we connect as onedb, as you can see, we have only access to the one database that the user is granted the access to.



The same thing applies to twodb, now with two databases listed





Comments

Post a Comment

Popular posts from this blog

MongoDB tip: 4 ways to modify replica set configuration

-
This is just a quick guide on how to modify your replica set settings in 4 different ways. This guide is assuming you have a functional replica set ready, it doesn't matter if it's a single node or multi-node replica set. In each of the four method, I am looking to modify the priority of the _id=0 node Method 1: Via Mongo Shell Login to your Mongo shell,  simply type in mongo , assuming default port is being used and authentication is not enabled [in Mongo shell] cfg = rs.conf() cfg.members[0].priority=99 rs.reconfig(cfg) # "ok":1 indicates the new configuration has been set  MongoDB Enterprise minvera:PRIMARY> rs.reconfig(cfg) {         "ok" : 1,         "operationTime" : Timestamp(1528464949, 1),         "$clusterTime" : {                 "clusterTime" : Timestamp(1528464949, 1),                 "signature" : {                         "hash" : BinData(0
Read more

MongoDB Quick Note: BI Connector Issue

-
This is just a quick note of what can stop mongosqld from working properly that I wasn't aware of. Background: My work runs everything mongodb inside of docker containers, so sometimes it's not as straight forward to see immediately of what's preventing your container from working properly What happened: I ran into issue that my container does not stay up after I updated my drdl to reflect new fields introduced to the underlying collection. How to debug: Go to the host server, copy out entrypoint.sh and add sleep 100000000 to before mongosqld is executed. This force the container to stay up for us to look into issue. Cause of the issue: When I updated the drdl, I used tab instead of space, which is causing the mongsqld to error out Fix: Just replace tab with space and everything is back to normal
Read more

MongoDB Tips: Kill long running processes

-
This is just a quick and simple script to find all active opid that has been running over 10 seconds and they are running against the databases and collections you can specify in the "ns" filter. It's best to first run db.currentOp(    {      "active" : true,      "secs_running" : { "$gt" : 10 },      "ns" : {$in:["equipment.detachment","personnel.detail","personnel.unavailability","personnel.detachment"]}    } ).inprog.forEach(function (doc) { print(doc.opid); }) and verify your output before you execute the kill command in my experience to make sure you are killing the processes that are meant to be killed. Once verifed, simply run: db.currentOp(    {      "active" : true,      "secs_running" : { "$gt" : 10 },      "ns" : {$in:["<db1>.<col1>","<db2>.<col2>","<dbn>.<coln>
Read more