MongoDB tip: mongodb security with user authentication and role assignment, limiting access via mongodb bi connector

This post should be treated as continuation of the previous post on authentication, I will also use mysql workbench to display how this can enhance the access control to mongod via MongoDB BI Connector. Please refer to this post and/or this post for more information on MongoDB BI Connector.


From previous posts, we have created an "admin" user with admin role "root", here is what we had created.
minerva-reports:PRIMARY> db.getUser("admin")
{
        "_id" : "admin.admin",
        "user" : "admin",
        "db" : "admin",
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                }
        ]
}
Let's check it out admin user connecting via mysql workbench, this post contains information on how to configure the connection via mysql workbench.

As we can see from the screenshot shown below, we have access to everything we specify in the mongosqld (aka. the bi connector process). This post contains how we connect to multiple databases via mongosqld.




Now, let's create our users, I am going to create two users, one with "read" role to "equipment" and another with "read" role to "equipment" and "reference-data". It's recommended by MongoDB to manage username under admin database, however, you can store user information on different databases as well. (at least this is true as of version 3.2.11)
minerva-reports:PRIMARY> use admin
switched to db admin
minerva-reports:PRIMARY> db.createUser({ user:"onedb",  pwd:"onedb", roles:[{ role:"read", db:"equipment" }] })
Successfully added user: {
        "user" : "onedb",
        "roles" : [
                {
                        "role" : "read",
                        "db" : "equipment"
                }
        ]
}
minerva-reports:PRIMARY> db.createUser({ user:"twodb",  pwd:"twodb", roles:[{ role:"read", db:"equipment" },{ role:"read", db:"reference-data" }] })
Successfully added user: {
        "user" : "twodb",
        "roles" : [
                {
                        "role" : "read",
                        "db" : "equipment"
                },
                {
                        "role" : "read",
                        "db" : "reference-data"
                }
        ]
}

Let's first verified our user access restriction from mongo shell
minerva-reports:PRIMARY> use admin
switched to db admin
minerva-reports:PRIMARY> db.auth("twodb","twodb")
1
minerva-reports:PRIMARY> show databases
2017-08-22T10:42:40.620-0400 E QUERY    [thread1] Error: listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
        "code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:769:19
shellHelper@src/mongo/shell/utils.js:659:15
@(shellhelp2):1:1
minerva-reports:PRIMARY> use equipment
switched to db equipment
minerva-reports:PRIMARY> show collections
equipmentEventTracker
status
system.profile
upDown
minerva-reports:PRIMARY> use task
switched to db task
minerva-reports:PRIMARY> show collections
2017-08-22T10:42:58.195-0400 E QUERY    [thread1] Error: listCollections failed: {
        "ok" : 0,
        "errmsg" : "not authorized on task to execute command { listCollections: 1.0, filter: {} }",
        "code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:807:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:819:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:830:16
shellHelper.show@src/mongo/shell/utils.js:762:9
shellHelper@src/mongo/shell/utils.js:659:15
@(shellhelp2):1:1
Note from what are seeing above, the user "twodb" that we created can only read from the databases the user is granted the "read" access to. You can not do show collections on the database that you have no "read" access.


Now, let's verify the same access level holds true for MongoDB BI Connector.

First, we connect as onedb, as you can see, we have only access to the one database that the user is granted the access to.



The same thing applies to twodb, now with two databases listed





Comments

Popular posts from this blog

MongoDB Tips: Kill long running processes

Oracle Goldengate Extract, Pump, and Replicat

MongoDB Ops Manager Basic Installation and Configuration