What You’ll Learn in This Hour:
Creating users accounts on MongoDB databases
Listing users on MongoDB databases
Removing users from MongoDB databases
Creating a user administrator account
Creating a database administrator account
Implementing access control in your MongoDB environment
One of the most important aspects of implementing a MongoDB solution is to implement user accounts to that you can control access to the database. The MongoDB shell provides the necessary tools to create, view, and delete user accounts. These user accounts can have rights ranging from read-only up to full database administration.
The hour first focuses on how to use the MongoDB shell to manage user accounts. The second half of this hour deals with implementing access control in your MongoDB environment by creating user and database administrator accounts and then configuring MongoDB to require authentication.
When you install MongoDB, an admin
database is automatically created for you. The admin
database is a special database that provides additional functionality above normal databases.
For example, certain user account roles grant a user rights to multiple databases. These roles can be created only in the admin
database. As you will see in subsequent sections, when you want to create a superuser that has rights to all databases, you must add that user to the admin
database. When checking for credentials, MongoDB checks the user accounts in the specified database and in the admin
database.
When you have MongoDB up and running, one of the first things you want to do is add users to be able to access the database. Mongo provides the capability to add, remove, and configure users from the MongoDB shell. The following sections discuss using the MongoDB shell to administrate user accounts.
An important part of database administration is creating user accounts that can administrate users and databases, as well as read and write to the databases. User accounts are added using the addUser()
method inside the MongoDB shell. The addUser()
method accepts a document
object that enables you to specify the username, roles, and password that apply to that user. Table 4.1 lists the fields that can be specified in the document object.
MongoDB provides different roles that you can assign to a user account. These roles give you the capability to implement intricate privileges and restrictions on user accounts. Table 4.2 lists some of the more common roles that you can assign to users.
By the Way
The readAnyDatabase
, readWriteAnyDatabase
, dbAdminAnyDatabase
, and userAdminAnyDatabase
roles can be applied only to users in the admin
database because they must apply to all databases.
To create a user, switch to that database and then use the addUser()
method to create the user object. The following MongoDB shell command illustrates creating a basic administrator user for the test database:
use test
db.addUser( { user: "testUser",
pwd: "test",
roles: [ "readWrite", "dbAdmin" ] } )
Now for a more complex example. The following commands add the same user to the newDB
database with only read
rights and grants readWrite
privileges to the testDB2
database:
use newDB
db.addUser( { user: "testUser",
userSource: "test",
roles: [ "read" ],
otherDBRoles: { testDB2: [ "readWrite" ] } } )
User accounts are stored in the db.system.users
collection of each database. The User
object contains the _id
, user
, pwd
, roles
, and sometimes otherDBRoles
fields. You can use a couple different methods for getting a list of user objects. The first is to change to the database you want to list users on and then execute the show users
command. The following shell commands show changing to the test
database and listing users:
use test
show users
You can also use a query such as find
on the db.system.users
collection. The difference is that db.system.users.find()
returns a cursor object that you can use to access the User
documents. For example, the following code gets a cursor for users in the admin
database and returns the count of users:
use admin
cur = db.system.users.find()
cur.count()
Users can be removed from MongoDB using the removeUser(<username>)
method. You first must change to the database the user is on. For example, to remove the testUser
user from the testDB
database, you would use the following command from the MongoDB shell:
use testDB
db.removeUser("testUser")
One of the first administration tasks you want to perform in the MongoDB shell is to add users to configure access control. MongoDB provides authentication and authorization at a database level, meaning that users exist in the context of a single database. For basic authentication purposes, MongoDB stores user credentials inside a collection called system.users
in each database.
Initially, the admin
database does not have any users assigned to it. When no users are defined in that admin
database, MongoDB allows connections on the local host to have full administrative access to the database. Therefore, your first step in setting up a new MongoDB instance is to create user administrator and database administrator accounts. The user administrator account can create user accounts in the admin and other databases. You also need to create a database administrator account that you can use as a superuser to manage databases, clustering, replication, and other aspects of MongoDB.
By the Way
The user administrator and database administrator accounts are created in the admin
database. If you are using authentication for your MongoDB database, you must authenticate to the admin
database as one of those users to administrate users or databases. You should also create user accounts for each database, for access purposes, as described in the previous section.
The first step in configuring access control is implementing a user administrator. The user administrator should have only rights to create users and should not be able to manage the databases or other administration functions. This keeps a clean separation between database administration and user account administration.
Creating a user administrator is done by executing the following two commands in the MongoDB shell to access the admin
database and then add a user with userAdminAnyDatabase
rights.
use admin
db.addUser( { user: "<username>",
pwd: "<password>",
roles: [ "userAdminAnyDatabase" ] } )
The user administrator account should be created with userAdminAnyDatabase
as the only role. This gives the user administrator the capability to create new user accounts but not to manipulate the database beyond that. For example, the following lines create a user administrator with the username useradmin
and password test
:
use admin
db.addUser( { user: "useradmin",
pwd: "test",
roles: [ "userAdminAnyDatabase" ] } )
After you have created the user administrator account, restart the MongoDB database using the --auth
parameter or by setting the auth
setting in the configuration file. For example:
mongod –dbpath <mongo_data_location>/data/db –auth
Clients now have to use a username and password to access the database. Also, when you access MongoDB from the shell, you must execute the following commands to authenticate to the admin
database so that you can add users with rights to the databases:
use admin
db.auth("useradmin", "test")
You can also authenticate to the admin
database when starting the MongoDB shell using the --username
and --password
options. For example:
mongo --username "useradmin " --password "test"
Creating a Database Administrator is done by executing the addUser
method in the MongoDB shell to access the admin
database and then adding a user with readWriteAnyDatabase
, dbAdminAnyDatabase
, and clusterAdmin
rights. This gives the user the capability to access all databases in the system, create new databases, and manage MongoDB clusters and replicas. The following example illustrates creating a database administrator named dbadmin
:
use admin
db.addUser( { user: "dbadmin",
pwd: "test",
roles: [ "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin" ] } )
You can then use that user in the MongoDB shell to administrate databases. After you have created the new administrator account, you can authenticate as that user using the following commands:
use admin
db.auth("dbadmin", "test")
You can also authenticate to the admin
database as the database administrator when starting the MongoDB shell using the --username
and --password
options. For example:
mongo --username "dbadmin" --password "test"
Implementing access control is an important part of deploying a MongoDB solution in your environment. Access control is the process of creating user accounts that act in various roles and requiring that users authenticate to be able to access MongoDB database servers.
Users can be assigned different roles, such as read, read/write, or administration. These roles restrict the activities that the user can perform when connected to the database. When implementing access control, you can create one user that has rights to administrate user accounts only and a separate user that has only rights to administrate the database, thus providing for tighter access control.
In this chapter, you got a chance to create, view, and delete users. You also saw an example that set up a user administrator and a database administrator and configured the MongoDB server to require authentication.
Q. Are other methods available for implementing access control to a MongoDB data store?
A. Sort of. A common approach is to not require authentication to the MongoDB server directly, but to host MongoDB behind a secure firewall so that it can be accessed only via a back-end web server or other server. All requests to the MongoDB server are done on a system that is also behind the firewall. This method does reduce some overhead in authentication and makes coding simpler, but you must make sure that the network behind the firewall is completely secure.
The workshop consists of a set of questions and answers designed to solidify your understanding of the material covered in this hour. Try answering the questions before looking at the answers.
1. What role would you assign a user you do not want to be able to write to the database?
2. How to you delete a user from a database?
3. True or false: A user with a readWrite
role can perform validations on a database.
4. True or false: A user can be assigned to only one role.
5. How do you tell the MongoDB server to require authentication?
1. read.
2. Call db.removeUser("<username>")
on the database the user is created in.
3. False. The user needs to have a dbAdmin
role to be able to perform validations.
4. False. A user can be assigned multiple roles.
5. Use the --auth
command-line switch when starting mongod
or add auth=true
to the configuration file.
1. Go back and add the userReader
account that you deleted earlier in the chapter.
2. Try authenticating to the MongoDB on the MongoDB shell command line. You need to specify something similar to the following. After you have started the MongoDB shell, verify that you can connect to the test
database and list the users.
mongo admin --username "useradmin" --password "test"
3. Write a script and use the db.auth()
function to authenticate as the useramdin
on the admin
database. Then list the users on the test
database.
18.191.254.44