Hour 4. Configuring User Accounts and Access Control
What You’ll Learn in This Hour:
Creating users accounts on MongoDB databases
Listing users on MongoDB databases
Removing users from MongoDB databases
Creating a user administrator account
Creating a database administrator account
Implementing access control in your MongoDB environment
One of the most important aspects of implementing a MongoDB solution is to implement user accounts to that you can control access to the database. The MongoDB shell provides the necessary tools to create, view, and delete user accounts. These user accounts can have rights ranging from read-only up to full database administration.
The hour first focuses on how to use the MongoDB shell to manage user accounts. The second half of this hour deals with implementing access control in your MongoDB environment by creating user and database administrator accounts and then configuring MongoDB to require authentication.
Understanding the Admin Database
When you install MongoDB, an admin database is automatically created for you. The admin database is a special database that provides additional functionality above normal databases.
For example, certain user account roles grant a user rights to multiple databases. These roles can be created only in the admin database. As you will see in subsequent sections, when you want to create a superuser that has rights to all databases, you must add that user to the admin database. When checking for credentials, MongoDB checks the user accounts in the specified database and in the admin database.
Administrating User Accounts
When you have MongoDB up and running, one of the first things you want to do is add users to be able to access the database. Mongo provides the capability to add, remove, and configure users from the MongoDB shell. The following sections discuss using the MongoDB shell to administrate user accounts.
Creating User Accounts
An important part of database administration is creating user accounts that can administrate users and databases, as well as read and write to the databases. User accounts are added using the addUser() method inside the MongoDB shell. The addUser() method accepts a document object that enables you to specify the username, roles, and password that apply to that user. Table 4.1 lists the fields that can be specified in the document object.
MongoDB provides different roles that you can assign to a user account. These roles give you the capability to implement intricate privileges and restrictions on user accounts. Table 4.2 lists some of the more common roles that you can assign to users.
By the Way
The readAnyDatabase, readWriteAnyDatabase, dbAdminAnyDatabase, and userAdminAnyDatabase roles can be applied only to users in the admin database because they must apply to all databases.
To create a user, switch to that database and then use the addUser() method to create the user object. The following MongoDB shell command illustrates creating a basic administrator user for the test database:
use test
db.addUser( { user: "testUser",
pwd: "test",
roles: [ "readWrite", "dbAdmin" ] } )
Now for a more complex example. The following commands add the same user to the newDB database with only read rights and grants readWrite privileges to the testDB2 database:
use newDB
db.addUser( { user: "testUser",
userSource: "test",
roles: [ "read" ],
otherDBRoles: { testDB2: [ "readWrite" ] } } )
Listing Users
User accounts are stored in the db.system.users collection of each database. The User object contains the _id, user, pwd, roles, and sometimes otherDBRoles fields. You can use a couple different methods for getting a list of user objects. The first is to change to the database you want to list users on and then execute the show users command. The following shell commands show changing to the test database and listing users:
use test
show users
You can also use a query such as find on the db.system.users collection. The difference is that db.system.users.find() returns a cursor object that you can use to access the User documents. For example, the following code gets a cursor for users in the admin database and returns the count of users:
use admin
cur = db.system.users.find()
cur.count()
Removing Users
Users can be removed from MongoDB using the removeUser(<username>) method. You first must change to the database the user is on. For example, to remove the testUser user from the testDB database, you would use the following command from the MongoDB shell:
use testDB
db.removeUser("testUser")
Configuring Access Control
One of the first administration tasks you want to perform in the MongoDB shell is to add users to configure access control. MongoDB provides authentication and authorization at a database level, meaning that users exist in the context of a single database. For basic authentication purposes, MongoDB stores user credentials inside a collection called system.users in each database.
Initially, the admin database does not have any users assigned to it. When no users are defined in that admin database, MongoDB allows connections on the local host to have full administrative access to the database. Therefore, your first step in setting up a new MongoDB instance is to create user administrator and database administrator accounts. The user administrator account can create user accounts in the admin and other databases. You also need to create a database administrator account that you can use as a superuser to manage databases, clustering, replication, and other aspects of MongoDB.
By the Way
The user administrator and database administrator accounts are created in the admin database. If you are using authentication for your MongoDB database, you must authenticate to the admin database as one of those users to administrate users or databases. You should also create user accounts for each database, for access purposes, as described in the previous section.
Creating a User Administrator Account
The first step in configuring access control is implementing a user administrator. The user administrator should have only rights to create users and should not be able to manage the databases or other administration functions. This keeps a clean separation between database administration and user account administration.
Creating a user administrator is done by executing the following two commands in the MongoDB shell to access the admin database and then add a user with userAdminAnyDatabase rights.
use admin
db.addUser( { user: "<username>",
pwd: "<password>",
roles: [ "userAdminAnyDatabase" ] } )
The user administrator account should be created with userAdminAnyDatabase as the only role. This gives the user administrator the capability to create new user accounts but not to manipulate the database beyond that. For example, the following lines create a user administrator with the username useradmin and password test:
use admin
db.addUser( { user: "useradmin",
pwd: "test",
roles: [ "userAdminAnyDatabase" ] } )
Turning on Authentication
After you have created the user administrator account, restart the MongoDB database using the --auth parameter or by setting the auth setting in the configuration file. For example:
mongod –dbpath <mongo_data_location>/data/db –auth
Clients now have to use a username and password to access the database. Also, when you access MongoDB from the shell, you must execute the following commands to authenticate to the admin database so that you can add users with rights to the databases:
use admin
db.auth("useradmin", "test")
You can also authenticate to the admin database when starting the MongoDB shell using the --username and --password options. For example:
mongo --username "useradmin " --password "test"
Creating a Database Administrator Account
Creating a Database Administrator is done by executing the addUser method in the MongoDB shell to access the admin database and then adding a user with readWriteAnyDatabase, dbAdminAnyDatabase, and clusterAdmin rights. This gives the user the capability to access all databases in the system, create new databases, and manage MongoDB clusters and replicas. The following example illustrates creating a database administrator named dbadmin:
use admin
db.addUser( { user: "dbadmin",
pwd: "test",
roles: [ "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin" ] } )
You can then use that user in the MongoDB shell to administrate databases. After you have created the new administrator account, you can authenticate as that user using the following commands:
use admin
db.auth("dbadmin", "test")
You can also authenticate to the admin database as the database administrator when starting the MongoDB shell using the --username and --password options. For example:
mongo --username "dbadmin" --password "test"
Summary
Implementing access control is an important part of deploying a MongoDB solution in your environment. Access control is the process of creating user accounts that act in various roles and requiring that users authenticate to be able to access MongoDB database servers.
Users can be assigned different roles, such as read, read/write, or administration. These roles restrict the activities that the user can perform when connected to the database. When implementing access control, you can create one user that has rights to administrate user accounts only and a separate user that has only rights to administrate the database, thus providing for tighter access control.
In this chapter, you got a chance to create, view, and delete users. You also saw an example that set up a user administrator and a database administrator and configured the MongoDB server to require authentication.
Q&A
Q. Are other methods available for implementing access control to a MongoDB data store?
A. Sort of. A common approach is to not require authentication to the MongoDB server directly, but to host MongoDB behind a secure firewall so that it can be accessed only via a back-end web server or other server. All requests to the MongoDB server are done on a system that is also behind the firewall. This method does reduce some overhead in authentication and makes coding simpler, but you must make sure that the network behind the firewall is completely secure.
Workshop
The workshop consists of a set of questions and answers designed to solidify your understanding of the material covered in this hour. Try answering the questions before looking at the answers.
Quiz
1. What role would you assign a user you do not want to be able to write to the database?
2. How to you delete a user from a database?
3. True or false: A user with a readWrite role can perform validations on a database.
4. True or false: A user can be assigned to only one role.
5. How do you tell the MongoDB server to require authentication?
Quiz Answers
1. read.
2. Call db.removeUser("<username>") on the database the user is created in.
3. False. The user needs to have a dbAdmin role to be able to perform validations.
4. False. A user can be assigned multiple roles.
5. Use the --auth command-line switch when starting mongod or add auth=true to the configuration file.
Exercises
1. Go back and add the userReader account that you deleted earlier in the chapter.
2. Try authenticating to the MongoDB on the MongoDB shell command line. You need to specify something similar to the following. After you have started the MongoDB shell, verify that you can connect to the test database and list the users.
mongo admin --username "useradmin" --password "test"
3. Write a script and use the db.auth() function to authenticate as the useramdin on the admin database. Then list the users on the test database.