bugcy013
1/19/2017 - 2:57 PM

mongodb_simple_auth.txt

Users & Roles
================

MongoDB ships with a number of predefined roles. The ones used in this note:

root - All powerful (superuser over every database). Use with caution
userAdminAnyDatabase - Can create users and assign roles on any database. Because it can grant any role, including root, to any user (itself included), treat it as a superuser as well. Use with caution
userAdmin - Can only create users and assign roles in a specific database
read - Read collections in a specific database
readWrite - Read and write to a specific database
readAnyDatabase - Read collections in every database

The "...AnyDatabase" roles (and root) exist only in the `admin' database, so a user holding them must be created there with "db" : "admin".


To list the users defined in the current database:

> db.getUsers()

All users, whatever database they belong to, are stored in the `system.users' collection of the `admin' database:

> use admin
> db.system.users.find()

STEP - 1
========

Add Users Before Enabling Access Control

Create Admin User :: -

The first thing is to create an admin user. Open the mongo shell and
connect to the `admin' database.

The first user should be an admin user that can manage users and roles for the whole instance.

Create a user and assign it the role userAdminAnyDatabase (if access control was already enabled, the localhost exception still lets you create this first user, but only from a connection on the server itself and only until a user exists):

use admin

var user = {
    "user" : "root",
    "pwd" : "toor",
    roles : [
	{
	    "role" : "userAdminAnyDatabase",
	    "db" : "admin"
	}
    ]
}

db.createUser(user);

How to check that the user was created
---------------------------------------

db.getUsers()
[
	{
		"_id" : "admin.root",
		"user" : "root",
		"db" : "admin",
		"roles" : [
			{
				"role" : "userAdminAnyDatabase",
				"db" : "admin"
			}
		]
	}
]


STEP - 2
========
Enabling Access Control ::

in /etc/mongod.conf add (YAML, so keep the two-space indent):

security:
   authorization: enabled

After updating the config file, restart the mongod service; authorization is only read at startup.

STEP - 3
========
From here on a username and password are required to do anything useful in a database. You can still open a shell without credentials, but every command that needs a privilege fails with errors like these:

> show databases;
2016-06-05T08:05:22.960+0530 E QUERY    [thread1] Error: listDatabases failed:{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
	"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
> 

Connect with the credentials instead. The user was created in `admin', so authenticate against that database. Give -p with no value so the shell prompts for the password; a password typed on the command line ends up in shell history and in `ps' output.

$mongo admin -u root -p
MongoDB shell version: 3.2.5
Enter password: 
connecting to: admin
>

STEP - 4
========	

Let's create an application user with read/write access.

Before creating the application user, switch to the particular database the application uses. The user is stored in that database and must later authenticate against it (pass `hermes' as the database argument to mongo, or use --authenticationDatabase hermes), not against `admin'.

> use hermes;

var user = {
    "user" : "appuser",
    "pwd" : "app123",
    roles : [
        {
            "role" : "readWrite",
            "db" : "hermes"
        }
    ]
}

db.createUser(user);

let's verify 

> db.getUsers()
[
	{
		"_id" : "hermes.appuser",
		"user" : "appuser",
		"db" : "hermes",
		"roles" : [
			{
				"role" : "readWrite",
				"db" : "hermes"
			}
		]
	}
]
> 

STEP - 5
========

Let's create a read-only user that can read any database. readAnyDatabase is only available in `admin', so connect there as the userAdminAnyDatabase user from STEP 1 and create the user in `admin':

$mongo admin -u root -p

var user = {
    "user" : "reporting",
    "pwd" : "abc123",
    roles : [
        {
            "role" : "readAnyDatabase",
	    "db" : "admin"
           
        }
    ]
}

db.createUser(user);
exit

Reconnect as `reporting' (authenticating against `admin', where that user was created) and switch to `hermes'. Reads succeed, but any write is refused:

> db.products.insert({ "title" : "MongoDB in Action"  });
WriteResult({
	"writeError" : {
		"code" : 13,
		"errmsg" : "not authorized on hermes to execute command { insert: \"products\", documents: [ { _id: ObjectId('5753d9af680d6e283c83138f'), title: \"MongoDB in Action\" } ], ordered: true }"
	}
})
> 

Any insert/update/delete attempted by this user fails with code 13 (Unauthorized); only read operations are allowed.

How to update the user role:
=============================
Users are updated in the database they were created in. To promote the `root' user from STEP 1 (which lives in `admin') to the root role:

use admin

db.updateUser( "root",
               {
                 
                 roles : [
                           { role : "root", db : "admin"  }
                         ]
                }
             )

Note that the roles array given to db.updateUser replaces the user's existing roles entirely. To add a role while keeping the current ones, use db.grantRolesToUser instead.


Enforce keyfile access control (replica sets)
==============================================
Members of a replica set authenticate to each other with a shared keyfile. Generate it once, and make it readable only by the mongod user (mongod refuses a keyfile with group or world permissions):

cd /var/lib/mongo
openssl rand -base64 755  > dv_mongo.key
chmod 400 dv_mongo.key
chown mongod: dv_mongo.key

security:
    authorization: enabled
    keyFile: /var/lib/mongo/dv_mongo.key

NOTE :: Copy dv_mongo.key, with the same contents, path, owner and permissions, to every member of the replica set (all secondaries as well as the primary), then restart each mongod. Setting keyFile also turns on client authorization, so the users created above are required on every member.
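The two server-side pieces above (STEP 2's `authorization: enabled' and the keyfile stanza) are easy to get subtly wrong: a mis-indented key silently does nothing, and a keyfile with loose permissions stops mongod from starting. The script below is an added example, not part of the original gist: it creates a keyfile with the permissions mongod requires and audits a mongod.conf for both settings, run here against constructed config files in a temporary directory (the paths and file names are assumptions).

```shell
#!/bin/sh
# Added example (not from the original gist): keyfile creation plus a mongod.conf
# audit for security.authorization / security.keyFile. Paths are assumptions.
set -eu

# make_keyfile PATH : write a random base64 key readable only by its owner.
# mongod rejects a keyfile that is group- or world-readable.
make_keyfile() {
    kf=$1
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then
          openssl rand -base64 756 > "$kf"
      else
          head -c 756 /dev/urandom | base64 > "$kf"   # fallback without openssl
      fi )
    chmod 400 "$kf"
}

# keyfile_ok PATH : 0 if the file exists, is non-empty and is mode 0400 or 0600.
keyfile_ok() {
    kf=$1
    [ -s "$kf" ] || return 1
    [ -n "$(find "$kf" -maxdepth 0 \( -perm 400 -o -perm 600 \) 2>/dev/null)" ]
}

# conf_auth_enabled CONF : 0 if "authorization: enabled" sits under "security:".
# Minimal YAML walk: a non-indented line starts a new top-level block.
conf_auth_enabled() {
    awk '
        /^[^ #]/ { insec = ($1 == "security:") }
        insec && $1 == "authorization:" && $2 == "enabled" { found = 1 }
        END { exit !found }
    ' "$1"
}

# conf_keyfile CONF : print the keyFile path from the security block, if any.
conf_keyfile() {
    awk '
        /^[^ #]/ { insec = ($1 == "security:") }
        insec && $1 == "keyFile:" { print $2 }
    ' "$1"
}

# audit_conf CONF : 0 only if authorization is enabled and, when a keyFile is
# configured, the file exists with safe permissions. Prints each finding.
audit_conf() {
    conf=$1; rc=0
    if ! conf_auth_enabled "$conf"; then
        echo "FAIL: security.authorization is not 'enabled' in $conf"; rc=1
    fi
    kf=$(conf_keyfile "$conf")
    if [ -n "$kf" ] && ! keyfile_ok "$kf"; then
        echo "FAIL: keyFile $kf is missing, empty, or not mode 0400/0600"; rc=1
    fi
    return $rc
}

# --- demo on constructed files (not a real deployment) ---
demo_dir=$(mktemp -d)
make_keyfile "$demo_dir/dv_mongo.key"

# weak: a stock config with no security block at all
printf 'storage:\n  dbPath: /var/lib/mongo\nnet:\n  port: 27017\n' > "$demo_dir/weak.conf"
# corrected: the stanza from the keyfile section of this page
printf 'storage:\n  dbPath: /var/lib/mongo\nsecurity:\n  authorization: enabled\n  keyFile: %s\n' \
    "$demo_dir/dv_mongo.key" > "$demo_dir/good.conf"

audit_conf "$demo_dir/weak.conf" || echo "weak.conf rejected as expected"
audit_conf "$demo_dir/good.conf" && echo "good.conf passes"
```

Point audit_conf at /etc/mongod.conf on each replica set member after copying the keyfile; a FAIL line means mongod either will not start (bad keyfile permissions) or will start without access control (authorization missing or not under security:).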