|
|
MongoDB Security—quick notes |
Russ Bateman
24 April 2013
last update:
There are two aspects to this question. First, establishing that a MongoDB database has and uses usernames and password. Second, coding from Java (what I do) to connect to a database with such requirements.
Note that this MongoDB feature is not typically used. A good installation would consist of
For this reason, and the relative weakness of the MongoDB username and password solution (easily worked around if you have access to the node itseld), it's usually of little interest to use this feature of MongoDB. I'm treating this subject only because I'm going to have to use it in the course of my work for cookie-cutter decision-makers who find what I've just said here irrelevant.
By "database" is meant not MongoDB itself, but any database created in it, but not necessarily every database you create. Therefore, you can set up a user to control access to one database, but not others. Nevertheless, if you set up any authentication requirement for any database, you prohibit access to any and all databases belonging to that MongoDB instance without username and password.
Effectively, you deny access to anyone except for the administrator user you set up if you:
You can set up more than one instance of MongoDB on your host by duplicating mongodb.conf and adding a new dbpath and logpath that are separate from any other, running instance. However, from your application you would have some difficulty connecting to these separate instances. Doing so is beyond the scope of this discussion.
Access to individual MongoDB databases in a host installation is controlled by an administrator, which must be set up. Here are the steps to adding an admininstrator and password to a MongoDB database. This uses the MongoDB shell.
Note that show dbs does not reveal the existence of the admin database in MongoDB. Nevertheless, these steps require "using" that database.
> use admin
> db.addUser( { "user":"admin", "pwd":"Test123", "roles":[ "userAdminAnyDatabase"* ] })
* Other roles include the list below. You'll need this list when creating other database users.
| read | readWrite | |
| dbAdmin | userAdmin | clusterAdmin |
| readAnyDatabase | readWriteAnyDatabase | |
| dbAdminAnyDatabase | userAdminAnyDatabase |
This sets up an administrator user, admin, that will have rights to manage users and passwords for other databases.
If you're doing this live in your database, you're now obliged to bounce MongoDB. You'll need to restart with a command-line argument ‐-auth. In order to have access to it, you'll now need to supply the username and password. Here are two ways.
$ mongo -u admin -p Test123
> use admin
> db.auth( "admin", "Test123" )
For each database for which you want users to have access, you must "use" that database and create one or more users, assign passwords and roles, etc. Here, we create a username that's really for an account management application we've written that is the primary consumer of database accountdb. Also, for variety in our example, we create another user, perhaps for a different application or a monitor, that has only read access.
> use accountdb
> db.addUser( { "user":"accountapp", "pwd":"Test123", "roles":[ "readWrite" ] } )
> db.addUser( { "user":"monitor", "pwd":"asdf234#aa", "roles":[ "read" ] } )
You may wish to refer to documentation on User Privilege Roles in MongoDB as linked to in the table above. Listed with read, readWrite, etc. are the specific operations each role supports.
Of course, you've got a pile of databases and only wish to create the users, passwords and roles in one or two places without having to repeat the exercises multiple times.
There is a "copy" operation, in the person of userSource as a keyword (or left-side key). Assume the new user, password and role created for our account management application above.
> use newdb
> db.addUser( { "user":"accountapp", "userSource":"accountdb", "roles":[ "read" ] })
> db.addUser( { "user":"monitor", "userSource":"accountdb", "roles":[ "read" ] })
It's worth noting that, logically, if you copy over a user from another database, you endow that user with only the roles you specify with that copy. Hence, our account management application has read-only privileges over newdb
Not covered here, it should be noted that, since version 2.4, MongoDB supports Kerberos authentication.
This example uses MongoDB Java driver, version 2.11.x, hence the need to suppress warnings for the deprecated call to Mongo.
"Older" technology (not MongoClient-based) example of MongoDB authentication. The DB.authenticate() method, however, is still valid, so that approach can be mixed with MongoClient in place of using MongoCredential.
Before running this Java example, the following MongoDB shell experience must be conducted and MongoDB bounced to include the ‐‐auth option.
Warning: Unless you've already been running MongoDB in authentication mode, this exercise will make it stop working for whatever else you've been doing with it. To reverse the experiment, simply relaunch MongoDB without the ‐-auth option.
> use admin
> db.addUser( { "user":"admin", "pwd":"Test123", "roles":[ "userAdminAnyDatabase" ] } )
> use test
> db.addUser( { "user":"jack", "pwd":"Test123", "roles":[ "readWrite" ] } )
package com.etretatlogiciels.mongodb;
import java.net.UnknownHostException;
import com.mongodb.BasicDBObject;
import com.mongodb.DB;
import com.mongodb.DBCollection;
import com.mongodb.Mongo;
import com.mongodb.ServerAddress;
public class OldMongoDB
{
private Mongo mongo;
@SuppressWarnings( "deprecation" )
public OldMongoDB()
{
try
{
mongo = new Mongo( new ServerAddress( "localhost", 27017 ) );
}
catch( UnknownHostException e )
{
e.printStackTrace();
}
}
public Mongo getMongo() { return this.mongo; }
public static void main( String[] args )
{
OldMongoDB mongodb = new OldMongoDB();
DB database = mongodb.getMongo().getDB( "test" );
if( database.authenticate( "test", "Test123".toCharArray() ) )
{
DBCollection collection = database.getCollection( "fun" );
BasicDBObject document = new BasicDBObject();
document.put( "notice", "This is a document in an authenticated database." );
collection.insert( document );
}
}
}
This example uses MongoDB Java driver, version 2.11.x.
"Newer" technology (MongoClient/MongoCredential) example of MongoDB authentication.
Before running this Java example, the following MongoDB shell experience must be conducted and MongoDB bounced to include the ‐‐auth option.
Warning: Unless you've already been running MongoDB in authentication mode, this exercise will make it stop working for whatever else you've been doing with it. To reverse the experiment, simply relaunch MongoDB without the ‐‐auth option.
> use admin
> db.addUser( { "user":"admin", "pwd":"Test123", "roles":[ "userAdminAnyDatabase" ] } )
> use test
> db.addUser( { "user":"jack", "pwd":"Test123", "roles":[ "readWrite" ] } )
package com.etretatlogiciels.mongodb;
import java.net.UnknownHostException;
import java.util.Arrays;
import com.mongodb.BasicDBObject;
import com.mongodb.DBCollection;
import com.mongodb.MongoClient;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
public class MongoDB
{
private MongoCredential credential;
private MongoClient client;
public MongoDB()
{
try
{
credential = MongoCredential.createMongoCRCredential( "jack", "test", "Test123".toCharArray() );
client = new MongoClient( new ServerAddress( "localhost", 27017 ), Arrays.asList( credential ) );
}
catch( UnknownHostException e )
{
e.printStackTrace();
}
}
public MongoClient getClient() { return this.client; }
public static void main( String[] args )
{
MongoDB mongodb = new MongoDB();
DBCollection collection = mongodb.getClient().getDB( "test" ).getCollection( "fun" );
BasicDBObject document = new BasicDBObject();
document.put( "notice", "This is a document in an authenticated database." );
collection.insert( document );
}
}
auth = true
keyFile = /srv/mongodb/keyfile
nohttpinterface = true
rest = false
bind_ip = 10.10.0.25,10.10.0.26