I'm working on an application using different databases and struggling to implement the correct user management.
Suppose that we have a user "BasicUser" (created in the admin database), that only has dbAdmin rights to a specific database, called "TestDb" in this example. Furthermore, we have created a user "TestUser" without any access rights to start from.
Is there a possibility for the BasicUser to grant read/write access to the TestDb for the TestUser?
I tried the following options when I login with the BasicUser
use TestDb; db.grantRolesToUser("TestUser", ["read"]) --> This returns an error that the user cannot be found
use TestDb; db.updateUser("TestUser", {roles: ["read"]}) --> This returns an error that we are not autorized to execute the command
To be clear, I do not want to provide the BasicUser any admin rights on the admin database, as I don't want the BasicUser to see any of the other databases. This user should only be able to see the TestDb and perform its admin tasks on this db.
Create the user in the admin database (actually I don't know any reason why a user might be created anywhere else).
Then grant
db.getSiblingDB("admin").grantRolesToUser( "TestUser", [ { role: "dbOwner", db: "TestDb" } ] )
It's not clear what you mean by "give access"? Maybe instead of dbOwner, you just want to grant readWrite, see Built-In Roles
Related
is it possible to create PostgreSQL user so that he can connect and see only one specific database? So that he could only see one database (he couldn't see the others). Ideally, I could also set the visibility of the tables in the database.
I create user like this:
create user user with encrypted password 'password';
GRANT CONNECT ON DATABASE db TO user;
although I have given the user connect privilege to only one database, he can see all other databases :(
By default the connect privilege to every database is granted to the role public, so you need to run:
revoke connect on database ... from public;
for all other databases. Make sure you grant connect back to existing users.
Another option is to restrict connections for this specific user through pg_hba.conf
I am trying to implement some restrictions on my MongoDB server:
Two databases on my server should be restricted regarding delete/drop operations - only a special user account should be allowed to do so. All the other database should be totally unrestricted (of course excluding the admin database):
I tried to model this situation using two users:
| database A & B | all the other databases |
---------------------------------------------------------
user a | read & write | read & write |
user b | read-only | read & write |
Making everybody read all databases is easy using the readAnyDatabaserole.
However modelling that user b can only read database A & B but has read & write access to all the other databases (including those databases that are created later on) gives me a headache.
How can this security model be implemented in MongoDB?
It is not possible.
You can combine multiple roles and inherit them from multiple databases, but:
When granted a role, a user receives all the privileges of that role.
A user can have several roles concurrently, in which case the user
receives the union of all the privileges of the respective roles.
-
Roles always grant privileges and never limit access. For example, if
a user has both read and readWriteAnyDatabase roles on a database, the greater access prevails.
You can find these paragraphs in mongodb authorization doc.
In order to give read write on all future databases, you need to set readWriteAnyDatabase role to userb. That means, you can't downgrade to read role, for the A and B databases.
I am afraid you need to set the roles manually for the new dbs.
First of all enable authentication in your mongodb.conf file
auth = true
Create a database perm for holding user permissions that we are going to create below.
use perm
then create userb with read-only permissions for DatabaseA and DatabaseB
db.createUser(
{
user: "userb",
pwd: "12345",
roles: [
{ role: "read", db: "DatabaseA" },
{ role: "read", db: "DatabaseB" }
]
}
)
userb will only be allowed to read DatabaseA and DatabaseB rest all databases access to userb will be read-write
Now userb can login with below command
mongo --port 27017 -u userb -p 12345 --authenticationDatabase perm
You should use
security:
authorization: enabled
instead of auth = true, as for the rest Rohit answer did the job.
See also : https://stackoverflow.com/a/33325891/1814774
I'm not a DBA and I have got some questions around access controls for schemas. Let's say I have a Postgres server running a several databases. The admin user is postgres. I have another user tmpUser with which I could log in to the remote server using pgadmin3 client.
I now create a database called myDatabase which is by default owned by the postgres user. I then use my admin client to remotely log in to this myDatabase using the tmpUser account.
I now create a new schema inside this myDatabase called myDbSchema. I created a new role called myDbRole and did a grant usage, grant all on myDatabase, myDbSchema to the myDbRole.
The question now is how should I control access to this myDatabase. I tried to log in to the remote server using the tmpUser and when I tried to execute select * from myTable where myTable is a table in myDatabase, it came back with a permission denied sql message. So I changed the owner of the table to the tmpUser which I really do not want to!
Is there a guide or something on how I should go about creating and organizing roles with schemas in postgres?
It is not entirely clear what your problem is (for instance, what is role "myDbRole" for, is that a group role (NOLOGIN) or a user role (LOGIN)?) but in general you could follow this pattern of permission management:
Create a specific role to own a database and all or most of the objects in it. This should be a group role (NOLOGIN) for security reasons. Do not use the postgres user; if you need to login as that role often to do regular database work, you are doing something wrong. Any superuser (or other user role that has that role granted to it) can "impersonate" that owner role using SET SESSION AUTHORIZATION to do necessary maintenance. In a production environment this should be hardly ever necessary; during development you might want to consider making the role with LOGIN permission for ease of use.
The owner creates all the schemas, tables, views, functions, etc. that you need for your application. By default, all of those objects are only available to the database owner, with the exception of functions.
Define a number of group role profiles, each having specific requirements of the database. You could have, for instance sales_staff, product_managers, accounting and senior_management for a company, or web_user, web_admin, app_developer and app_manager for a web site. The database owner then GRANTs access to the database (CONNECT), schemas (USAGE), tables, views and functions (EXECUTE), as needed. I usually REVOKE ALL ON FUNCTION x() TO public, for security reasons.
Assign group role membership to user roles, as needed: GRANT sales_staff TO jane. The user roles should have LOGIN INHERIT such that they can log in and inherit the permission of group roles that they are a member of. That includes the permission to connect to a database and usage rights on schemas. Note that a single user role can have membership in multiple group roles.
Lastly, update your pg_hba.conf file to enable remote access to the database.
I've created two users, who I thought were userAdmins. Unfortunately, when I login with them, I get permission denied for everything. If I login locally without providing a username or password, I get permission denied for everything. What can I do?
The users were created using the following commands
use admin
db.createUser(
{
user: "Nikhil",
pwd: "wouldntyouliketoknow",
roles: ["userAdminAnyDatabase" ]
}
)
Does userAdminAnyDatabase not mean what I think it means?
I'm using that you've got authorization security enabled for this to be happening. Why don't you just set security.authorization to disabled and restart mongod?
http://docs.mongodb.org/manual/reference/configuration-options/
As far as the command you issued it looks to be incorrect, should be something like this:
use admin
db.createUser(
{
user: "Nikhil",
pwd: "wouldntyouliketoknow",
roles:
[
{
role: "userAdminAnyDatabase",
db: "admin"
}
]
}
)
Note that you have to pass in a document with both the role and the db into the call.
Best starting point is here: http://docs.mongodb.org/manual/tutorial/enable-authentication/
This user is limited to the userAdmin role on all databases. If you want to perform additional actions you'll need to either grant yourself additional roles or create a new user who has them:
userAdminAnyDatabase
Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster. The role also provides the following actions on the cluster as a whole:
authSchemaUpgrade
invalidateUserCache
listDatabases
The role also provides the following actions on the admin.system.users and admin.system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:
collStats
dbHash
dbStats
find
killCursors
planCacheRead
The userAdminAnyDatabase role does not restrict the permissions that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.
http://docs.mongodb.org/manual/reference/built-in-roles/#built-in-roles
You can simply restart your MongoD without the auth options and it should happily allow you to login and do any operations.
Alternatively you can also enable the bypass for localhost authentication and connect from the same host where you the MongoD is running. You can find more information about it at http://docs.mongodb.org/manual/core/authentication/#localhost-exception
The above mentioned steps may have different behaviour based on version of MongoDB you are using and I would suggest looking up version specific documentation at the mentioned website.
I have created a ROLE with name Admin and I have given it all accesses (including CREATEDB). I have created a User ekekakos who is member of Admin role and inherints from it. When I am trying to create a new DB with ekekakos I am getting the following message:
ERROR. PERMISSION DENIED TO CREATE DATABASE.
When I enable the option CAN CREATE DB to the user ekekakos, the database is created.
Why the user do not take the privilages of the role Admin?
Thanks
Excerpt from the docs:
The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute.