I was practicing ont mongodb documentation : https://docs.mongodb.com/manual/tutorial/enable-authentication/
and I can't figure out if the "admin" database in the example is just a database created for the tutorial or if it is a built-in database made specifically for managing admin users.
Thanks in advance.
The main purpose of this admin database is to store system collections and user authentication and authorization data, which includes the administrator and user's usernames, passwords, and roles. Access is limited to only to administrators, who have the ability to create, update, and delete users and assign roles.
When you create a database in MongoDB you don’t have authentication enabled, the user has all the privileges and roles over that database, you even have access to the database remotely if the firewall doesn’t have port 27017 blocked.
There are two special databases admin and local, users of these databases can perform operations such as those mentioned in the document on other databases to which they have access. In a development environment it is convenient not to worry about users and passwords, however, when users interact with the database remotely on an application, it is essential to activate user authentication.
The admin database is built-in database. Apart from user authentication and authorization data it also includes Roles for administering the whole system rather than just a single database. These roles are mainly related to replica set and sharded cluster administrative functions.
Roles which are created in other database than admin can only include privileges that apply to its database and can only inherit from other roles in its database.
A role created in the admin database can include privileges that apply to any database or to the cluster resource, and can inherit from roles in other databases as well as the admin database.
Related
So, I've been looking around for more details, but can't find it.
I have a AWS RDS Postgresql cluster. In the typical sense, when I want to add a login to my database, I use the
create user xxxx with password 'yyy'
then I grant that user access to the tables and other rights.
Now, I tried to add another user with secrets manager linked to this RDS database.
I'm not sure what to do next....should that new user I only created in secrets, appear in the login for the database, because I don't see it? How would we grant access to the tables and other things for that user?
We have a production postgres database which is accessible by all team members.
We use pgadmin to administer the database.
For safety reasons, I am willing to make the database readonly. So that, only data can be viewed and cannot be modified
(blocking any update operation to the database).
If any database update is required, then I can make the database to readwrite mode, make the modification
and change to readonly again.
There are ROLES AND PRIVILEGES options which can be used for achieving this functionality.
But I am wondering if there is any Pgadmin UI options for making the database readonly.
Thanks in advance.
Why don't you use Roles and Privileges ??
create multiple users
master_user
readonly_user
etc
Once you have users created, you can grant access on database/ schema or even table level.
Share the readonly user with the team and keep the master user for admins / applications etc
More info on postgres roles and privileges: https://www.postgresql.org/docs/current/user-manag.html
I'm learning databases and I have a question how to prepare the rules and groups configuration for the following assumptions:
I have two databases:
databaseA
databaseB
Each database will have several users connecting using the connectionString (server, port, database, username, password). So I have 3 users to each database:
userA1, userA2, userA3
userB1, userB2, userB3
How to create groups and roles and how to grant permission so that users A can only connect to database A and users B to database B. Can I make A users not see database B, have not seen users assigned to database B?
Probably it is a simple question, but I would like to see an example of how to do it - for now I have A and B database and the postgres user.
There is no point in trying to keep others from seeing a database's or user's metadata, don't try. PostgreSQL does not support that.
You create a user (a “login role”) with
CREATE ROLE user1a LOGIN;
As to the permissions, you first have to remove the default privilege that allows everyone to connect to the database:
REVOKE CONNECT, TEMP ON DATABASE databasea FROM PUBLIC;
Then you have to specifically allow the required users in:
GRANT CONNECT ON DATABASE databasea TO usera1, usera2, usera3;
If you have many users, or the users change frequently, it is better to use a group (a “nologin role”) that has the CONNECTprivilege, and you add the users to the group.
You have to configure pg_hba. conf so that the users are allowed to authenticate, see the documentation.
I'm not a DBA and I have got some questions around access controls for schemas. Let's say I have a Postgres server running a several databases. The admin user is postgres. I have another user tmpUser with which I could log in to the remote server using pgadmin3 client.
I now create a database called myDatabase which is by default owned by the postgres user. I then use my admin client to remotely log in to this myDatabase using the tmpUser account.
I now create a new schema inside this myDatabase called myDbSchema. I created a new role called myDbRole and did a grant usage, grant all on myDatabase, myDbSchema to the myDbRole.
The question now is how should I control access to this myDatabase. I tried to log in to the remote server using the tmpUser and when I tried to execute select * from myTable where myTable is a table in myDatabase, it came back with a permission denied sql message. So I changed the owner of the table to the tmpUser which I really do not want to!
Is there a guide or something on how I should go about creating and organizing roles with schemas in postgres?
It is not entirely clear what your problem is (for instance, what is role "myDbRole" for, is that a group role (NOLOGIN) or a user role (LOGIN)?) but in general you could follow this pattern of permission management:
Create a specific role to own a database and all or most of the objects in it. This should be a group role (NOLOGIN) for security reasons. Do not use the postgres user; if you need to login as that role often to do regular database work, you are doing something wrong. Any superuser (or other user role that has that role granted to it) can "impersonate" that owner role using SET SESSION AUTHORIZATION to do necessary maintenance. In a production environment this should be hardly ever necessary; during development you might want to consider making the role with LOGIN permission for ease of use.
The owner creates all the schemas, tables, views, functions, etc. that you need for your application. By default, all of those objects are only available to the database owner, with the exception of functions.
Define a number of group role profiles, each having specific requirements of the database. You could have, for instance sales_staff, product_managers, accounting and senior_management for a company, or web_user, web_admin, app_developer and app_manager for a web site. The database owner then GRANTs access to the database (CONNECT), schemas (USAGE), tables, views and functions (EXECUTE), as needed. I usually REVOKE ALL ON FUNCTION x() TO public, for security reasons.
Assign group role membership to user roles, as needed: GRANT sales_staff TO jane. The user roles should have LOGIN INHERIT such that they can log in and inherit the permission of group roles that they are a member of. That includes the permission to connect to a database and usage rights on schemas. Note that a single user role can have membership in multiple group roles.
Lastly, update your pg_hba.conf file to enable remote access to the database.
I would like to know how database access roles work in Mongo DB. The 10 gen page below gives ample details on what the rights of each role are but I don't how to implement them.
http://docs.mongodb.org/manual/reference/user-privileges/
Do I need to add each role to my database? or is it already added?
Edit
I understand adding roles to users. However I don't see how the roles can be added to specific databases. I see the following warnings after I have added the user with any of the "default" roles :
warning: No such role, "dbAdminAnyDatabase", in database db1. No privileges will be acquired from this role
User privilege roles in MongoDB are granted to users. Users may have multiple roles, and may have different roles on different logical database. As at MongoDB 2.4, authentication is disabled by default and you must explicitly Enable Authentication and add credentials for an administrative user.
If you want to grant a user access to broader roles that apply to any database (eg. dbAdminAnyDatabase) you need to grant these roles in the admin user database. In your example where you received an error, you were trying to grant the dbAdminAnyDatabase role via database db1 instead of the admin db.
The MongoDB manual includes a tutorial with examples of adding to specific databases as well as the admin database:
Add a User to a Database
It's worth noting that the available roles/privileges have significantly more granularity in MongoDB 2.4 than previous versions. The available user privilege roles are currently pre-defined, but future versions of MongoDB may allow user defined roles -- watch/upvote SERVER-8580 in the MongoDB issue tracker for this feature request.