I am trying to implement some restrictions on my MongoDB server:
Two databases on my server should be restricted regarding delete/drop operations - only a special user account should be allowed to do so. All the other database should be totally unrestricted (of course excluding the admin database):
I tried to model this situation using two users:
| database A & B | all the other databases |
---------------------------------------------------------
user a | read & write | read & write |
user b | read-only | read & write |
Making everybody read all databases is easy using the readAnyDatabaserole.
However modelling that user b can only read database A & B but has read & write access to all the other databases (including those databases that are created later on) gives me a headache.
How can this security model be implemented in MongoDB?
It is not possible.
You can combine multiple roles and inherit them from multiple databases, but:
When granted a role, a user receives all the privileges of that role.
A user can have several roles concurrently, in which case the user
receives the union of all the privileges of the respective roles.
-
Roles always grant privileges and never limit access. For example, if
a user has both read and readWriteAnyDatabase roles on a database, the greater access prevails.
You can find these paragraphs in mongodb authorization doc.
In order to give read write on all future databases, you need to set readWriteAnyDatabase role to userb. That means, you can't downgrade to read role, for the A and B databases.
I am afraid you need to set the roles manually for the new dbs.
First of all enable authentication in your mongodb.conf file
auth = true
Create a database perm for holding user permissions that we are going to create below.
use perm
then create userb with read-only permissions for DatabaseA and DatabaseB
db.createUser(
{
user: "userb",
pwd: "12345",
roles: [
{ role: "read", db: "DatabaseA" },
{ role: "read", db: "DatabaseB" }
]
}
)
userb will only be allowed to read DatabaseA and DatabaseB rest all databases access to userb will be read-write
Now userb can login with below command
mongo --port 27017 -u userb -p 12345 --authenticationDatabase perm
You should use
security:
authorization: enabled
instead of auth = true, as for the rest Rohit answer did the job.
See also : https://stackoverflow.com/a/33325891/1814774
Related
I'm working on an application using different databases and struggling to implement the correct user management.
Suppose that we have a user "BasicUser" (created in the admin database), that only has dbAdmin rights to a specific database, called "TestDb" in this example. Furthermore, we have created a user "TestUser" without any access rights to start from.
Is there a possibility for the BasicUser to grant read/write access to the TestDb for the TestUser?
I tried the following options when I login with the BasicUser
use TestDb; db.grantRolesToUser("TestUser", ["read"]) --> This returns an error that the user cannot be found
use TestDb; db.updateUser("TestUser", {roles: ["read"]}) --> This returns an error that we are not autorized to execute the command
To be clear, I do not want to provide the BasicUser any admin rights on the admin database, as I don't want the BasicUser to see any of the other databases. This user should only be able to see the TestDb and perform its admin tasks on this db.
Create the user in the admin database (actually I don't know any reason why a user might be created anywhere else).
Then grant
db.getSiblingDB("admin").grantRolesToUser( "TestUser", [ { role: "dbOwner", db: "TestDb" } ] )
It's not clear what you mean by "give access"? Maybe instead of dbOwner, you just want to grant readWrite, see Built-In Roles
I'm new to Google Cloud SQL. I created two postgres DBs with two new users (one created from web dashboard and one created from commandline). My goal is to prevent the two users to be able to modify each other DB, but I cannot get it to work.
Here is what I want:
UserA all privileges on DB_A
UserA no privileges on DB_B
UserB all privileges on DB_B
UserB no privileges on DB_A
I already tried to grant/revoke permissions from psql prompt, but in the end I still be able to create/drop tables in DB_A as UserB.
Is it possible to achieve what I want? Am I missing something?
Postgres on Cloud SQL is standard Postgres, so it's just like any other Postgres instance:
To give a role all privileges:
GRANT ALL ON <db_name> TO <role_name>;
To remove all privileges:
REVOKE ALL ON <db_name> TO <role_name>;
The Postgres docs on privileges does give the follow caveat for:
The special privileges of an object's owner (i.e., the right to modify
or destroy the object) are always implicit in being the owner, and
cannot be granted or revoked
So keep that in mind - if UserA owns both databases, they can always modify them.
I had create an account on "admin" database with roles :
roles:["readWriteAnyDatabase","userAdminAnyDatabase","dbAdminAnyDatabase”,”root"]
Is it an highest privileges account ?
If not which roles have I missing ?
I want this "admin" account can manage all the action on database mongo includes replicate set , sharding ...
The privileges mentioned by you should manage all the actions on a single mongod instance. As you want to manage the replica set also, I would suggest you to add clusterAdmin privilege as well.
It potentially contains the clusterManager, clusterMonitor, and hostManager including dropping database action.
So, update the admin user with clusterAdmin role to get the absolute control on your mongod cluster.
ref: https://docs.mongodb.org/manual/reference/built-in-roles/
I'm trying to connect from a java application to a mongodb database in openshift and I'm having some trouble with roles and actions allowed.
I run the rch port-forward command like so:
rhc port-forward -a test
it all goes great and I'm able to connect to the database using:
mongo admin -u admin -p '*******' --host 127.0.0.1 --port 44506
and I can execute commands like:
> use test
> show databases
But if i connect directly to my database using:
mongo test -u admin -p '*******' --host 127.0.0.1 --port 44506
I'm unable to run the show databases command
listDatabases failed:{ "ok" : 0, "errmsg" : "unauthorized" } at src/mongo/shell/mongo.js:47
How can i give action listDatabases to this user in this database?
I found this page in the mongodb documentation http://docs.mongodb.org/manual/reference/privilege-actions/#security-user-actions
Which talks about Diagnostic Actions but does not mention how to give such action to a user.
Thanks for the help.
As mentioned by wdberkeley, you have to have a user in the admin database with the ability to list databases.
To do this, you first have to create a very minimal "role" for this user allowing them to list databases, and then create a user with both this role and the role for reading and writing your other database:
use admin
db.runCommand({ createRole: "listDatabases",
privileges: [
{ resource: { cluster : true }, actions: ["listDatabases"]}
],
roles: []
})
db.createUser({
user: "<userName>",
pwd: "<passwd>",
roles: [
{ role: "readWrite", db: "test" },
{ role: "listDatabases", db: "admin" }
]
})
The MongoDB documentation has references for both createRole and createUser, if you want to learn more about these commands.
You're logging in as two different users. Users are scoped by namespace, so user John who lives in test is not the same as user John who lives in admin, though both Johns may have rights in the test database. I think this much you may already understand, but I wanted to clarify it just in case.
I don't believe you can give a user scoped to a non-admin database the listDatabases action in a privilege because the listDatabases action must go with the cluster resource (listDatabases is a cluster-wide sort of operation), and a privilege with a cluster resource can only be scoped to a role on the admin database. Cutting out the jargon of MongoDB's authorization model, a non-admin database user can't use listDatabases because it's a cluster-wide operation and only admin database users should be able to do cluster-wide things.
Just want to add the approach mentioned by i80and works on MongoDB 3.2.3
create custom role that contain listDatabase and specify cluster:true, I did it when specify resource as db, it doesn't work
grant this role to user
Note: make sure you are connected to the correct db when performing security task because you will need to be authenticated using this specific db where the user is created
I've created two users, who I thought were userAdmins. Unfortunately, when I login with them, I get permission denied for everything. If I login locally without providing a username or password, I get permission denied for everything. What can I do?
The users were created using the following commands
use admin
db.createUser(
{
user: "Nikhil",
pwd: "wouldntyouliketoknow",
roles: ["userAdminAnyDatabase" ]
}
)
Does userAdminAnyDatabase not mean what I think it means?
I'm using that you've got authorization security enabled for this to be happening. Why don't you just set security.authorization to disabled and restart mongod?
http://docs.mongodb.org/manual/reference/configuration-options/
As far as the command you issued it looks to be incorrect, should be something like this:
use admin
db.createUser(
{
user: "Nikhil",
pwd: "wouldntyouliketoknow",
roles:
[
{
role: "userAdminAnyDatabase",
db: "admin"
}
]
}
)
Note that you have to pass in a document with both the role and the db into the call.
Best starting point is here: http://docs.mongodb.org/manual/tutorial/enable-authentication/
This user is limited to the userAdmin role on all databases. If you want to perform additional actions you'll need to either grant yourself additional roles or create a new user who has them:
userAdminAnyDatabase
Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster. The role also provides the following actions on the cluster as a whole:
authSchemaUpgrade
invalidateUserCache
listDatabases
The role also provides the following actions on the admin.system.users and admin.system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:
collStats
dbHash
dbStats
find
killCursors
planCacheRead
The userAdminAnyDatabase role does not restrict the permissions that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.
http://docs.mongodb.org/manual/reference/built-in-roles/#built-in-roles
You can simply restart your MongoD without the auth options and it should happily allow you to login and do any operations.
Alternatively you can also enable the bypass for localhost authentication and connect from the same host where you the MongoD is running. You can find more information about it at http://docs.mongodb.org/manual/core/authentication/#localhost-exception
The above mentioned steps may have different behaviour based on version of MongoDB you are using and I would suggest looking up version specific documentation at the mentioned website.