Can you have collection level permissions in MongoDB? - mongodb

Can you have collection-level permissions in MongoDB, similar to table-level permissions in a SQL database?
This is the only thing I could find on it. Looks like an old ticket.
https://jira.mongodb.org/browse/SERVER-1105

For anyone coming to this late (like I did), MongoDB now has support for collection-level authorization.
See: http://docs.mongodb.org/manual/core/collection-level-access-control/
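As an added illustration (not from the answer above or from MongoDB's own code): a custom role of the kind collection-level access control is built on, next to a small checker that applies MongoDB's documented resource-matching rules, so you can see what the role grants before creating it. Database, collection and role names are constructed; system collections and cluster-wide resources are outside what the checker models.

```javascript
// Added example, not from the original answer or from MongoDB's own code.
// reportingReader is a role document of the shape db.createRole() accepts;
// allows() applies MongoDB's documented resource-matching rules so you can
// check what the role grants before creating it. Names are constructed.
const reportingReader = {
  role: "ordersReadOnly",
  privileges: [
    // One specific collection in one database: the collection-level case
    { resource: { db: "sales", collection: "orders" }, actions: ["find"] },
    // Empty collection name: every collection in the "audit" database
    { resource: { db: "audit", collection: "" }, actions: ["find", "insert"] },
    // Empty db name: the collection "settings" in every database
    { resource: { db: "", collection: "settings" }, actions: ["find"] },
  ],
  roles: [], // no inherited roles
};
// Because these privileges span several databases, the role has to be created
// in the admin database (a role in any other database may only grant
// privileges on that database).

// An empty db or collection field means "any". System collections and
// cluster-wide resources are deliberately not modelled here.
function resourceMatches(resource, db, collection) {
  if (resource.db === undefined || resource.collection === undefined) return false;
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === "" || resource.collection === collection;
  return dbOk && collOk;
}

// True when at least one privilege grants `action` on db.collection
function allows(role, db, collection, action) {
  return role.privileges.some(
    (p) => resourceMatches(p.resource, db, collection) && p.actions.includes(action)
  );
}

// In the mongo shell, once you are satisfied with what the role grants
// (user name and password are placeholders):
//   use admin
//   db.createRole(reportingReader)
//   db.createUser({ user: "analyst", pwd: "<password>", roles: ["ordersReadOnly"] })
```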

Nope, not yet: MongoDB access control is currently only available at the database level. Depending on your requirements, it might be an option to implement a security model in application code that controls access down to the collection level.

Related

Is it possible to store Audit4j audit events into MongoDB?

We want to save Audit4j events/logs (which are usually stored in a text file) to MongoDB.
Is it possible with some existing adapter/plugin? Or do we need to write one? If we need to write one, is there any documentation that can be referred to?
Most of the articles talk about auditing MongoDB changes themselves, hence we are confused.
Any pointers will be appreciated.
Thanks and regards
There's a plugin available on GitHub: https://github.com/nipunthathsara/Audit4j-MongoDB

Best way to share collection with customer

Recently we have been working with a customer who wants one of our MongoDB collections to be shared with them. I'm pretty new to Dev/Sys Ops, so I'm wondering what would be the best way to share the collection with them?
The client needs to be able to specify dates and then pull all of the data in that range from the collection (so some sort of query is needed).
I was considering giving them access to Mongo through SSH, but would that be secure and appropriate?
The second thing I considered was creating a simple web app and then sending it over as a POST.
Thoughts? Cheers
Posting my comment as an answer after a small discussion with the OP.
A simple REST API should suffice: send the search criteria to your API, then query MongoDB.
Returning in JSON format would be easier, though this depends on your customer's requirements.
Thanks for your help. I ended up simply creating a MongoDB username and password for my client and setting the correct permissions, leaving them to do all the heavy lifting.

Cell Level Security (or similar) in MongoDB

Does MongoDB support cell-level security? I have found a few references claiming that it does (as of MongoDB 2.6), but I cannot find anything to verify this. I was hoping that if MongoDB did support this I could find something in the documentation referencing it, but I have not.
If this is supported, do you use roles to handle this?
I do not even understand how "cell based security" really fits into the MongoDB model since documents are stored as JSON.
I am told that the application is essentially identical to the government's way of handling classified materials. I might have something "business sensitive" that only a person with an "employee" role could access. I might also have project-level roles, or even a manager for that project, to limit what is seen.
Any help, pointers, or links are appreciated.
MongoDB has field-level access via $redact. It isn't as secure as Accumulo's cell-level security because it isn't enforced by default. Read more here: https://docs.mongodb.org/manual/tutorial/implement-field-level-redaction
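An added example, not from the answer above or from MongoDB: it emulates offline how a $redact stage with the tag-based $cond from the linked tutorial walks a document, so the pruning behaviour can be checked, including the point that the top-level document itself must carry a tag the user holds. The document and clearance tags are constructed.

```javascript
// Added example, not from the original answer or from MongoDB. Emulates the
// $redact stage from the field-level redaction tutorial:
//   { $redact: { $cond: {
//       if:   { $gt: [ { $size: { $setIntersection: ["$tags", userTags] } }, 0 ] },
//       then: "$$DESCEND", else: "$$PRUNE" } } }
// $$DESCEND keeps the current level and re-evaluates each embedded document;
// $$PRUNE drops the current level entirely. Document and tags are constructed.
const sampleDoc = {
  _id: 1,
  title: "Quarterly forecast",
  tags: ["G"],
  subsections: [
    { subtitle: "Overview", tags: ["G"], content: "public summary" },
    { subtitle: "Revenue detail", tags: ["STLW"], content: "internal figures" },
    { subtitle: "Customer list", tags: ["TK"], content: "named accounts" },
  ],
};

// Returns the redacted value, or undefined when the level is pruned.
function redact(value, userTags) {
  if (Array.isArray(value)) {
    // Documents inside arrays are evaluated individually; scalars pass through
    return value.map((v) => redact(v, userTags)).filter((v) => v !== undefined);
  }
  if (value !== null && typeof value === "object") {
    const tags = Array.isArray(value.tags) ? value.tags : [];
    // Non-empty $setIntersection -> $$DESCEND; otherwise $$PRUNE.
    // A level without a tags array is treated as no match in this emulation.
    const allowed = tags.some((t) => userTags.includes(t));
    if (!allowed) return undefined;
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      const r = redact(v, userTags);
      if (r !== undefined) out[k] = r;
    }
    return out;
  }
  return value; // scalars are never subject to the condition
}
```

Note that a user holding only "STLW" gets nothing back, because the top-level document is tagged "G": tagging has to be designed for every level $$DESCEND visits.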

Possible to sync a sqlServer view into a noSQL db like MongoDB or RavenDB?

I'm looking to get a complex SQL Server view into a document DB like MongoDB for performance reasons. Is it possible to sync the two together? Or what's the best approach to get each record/document from the view into the document DB?
This is for straight-up data viewing on the web only. No updates, deletes or inserts.
*Wanting to learn about document DBs, this would be a simple project for implementation.
Since the source of the information is the relational database, you need some sort of update process that happens when a row is updated.
You can do that either via your application, or using some sort of a trigger.
You get all of the required information from the database, and write that in optimized form inside RavenDB.
That is pretty much it, to tell you the truth.

Securing document-style databases (MongoDb, CouchDb, RavenDb) for client (browser) access

Document databases that support REST-style JSON over HTTP access seem ideal for supporting AJAX-rich applications where the browser is making direct calls to the database, bypassing the traditional web server / application logic components. An example of this might be retrieving user preferences once a user has been authenticated. (BBC Homepage might be a good example of this, prior to crashing under the load!)
The problem with this scenario is the security issue - if a user is authenticated using a web server (e.g. basic forms authentication), how is this identity carried over to the document DB. Is the only answer to proxy all requests to the DB through the web server anyway - i.e. secure the document DB so that there is no direct external access?
This seems to make the most sense, and is the easiest to implement, but I was wondering whether anyone out there had any experience and/or advice on using document DBs in a heterogeneous environment?
This probably differs in every database you mention. Here's how it works in CouchDB.
CouchDB allows you to manage users and roles.
You can use the validate_doc_update function in your design documents to restrict document creation/update. For example, you can write a validation that denies document update to anyone but its author.
To restrict who can read documents from a database, you can edit the /db_name/_security document and list the users or roles.
However, I don't think you can make the read access more granular (i.e. allow a user to read only the documents they created).
To achieve that, you have to put the CouchDB behind a proxy and use views to serve the documents to authenticated users. You can still use CouchDB user management this way. The proxy just hides the direct access to the database.
For more detailed info, check the security overview on CouchDB wiki, the security chapter of the Relax book and this short screencast.
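An added example (not the answer's or CouchDB's own code) of the validate_doc_update rule described above: a design-document function that lets only a document's author update or delete it, plus a small harness to exercise it outside CouchDB. The "author" field name is this example's assumption.

```javascript
// Added example, not from the original answer or from CouchDB. This is the
// shape of a validate_doc_update function placed in a design document: CouchDB
// calls it with the proposed doc, the stored doc (null on create), the user
// context and the security object, and rejects the write when it throws.
// The "author" field is an assumption made for this example.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  // Server admins bypass the rule
  if (userCtx.roles && userCtx.roles.indexOf("_admin") !== -1) return;
  if (!userCtx.name) throw { unauthorized: "You must be logged in." };
  // New or updated content must be attributed to the writer
  if (!newDoc._deleted && newDoc.author !== userCtx.name) {
    throw { forbidden: "author must equal the current user name." };
  }
  // An existing document (update or delete) may only be touched by its author
  if (oldDoc && oldDoc.author !== userCtx.name) {
    throw { forbidden: "only the author may modify this document." };
  }
}

// Constructed harness: returns "ok" or the rejection, labelled with the HTTP
// status CouchDB would answer with (403 forbidden, 401 unauthorized).
function checkWrite(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, {});
    return "ok";
  } catch (e) {
    if (e.forbidden) return "403 " + e.forbidden;
    if (e.unauthorized) return "401 " + e.unauthorized;
    throw e;
  }
}

// Sample users and a stored document, constructed for the example
const alice = { name: "alice", roles: [] };
const bob = { name: "bob", roles: [] };
const admin = { name: "root", roles: ["_admin"] };
const anon = { name: null, roles: [] };
const stored = { _id: "prefs-alice", author: "alice", theme: "dark" };
```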
Well, I only have experience with CouchDB, but I hope I can help you nonetheless.
CouchDB has a validation process built in: you write your validation rules in JavaScript and have access to the groups the current user is in. It's all handled by CouchDB itself, basically; you don't have to care about how you get to the login information.