MongoDB Authentication and Roles: Creating Your First Personalized Role

In this blog post, we’ll walk through the native MongoDB authentication and roles, and learn how to create personalized roles. It is a continuation of Securing MongoDB instances.

As said before, MongoDB features a few authentication methods and built-in roles that offer great control of both who is connecting to the database and what they are allowed to do. However, some companies have their own security policies that are often not covered by default roles. This blog post explains not only how to create personalized roles, but also how to grant minimum access to a user.

Authentication Methods

SCRAM-SHA-1 and MONGODB-CR are challenge-response protocols. All the users and passwords are saved encrypted in the MongoDB instance. Challenge-response authentication methods are widely used on the internet in several server-client software. These authentication methods do not send passwords as plain text to the server when the client is starting an authentication. Each new session has a different hash/code, which stops people from getting the password when sniffing the network.

The MONGODB-CR method was deprecated in version 3.0.

The x.509 authentication is an internal authentication that allows instances and clients to communicate to each other. All certificates are signed by the same Certificate Authority and must be valid. All the network traffic is encrypted by a given key, and it is only possible to read data with a valid certificate signed by such key.

MongoDB also offers external authentications such as LDAP and Kerberos. When using LDAP, users can log in to MongoDB using their centralized passwords. The LDAP application is commonly used to manage users and passwords in wide networks. Kerberos is a service that allows users to login only once, and then generates access tickets so that the users are allowed to access other services. Some configuration is necessary to use external authentication.

Built in roles

• read: collStats,dbHash,dbStats,find,killCursors,listIndexes,listCollections,
• readWrite: all read privileges + convertToCapped, createCollection,dbStats, dropCollection, createIndex, dropIndex, emptycapped, insert, listIndexes,remove, renameCollectionSameDB, update.
• readAnyDatabase: allows the user to perform read in any database except the local and the config databases.

And so on…

In this tutorial, we are going to give specific privileges to a user who is allowed to only read the database, although he is allowed to write in a specific collection.

For this tutorial, we are using MongoDB 3.4 with previously configured authentication.

Steps:

1. Create the database:
   
   Shell

   mongo --authenticationDatbase admin -u superAdmin -p<br>use percona<br>db.foo.insert({x : 1})<br>db.foo2.insert({x : 1})

   1	mongo --authenticationDatbase admin -u superAdmin -p<br>use percona<br>db.foo.insert({x : 1})<br>db.foo2.insert({x : 1})

2. Create a new user:
   
   Shell

   > db.createUser({user : 'client_read', pwd : '123', roles : ['read']})<br>Successfully added user: { "user" : "client_read", "roles" : [ "read" ] }

   1	> db.createUser({user : 'client_read', pwd : '123', roles : ['read']})<br>Successfully added user: { "user" : "client_read", "roles" : [ "read" ] }

3. Log in with the user that has just been created and check the user access:
   
   Shell

   ./mongo localhost/percona -u client_read -p<br>MongoDB shell version v3.4.0-rc5<br>Enter password: <br><br>db.foo.find()<br>{ "_id" : ObjectId("586bc2e9cac0bbb93f325d11"), "x" : 1 }<br>db.foo2.find().count()<br>1<br><br>// If user try to insert documents will receive an error:<br><br>> db.foo.insert({x : 2})<br>WriteResult({<br>            "writeError" : {<br>            "code" : 13,<br>            "errmsg" : "not authorized on percona to execute command <br>                 { insert: "foo", documents: [ { _id: ObjectId('586bc36e7b114fb2517462f3'), x: 2.0 } ], ordered: true }"<br>            }<br>})

   1

   ./mongo localhost/percona -u client_read -p<br>MongoDB shell version v3.4.0-rc5<br>Enter password: <br><br>db.foo.find()<br>{ "_id" : ObjectId("586bc2e9cac0bbb93f325d11"), "x" : 1 }<br>db.foo2.find().count()<br>1<br><br>// If user try to insert documents will receive an error:<br><br>> db.foo.insert({x : 2})<br>WriteResult({<br>            "writeError" : {<br>            "code" : 13,<br>            "errmsg" : "not authorized on percona to execute command <br>                 { insert: "foo", documents: [ { _id: ObjectId('586bc36e7b114fb2517462f3'), x: 2.0 } ], ordered: true }"<br>            }<br>})

4. Log out and log in again with administrator user to create a new role for this user:
   
   Shell

   mongo --authenticationDatabase admin -u superAdmin -p<br><br>db.createRole({<br>role : 'write_foo2_Collection',<br>privileges : [ {resource : {db : "percona", collection : "foo2"}, actions : ["insert","remove"]}<br>], <br>roles : ["read"]<br>})<br><br>db.updateUser('client_read', roles : ['write_foo2_Collection'])

   1

   mongo --authenticationDatabase admin -u superAdmin -p<br><br>db.createRole({<br>role : 'write_foo2_Collection',<br>privileges : [ {resource : {db : "percona", collection : "foo2"}, actions : ["insert","remove"]}<br>], <br>roles : ["read"]<br>})<br><br>db.updateUser('client_read', roles : ['write_foo2_Collection'])

5. Check the new access:
   
   Shell

   ./mongo <br><br>db.auth('client_read','123')<br>1<br><br>> show collections<br>foo<br>foo2<br><br>> db.foo.find()<br>{ "_id" : ObjectId("586bc2e9cac0bbb93f325d11"), "x" : 1 }<br>> db.foo2.insert({y : 2})<br>WriteResult({ "nInserted" : 1 })<br><br>> db.foo.insert({y : 2}) //does not have permission.<br>WriteResult({<br>      "writeError" : {<br>            "code" : 13,<br>            "errmsg" : "not authorized on percona to execute command { insert: "foo", documents: [ { _id: ObjectId('586bc5e26f05b3a5db849359'), y: 2.0 } ], ordered: true }"<br>                     }<br>})

   1

   ./mongo <br><br>db.auth('client_read','123')<br>1<br><br>> show collections<br>foo<br>foo2<br><br>> db.foo.find()<br>{ "_id" : ObjectId("586bc2e9cac0bbb93f325d11"), "x" : 1 }<br>> db.foo2.insert({y : 2})<br>WriteResult({ "nInserted" : 1 })<br><br>> db.foo.insert({y : 2}) //does not have permission.<br>WriteResult({<br>      "writeError" : {<br>            "code" : 13,<br>            "errmsg" : "not authorized on percona to execute command { insert: "foo", documents: [ { _id: ObjectId('586bc5e26f05b3a5db849359'), y: 2.0 } ], ordered: true }"<br>                     }<br>})

6. We can also add access to other database resources. Let’s suppose we would like to grant this just created user permission to execute a getLog command. This command is available in the clusterAdmin role, but we do not want to give all this role’s access to him. See https://docs.mongodb.com/v3.0/reference/privilege-actions/#authr.getLog.There is a caveat/detail/observation here. If we want to grant cluster privileges to a user, we should create the role in the admin database. Otherwise, the command will fail:
   
   Shell

   db.grantPrivilegesToRole(<br>     "write_foo2_Collection",<br>           [<br>                  {resource : {cluster : true}, actions : ["getLog"] }<br>           ]<br>)<br><br>Roles on the 'percona' database cannot be granted privileges that target other databases or the cluster :

   1	db.grantPrivilegesToRole(<br>     "write_foo2_Collection",<br>           [<br>                  {resource : {cluster : true}, actions : ["getLog"] }<br>           ]<br>)<br><br>Roles on the 'percona' database cannot be granted privileges that target other databases or the cluster :

7. We are creating the same role in the admin database. This user only works properly if the admin database is present in a possible restore. Otherwise, the privileges fail:
   
   Shell

   use admin<br>db.createRole({<br>     role : 'write_foo2_Collection_getLogs',<br>     privileges : [ <br>                       {resource : {db : "percona", collection : "foo2"}, actions : ["insert","remove"]},<br>                       {resource : {cluster : true}, actions : ["getLog"]}],  <br>     roles : [ {role : "read", db: "percona"}]<br>})<br><br>use percona<br>db.updateUser( "client_read",<br>{<br>     roles : [<br>          { role : "write_foo2_Collection_getLogs", db : "admin" }<br>                ]<br>}<br>)

   1

   use admin<br>db.createRole({<br>     role : 'write_foo2_Collection_getLogs',<br>     privileges : [ <br>                       {resource : {db : "percona", collection : "foo2"}, actions : ["insert","remove"]},<br>                       {resource : {cluster : true}, actions : ["getLog"]}],  <br>     roles : [ {role : "read", db: "percona"}]<br>})<br><br>use percona<br>db.updateUser( "client_read",<br>{<br>     roles : [<br>          { role : "write_foo2_Collection_getLogs", db : "admin" }<br>                ]<br>}<br>)

8. Now the user has the same privileges as before, plus the getLog permission. We can test this user new access with:
   
   Shell

   mongo --authenticationDatabase percona -u read_user -p<br><br>db.adminCommand({getLog : 'global'})<br>{<br>          "totalLinesWritten" : 287,<br>          "log" : [....<br>….<br>}

   1	mongo --authenticationDatabase percona -u read_user -p<br><br>db.adminCommand({getLog : 'global'})<br>{<br>          "totalLinesWritten" : 287,<br>          "log" : [....<br>….<br>}

I hope you find this post useful. Please feel free to ping me on twitter @AdamoTonete or @percona and let us know your thoughts.

Learn more about Percona Server for MongoDB