Mongodb – How to allow creation and deletion of a database or collections with user and password

mongodbusers

I created a user with the role of userAdminAnyDatabase

db.createUser({user: "Username", pwd: "password", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})

and also user with the role of userAdmin for a single db in the mongo shell.

db.createUser({user: "Username", pwd: "password", roles: [{role: "userAdmin", db: "myDB"}]})

But when I create or delete collections in myDB it's not asking me for the user name or password. What is the point of creating a user then?

I want the creation and deletion of databases and collections only when I give in the admin credentials.

Best Answer

No, system don't work that way. You must enable authentication and authorization of your mongodb.

After that, you log in with userAdmin credentials and you (only) have authorization to do userAdmin work, not system admin work. But remember to create super-admin user (before enabling authenticaton) or you end up to situation that you don't have superuser (root) who can give other needed rights.

Related Solutions

MongoDB Security – Resolving Localhost Exception

Authentication only controls access to clients connecting to a MongoDB deployment. Securing remote access to your server or encrypting your data files are separate security measures.

If an attacker is able to gain access to a shell on your server and run privileged commands (like restarting the mongod service), access control is irrelevant. Similarly, even if your data files were encrypted an attacker with privileged access will be a major security problem.

As the administrator of a server, it is your responsibility to have appropriate access control, firewalls, auditing, and other security measures in place. Security involves multiple layers of defense, and access control is only a starting point. At a minimum you should also enable network encryption (TLS/SSL) and appropriately limit network exposure.

For a list of recommended security measures, see the MongoDB Security Checklist.

Now, if I restart Mongo without the --auth parameter, I shouldn't be able to connect to Mongo using the localhost exception.

If you restart MongoDB without the --auth parameter (or equivalent configuration file directive), you are explicitly disabling access control and allowing clients to connect without requiring authentication. This may be useful for administrative intervention, such as resetting a forgotten admin password.

MongoDB – How to Set Up User Authentication Without Admin Database Access

Not need. You just give user needed rights to the wanted non-admin database. User can use admin database as authentication database even user doesn't have read/write access to admin database.

use products
db.grantRolesToUser("productsUser",[ "readWrite" ])

grantRolesToUser documentation.

UPDATE

Let's create mongodb instance with --auth. Login as admin, create user what can readWrite ONLY test -db, authenticate with that user, check can use list admin database collections and what this user can do with test database.

#> mlaunch init --single --auth
launching: mongod on port 27017
Username "user", password "password"
#> mongo -u user -p password admin
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/admin
MongoDB server version: 3.4.6
Mongo> db.createUser({user:"test", pwd:"testpwd", roles:[{role:"readWrite", db:"test"}]})
Successfully added user: {
    "user" : "test",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "test"
        }
    ]
}
Mongo> db.auth("test","testpwd")
1
Mongo> db
admin
Mongo> show collections
2017-09-11T19:06:22.001+0300 E QUERY    [thread1] Error: listCollections failed: {
    "ok" : 0,
    "errmsg" : "not authorized on admin to execute command { listCollections: 1.0, filter: {} }",
    "code" : 13,
    "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:807:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:819:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:830:16
shellHelper.show@src/mongo/shell/utils.js:762:9
shellHelper@src/mongo/shell/utils.js:659:15
@(shellhelp2):1:1
Mongo> use test
switched to db test
Mongo> db.coll.insert({})
WriteResult({ "nInserted" : 1 })
Mongo> show collections
coll
Mongo>

And same from outside:

#> mongo -u test -p testpwd --authenticationDatabase test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.6
2017-09-11T19:17:48.614+0300 E QUERY    [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
@(auth):6:1
@(auth):1:2
exception: login failed
#> mongo -u test -p testpwd --authenticationDatabase admin test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/test
MongoDB server version: 3.4.6
Mongo>

Best Answer

Related Solutions

MongoDB Security – Resolving Localhost Exception

MongoDB – How to Set Up User Authentication Without Admin Database Access

Related Question