An Overview of MongoDB User Management

Agus Syafaat

Database user management is a particularly important part of data security, as we must understand who is accessing the database and set the access rights of each user. If a database does not have proper user management, user access becomes messy and difficult to maintain as time goes on.

MongoDB is a NoSQL database and document store. Applying the RBAC (Role-Based Access Control) concept is key to implementing proper user management and managing user credentials.

What is Role Based Access Control (RBAC)?

RBAC is an approach that restricts system access to authorized users. In an organization, roles are created for various job functions. In the database, we then create the access rights needed to carry out certain operations and assign them to a particular role.

Staff members (or other system users) are assigned certain roles and through them are assigned permissions to perform computer system functions. Users are not given permissions directly, but only get them through their role (or roles). Managing individual user rights becomes a matter of simply placing the appropriate role into the user's account; this simplifies general operations (such as adding users or changing user departments).

Three main rules are defined for RBAC:

  • Role Assignment: A subject can exercise a permission only if the subject has selected or has been assigned a role.
  • Role Authorization: The active role of a subject must be authorized for the subject. Together with rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
  • Permission Authorization: A subject can exercise a permission only if the permission is authorized for the active role of the subject. Together with rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.

This blog will briefly review Role Based Access Control in the MongoDB database.

MongoDB User Roles

MongoDB has several types of roles in the database:

Built-in Roles

MongoDB provides access to data and actions through role-based authorization, and it ships with built-in roles that provide several levels of access in the database.

A role grants privileges to perform actions on a resource. MongoDB built-in roles fall into several categories:

  • Database User: These roles let database users manipulate data in non-system collections. Examples are: read, readWrite.
  • Database Administration: These roles deal with the administrative management of databases, such as user administration, schema, and the objects in it. Examples are: dbAdmin, userAdmin, dbOwner.
  • Cluster Administration: These roles administer the entire MongoDB system, including its replica sets and shards. Examples are: clusterAdmin, clusterManager.
  • Backup and Restoration: These roles are specific to functions related to database backup in MongoDB. Examples are: backup, restore.
  • All-Database Roles: These roles are in the admin database and have access to all databases except local and config. Examples are: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase.
  • Superuser: These roles have the ability to grant any user any privilege in all databases. An example of this role is: root.

User Defined Roles

In addition to built-in roles, we can create our own roles according to our needs and decide which privileges to give to them. To create a role, use the db.createRole() function. Besides creating roles, there are several other functions to manage existing roles, such as db.dropRole(), which deletes an existing role from the database, and db.getRole(), which returns all information about a specific role.

Privilege Actions in MongoDB

Privilege actions in MongoDB are the actions that a user can perform on a resource. MongoDB has several action categories, namely:

  • Database Management Actions: actions related to database administration commands, such as the changePassword, createCollection and createIndex actions.
  • Query and Write Actions: actions related to data manipulation in a collection. For example, the insert action allows the insert command, which inserts documents into a collection.
  • Deployment Management Actions: actions relating to changes in database configuration. Some actions that fall into this category are cpuProfiler, storageDetails and killop.
  • Replication Actions: actions relating to database replication, such as replSetConfigure and replSetHeartbeat.
  • Server Administration Actions: actions related to server administration commands in MongoDB, such as the logRotate action, which is used to rotate the database logs at the operating system level.
  • Sharding Actions: actions related to database sharding commands, such as addShard to add new shard nodes.
  • Session Actions: actions related to sessions in a database, such as listSessions and killAnySession.
  • Diagnostic Actions: actions related to diagnosing resources, such as dbStats to find out the current state of the database.
  • Free Monitoring Actions: actions related to monitoring in the database.

Managing MongoDB User & Roles

You can create a user and assign built-in roles to that user, for example as follows:

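db.createUser( {
    user: "admin",
    // passwordPrompt() can be used here instead of a literal so the password is not typed into the command
    pwd: "thisIspasswordforAdmin",
    roles: [ { role: "root", db: "admin" } ]
} );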

The script above creates the admin user with the given password and the built-in root role, which belongs to the Superuser category.

You can also assign more than one role to a user. Here is an example:

db.createUser( {
    user: 'businessintelligence',
    pwd: 'BIpassw0rd',
    roles: [ { 'role': 'read', 'db': 'oltp' }, { 'role': 'readWrite', 'db': 'olapdb' } ]
} );

The businessintelligence user has two roles: the read role in the oltp database and the readWrite role in the olapdb database.

User-defined roles are created with the db.createRole() command. You must first decide the purpose of the role so that you can determine which actions it needs. The following is an example of a role for monitoring the MongoDB database:

use admin
db.createRole(
   {
     role: "RoleMonitoring",
     privileges: [
       { resource: { cluster: true }, actions: [ "serverStatus" ] }
     ],
     roles: []
   }
)

We can then assign the user-defined role to a new user with the following command:

db.createUser( {
    user: "monuser",
    pwd: "thisIspasswordforMonitoring",
    roles: [ { role: "RoleMonitoring", db: "admin" } ]
} );

Meanwhile, to assign the role to an existing user, you can use the following command:

db.grantRolesToUser(
    "existingmonuser",
    [
      { role: "RoleMonitoring", db: "admin" }
    ]
)

To revoke a role from an existing user, you can use the following command:

db.revokeRolesFromUser(
    "oldmonguser",
    [
      { role: "RoleMonitoring", db: "admin" }
    ]
)

With user-defined roles, we can build roles that contain exactly the actions we want to allow, such as a role that restricts users to only deleting rows in certain databases.
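A delete-only role of the kind just described, as an added example (not code from the original post): the function builds the document passed to db.createRole() and refuses empty names, because an empty db or collection string in a resource document acts as a wildcard. The role name RolePurgeOrders and the collection orders_archive are hypothetical; oltp is the database used earlier on this page.

```javascript
// Added example: builds a createRole document that grants only the
// "remove" action on explicitly named collections of one database.
function deleteOnlyRole(roleName, dbName, collections) {
  if (!roleName || !dbName) {
    // An empty db string in a resource document matches every database.
    throw new Error("role name and database name must be non-empty");
  }
  if (!Array.isArray(collections) || collections.length === 0) {
    throw new Error("list the target collections explicitly");
  }
  const privileges = collections.map((coll) => {
    // An empty collection string matches all non-system collections
    // in dbName; system.* collections are never a valid target here.
    if (typeof coll !== "string" || coll === "" || coll.startsWith("system.")) {
      throw new Error(`refusing collection name: ${JSON.stringify(coll)}`);
    }
    return { resource: { db: dbName, collection: coll }, actions: ["remove"] };
  });
  // No inherited roles, so the role carries nothing beyond what is listed.
  return { role: roleName, privileges, roles: [] };
}

// Hypothetical role and collection names (assumptions, not from the page).
const roleDoc = deleteOnlyRole("RolePurgeOrders", "oltp", ["orders_archive"]);

// Inside mongosh, where `db` exists, create the role in the admin database,
// as the page does for RoleMonitoring. Under plain Node this step is skipped.
if (typeof db !== "undefined") {
  db.getSiblingDB("admin").createRole(roleDoc);
}
```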

Conclusion

The application of access rights can improve security. Mapping roles and users in the database makes it easy for you to manage user access.

Make sure all of this information regarding roles and rights is documented properly, with restricted access to the document. This helps you share the information with other DBAs or support personnel and is handy for audits and troubleshooting.
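One way to produce that user-to-role mapping for an audit, as an added example (not code from the original post): it takes user documents with the user, db and roles fields that db.getUsers() reports, lists each user's roles, and flags the broad built-in roles named on this page. The sample users are constructed from the accounts created above, and their owning database (admin) is an assumption.

```javascript
// Added example: role inventory with review flags for broad built-in roles.
// Roles whose reach is not limited to a single database.
const BROAD_ROLES = new Set([
  "root", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "clusterAdmin",
]);
// Roles that include user administration. Scoped to the admin database,
// they let the holder grant any role, including to themselves.
const GRANTING_ROLES = new Set(["userAdmin", "dbOwner"]);

function reviewUser(userDoc) {
  const findings = [];
  for (const { role, db } of userDoc.roles) {
    if (BROAD_ROLES.has(role)) {
      findings.push(`${role}@${db}: access is not limited to one database`);
    } else if (GRANTING_ROLES.has(role) && db === "admin") {
      findings.push(`${role}@${db}: holder can grant itself any role`);
    }
  }
  return findings;
}

function roleInventory(users) {
  return users.map((u) => ({
    user: `${u.user}@${u.db}`,
    roles: u.roles.map((r) => `${r.role}@${r.db}`).sort(),
    findings: reviewUser(u),
  }));
}

// Constructed sample input mirroring the users created on this page.
const sampleUsers = [
  { user: "admin", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { user: "businessintelligence", db: "admin",
    roles: [{ role: "readWrite", db: "olapdb" }, { role: "read", db: "oltp" }] },
  { user: "monuser", db: "admin",
    roles: [{ role: "RoleMonitoring", db: "admin" }] },
];

const inventory = roleInventory(sampleUsers);
for (const row of inventory) {
  console.log(row.user, row.roles.join(", "), row.findings.join("; ") || "ok");
}
```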

 