I am trying to implement some restrictions on my MongoDB server:
Two databases on my server should be restricted regarding delete/drop operations - only a special user account should be allowed to do so. All the other database should be totally unrestricted (of course excluding the admin database):
I tried to model this situation using two users:
| database A & B | all the other databases |
---------------------------------------------------------
user a | read & write | read & write |
user b | read-only | read & write |
Making everybody read all databases is easy using the readAnyDatabaserole.
However modelling that user b can only read database A & B but has read & write access to all the other databases (including those databases that are created later on) gives me a headache.
How can this security model be implemented in MongoDB?
It is not possible.
You can combine multiple roles and inherit them from multiple databases, but:
When granted a role, a user receives all the privileges of that role.
A user can have several roles concurrently, in which case the user
receives the union of all the privileges of the respective roles.
-
Roles always grant privileges and never limit access. For example, if
a user has both read and readWriteAnyDatabase roles on a database, the greater access prevails.
You can find these paragraphs in mongodb authorization doc.
In order to give read write on all future databases, you need to set readWriteAnyDatabase role to userb. That means, you can't downgrade to read role, for the A and B databases.
I am afraid you need to set the roles manually for the new dbs.
First of all enable authentication in your mongodb.conf file
auth = true
Create a database perm for holding user permissions that we are going to create below.
use perm
then create userb with read-only permissions for DatabaseA and DatabaseB
db.createUser(
{
user: "userb",
pwd: "12345",
roles: [
{ role: "read", db: "DatabaseA" },
{ role: "read", db: "DatabaseB" }
]
}
)
userb will only be allowed to read DatabaseA and DatabaseB rest all databases access to userb will be read-write
Now userb can login with below command
mongo --port 27017 -u userb -p 12345 --authenticationDatabase perm
You should use
security:
authorization: enabled
instead of auth = true, as for the rest Rohit answer did the job.
See also : https://stackoverflow.com/a/33325891/1814774
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 相关推荐>> 的文章《MongoDB permissions: restrict access to two databa》','https://www.manongdao.com/article-772171.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}