MongoDB permissions: restrict access to two databa

2019-04-29 04:02发布

站内问答 / MongoDB
798 3 6

I am trying to implement some restrictions on my MongoDB server:

Two databases on my server should be restricted regarding delete/drop operations - only a special user account should be allowed to do so. All the other database should be totally unrestricted (of course excluding the admin database):

I tried to model this situation using two users:

       |   database A & B   |  all the other databases |
---------------------------------------------------------
user a |    read & write    |       read & write       |
user b |      read-only     |       read & write       |

Making everybody read all databases is easy using the readAnyDatabaserole. However modelling that user b can only read database A & B but has read & write access to all the other databases (including those databases that are created later on) gives me a headache.

How can this security model be implemented in MongoDB?

3条回答
Lonely孤独者°
2楼-- · 2019-04-29 04:49

It is not possible.

You can combine multiple roles and inherit them from multiple databases, but:

When granted a role, a user receives all the privileges of that role. A user can have several roles concurrently, in which case the user receives the union of all the privileges of the respective roles.

-

Roles always grant privileges and never limit access. For example, if a user has both read and readWriteAnyDatabase roles on a database, the greater access prevails.

You can find these paragraphs in mongodb authorization doc.

In order to give read write on all future databases, you need to set readWriteAnyDatabase role to userb. That means, you can't downgrade to read role, for the A and B databases.

I am afraid you need to set the roles manually for the new dbs.

查看更多
0人赞 添加讨论(0) 举报
走好不送
3楼-- · 2019-04-29 04:52

First of all enable authentication in your mongodb.conf file

auth = true

Create a database perm for holding user permissions that we are going to create below.

use perm

then create userb with read-only permissions for DatabaseA and DatabaseB

db.createUser(
    {
      user: "userb",
      pwd: "12345",
      roles: [
         { role: "read", db: "DatabaseA" },
         { role: "read", db: "DatabaseB" }
      ]
    }
)

userb will only be allowed to read DatabaseA and DatabaseB rest all databases access to userb will be read-write

Now userb can login with below command

mongo --port 27017 -u userb -p 12345 --authenticationDatabase perm
查看更多
0人赞 添加讨论(0) 举报
我欲成王,谁敢阻挡
4楼-- · 2019-04-29 04:58

You should use 

security:
    authorization: enabled

instead of auth = true, as for the rest Rohit answer did the job.

See also : https://stackoverflow.com/a/33325891/1814774

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)