Authentication and authorization are critical components of database security, ensuring that only authorized users can access and manipulate data. MongoDB, a popular NoSQL database, provides robust authentication mechanisms and role-based access control (RBAC) features to secure data and manage user privileges effectively.

In this article, we will learn about Authentication, Authorization, their Built-In Roles and how to configure RBAC in MongoDB by creating user-defined roles, and modifying access for existing users.

Authentication in MongoDB

• Authentication in MongoDB ensures that only authorized users can access and manipulate data.
• MongoDB supports various authentication mechanisms, including SCRAM-SHA-256, which authenticates users based on their username and password.
• Roles are used to define the privileges and access levels of users, and these roles can be assigned at the database level or for specific collections.
• Authentication is enabled by default in MongoDB, requiring users to authenticate themselves before accessing any data.
• Configuration settings for authentication are specified in the MongoDB server configuration file (mongod.conf).
• MongoDB provides access control features to restrict access based on IP addresses.
• MongoDB supports TLS/SSL encryption for secure communication between clients and the server.
• Authentication mechanisms in MongoDB can be integrated with existing systems, such as LDAP or Active Directory, for centralized user management and authentication.

MongoDB Role-Based Access Control (RBAC)

• MongoDB authorization is based on Role-Based Access Control (RBAC).
• Access privileges are determined by the roles assigned to users.
• Roles specify the operations a user can perform and the resources they can access.
• MongoDB offers various built-in roles designed for different administrative and operational tasks.
• RBAC in MongoDB allows for fine-grained access control, enabling administrators to define custom roles with specific permissions.
• Roles can be assigned at the database level or the collection level, providing flexibility in access control.
• MongoDB supports role inheritance, where roles can inherit privileges from other roles, simplifying the management of complex access control policies.
• Users can be assigned multiple roles, allowing them to have different levels of access across databases and collections.
• MongoDB also supports the concept of privilege separation, where administrative tasks can be separated from application data access, improving security.

Built-In Roles

MongoDB provides several built-in roles to cater to different administrative and operational tasks. Some of the key built-in roles include:

1. read: The read allow to read-only access to specific databases or collection.
2. readWrite: The readWriteallow to read and write access to specific databases or collection.
3. dbAdmin: Provides full access to a specific database, including the ability to manage indexes and collections.
4. userAdmin: Provides the ability to create and modify users and roles for a specific database.
5. clusterAdmin: Provides full access to a MongoDB cluster, including the ability to perform administrative tasks on replica sets and sharded clusters.
6. backup: Provides the ability to create backups of a MongoDB deployment.
7. restore: Provides the ability to restore backups to a MongoDB deployment.
8. dbOwner: Provides full access to a specific database, including the ability to perform any operation.
9. root: Provides full access to the MongoDB instance, including the ability to perform any operation on any database.

Database Administration Roles

• dbAdmin: This role provides full administrative access to a specific database. Users with this role can perform administrative tasks such as creating and deleting collections and indexes, as well as managing user roles within the database.
• userAdmin: This role allows the management of users and roles within a specific database. Users with this role can create and delete users, as well as assign roles to users.
• clusterAdmin: This role provides full administrative access to the entire MongoDB cluster. Users with this role can perform administrative tasks at the cluster level, such as adding and removing shards, as well as managing replica sets.
• backup: This role allows users to perform backup operations on a specific database. Users with this role can create and restore backups of the database.

Cluster Administration Roles

• clusterMonitor: Users with this role can view cluster-wide monitoring metrics and statistics, such as the status of replica sets and sharded clusters.

• clusterBackup: This role grants privileges to create backups of the entire cluster, including all databases and collections.
• clusterRestore: Users with this role can restore backups to the entire cluster, replacing existing data.
• clusterAdmin: This role combines the permissions of the clusterManager, clusterMonitor, clusterBackup, and clusterRestore roles, providing full access to manage and monitor the cluster, create backups, and perform restores.

Backup and Restoration Roles

• backup: Authorizes users to create backups of databases.
• restore: Enables users to restore databases from backups.

Superuser Roles:

• root: Grants superuser access to perform any action on any resource.

Creating a User-Defined Role

• Define the Role: Determine the permissions and privileges the role should have, such as read or write access to specific databases or collections.
• Create the Role: Use the db.createRole() method to create the role, specifying the role’s name, privileges, and any other options.

For example:

db.createRole({
  role: "customRole",
  privileges: [
    { resource: { db: "myDatabase", collection: "" }, actions: ["find", "insert"] }
  ],
  roles: []
})

• Assign the Role: Assign the role to a user using the db.grantRolesToUser() method. For example:

db.grantRolesToUser("myUser", ["customRole"])

Modify Access for an Existing User

• To modify access for an existing user in MongoDB Here’s a step-by-step explanation with examples:

List Existing Roles: Use the db.getUser() method to list the roles assigned to the user. For example:

db.getUser("myUser")

• Modify Roles: Use the db.grantRolesToUser() and db.revokeRolesFromUser() methods to add or remove roles from the user. For example, to add a role:

db.grantRolesToUser("myUser", ["customRole"])

Verify Changes: Verify the changes by listing the user’s roles again.

Connect to MongoDB with Appropriate Privileges

• Start MongoDB Shell: Start the MongoDB shell by running the mongo command in your terminal.
• Authenticate: Use the db.auth() method to authenticate with a user that has the appropriate privileges.

For example:

db.auth("myUser", "myPassword")

• Connect to Database: Connect to the desired database using the use command. For example

use myDatabase

• Verify Access: Verify that you have the appropriate access by performing operations such as querying or updating documents.

Conclusion

Security and integrity are critical for MongoDB databases. Authentication and authorization are key to ensuring this. By setting up strong authentication methods and using RBAC features effectively, MongoDB users can control who accesses data, manage user permissions, and protect sensitive information from unauthorized access. After reading the full article, you’ll be able to easily create a custom user role, modify access for an existing user, and connect to MongoDB with the right permissions.