- Ubuntu 18.04 (Remote Virtual Machine)
- MongoDB 3.6.3
Goals:
- Install and configure a MongoDB server.
- Create a superuser with full access to the Admin database.
- Create a new User and Database with regular permissions.
Info:
- We will want to create a separate user for each database, so that a compromised user only exposes its own database. Users with the same name can exist in different databases, since MongoDB uses `database.username` as the user's ID.
Install:
- sudo apt update
- sudo apt install mongodb-server mongodb mongo-tools mongodb-clients
- sudo systemctl status mongodb.service
- Start MongoDB server:
- How to start server in "do-not-ask-for-authorization" mode
- mongod
- How to start server in "authorization" mode
- mongod --auth --port 27017
- Configure a superuser using a new terminal:
- mongo
- use admin
- switched to db admin
- db.createUser({user: "admin", pwd: passwordPrompt(), roles: [ { role: "root", db: "admin" }]})
- Successfully added user: {"user": "admin", roles: [ { role: "root", db: "admin" }]}
- OR:
- db.createUser({user: "admin", pwd: "PASSWORD", roles: [ { role: "userAdminAnyDatabase", db: "admin"}, { role: "dbAdminAnyDatabase", db: "admin"}]})
- Successfully added user: {"user": "admin", roles: [ { role: "userAdminAnyDatabase", db: "admin"} ...
- Configure a new user and database:
- mongo
- show dbs
- admin 0.000GB
- config 0.000GB
- local 0.000GB
- use new_db
- switched to db new_db
- db.createUser({user: "app_user", pwd: "PASSWORD", roles: [{role: "dbOwner", db: "new_db"}]})
- Successfully added user: {...}
- show users
- {"_id": "new_db.app_user", ... , "roles": [{"role": "dbOwner", "db": "new_db"}]}
- Note: If you run `show dbs` now, new_db will not be listed yet. A database is displayed only after its first document has been inserted.
- Create a collection:
- db.createCollection("test")
- {"ok": 1}
- Insert a document:
- db.test.insert({name: "John Doe", complement: "the true name of this person is unknown or is being intentionally concealed"})
- WriteResult({"nInserted": 1})
- exit
- bye
- Configure Authentication:
- Use SCRAM-SHA-1 as the authentication method in MongoDB. It is more secure than the previously used MONGODB-CR. In MongoDB 3.x the default authentication mechanism is SCRAM-SHA-1, while in MongoDB 4.0 both SCRAM-SHA-1 and SCRAM-SHA-256 are enabled by default.
- Enable authentication:
- sudo nano /etc/mongodb.conf
- bind_ip = 0.0.0.0
- port = 27017
- auth = true
- sudo systemctl stop mongodb.service
- sudo systemctl start mongodb.service
- sudo systemctl status mongodb.service
Tests:
- Connect to the MongoDB server using authentication
- mongo --port 27017 -u "admin" -p "PASSWORD" --authenticationDatabase "admin"
- MongoDB shell version v3.6.3
- connecting to: mongodb://127.0.0.1:27017/
- MongoDB server version: 3.6.3
- OR
- mongo
- db.auth("admin", "PASSWORD")
- MongoDB shell version ...
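An added check, not part of the original notes: a script that audits the legacy `key = value` /etc/mongodb.conf for the settings above and, once the service has been restarted, confirms that an unauthenticated client and the database-scoped app_user are both refused access to the admin database. It assumes the config format, port and user names shown in these notes, and that APP_PW holds app_user's password.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the legacy key = value
# /etc/mongodb.conf and verify the auth behaviour of the running server.

conf_value() {
    # conf_value FILE KEY -> last uncommented value of KEY in FILE (empty if unset)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

check_mongodb_conf() {
    # Returns 0 only when auth = true; prints one finding per setting.
    conf="$1"; rc=0
    auth=$(conf_value "$conf" auth)
    bind=$(conf_value "$conf" bind_ip)
    if [ "$auth" = "true" ]; then
        echo "OK:   auth = true, clients must authenticate"
    else
        echo "FAIL: auth is '${auth:-unset}', every client gets full access"
        rc=1
    fi
    case "$bind" in
        127.0.0.1|localhost) echo "OK:   bind_ip = $bind, local clients only" ;;
        "")      echo "INFO: bind_ip unset, mongod 3.6 defaults to localhost" ;;
        0.0.0.0) echo "WARN: bind_ip = 0.0.0.0 listens on every interface;" \
                      "restrict port $(conf_value "$conf" port) with a firewall" ;;
        *)       echo "INFO: bind_ip = $bind" ;;
    esac
    return "$rc"
}

verify_auth_live() {
    # After the restart both commands are expected to fail with "not authorized":
    # 1) no credentials at all; 2) app_user (scoped to new_db) reading admin.
    # APP_PW is assumed to hold app_user's password.
    mongo --quiet --port 27017 admin \
        --eval 'db.adminCommand({listDatabases: 1})'
    mongo --quiet --port 27017 -u app_user -p "$APP_PW" \
        --authenticationDatabase new_db admin \
        --eval 'db.getSiblingDB("admin").system.users.find().count()'
}

# Usage: check_mongodb_conf /etc/mongodb.conf && verify_auth_live
```

If either command in verify_auth_live succeeds, authentication is not actually enforced or app_user holds more than the dbOwner role on new_db.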
More Information:
- To remove a database user:
- db.dropUser("user_to_remove")
- To update a database user:
- db.updateUser("user_to_update", { ... })
- To remove a database:
- use db_to_remove
- db.dropDatabase()
- To rename a database:
- mongo --port 27017 -u "<USER>" -p --authenticationDatabase "admin"
- db.copyDatabase("old-db-name","new-db-name")
- use old-db-name
- db.dropDatabase()
- Superuser Roles
- The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:
- dbOwner role - when scoped to the admin database
- userAdmin role - when scoped to the admin database
- userAdminAnyDatabase role
- The following role provides full privileges on all resources:
- root role - provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin, restore, and backup combined
References: