Untitled

Users & Roles
================

There are a number of predefined roles:

root - All powerful. Use with caution
userAdminAnyDatabase - Can create users and assign roles on any database. Use with caution
userAdmin - Can only create users and assign roles in a specific database
read - Read collections in a specific database.
readWrite - Read and Write to a specific database


> db.getUsers()
or
> db.system.users.find()

STEP - 1
========

Add Users Before Enabling Access Control

Create Admin User :: -

The first thing is to create an admin user, go to the mongo shell
connect to the `admin' database

The first user should be an admin user that can manage the database.

create a user and assign him the role userAdminAnyDatabase

use admin

var user = {
    "user" : "root",
    "pwd" : "toor",
    roles : [
	{
	    "role" : "userAdminAnyDatabase",
	    "db" : "admin"
	}
    ]
}

db.createUser(user);

How to check user created or not ?
-----------------------------------

db.getUsers()
[
	{
		"_id" : "admin.root",
		"user" : "root",
		"db" : "admin",
		"roles" : [
			{
				"role" : "userAdminAnyDatabase",
				"db" : "admin"
			}
		]
	}
]


STEP - 2
========
Enabling Access Control ::

in /etc/mongod.conf

security:
   authorization: enabled

after updating config file we need to restart the mongo instance.

STEP - 3
========
Here after we can use user name and pass for access database.

If you enter with out user and pass, you will see these kind erros,

> show databases;
2016-06-05T08:05:22.960+0530 E QUERY    [thread1] Error: listDatabases failed:{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
	"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
>

$mongo admin -u root -p
MongoDB shell version: 3.2.5
Enter password:
connecting to: admin
>

STEP - 4
========

let's create application User for read/Write

Before we need to create application user, we need to go the perticular database

> use hermes;

var user = {
    "user" : "appuser",
    "pwd" : "app123",
    roles : [
        {
            "role" : "readWrite",
            "db" : "hermes"
        }
    ]
}

db.createUser(user);

let's verify

> db.getUsers()
[
	{
		"_id" : "hermes.appuser",
		"user" : "appuser",
		"db" : "hermes",
		"roles" : [
			{
				"role" : "readWrite",
				"db" : "hermes"
			}
		]
	}
]
>

STEP - 5
========

let's create readonly user to read any database

$mongo admin -u admin -p

var user = {
    "user" : "reporting",
    "pwd" : "abc123",
    roles : [
        {
            "role" : "readAnyDatabase",
	    "db" : "admin"

        }
    ]
}

db.createUser(user);
exit

> db.products.insert({ "title" : "MongoDB in Action"  });
WriteResult({
	"writeError" : {
		"code" : 13,
		"errmsg" : "not authorized on hermes to execute command { insert: \"products\", documents: [ { _id: ObjectId('5753d9af680d6e283c83138f'), title: \"MongoDB in Action\" } ], ordered: true }"
	}
})
>

If you try to insert/update/delete document you will receive an exception.

How to update the user role:
=============================
use admin

db.updateUser( "admin",
               {

                 roles : [
                           { role : "root", db : "admin"  }
                         ]
                }
             )


Enforce-keyfile-access-control
===================================
cd /var/lib/mongo
openssl rand -base64 755  > dv_mongo.key
chmod 400 dv_mongo.key
chown mongod: dv_mongo.key

security:
    authorization: enabled
    keyFile: /var/lib/mongo/dv_mongo.key

NOTE :: dv_mongo.key file copy to all slave machine.