Authentication and Authorization

Authentication

  • Description: Authentication verifies the identity of users accessing the MongoDB server. It ensures that only authorized users can connect to the database.
  • Methods:
    • Username/Password Authentication: Users authenticate using a username and password.
    • X.509 Certificates: Authentication using SSL/TLS certificates.
    • Kerberos Authentication: Integrates with Kerberos for secure authentication.
  • Example:
      mongo --username <user> --password <password> --authenticationDatabase <db>
    Leaving the value off --password makes the shell prompt for it instead of recording it in shell history and process listings. In MongoDB 6.0 and later the legacy mongo shell is replaced by mongosh, which takes the same options.

Authorization

  • Description: Authorization determines what authenticated users can do within the database. It involves assigning roles and permissions to users.
  • Role-Based Access Control (RBAC): Assign roles to users, which grant specific permissions on databases and collections.

Role-Based Access Control

Built-in Roles

  • Description: MongoDB provides several built-in roles with predefined permissions.

  • Examples:

    • read: Provides read access to data.
    • readWrite: Provides read and write access to data.
    • dbAdmin: Provides administrative privileges on a database.
    • clusterAdmin: Provides administrative privileges on the MongoDB cluster.
  • Example:
      db.createUser({
        user: "myUser",
        pwd: "myPassword",
        roles: [{ role: "readWrite", db: "myDatabase" }]
      });
    The user is created in the database the shell is currently using, and that is the database to pass as --authenticationDatabase when logging in. In the shell, pwd: passwordPrompt() asks for the password interactively instead of leaving it in the script or shell history.

Custom Roles

  • Description: Create custom roles with specific permissions tailored to your needs.
  • Example:
      db.createRole({
        role: "customRole",
        privileges: [
          { resource: { db: "myDatabase", collection: "" }, actions: ["find", "insert"] }
        ],
        roles: []
      });
    An empty collection name applies the privilege to every collection in myDatabase, and the empty roles array means the role inherits nothing. The role is created in the database the shell is currently using (use myDatabase first); roles defined outside admin can only hold privileges on their own database.
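
The way MongoDB turns the role definitions above into a yes/no answer for a given operation (a role's own privileges, plus whatever the roles it lists inherit, with an empty db or collection acting as a wildcard) can be modelled offline. The following script is an added example, not code from the original page or from MongoDB: the built-in role action lists are simplified assumptions, and the customRole and auditViewer definitions, databases and collections are constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# (db, collection, action); "" in db or collection is MongoDB's wildcard
Privilege = Tuple[str, str, str]

# Simplified action lists for two built-in roles. The real roles carry more
# actions; this is an assumption made for the example, not MongoDB's definition.
BUILTIN_ACTIONS: Dict[str, List[str]] = {
    "read": ["find", "listCollections", "listIndexes"],
    "readWrite": ["find", "insert", "update", "remove", "createCollection",
                  "createIndex", "listCollections", "listIndexes"],
}

# Constructed role catalog keyed by (db, role), holding what db.createRole()
# would have stored: privileges plus inherited roles.
ROLE_CATALOG: Dict[Tuple[str, str], dict] = {
    ("myDatabase", "customRole"): {
        "privileges": [
            {"resource": {"db": "myDatabase", "collection": ""},
             "actions": ["find", "insert"]},
        ],
        "roles": [],
    },
    # A narrower role: read one collection, plus inherit read on another db.
    ("reporting", "auditViewer"): {
        "privileges": [
            {"resource": {"db": "reporting", "collection": "events"},
             "actions": ["find"]},
        ],
        "roles": [{"role": "read", "db": "reference"}],
    },
}


def effective_privileges(grants: List[dict], catalog=ROLE_CATALOG,
                         _seen: Optional[Set[Tuple[str, str]]] = None) -> Set[Privilege]:
    """Flatten a user's [{role, db}] grants into (db, collection, action)
    tuples, following role inheritance. `_seen` stops cyclic definitions."""
    seen = set() if _seen is None else _seen
    privs: Set[Privilege] = set()
    for grant in grants:
        key = (grant["db"], grant["role"])
        if key in seen:
            continue
        seen.add(key)
        if grant["role"] in BUILTIN_ACTIONS:
            # A built-in role granted on a db covers every collection in it.
            privs.update((grant["db"], "", a) for a in BUILTIN_ACTIONS[grant["role"]])
            continue
        definition = catalog.get(key)
        if definition is None:
            raise KeyError(f"unknown role {grant['role']!r} in db {grant['db']!r}")
        for p in definition["privileges"]:
            res = p["resource"]
            privs.update((res["db"], res["collection"], a) for a in p["actions"])
        privs |= effective_privileges(definition["roles"], catalog, seen)
    return privs


def is_allowed(grants: List[dict], db: str, collection: str, action: str,
               catalog=ROLE_CATALOG) -> bool:
    """True if some effective privilege covers the requested operation."""
    return any(
        p_action == action and p_db in ("", db) and p_coll in ("", collection)
        for p_db, p_coll, p_action in effective_privileges(grants, catalog)
    )


if __name__ == "__main__":
    user = [{"role": "customRole", "db": "myDatabase"}]
    for db, coll, action in [("myDatabase", "orders", "find"),
                             ("myDatabase", "orders", "remove"),
                             ("otherDb", "orders", "find")]:
        print(f"customRole: {action} on {db}.{coll} ->",
              is_allowed(user, db, coll, action))
```

Running it shows the least-privilege shape of customRole: find and insert anywhere in myDatabase, nothing in other databases, and no remove even where find is allowed. Swapping in the auditViewer grant shows inheritance, since the read role it lists on reference makes that database readable without any privilege on it being written into auditViewer itself.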

Encryption: In-Transit and At-Rest

Encryption In-Transit

  • Description: Protects data while it is transmitted over the network between MongoDB clients and servers.
  • How to Enable:
    • SSL/TLS Encryption: Configure MongoDB to use TLS for encrypted communication.
  • Example:
      mongod --tlsMode requireTLS --tlsCertificateKeyFile /path/to/ssl.pem
    The older spelling --sslMode requireSSL --sslPEMKeyFile still works as a deprecated alias (the options were renamed in MongoDB 4.2). requireTLS rejects any connection that is not TLS, so clients must connect with --tls (mongosh) or tls=true in the connection string.

Encryption At-Rest

  • Description: Protects data stored on disk from unauthorized access.
  • Options:
    • Encrypted Storage Engine: Use MongoDB’s Encrypted Storage Engine (Enterprise edition, WiredTiger only) for automatic encryption of data files.
    • Filesystem-Level Encryption: Use OS-level encryption tools (e.g., LUKS on Linux) to encrypt data files; this is the option available on Community edition.
  • Example:
      security:
        enableEncryption: true
        encryptionKeyFile: /path/to/mongodb-keyfile
      storage:
        dbPath: /data/db
        engine: wiredTiger
    The Encrypted Storage Engine is switched on with security.enableEncryption rather than through a WiredTiger configString. The key file above is the local key-management option; for production MongoDB recommends an external KMIP key manager (security.kmip.*) so that the master key does not sit on the same disk as the data it protects.

Configuring Security Settings

Enable Authentication

  • Description: Ensure that MongoDB requires authentication for all database operations.
  • Example:
      security:
        authorization: "enabled"
    The command-line equivalent is mongod --auth. Create the first administrative user (for example one holding userAdminAnyDatabase on the admin database) before enabling this; after it is enabled, a server with no users only accepts user creation from a localhost connection (the localhost exception).

Configure IP Binding

  • Description: Restrict MongoDB access to specific IP addresses or network interfaces.
  • Example:
      net:
        bindIp: 127.0.0.1,192.168.1.100
    bindIp lists the local interface addresses mongod listens on, not the clients allowed to connect; client filtering still belongs in a firewall or security group. Avoid 0.0.0.0 or net.bindIpAll: true unless every interface is already shielded. Since MongoDB 3.6 the default is localhost only.
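
The Enable Authentication and Configure IP Binding settings above, together with the TLS and audit settings described on this page, are easy to check mechanically before a server goes live. The script below is an added example, not code from the original page or from MongoDB: it parses the simple key/value subset of YAML that mongod.conf uses with a small constructed parser, then reports which hardening settings a config is missing. Both config texts are constructed for the example (the weak one mirrors the defaults that tend to get exposed, the hardened one applies this page's settings).

```python
from typing import List, Tuple

# Constructed mongod.conf fragments for the example.
WEAK_CONF = """\
storage:
  dbPath: /data/db
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: "disabled"
"""

HARDENED_CONF = """\
storage:
  dbPath: /data/db
net:
  port: 27017
  bindIp: 127.0.0.1,192.168.1.100
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/ssl.pem
security:
  authorization: "enabled"
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.log
"""


def parse_simple_yaml(text: str) -> dict:
    """Parse the indentation-based `key: value` subset of YAML that mongod.conf
    uses (nested maps, scalars, # comments; no lists or anchors). Constructed
    helper for this example, not a full YAML parser."""
    root: dict = {}
    stack: List[Tuple[int, dict]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while indent <= stack[-1][0]:          # climb back to the enclosing map
            stack.pop()
        parent = stack[-1][1]
        if value == "":                        # a key with no scalar opens a nested map
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def check_config(cfg: dict) -> List[Tuple[str, str]]:
    """Return (setting, why it matters) findings for the hardening points on
    this page; an empty list means every check passed."""
    findings = []
    net, sec = cfg.get("net", {}), cfg.get("security", {})

    if sec.get("authorization") != "enabled":
        findings.append(("security.authorization",
                         "not enabled: any client that can reach the port has full access"))

    # mongod defaults to localhost when bindIp is absent (MongoDB 3.6+).
    listeners = {a.strip() for a in net.get("bindIp", "localhost").split(",")}
    if net.get("bindIpAll") == "true" or listeners & {"0.0.0.0", "::"}:
        findings.append(("net.bindIp",
                         "listens on every interface; bind to loopback and the application network only"))

    # Accept either the current net.tls block or the deprecated net.ssl spelling.
    tls_mode = net.get("tls", {}).get("mode") or net.get("ssl", {}).get("mode")
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append(("net.tls.mode",
                         "TLS not required; credentials and data cross the network in clear text"))

    if "auditLog" not in cfg:
        findings.append(("auditLog",
                         "no audit log; authentication failures and role changes leave no trail"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = check_config(parse_simple_yaml(text))
        print(f"{name}: {len(findings)} finding(s)")
        for setting, why in findings:
            print(f"  {setting}: {why}")
```

The weak config produces four findings and the hardened one none. To run it against a real server, replace the embedded text with the contents of /etc/mongod.conf; keys the parser does not understand (lists, anchors) are outside the subset it handles, so treat a parse that looks wrong as a reason to fall back to a full YAML library rather than to trust the result.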
  

Enable Auditing

  • Description: Track and log database operations for security and compliance purposes.
  • Example:
      systemLog:
        destination: file
        path: /var/log/mongodb/mongod.log
      auditLog:
        destination: file
        format: JSON
        path: /var/log/mongodb/audit.log
    Keep the system log and the audit log in separate files so the audit trail is not interleaved with diagnostics. Auditing is an Enterprise edition feature; auditLog.filter narrows what is recorded, and the events worth keeping at a minimum are authentication results and every user or role change.
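
Once the audit log is written as JSON, each line is one document, which makes it straightforward to pull out the two things a defender watches first: repeated authentication failures from one address and changes to users or roles. The script below is an added example, not code from the original page or from MongoDB. The sample records are constructed to follow the field layout of MongoDB's JSON audit output (atype, ts, remote, users, param, result; result 0 is success and 18 is AuthenticationFailed), with invented addresses, user names and timestamps, and the high-privilege watch list is an assumption chosen for the example.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed audit records, one JSON document per line.
SAMPLE_AUDIT_LOG = """\
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:01Z"},"remote":{"ip":"203.0.113.9","port":51000},"users":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:02Z"},"remote":{"ip":"203.0.113.9","port":51001},"users":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:03Z"},"remote":{"ip":"203.0.113.9","port":51002},"users":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:05:00Z"},"remote":{"ip":"192.168.1.50","port":40100},"users":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:05:04Z"},"remote":{"ip":"192.168.1.50","port":40101},"users":[{"user":"admin","db":"admin"}],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"createUser","ts":{"$date":"2024-05-01T10:06:00Z"},"remote":{"ip":"192.168.1.50","port":40101},"users":[{"user":"admin","db":"admin"}],"param":{"user":"reportBot","db":"myDatabase","roles":[{"role":"readWrite","db":"myDatabase"}]},"result":0}
{"atype":"grantRolesToUser","ts":{"$date":"2024-05-01T10:07:00Z"},"remote":{"ip":"192.168.1.50","port":40101},"users":[{"user":"admin","db":"admin"}],"param":{"user":"reportBot","db":"myDatabase","roles":[{"role":"root","db":"admin"}]},"result":0}
"""

# Audit action types that change who can do what.
PRIVILEGE_EVENTS = {"createUser", "dropUser", "grantRolesToUser",
                    "revokeRolesFromUser", "createRole", "updateRole", "dropRole"}

# Built-in roles whose grant should always be reviewed (constructed watch list).
HIGH_PRIVILEGE_ROLES = {"root", "clusterAdmin", "userAdminAnyDatabase"}


def parse_audit_log(text: str) -> List[dict]:
    """One JSON document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed_auth_by_ip(events: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Remote IPs with at least `threshold` failed authentication attempts."""
    counts = Counter(e["remote"]["ip"] for e in events
                     if e["atype"] == "authenticate" and e["result"] != 0)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def privilege_changes(events: List[dict]) -> List[Tuple[str, str, str, dict]]:
    """(timestamp, action, acting user, parameters) for every successful user/role change."""
    out = []
    for e in events:
        if e["atype"] in PRIVILEGE_EVENTS and e["result"] == 0:
            actor = ",".join(f"{u['user']}@{u['db']}" for u in e.get("users", [])) or "<none>"
            out.append((e["ts"]["$date"], e["atype"], actor, e["param"]))
    return out


def high_privilege_grants(events: List[dict]) -> List[Tuple[str, str, str]]:
    """(user, db, role) for each grant of a role on the watch list."""
    return [(e["param"]["user"], e["param"]["db"], r["role"])
            for e in events
            if e["atype"] in ("createUser", "grantRolesToUser") and e["result"] == 0
            for r in e["param"].get("roles", [])
            if r["role"] in HIGH_PRIVILEGE_ROLES]


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("repeated auth failures:", failed_auth_by_ip(events))
    for ts, atype, actor, param in privilege_changes(events):
        print(ts, atype, "by", actor, "->", param.get("user"), param.get("roles"))
    print("high-privilege grants:", high_privilege_grants(events))
```

On the sample, the one address with three failures is reported while the single failure followed by a success from the administrator's own address is not, and the grant of root to reportBot is surfaced separately from the routine createUser. The `users` array on each record is the authenticated principal performing the action, so it is the field to attribute a change to; `param.user` is the account being changed.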