MongoDB for Developers with Python Transcripts
Chapter: Deploying MongoDB in production (and playing it safe)
Lecture: Adding authentication to MongoDB
0:00 So we've encrypted our MongoDB,
0:03 we've got it hidden behind a firewall and
0:05 listening on a non standard port, let's get into it.
0:08 Here we are connected to our Mongo,
0:10 there is really nothing going on yet, it's just empty,
0:12 we haven't added our data or anything like that, but nonetheless here it is,
0:16 notice there was no user name or password required to get in,
0:19 that's what we're going to fix next.
0:21 So the first thing to do is we're going to run this db.create user command.
0:25 We want to create a user to admin entire database server
0:30 like all of MongoDB not just wherever we happen to be,
0:34 which is called test, not an amazing name.
0:38 So we're going to say use admin and now you can see db is admin
0:44 so we can show collections, see what's here
0:46 and it's basically empty, but now we can run these db commands
0:50 focused on creating users against admin which means kind of global.
0:54 So we're going to run this command here, paste it so I don't get it wrong
0:59 because these roles have to be just so, it's very touchy,
1:02 go with this for the db admin, that's probably fine,
1:07 or mongodb admin, you can take your pick
1:10 and the password is probably little wimpy, let's try to fix that.
1:18 Let's go over here and run pt python and import uuid, okay,
1:24 and then let's do something like this, print
1:37 we'll call uuid that uuid4, call that, there we go,
1:43 what do you think is that a decent password?
1:47 I would say so, that's going to definitely slow down some dictionary attacks.
1:51 Now over here, we got to delete this,
1:55 sadly you can't paste over a selection in MacOS,
1:58 alright, so we're going to run this user, this password
2:01 and now we have to specify the roles
2:04 we could create like multiple users
2:06 that have certain restricted access to different databases
2:10 and that's probably not a bad idea, but for this example
2:12 we're just going to say this thing can admin read databases,
2:17 admin any databases or clusters
2:19 by the way just because you are an admin for a database
2:22 does not mean you can read and write to it
2:25 you could just create users and things like that, so you need them all.
2:28 Let's try this, boom, successfully created.
2:32 Now, did magic happen when we did this?
2:34 Let me copy this real quick, if I exit and I go over here
2:42 and I try to connect without any authentication,
2:44 no, nothing happened; why, if we come over here and we check out our config,
2:52 down here at the security, this puupy is wide open
2:57 so we need to go down and say authorization is enabled;
3:05 now, if we do that and we restart MongoDB,
3:07 so service mongo d restart, probably a good idea to ask for status,
3:12 also not happy, again, what have we done, let's have a look.
3:18 I think it might help if I spelled this right,
3:20 not very forgiving these computers are they,
3:23 all right, everything is running that's all good,
3:26 and if we try to connect to it again, now it's going to come over here and say
3:31 hello you are connected right, db.version for example, like this,
3:37 right so we're connected to it, we can sort of interact with it
3:42 but watch this, show dbs, failure you cannot show dbs,
3:47 in fact, you can't do anything other than basically log in.
3:51 So I can come over and say db, I say this use admin db.auth
3:58 and I could set the username and password, so I could say
4:04 user is this, password is whatever we want to put here,
4:10 you have to forgive me if I don't want to type that again, copy and paste that,
4:14 pwd rather not password, so we could log in this way, as you'll see
4:22 now I can say show dbs, use test and so on, show collection,
4:30 so I am basically authenticated at this point, right,
4:34 so I can log in this way and do this, but you probably don't want to do this,
4:38 you probably don't want to do it that way,
4:40 instead you probably want to say user is this,
4:44 it says pwd, I think it might be, is this
4:52 oh one more thing, I forgot, so we have the username and the password
4:56 but we also have to add the authentication database being admin
4:59 there we go, okay, notice our warning about running without authentication is gone
5:08 and I can now show dbs straight away, I don't have to go do this like
5:12 switch to admin, do the auth and so on.
5:15 So this is really handy for our scripts here that we're going to use later.