MongoDB for Developers with Python Transcripts
Chapter: Deploying MongoDB in production (and playing it safe)
Lecture: Adding authentication to MongoDB
Login or
purchase this course
to watch this video and the rest of the course contents.
0:00
So we've encrypted our MongoDB, we've got it hidden behind a firewall and listening on a non standard port, let's get into it.
0:09
Here we are connected to our Mongo, there is really nothing going on yet, it's just empty,
0:13
we haven't added our data or anything like that, but nonetheless here it is, notice there was no user name or password required to get in,
0:20
that's what we're going to fix next. So the first thing to do is we're going to run this db.create user command.
0:26
We want to create a user to admin entire database server like all of MongoDB not just wherever we happen to be,
0:35
which is called test, not an amazing name. So we're going to say use admin and now you can see db is admin so we can show collections, see what's here
0:47
and it's basically empty, but now we can run these db commands focused on creating users against admin which means kind of global.
0:55
So we're going to run this command here, paste it so I don't get it wrong because these roles have to be just so, it's very touchy,
1:03
go with this for the db admin, that's probably fine, or mongodb admin, you can take your pick
1:11
and the password is probably little wimpy, let's try to fix that. Let's go over here and run pt Python and import uuid, okay,
1:25
and then let's do something like this, print we'll call uuid that uuid4, call that, there we go,
1:44
what do you think is that a decent password? I would say so, that's going to definitely slow down some dictionary attacks.
1:52
Now over here, we got to delete this, sadly you can't paste over a selection in MacOS, alright, so we're going to run this user, this password
2:02
and now we have to specify the roles we could create like multiple users that have certain restricted access to different databases
2:11
and that's probably not a bad idea, but for this example we're just going to say this thing can admin read databases, admin any databases or clusters
2:20
by the way just because you are an admin for a database does not mean you can read and write to it
2:26
you could just create users and things like that, so you need them all. Let's try this, boom, successfully created.
2:33
Now, did magic happen when we did this? Let me copy this real quick, if I exit and I go over here and I try to connect without any authentication,
2:45
no, nothing happened; why, if we come over here and we check out our config, down here at the security, this puupy is wide open
2:58
so we need to go down and say authorization is enabled; now, if we do that and we restart MongoDB,
3:08
so service mongo d restart, probably a good idea to ask for status, also not happy, again, what have we done, let's have a look.
3:19
I think it might help if I spelled this right, not very forgiving these computers are they, all right, everything is running that's all good,
3:27
and if we try to connect to it again, now it's going to come over here and say hello you are connected right, db.version for example, like this,
3:38
right so we're connected to it, we can sort of interact with it but watch this, show dbs, failure you cannot show dbs,
3:48
in fact, you can't do anything other than basically log in. So I can come over and say db, I say this use admin db.auth
3:59
and I could set the username and password, so I could say user is this, password is whatever we want to put here,
4:11
you have to forgive me if I don't want to type that again, copy and paste that, pwd rather not password, so we could log in this way, as you'll see
4:23
now I can say show dbs, use test and so on, show collection, so I am basically authenticated at this point, right,
4:35
so I can log in this way and do this, but you probably don't want to do this, you probably don't want to do it that way,
4:41
instead you probably want to say user is this, it says pwd, I think it might be, is this
4:53
oh one more thing, I forgot, so we have the username and the password but we also have to add the authentication database being admin
5:00
there we go, okay, notice our warning about running without authentication is gone
5:09
and I can now show dbs straight away, I don't have to go do this like switch to admin, do the auth and so on.
5:16
So this is really handy for our scripts here that we're going to use later.