db.createUser() command

db.createUser({
  // Authentication: the account name goes in the "user" field
  user: "[email protected]",
  pwd: "hello123",
  // Authorization: roles are granted per database
  roles: [
    { role: "read", db: "accounts" },
    { role: "readWrite", db: "analytics" }
  ]
})

Task: Provide QA that a database is secure by running the following commands:
db.accounts.find( {}, { name: 1, ssn: 1 } )
db.employees.dropIndexes()
db.dropDatabase()
Feedback: This database allows users to perform commands without authenticating first, which is a security vulnerability.
Solution:
mongod.conf
security:
  authorization: enabled
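
A configuration check for the fix above, as an added example that is not part of the original page: it reads the text of a mongod.conf and reports whether security.authorization is enabled, including the case where indentation is lost and the key no longer sits under security. The function names and sample configurations are assumptions constructed for illustration; the parser covers only nested key: value mappings, not full YAML, and it inspects the file only, not command-line options.

```javascript
// Added example (not from the original page). Parses only the nested
// "key: value" mappings that mongod.conf uses, not full YAML.
function readSetting(confText, dottedKey) {
  const stack = []; // enclosing keys with their indentation
  for (const raw of confText.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, ""); // drop comments
    const m = /^(\s*)([A-Za-z0-9_]+):\s*(.*)$/.exec(line);
    if (!m) continue;
    const indent = m[1].length;
    // Leave every section that is not a parent of this line.
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    stack.push({ indent, key: m[2] });
    const value = m[3].trim().replace(/^["']|["']$/g, "");
    if (value !== "" && stack.map((s) => s.key).join(".") === dottedKey) return value;
  }
  return undefined;
}

function auditAuthorization(confText) {
  const value = readSetting(confText, "security.authorization");
  if (value === undefined) {
    return { ok: false, reason: "security.authorization is not set in this file" };
  }
  if (value !== "enabled") {
    return { ok: false, reason: `security.authorization is "${value}"` };
  }
  return { ok: true, reason: "access control is enabled" };
}

// Constructed sample configurations.
const SAMPLES = {
  hardened: "security:\n  authorization: enabled\n",
  flattened: "security:\nauthorization: enabled\n", // indentation lost
  commentedOut: "security:\n  # authorization: enabled\n",
  disabled: "net:\n  port: 27017\nsecurity:\n  authorization: disabled\n",
  otherSection: "net:\n  authorization: enabled\n",
};

for (const [name, text] of Object.entries(SAMPLES)) {
  const { ok, reason } = auditAuthorization(text);
  console.log(`${name}: ${ok ? "PASS" : "FAIL"} (${reason})`);
}
```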