Day 7 - Authentication and Authorization in MongoDB

Authentication verifies the identity of a user while Authorization determines the user's access to resources and operation
To create a new user in the database, we use db.createUser() command.
It takes in one parameter i.e. the document that contains all the information that mongodb saves about each user.

db.createUser({
	// Authentication
	username: "[email protected]",
	pwd: "hello123",
	
	// Authorization
	roles: [
		{role: "read", db: "accounts"},
		{role: "readWrite", db: "analytics"}
	]
})

Lab

Task Provide QA that a database is secure by running the following commands

db.accounts.find( {}, { name: 1, ssn: 1 } )
db.employees.dropIndexes()
db.dropDatabase()

Feedback This database allows the users to perform commands without authenticating first, which is a security vulnerability.
Solution
- Update the mongoDB configuration file to enforce authentication. We can fo this by adding the following section to the mongod.conf
```
security:
	authorization: enabled
```
- Shut down the current mongo db server with the old configuration
- Restart the mongodb server with the new configuration