Content Store authentication
The Content Store can be configured to use authentication on the database level. Authentication is the process of verifying the identity of a client. When access control (authorization) is enabled, MongoDB requires all clients (for example the Xill4 application) to authenticate themselves to determine their access.
Although authentication and authorization are closely connected, authentication is distinct from authorization:
Authentication verifies the identity of a user.
Authorization determines the verified user's access to resources and operations.
Enable Role-Based Access Control (RBAC) to govern each user's access to database resources and operations.
Configuration
To enable Role-Based Access Control, you need to add the following to your config file: Program Files/mongodb/server/x.x/bin/mongod.cfg:
security:
authorization: enabled
Configuring Role-Based Access Control
1. Start MongoDB without access control:
Start a standalone MongoDB instance without access control.
2. Create the user administrator using mongosh (MongoDB Shell)
Localhost Exception: You can create the user administrator either before or after enabling access control. If you enable access control before creating any user, MongoDB provides a localhost exception which allows you to create a user administrator in the admin database. Once created, you must authenticate as the user administrator to create additional users.
-
switch to the admin database
-
add the myUserAdmin user with the userAdminAnyDatabase and readWriteAnyDatabase roles:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(),
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
]
}
)
userAdminAnyDatabase: Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster.
dbAdminAnyDatabase: Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management.
readWriteAnyDatabase: Provides all the privileges of the read role plus ability to modify data on all non-system collections and the system.js collection.
You can assign your user additional built-in roles or user-defined roles if needed. The database where you create the user, in this example admin, is the user's authentication database. Although the user needs to authenticate to this database, the user can have roles in other databases. The user's authentication database doesn't limit the user's privileges.
3. Re-start the MongoDB instance with access control
After configuring the user administrator, restart the MongoDB instance with access control enabled.
Clients that connect to this instance must now authenticate themselves and can only perform actions as determined by their assigned roles.
4. Connect and authenticate as the user administrator using mongosh
Authenticate during Connection:
Start mongosh with the -u <username>, -p, and the --authenticationDatabase <database> command line options:
mongosh --port 27017 --authenticationDatabase \ "admin" -u "myUserAdmin" -p
Enter your password when prompted.
Authenticate after Connection:
Start mongosh with the -u <username>, -p, and the --authenticationDatabase <database> command line options:
Using mongosh, connect to your database deployment:
mongosh --port 27017
In mongosh, switch to the authentication database (in this case, admin), and use the db.auth(<username>, <pwd>) method to authenticate:
use admin
db.auth("myUserAdmin", passwordPrompt()) -- or cleartext password
Enter your password when prompted.
5. Setup Xill4 to use authorization
To use Xill4 with authentication enabled, use the following format for the connection string:
mongodb://<username>:<password>@localhost:27017/<databaseName>
Note searchParam authSource will be automatically set to admin if both:
- connection string contains authentication
- searchParam
authSourcehas not been set
Note make sure to change the XILL4_SYSTEM_MONGO_CONNECTION & XILL4_MONGO_CONNECTION environment variables and configuration in components that use mongo connection to the new connection string format.