maas-devel team mailing list archive

Thread
Date

MongoDB Security

To: "Mass Devel" <maas-devel@xxxxxxxxxxxxxxxxxxx>
From: John Arbash Meinel <john.meinel@xxxxxxxxxxxxx>
Date: Tue, 11 Sep 2012 14:29:43 +0400
Sender: John Meinel <john@xxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.0; rv:15.0) Gecko/20120824 Thunderbird/15.0

The security model of MongoDB is pretty easy to sort out.
http://www.mongodb.org/display/DOCS/Security+and+Authentication

1) By default, there is no security. [like in Memcache]. So anyone can
   connect to your port, and do whatever they want with any database.
   You are expected that you only run the daemon in a trusted
   environment.
   At least 'apt-get install mongodb' only listens on 127.0.0.1

2) You can teach mongodb to start as 'mongodb --auth'. Which sets up
   user/password or keyfile authentication. You then get:

  a) For each named db, a user has either None, readonly, full access
  b) The 'admin' superuser has full access to everything.


There are a lot of details on the above page when you get into sharding,
replication and all that. But I think the above is pretty much it.

Also, I think to *set up* users, you have to start in no-auth mode, set
it up, and then restart with auth mode.

John
=:->