Mongo DB Authorization Model

Mongo DB Authorization Model

The authorization verifies user privileges. MongoDB supports different kinds of authorization models. Role-based access control
Role is a group of privileges and actions over resources gained by users over a given namespace (Database). Actions are performed on resources, and resources are any object that holds a state in the database.

Built-in database user roles and database administration roles exist in each database.

Database User Roles

  1. read
  2. readwrite

LDAP Authorization

LDAP (Lightweight Directory Access Protocol) is an open and cross-platform protocol used for directory services authentication. LDAP provides the communication language applications use to communicate with other directory services servers.

MongoDB Enterprise supports querying an LDAP server for the LDAP groups to which the authenticated user belongs. MongoDB maps each returned group's distinguished names (DN) to roles on the admin database. MongoDB authorizes the user based on the mapped roles and their associated privileges. See LDAP Authorization for more information.

MongoDB Enterprise supports querying an LDAP server for the LDAP groups to which the authenticated user belongs. MongoDB maps each returned group's distinguished names (DN) to roles on the admin database. MongoDB authorizes the user based on the mapped roles and their associated privileges. See LDAP Authorization for more information.

  • A client connects to MongoDB and performs authentication with any authentication mechanism that supports external authentication.
  • To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), the usernames cannot be greater than 10k bytes.
  • MongoDB binds to the LDAP server specified with security.LDAP.servers using the credentials specified with security.LDAP.bind.queryUser and security.LDAP.bind.queryPassword.

MongoDB uses simple binding by default but can use sasl binding instead if configured in security.LDAP.bind.method and security.LDAP.bind.saslMechanisms.

MongoDB can use security.LDAP.userToDNMapping option to transform the username for supporting the query template.

  1. The LDAP server evaluates the query and returns the list of groups to which the authenticated user belongs.
  2. MongoDB authorizes the user to perform actions on the server by mapping each returned group's Distinguished Name (DN) into a role on the admin database. If a returned group DN exactly matches the name of an existing role on the admin database, MongoDB grants the user the roles and privileges assigned to that role. See MongoDB Roles for LDAP Authorization for more information.
  3. The client can perform actions on the MongoDB server which require the roles or privileges granted to the authenticated user.
  4. At an interval defined by ldapUserCacheInvalidationInterval, MongoDB flushes the $external cache. Before executing subsequent operations performed by externally authorized users, MongoDB re-acquires their group membership from the LDAP server.