Is there any way to use Linux integrated security for MongoDb? - security

We have c# web app connecting MongoDb deployed on Linux server. The idea is to use single designated Linux account for our web application to login and connect into MongoDb. As I understand from what I read, MongoDb does not support integrated security at all by default, it supposed to have its own user database with passwords, and no roles too, right? If so, I wonder if there is any separate third-party framework/tool or something that helps me use desired approach?
Other than that, if you know good online article regarding best practices to implement Security for Mongo in web applications, like where and how to store users and encrypted passwords etc., please give me a link.

please give me a link.
I did some security documentation a few months ago for MongoDB and it can be found here, this should be your starting point.
As I understand from what I read, MongoDb does not support integrated security at all by default, it supposed to have its own user database with passwords, and no roles too, right?
Up until MongoDB 2.2, authentication and authorisation is all local.In 2.2, there is limited RBAC (Role Based Access), i.e. two roles "read" and "write", with "write" being able to do everything on that database, i.e. admin.
Things will change in 2.4 with new roles:
name description of privilege
read ability to query data in any collection in the database, other than 'system.users', and also ability to run any command without an A or W attribute
readWrite everything permitted by 'read' privilege, and also the ability to insert, update,
or remove documents or indexes in any collection other than 'system.users', and also the ability to run any command without an A attribute
userAdmin ability to read and write the 'system.users' collection
dbAdmin ability to run admin commands affecting a single database; see list below
serverAdmin ability to run admin commands affecting the entire database server; Can only be set on admin database; see discussion
clusterAdmin admin commands for a cluster of shards or a replica set; Can only be set on admin database
as documented here. This enhanced RBAC will be available in all versions of MongoDB from 2.3.2 (development build) and the next production release, 2.4.0.
With MongoDB 2.4, there will also be the ability to use Kerberos for authentication, however, this delegated authentication will only be available in the Enterprise builds, which require a Commercial Support contract for us.
There is currently nothing within MongoDB that enforces password complexity but obviously in 2.4 with Kerberos, the KDC can do this. You will manually have to ensure (through your internal password policy etc) that users realise the issues of using non-complex passwords and re-using the same passwords on multiple devices. Assuming you are running 2.2, all logins, passwords and permissions for MongoDB access are stored in the system.users collection under each database. Here is the exact link to the documentation that you should read.

Related

When it comes to privileges management, is Active Directory still a match against Node.js modules?

I am currently working on a web app that will have to handle users and user privileges (like in most web projects). I intend to develop it around Node.js which seems to solve most of my constraints. But I have been advised to use an "Active Directory"-like structure for privileges management and query it using LDAP.
So I'm wondering, is it still relevant nowadays to use an "Active Directory"-like structure to authenticate users/handle privileges ? Node seems to have enough to offer regarding that aspect (I'm thinking of Passport) with a storage of the Users and their privileges in a database.
In my data model, I know that I will have to deal with Users, that belong to Departments. These departments have Projects, that Users can belong to (multiple or none). I thought a relational or a non-relational database was going to be the perfect match, but now I hesitate.
Thank you
The biggest benefit of using Windows Authentication in a website is if an organization is already using Active Directory, because it can enable seamless login. Your users wouldn't have to put in their credentials at all, and you already know who they are.
Setting up an Active Directory domain just for user management of one app is way overkill, for sure. For example, Lynda.com has a 2-hour course just about installing Active Directory.
Using something like OpenLDAP would be simpler, but still overkill in this scenario.
They're designed to manage, not just users, but computers, groups, policies, relationships to the external world...
If all you need is user and permission management for one application, then you're better off using something else.

What is the standard way to represent "business-logic users" in CouchDB?

I'm new to couchDB and still reading tutorials. My question is if it is the normal way to represent every user of my application as a new database user, as it seems to be explained that way everywhere I look?
Let's say I have an online game with many different players - would I create a new "database user" for every player who registers? Or would I make my own database "players" and create a sign-in logic in the app? Not being used to document-driven DB's it seems strange to me not to distinguish between db-users and users of my application...
You could do it either way. First about couchdb users
Users in couchdb are stored in a special _users database
Database permissions are handled by a special _security document. This is specific to every database.
In security documents you add users that you have already stored in the _users database previously.
So you can certainly create a database per user. Before doing that ask yourself if the data that you store in each database is truly independent. Because you can't run map reduce queries across databases. So if you are planning to do aggregation across data for different users then this approach will not work.
Couchdb can also help you with app level authentication. Since couchdb uses a cookie based authentication:
Store your "business logic users" in the special _users database.
Authenticate it with the _session endpoint.
Extract the cookie header and sent it with your application headers.
All the logic for authentication is implemented for you by couchdb. All you have got to do is manipulate headers. Send the cookie from your application and when authenticating with couchdb send it with couchdb's headers.
If you prefer to write entire session management in your application that is fine too. In this case simply store the users in your database and verify that they exist before authenticating them. Like you would do with another database.
The benefit of using couchdb is that it is secure by default --using pbkdf2 encryption scheme to encrypt passwords.
If you instead want to manage all docs using a single database, but still implementing read/write ACLs, you can check the Chatty Couchapp Tutorial app from Smileupps App Store
It's a pure couchapp, relying on CouchDB only as its backend. The tutorial is still work in progress but the couchapp is fully working and you can download its source code.
It implements role/user based read/write ACLs using a single CouchDB database. This way you don't have to setup N replications where N depends on the number of your users. You only have one database containing all your data, easy to be queried on the fly(with temporary views) and for maintenance operations. Of course you can decide to increase the number of database, depending on type of your data and use cases.
A single couchapp contains all the necessary code for frontend, admin dashboard and server side API implementing business rules
The user, depending on his roles have different access to different sections. i.e. he can access the frontend website, but not the admin dashboard.
You can install the free trial, then download the source code with Smileupps deployment tools, change it, upload it back and check your changes.

Restrict user access to some docs in CouchDB

I am very new to the CouchDB world! I have a database that can be read by all users, and also can edit the docs except for the design docs. Is there a way I can make a specific user edit only the doc that was created by him/her. I am using CouchApp nd the jquery.couch.js plugin
CouchDB doesn't have per-document permissions, only per-database permissions. If you grant write access to a user, he has write access to all the documents in the database.
Assuming you avoid making all users admin and that you use CouchDB's build-in authentication mechanism, I think that's the default behaviour.
For creating regular users, see Creating regular users in CouchDB.
For more details about how the user authentication and authorization actually works, see Security Features Overview, specifically the section below "Authentication database", which outlines the built in rules in CouchDB.
Only admin users can create new users, but there's nothing stopping your from having a program logging in and doing it automatically (using an admin user, this is assuming you are looking for some kind of "Registration" process where you would do for instance email validation through some other software of yours).

CouchDB Authorization Logic?

I did read http://guide.couchdb.org/draft/security.html and
and the previous question
CouchDB Authorization on a Per-Database Basis
and
http://wiki.apache.org/couchdb/Security_Features_Overview
I am currently using Apache CouchDB 1.2.0 and via futon the adding an admin result in
adding a user at _users for example
_id
org.couchdb.user:stackoverflow
_rev
1-b9f223532b662d4ac52d14082d81e6a5
name
stackoverflow
password
null
roles
[ ]
type
user
So the first question is why the admin is added as type user and not admin is puzzling. This users are admin as they can do anything in any database and the role is empty BUT I did protect the _users document with
["admin"]
roles as the only members and only admins can access this (even if their role in the _users document is empty).
This protection does not allow new "normal" users to be created so the futon "signup" command will return Signup error: You are not authorized to access this db.
I think this setup is the only logical one. Why would you want anyone to be able to create a user on your database ??
Even if you specify read access in a db to be only for one admin every admin can access it
(
" admins" : {
"names" : ["guru"],
"roles" : ["boss"]
},
"readers" : {
"names" : ["guru"],
"roles" : ["boss"]
}
}
the above case has no impact on the newly created stackoverflow admin as per above example.
So my assumption is that admins created via futon can do everything and anything regardless. The only confusing logical part is the _users documents where they have no special type (they are users) nor a special role.
So back to the concrete question:
- when adding an admin via futon why is it not marked as admin inside the _users document and how does CouchDB from that document determine that it is a wide system admin?
- if you want to create a normal user WITHOUT allowing them to signup (via futon or direct HTTP Request) you have to protect the _users document. Yet how would you go to create yourself a user to read/write on his own database ?
- As the user (per CouchDB Docs) will have the read/write rights on a DB but not the possibility to create design documents how can he really use it efficiently as views will be needed for anyone developing using the DB?
It should be possible to have a normal, simply multi hosting without jeopardizing security as there is a shared CouchDB offering at http://www.iriscouch.com/ so I just don't understand how logically you would structure a simple service where a user has his own database and can do anything but just on this database. As the admin role is anyway "user" how would you distinguish them from a non admin in the _users table ?
Why is the admin added as a normal user and not an admin?
CouchDB is similar to Windows's Active Directory, or Unix NIS and LDAP: most users have "normal" accounts, however the admin account (e.g. Windows "Administrator", or Unix "root") does not use the normal accounting system, but rather a much simpler system (the local.ini config file).
If the account and authentication system ever has a problem, you can still log in as the admin and fix it.
Do I need to add the "_admin" role to a user?
No, the admin role (the role "_admin") does not come from the user's document, but only from the configuration, in the "admins" section.
How come all admins can read the database?
By creating an admin in the global configuration (either editing the local.ini file, or using Futon's "Configuration" tab, or clicking the "Fix this" link in Admin Party), you created a system admin. System admins have access to all data, always (similar to Windows Administrator and Unix root).
CouchDB supports database admins which are normal users. Those users have admin access only to a database, not to anything else, such as other databases, or the server config. Database admins are set in the "Security" section, by adding a user's name or role to the "Admins" lists.
The concrete question: - when adding an admin via futon why is it not marked as admin inside the _users document and how does CouchDB from that document determine that it is a wide system admin?
When adding an admin via Futon, two things happen
A normal user is created (with no valid password in fact)
The same user name is added to the system configuration "admins" section. GET /_config/admins/the_username to see it. (That's what Futon's configuration tab does.)
In other words, CouchDB does not know it is a wide system admin from the document but rather from the config. If you delete that config entry, the user is "demoted" back to a normal user.
Side note about Iris Couch
It can be a little confusing at first, but the CouchDB user and security system is pretty simple and powerful once you learn it. But each Iris Couch users have entire CouchDB servers. If you sign up, you have an account at Iris Couch, but you have an entire CouchDB server to use. Inside that server, you can create multiple users for your own applications.

Connecting to a Database with WinAuth

In response to a question I asked about a week ago I changed our database engine to only accept Windows Authentication instead of SQL Authentication. Because our code runs in a different user context then that of the database connection we need to specify the username and password information in order for us to connect to the database. How do we do this using a ConnectionString? Remember, we are not using SQL Authentication anymore.
Thanks,
On your SQL Server instance, you need to add the domain group under the Security node (the one in the main server group, not in the individual databases). Under that node, the end result would be an item that resembles
<Your Domain>\Domain Users
Then in your application (Windows or Web) connection strings you want to set integrated security to be TRUE, and elsewhere, you need to set Impersonation to also be True. I am being vague here because the methods vary by application type.
Hopefully that sets you on the correct path.
Since you are using only Windows authentication, you can't in the connection string. The calling process will need to impersonate a windows principle (user) with the relevant access permissions.

Resources