MongoDB Object Ownership


Lesley Kimmel

Jan 28, 2016, 4:25:26 PM
to mongodb-user
All;

I am a Systems Admin/Engineer working on a project wherein I have to secure a MongoDB to DoD standards. One of the requirements is to restrict object ownership within the database to only authorized users.

I am new to MongoDB and NoSQL. However, I've seen parallels drawn between Mongo collections and RDBMS tables. It would seem logical that the next level up would be somewhat analogous, though this next level in Mongo is 'database' and in an RDBMS it is 'schema'. In an RDBMS permissions are granted down to the schema and table level, and ownership of the schemas and tables is tracked as being owned by the user that created it. Is there a similar tracking within Mongo? From what I can see it appears that permissions are only added at the database level and there is no tracking as to who (user) created any collections or documents therein.

Can anyone expound upon any ownership mechanisms more deeply or point me to authoritative documentation?

Thanks,
-LK

Stephen Steneker

Jan 29, 2016, 8:09:38 PM
to mongodb-user

I am new to MongoDB and NoSQL. However, I’ve seen parallels drawn between Mongo collections and RDBMS tables. It would seem logical that the next level up would be somewhat analogous, though this next level in Mongo is ‘database’ and in an RDBMS it is ‘schema’.

Hi Lesley,

MongoDB (as at 3.2) does not have a similar concept of database ownership. Role-based access control can be used to restrict access to commands or data.

In MongoDB 2.6+ permissions can be granted at a collection level of granularity using custom roles; see Collection-Level Access Control. Further granularity can be achieved with field-level redaction via trusted middleware.

In an RDBMS permissions are granted down to the schema and table level, and ownership of the schemas and tables is tracked as being owned by the user that created it. Is there a similar tracking within Mongo? From what I can see it appears that permissions are only added at the database level and there is no tracking as to who (user) created any collections or documents therein.

There is currently no tracking of ownership or change history within the database metadata. However, MongoDB Enterprise does include support for flexible Auditing to an external source (file, syslog, console) as well as additional security and management features that are likely of interest for your use case.

Can anyone expound upon any ownership mechanisms more deeply or point me to authoritative documentation?
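
The collection-level access control Stephen mentions is expressed in MongoDB through custom roles whose privileges are scoped by resource documents. The following is an added example (not code from either poster or from MongoDB's own sources): it builds the createRole command document for a least-privilege role and includes a small matcher that mimics how MongoDB resource documents scope a privilege, so the grant can be reasoned about offline. The database, collection and role names are constructed placeholders.

```javascript
// Resource document semantics (MongoDB 2.6+ custom roles):
//   { db: "x", collection: "y" }  -> one collection in one database
//   { db: "x", collection: "" }   -> every collection in database x
//   { db: "",  collection: "y" }  -> collection y in every database
//   { db: "",  collection: "" }   -> every collection in every database
// System collections are treated specially by MongoDB and are not modelled here.
function resourceMatches(resource, dbName, collName) {
  if (resource.anyResource) return true;
  if (resource.cluster) return false; // cluster-wide actions, not collection data
  const dbOk = resource.db === "" || resource.db === dbName;
  const collOk = resource.collection === "" || resource.collection === collName;
  return dbOk && collOk;
}

// Build the createRole command document: one privilege per collection grant,
// with no inherited roles so the role carries nothing beyond the explicit grants.
function buildCollectionRole(roleName, dbName, grants) {
  return {
    createRole: roleName,
    privileges: grants.map(g => ({
      resource: { db: dbName, collection: g.collection },
      actions: g.actions,
    })),
    roles: [],
  };
}

// Does this role document permit `action` on dbName.collName?
function roleAllows(roleDoc, dbName, collName, action) {
  return roleDoc.privileges.some(p =>
    p.actions.includes(action) && resourceMatches(p.resource, dbName, collName));
}

// Constructed sample: analysts may read "events" and read/append to "annotations",
// and nothing else in the "reporting" database.
const analystRole = buildCollectionRole("analystReadEvents", "reporting", [
  { collection: "events", actions: ["find"] },
  { collection: "annotations", actions: ["find", "insert"] },
]);

// In mongosh the role is created in the database that owns it and then granted:
//   db.getSiblingDB("reporting").runCommand(analystRole)
//   db.getSiblingDB("reporting").createUser({ user: "analyst", pwd: "<set at creation>",
//     roles: [{ role: "analystReadEvents", db: "reporting" }] })
```

With the matcher you can check a proposed role against the accesses an application actually needs before applying it, which is how you confirm the grant is as narrow as intended.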
