Closed O1O1O1O closed 9 years ago
I confirm you that RESTHeart requires listDatabases permission.
However a strong security isolation can be achieved via mongo-mounts configuration option.
For instance, the following configuration only exposes the two databases db1 and db2 and the collection db3.coll (note that you can also bind the resources to a custom URL, in this case under the /api prefix)
# Use mongo-mounts to bind URls to mongodb resources using the out-of-the-box URL rewrite feature.
mongo-mounts:
- what: "/db1"
where: /api/db1
- what: "/db2"
where: /api/db2
- what: "/db3/coll"
where: /api/db3/coll
The suggested mongodb user roles are readWrite and dbAdmin on the databases and bakcup on admin, as follows:
db.createUser({user: "mongousr",
pwd: "secret",
roles: [ {role: "readWrite", db: "db1"},
{role: "dbAdmin", db: "db1"},
{role: "readWrite", db: "db2"},
{role: "dbAdmin", db: "db2"},
{role: "readWrite", db: "db3"},
{role: "dbAdmin", db: "db3"},
{role: "backup", db: "admin"}]})
Note that the backup roles includes the listDatabases permission (that provides minimal privileges needed for backing up data; reference: http://docs.mongodb.org/manual/reference/built-in-roles/#backup-and-restoration-roles).
Regarding the write permission on the _properties collection: when RESTHeart accesses a dababase (that might not be created by it), it creates it eventually (this also occurs on server startup). If you isolate the exposes resources, there is no need to have write permission on other databases.
@O1O1O1O for your information the latest release 1.1.0 allows to connect with mongodb using just read or readWrite roles.
the dbAdmin role and listDatabases permission are no longer needed!
more info at http://www.softinstigate.com/blog/2015/12/08/what-is-new-in-RESTHeart-1.1.0/
I'm trying to use Restheart against a database for which my user does not have listDatabases permission (as a security precaution). Even if I access GET /dbname/collection Restheart still tries to get database properties which in turn asks if the database exists.
Maybe there could be an option to lock Restheart into a specific database and have it skip the existence check?
Then again looking at the code it looks like Restheart also needs write access to add a _properties collection to each database so perhaps this is a moot point if you also have read only access only such as a read only replica.