UNPKG

mongodb-security

Version:

Portable business logic of MongoDB security model

github.com/mongodb-js/compass

mongodb-js/compass

107 lines (77 loc) 3.19 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# mongodb-security [![npm][npm_img]][npm_url] > Portable business logic of MongoDB security model, mostly string formatting. ## Usage ``` js var security = require('mongodb-security'); security.humanize({cluster: true}) .should.equal('For the deployment'); security.humanize({collection: 'users', db: 'mscope'}) .should.equal('On mscope.users'); security.humanize({collection: '', db: 'mscope'}) .should.equal('On any any collection in the mscope database'); security.humanize({collection: 'users', db: ''}) .should.equal('On the users collection in any database'); ``` ## Example ``` js var MongoClient = require('mongodb').MongoClient; var security = require('../'); var format = require('util').format; var username = 'reportsUser'; var password = 'foo'; var authDB = 'reporting'; var url = 'mongodb://localhost:30000/%s'; MongoClient.connect(format(url, authDB), function(err, db) { if (err) { throw err; } // log in as that user db.authenticate(username, password, function(err, res) { // get the user info with privileges db.command({ usersInfo: { user: username, db: authDB }, showPrivileges: true }, function(err, res) { if (err) { throw err; } var user = res.users[0]; console.log(JSON.stringify(user, null, 2)); // check if user has listDatabases privilege with cluster resource var listDatabasesAllowed = security.getResourcesWithActions( user, ['listDatabases']).length === 1; // if allowed, run listDatabases command, if not, set to []. // merge with databases from user info on which the user is allowed to // call listCollections var databases = security.getResourcesWithActions( user, ['listCollections'], 'database').map(function(resource) { return resource.db; }); console.log('user can run listCollections on:', databases); // run listCollections on all databases, gather all namespaces // add required privilege actions here // @see https://docs.mongodb.org/manual/reference/privilege-actions/ var compassActions = ['find', 'collStats']; // combine namespaces with ones that user has find+collStats privilege var namespaces = security.getResourcesWithActions( user, compassActions, 'collection').map(function(resource) { return resource.db + '.' + resource.collection; }); console.log('user can run find + collStats on:', namespaces); db.close(); }); }); }); ``` ## api ### `security.humanize(:resource)` Take the `:resource` of a MongoDB grant and hand back a literate sentence prefix. ## todo - [ ] tests - [ ] move jade mixins currently in scope over hear - [ ] use [@imlucas/mongodb-ns](http://github.com/imlucas/mongodb-ns) [npm_img]: https://img.shields.io/npm/v/mongodb-security.svg?style=flat-square [npm_url]: https://www.npmjs.org/package/mongodb-security