Hiding Fields in MongoDB: Views and Custom Roles
Let's see how a custom role, combined with a MongoDB View, can hide sensitive information from the client.
Join the DZone community and get the full member experience.
Join For FreeSome time ago, we wrote about how personalized roles may help you give specific permissions when it is needed. This time, we want to discuss how a custom role, combined with a MongoDB View, can hide sensitive information from the client.
Hiding Fields in MongoDB
Suppose you have a collection that needs to be shared with a different team, but this team should not be able to see some fields — in our case, to make it easy: the salary field.
Views in MongoDB can hide sensitive information and change the data visualization as needed. It was discussed here. For this example, we will use the collection employee with some data with a user that has permission. Let's insert some objects in the Percona database:
use percona
db.employees.insert({ "_id" : ObjectId("5ce5e609444cde8078f337f2"), "name" : "Adamo Tonete",
"salary" : { "year" : 1, "bonus" : 1 } })
db.employees.insert({ "_id" : ObjectId("5ce5e616444cde8078f337f3"), "name" : "Vinicius Grippa",
"salary" : { "year" : 1, "bonus" : 1 } })
db.employees.insert({ "_id" : ObjectId("5ce5e627444cde8078f337f4"), "name" : "Marcos Albe",
"salary" : { "year" : 1, "bonus" : 1 } })
db.employees.insert({ "_id" : ObjectId("5ce5e63f444cde8078f337f5"), "name" : "Vinodh Krishnaswamy",
"salary" : { "year" : 1, "bonus" : 1 } })
db.employees.insert({ "_id" : ObjectId("5ce5e655444cde8078f337f6"), "name" : "Aayushi Mangal",
"salary" : { "year" : 1, "bonus" : 1 } })Then let's create a view for this collection:
db.createView('employees_name', 'employees',
[{ $project: { _id: 1, name : 1 } } ]
)If we type show dbs; we will be able to see both collections, so, a read-only user is still able to read the employees collection.
In order to secure the employees' collection, we are creating a custom role that one has permission to see the employees_names collection and nothing else. In that way, the fields salary will never exist to the user:
use admin
db.createRole(
{
role: "view_views",
privileges: [
{ resource: { db: "percona", collection: "system.views" }, actions: [ "find" ] },
{ resource: { db: "percona", collection: "employees_name" }, actions: [ "find","collStats"]}
],
roles: [
{ role: "read", db: "admin" }
]
}
)Then we will create a user that only has permission to read data from the view (belongs to the role "view_views");
db.createUser({user : 'intern', pwd : '123', roles : ["view_views"]})Now the user can only see the collection employees_name in the Percona database and nothing else.
Running the query as the user intern:
> show dbs
admin 0.000GB
percona 0.000GB
> use percona
switched to db percona
> db.employees_name.find()
{ "_id" : ObjectId("5ce5e609444cde8078f337f2"), "name" : "Adamo Tonete" }
{ "_id" : ObjectId("5ce5e616444cde8078f337f3"), "name" : "Vinicius Grippa" }
{ "_id" : ObjectId("5ce5e627444cde8078f337f4"), "name" : "Marcos Albe" }
{ "_id" : ObjectId("5ce5e63f444cde8078f337f5"), "name" : "Vinodh Krishnaswamy" }
{ "_id" : ObjectId("5ce5e655444cde8078f337f6"), "name" : "Aayushi Mangal" }There are several ways to do that. For instance, if you were using an application, it would do the same thing, but the purpose of this article is to demonstrate how a combination of two technologies can help in hiding fields in MongoDB.
Thanks for reading! Feel free to leave your thoughts/questions in the comments section.
Published at DZone with permission of Adamo Tonete, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments