Database Reference
In-Depth Information
Notable options from the
mongoexport
utility include the following:
-q
: Specifies the query used to locate the records tooutput. This query can be any JSON query
string (but not a JavaScript query string, as this often doesn't work as expected) that you might
use with the
db.collection.find()
function to select a subset of records. If you don't specify
this option or you set it to
{}
, the
mongoexport
utility will output all records.
•
-
f
: Lists the database element names to be exported.
The following example illustrates how to use the options for the
mongoexport
utility:
•
$mongoexport -d blog -c posts -q {} -f _id,Title,Message,Author --csv >blogposts.csv
connected to: 127.0.0.1
exported 1 records
Securing Your Data by Restricting Access to a MongoDB Server
In some cases, your applications may be dealing with sensitive data, such as user records in social networks or
payment details in ecommerce applications. In many cases, there are rules mandating that you have to ensure
restricted access to sensitive data in your database systems.
MongoDB supports a simple role-based authentication system that allows you to control who has access to each
database, and the level of access they are granted.
Most of the commands that change the configuration of data or make major alterations to its structure on a
MongoDB server are restricted to running only inside the special
admin
database that is created automatically during
each new MongoDB installation.
Before you can issue these commands, you have to switch to the
admin
database with the
use admin
command.
Upcoming sections will note any command that is admin-only, so you will always know when you need to be in the
admin
database before you can use it. This chapter assumes that you can select the database and authenticate against
it, if necessary.
By default, MongoDB does not use any authentication methods. Anybody with access to the network connection
can connect and issue commands to the server. However, you can add
users
to any database, and MongoDB can
be configured to require both connection and console authentication to access the relevant database. This is the
recommended mechanism for restricting access to admin functions.
Protecting Your Server with Authentication
MongoDB supports a simple authentication model that allows the administrator to restrict access to databases on
a per user basis.
MongoDB supports individual access control records on each database; these records are stored in a special
system.users
collection. For normal users to have access to two databases (for example,
db1
and
db2
), their
credentials and rights must be added to both databases.
If you create individual logins and access rights for the same user on different databases, there is no
synchronization between those records. In other words, changing a user password on one database does not change
the password on any other database. However, the MongoDB team introduced a new mechanism in the 2.4 release to
allow delegated credentials. Using these credentials in this manner, you can create one master user with a password.
Then create users on other databases and specify that this user already exists on the master database and its
credentials should be used for authentication.
There is also one final (and critical) exception to this rule: any users added to the special
admin
database will have
the same access rights on all databases; you do not need to assign rights to such users individually.
