Skip to main content

Generate and grant credentials for MongoDB databases

Project description

Quickstart for users

So, your friendly neighborhood mongogranter says you know have access to a database through your email address. What now? First, install mongogrant:

pip install mongogrant

Next, request a token link to be sent to your email:

mgrant init mcurie@espci.fr \
  --endpoint https://grantmedb.materialsproject.org

Click the link in your email to prove you're you, copy the fetch token from the loaded page, and then run:

mgrant settoken wh054900d70k3ny35y0u423

Finally, get credentials for your database. Here, Marie is asking mongogrant to print out db.json and my_launchpad.yaml starter files for FireWorks and atomate:

mgrant db mongodb03.nersc.gov fw_mc_polonium \
  --role readWrite \
  --atomate-starters

About mongogrant

Mongogrant is a utility to grant username and password credentials for read and readWrite roles on various databases on various hosts to owners of email addresses.

A server administrator has fine-grained control via allow/deny rules for granting tokens and credentials. People request an email that contains a one-time link. That link gives a user a fetch token. All tokens expire and expiration time is customizable. People then use the mongogrant client to make requests like

from mongogrant.client import Client

# config file on disk has tokens and host/db aliases
# `Client()` with no args looks to
# ~/.mongogrant.json for config
client = Client()

# No config yet? Set one up with at least one remote for fetching credentials
# See below for how to obtain <FETCH_TOKEN> for a given <ENDPOINT>.
client.set_remote("https://grantmedb.materialsproject.org", "<FETCH_TOKEN>")

# Set some aliases if you'd like:
client.set_alias("dev", "mongodb03.nersc.gov", "host")
client.set_alias("prod", "mongodb04.nersc.gov", "host")
client.set_alias("fireworks", "fw_dw_phonons", "db")

# pymongo.database.Database with read role
source_db = client.db("ro:dev/fireworks")
# readWrite role: config stores "prod" host alias and "fireworks" db alias
target_db = client.db("rw:prod/fireworks")

# ...Do database stuff!

One can also go entirely through a running app's API:

> # Using the HTTPie command line HTTP client (https://httpie.org/)
> # Install via `{brew,apt-get,pip,...} install httpie`
> http GET https://grantmedb.materialsproject.org/gettoken/<YOUR_EMAIL>
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 59
Content-Type: application/json
Date: Thu, 17 May 2018 18:05:30 GMT
Server: nginx/1.10.3

{
    "msg": "Sent link to <YOUR_EMAIL> to retrieve token."
}

> http GET https://grantmedb.materialsproject.org/verifytoken/<VERIFY_TOKEN>
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Thu, 17 May 2018 18:06:17 GMT
Server: nginx/1.10.3
Transfer-Encoding: chunked

Fetch token: <FETCH_TOKEN> (expires 2018-06-19 18:05:30.508000 UTC)

> # end-of-line "\" below only necessary if command spans two lines.
> http --form POST https://grantmedb.materialsproject.org/grant/<FETCH_TOKEN> \
>   role=readWrite host=mongodb03.nersc.gov db=dw_phonons
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 108
Content-Type: application/json
Date: Thu, 17 May 2018 18:11:22 GMT
Server: nginx/1.10.3

{
    "password": "<PASSWORD>",
    "username": "dwinston_lbl.gov_readWrite"
}

>

You can run a "server" on your laptop in a Jupyer notebook and manage allow/deny rules, grant / revoke grants of credentials, etc. A small Flask app is included as an example for deploying a server to which clients can connect to obtain tokens and credentials.

Set up a server

from mongogrant.config import Config
from mongogrant.server import Server, check, path, seed, Mailgun

server = Server(Config(check=check, path=path, seed=seed()))
server.set_mgdb("mongodb://mgserver:mgserverpass@my.host.com/mongogrant")
server.set_mailer(Mailgun, dict(
    api_key="YOUR_KEY",
    base_url="https://api.mailgun.net/v3/YOUR_DOMAIN",
    from_addr="mongogrant@YOUR_DOMAIN"))
server.set_admin_client(
    host="other1.host.com",
    username="mongoadmin",
    password="mongoadminpass")
server.set_admin_client(
    host="other2.host.com",
    username="mongoadmin",
    password="mongoadminpass")

Appointing others to set allow/deny rules

A mongogrant server admin can add "ruler" users who can set allow/deny rules for users via the mgrant CLI. An admin sets a ruler document in the server.mgdb collection, e.g.

server.mgdb.rulers.replace_one(
    {"email": "starlord@lbl.gov"},
    {
        "email": "starlord@lbl.gov",
        "hosts": ["mongodb03.nersc.gov"],
        "dbs": ["mp_", "fw_"],
        "emails": ["@lbl.gov"],
        "which": ["allow"]
    },
    upsert=True)

Allows user starlord@lbl.gov to set allow rules for any user with an "@lbl.gov" email address on the Mongo host "mongodb03.nersc.gov" for any database name prefixed with "mp_" or "fw_". Any field in a ruler document can be set to "all" rather than an array.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mongogrant-0.3.3.tar.gz (23.2 kB view details)

Uploaded Source

Built Distribution

mongogrant-0.3.3-py3-none-any.whl (25.0 kB view details)

Uploaded Python 3

File details

Details for the file mongogrant-0.3.3.tar.gz.

File metadata

  • Download URL: mongogrant-0.3.3.tar.gz
  • Upload date:
  • Size: 23.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.5.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.1

File hashes

Hashes for mongogrant-0.3.3.tar.gz
Algorithm Hash digest
SHA256 ad494b8638adfa840cdd5568af44448dd43771b58102550cf7c61402b1620ab4
MD5 c0fa7c60b5aef06465440da93b096c9e
BLAKE2b-256 86ea236c569243a19bfb7097fd6b2fd09aa68af57e3d76e3ff65ea69333c0760

See more details on using hashes here.

Provenance

File details

Details for the file mongogrant-0.3.3-py3-none-any.whl.

File metadata

  • Download URL: mongogrant-0.3.3-py3-none-any.whl
  • Upload date:
  • Size: 25.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.5.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.1

File hashes

Hashes for mongogrant-0.3.3-py3-none-any.whl
Algorithm Hash digest
SHA256 e32ea6f07d72c7d08ab78d17c79ab7ee56373458ae79d2995c3cc6c2eb3ecbdb
MD5 a4c2fb61f652525816c6bdd9425310f2
BLAKE2b-256 43c2711d4a1c01205e206bc7f270522254ac374a86b5e99798e2cfd3cd426d08

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page