We do copies from Prod -> Dev weekly. For the devs, we need a user that exists on the dev DB side to read/write into the dev DBs but not have this user exist on the prod side so we never have to give devs access to the prod databases whenever we want to give devs access to dev dbs. We do just make a brand new user each time as part of the workflow for this but it seems like there may be better solutions.
To simplify, how can we create a user in mongoDB so that it persists despite any restores or copies we do from Prod databases?
I have been looking into the $external
for MongoDB but I don't think we have something like that setup and if we did how would that factor in RBAC? From what I've read, the external DB is not really a DB at all and only stores credentials. Wouldn't the roles for that user also then be erased if, like I mentioned before, we do a copy down from Prod? I feel like I am wrong here though so please feel free to correct me.
CodePudding user response:
All authorisation and authentication profiles are internally stored in the "admin" database even mappings for the virtual $external authentication/authorisation profiles they are also stored in the admin database.
Option 1) You mongodump/mongorestore only the necessary databases from PROD to DEV environments excluding the the admin database. ( Much cleaner option )
Option 2) If you take fs snapshots from PROD you will need to make mongodump for DEV admin database and mongorestore it after you restore the fs snapshot taken from PROD to DEV environment. ( Afcourse if you forget to mongorestore the DEV admin database you will have the PROD users in DEV ).
Option 3) You configure $external authorisation/authentication with same groups, mappings -> LDAP, KERBEROS etc , so you keep the mappings and copy PROD to DEV fs snapshots , but your users in DEV & PROD are auhtorized/authenticated by the external source ( LDAP server for example) so the credentials are not inside the DEV environment. ($external authentication/authorisation requiere mongoDB enterprise version)