From 3831d594800dace6ae30673f078ff9fe8da3e4c8 Mon Sep 17 00:00:00 2001 From: John Wyles Date: Thu, 7 Feb 2019 02:23:42 -0800 Subject: [PATCH 1/2] Issue #329: Adding documentaiton for MONGO_NON_ROOT_USERNAME, MONGO_NON_ROOT_PASSWORD, and MONGO_NON_ROOT_ROLE feature for initializing a database with a non-root user with a specified role --- mongo/content.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/mongo/content.md b/mongo/content.md index 7e0516149beb..61e08b3c21e8 100644 --- a/mongo/content.md +++ b/mongo/content.md @@ -124,11 +124,15 @@ some-db Both variables are required for a user to be created. If both are present then MongoDB will start with authentication enabled (`mongod --auth`). -Authentication in MongoDB is fairly complex, so more complex user setup is explicitly left to the user via `/docker-entrypoint-initdb.d/` (see the *Initializing a fresh instance* and *Authentication* sections below for more details). +Authentication and other areas in MongoDB operations can be fairly complex, so more complex setups can be explicitly left to the user via `/docker-entrypoint-initdb.d/` (see the *Initializing a fresh instance* and *Authentication* sections below for more details). For a very straight-forward setting for creating a non-root user role with a password it can be found in the *`MONGO_NON_ROOT_USERNAME`, `MONGO_NON_ROOT_PASSWORD`, and `MONGO_NON_ROOT_ROLE`* section below. ### `MONGO_INITDB_DATABASE` -This variable allows you to specify the name of a database to be used for creation scripts in `/docker-entrypoint-initdb.d/*.js` (see *Initializing a fresh instance* below). MongoDB is fundamentally designed for "create on first use", so if you do not insert data with your JavaScript files, then no database is created. +This variable allows you to specify the name of a database to be used for creation scripts in `/docker-entrypoint-initdb.d/*.js` (see *Initializing a fresh instance* below). If the value of `MONGO_INITDB_DATABASE` is not set then these custom scripts will not run because MongoDB is fundamentally designed for "create on first use". If you do not insert data with your JavaScript or shell script files, then no database is created. + +### `MONGO_NON_ROOT_USERNAME`, `MONGO_NON_ROOT_PASSWORD`, and `MONGO_NON_ROOT_ROLE` + +Additionally, if you have set `MONGO_NON_ROOT_USERNAME` and `MONGO_NON_ROOT_PASSWORD` then a username with password will be created with the the `MONGO_NON_ROOT_ROLE` role. The `MONGO_NON_ROOT_ROLE` variable is optional and if not specified will default to `readWrite`. This user will be created with this role on the `MONGO_INITDB_DATABASE` only if they are specified. ## Docker Secrets @@ -154,7 +158,7 @@ As noted above, authentication in MongoDB is fairly complex (although disabled b - [Security > Role-Based Access Control > Built-In Roles](https://docs.mongodb.com/manual/core/security-built-in-roles/) - [Security > Enable Auth (tutorial)](https://docs.mongodb.com/manual/tutorial/enable-authentication/) -In addition to the `/docker-entrypoint-initdb.d` behavior documented above (which is a simple way to configure users for authentication for less complicated deployments), this image also supports `MONGO_INITDB_ROOT_USERNAME` and `MONGO_INITDB_ROOT_PASSWORD` for creating a simple user with [the role `root`](https://docs.mongodb.com/manual/reference/built-in-roles/#root) in the `admin` [authentication database](https://docs.mongodb.com/manual/core/security-users/#user-authentication-database), as described in the *Environment Variables* section above. +In addition to the `/docker-entrypoint-initdb.d` behavior documented above (which is a way to tailor more custom configuration setup for more complex deployments), this image also supports `MONGO_INITDB_ROOT_USERNAME` and `MONGO_INITDB_ROOT_PASSWORD` for creating a user with [the role `root`](https://docs.mongodb.com/manual/reference/built-in-roles/#root) in the `admin` [authentication database](https://docs.mongodb.com/manual/core/security-users/#user-authentication-database), as described in the *Environment Variables* section above. To simplify an initial non-root user creation the environment variables `MONGO_NON_ROOT_USERNAME` and `MONGO_NON_ROOT_PASSWORD` can be used and will give this user the role of `MONGO_NON_ROOT_ROLE` (default if not set: `readWrite`). # Caveats From 0fc1dc80eeaadab9e8e64e842689286b3f790f23 Mon Sep 17 00:00:00 2001 From: John Wyles Date: Mon, 4 Mar 2019 14:14:11 -0800 Subject: [PATCH 2/2] Updating documentaiton about NON-ROOT username being gated on the presence of a ROOT username and password (see: https://github.com/docker-library/mongo/pull/331\#issuecomment-467245456) --- mongo/content.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mongo/content.md b/mongo/content.md index 61e08b3c21e8..588597608f97 100644 --- a/mongo/content.md +++ b/mongo/content.md @@ -132,7 +132,7 @@ This variable allows you to specify the name of a database to be used for creati ### `MONGO_NON_ROOT_USERNAME`, `MONGO_NON_ROOT_PASSWORD`, and `MONGO_NON_ROOT_ROLE` -Additionally, if you have set `MONGO_NON_ROOT_USERNAME` and `MONGO_NON_ROOT_PASSWORD` then a username with password will be created with the the `MONGO_NON_ROOT_ROLE` role. The `MONGO_NON_ROOT_ROLE` variable is optional and if not specified will default to `readWrite`. This user will be created with this role on the `MONGO_INITDB_DATABASE` only if they are specified. +Additionally, if you have set `MONGO_NON_ROOT_USERNAME` and `MONGO_NON_ROOT_PASSWORD` then a username with password will be created with the the `MONGO_NON_ROOT_ROLE` role. The `MONGO_NON_ROOT_ROLE` variable is optional and if not specified will default to `readWrite`. This user will be created with this role on the `MONGO_INITDB_DATABASE` only if they are specified. (Note: this will only work if you have set both `MONGO_INITDB_ROOT_USERNAME` and `MONGO_INITDB_ROOT_PASSWORD`) ## Docker Secrets