Authorization file for MongoDB (deprecated)

Deprecated: The authorization file for MongoDB is deprecated as of PUT 13.

Authorization definitions for z/TPF support for MongoDB are specified in the security.mongo.xml authorization file.

You can find the security.mongo.xml file template that is provided with the z/TPF product code in the base/tpf-fdes/templates directory.
The authorization file for MongoDB contains the following sections, elements, and attributes:
Header
The authorization file starts with a header section.

The header section defines the Metadata element, which contains the version, encoding, XML schema file, and namespace. You cannot modify the header section.

User
Following the header section, you can specify one or more User elements that define the privileges that are granted for a particular user. You can define any number of users in the authorization file.
The User element contains the name of the user that authenticates against z/TPF support for MongoDB and an optional description of that user as shown in the following example.
<tns:User userName="user1" description="Authorizations for user1">
Authorization
Following the User element, there is the Authorization element that is followed by one or more privileges for the user. The maximum number of privileges that can be defined for a user is 20. The Privilege element contains the following attributes:
collectionName
The name of the collection that the privileges are defined for. The collection name is the name that is specified in the z/TPFDF collection descriptor. You can specify an asterisk (*) to indicate that the privilege is defined for all collections.
tenantName
The name of the tenant or subsystem user that the privilege is defined for. You can specify an asterisk (*) to indicate that the privilege is defined for all tenants.
authorizedAction
An attribute on the Action element, which is part of the Privilege element, that describes the access level. You can specify one of the following values:
noAccess
No access to this resource.
read
Read-only access to this resource.
readWrite
Read and write access to this resource.
The following example shows the full privileges for a user. There is no limit to the number of users that can be defined in the authorization file for MongoDB.
<!-- The authorizations for userid - user1 -->
<tns:User userName="user1" description="Authorizations for user1">
   <tns:Authorization>
      <!-- For PNR collection allow readWrite access against AIRA tenant -->
      <tns:Privilege collectionName="PNR" tenantName="AIRA">
         <tns:Action authorizedAction="readWrite" />
      </tns:Privilege>
      <!-- For all other collections allow read access against AIRA tenant -->
      <tns:Privilege collectionName="*" tenantName="AIRA">
         <tns:Action authorizedAction="read" />
      </tns:Privilege>
      <!-- For all other collections in all other tenants - no access -->
      <tns:Privilege collectionName="*" tenantName="*">
         <tns:Action authorizedAction="noAccess" />
      </tns:Privilege>
   </tns:Authorization>
</tns:User>
The following rules apply when you use the authorization file for MongoDB:
  • You can define a default authorization for users who are not defined in the authorization file. To define a default authorization, specify * for the userName attribute of the User element and add the entry at the end of the file. This entry defines the default privileges for the user name that is not in the current authorization file. The following example defines the default privileges for user names that are not found in the authorization file.
    <tns:User userName="*" description="default entry, no access for all other users">
       <tns:Authorization>
          <tns:Privilege collectionName="*" tenantName="*">
             <tns:Action authorizedAction="noAccess" />
          </tns:Privilege>
       </tns:Authorization>
    </tns:User>
  • The order of the definitions of privileges and users matters. The elements in the authorization file are searched sequentially from the beginning for the first match. For example, if you specify * for the userName attribute of a User element and place the entry at the beginning of the authorization file, every user gets the default privileges because every user matches the first entry that is found. Similarly, the privileges for a user are searched sequentially in the user's entry, so the first matching entry that is found for the resource that is being accessed is the authorization action that is applied.
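The following added example (not part of the z/TPF product or this page) models the first-match search described above for both users and privileges, so that the effect of placing the userName="*" default entry first can be checked before the file is deployed. The namespace URI, the root element name, and the result returned when nothing matches are assumptions; the real values are fixed by the header of the shipped security.mongo.xml template.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URI and root element name (the real ones come from the
# template header, which the page says must not be modified).
NS_URI = "urn:example:security.mongo"
NS = {"tns": NS_URI}


def build_file(users):
    """Build a security.mongo.xml-style document from a list of
    (userName, [(collectionName, tenantName, authorizedAction), ...])."""
    ET.register_namespace("tns", NS_URI)
    root = ET.Element(f"{{{NS_URI}}}Metadata")
    for name, privs in users:
        user = ET.SubElement(root, f"{{{NS_URI}}}User", userName=name)
        auth = ET.SubElement(user, f"{{{NS_URI}}}Authorization")
        for coll, tenant, action in privs:
            p = ET.SubElement(auth, f"{{{NS_URI}}}Privilege",
                              collectionName=coll, tenantName=tenant)
            ET.SubElement(p, f"{{{NS_URI}}}Action", authorizedAction=action)
    return ET.tostring(root, encoding="unicode")


def resolve(xml_text, user, collection, tenant):
    """First-match lookup as the page describes: the first User whose
    userName equals the user or '*' is selected, and within that entry the
    first Privilege whose collectionName and tenantName each equal the
    requested value or '*' supplies the authorizedAction."""
    root = ET.fromstring(xml_text)
    for u in root.findall("tns:User", NS):
        if u.get("userName") not in (user, "*"):
            continue
        for p in u.findall("tns:Authorization/tns:Privilege", NS):
            if (p.get("collectionName") in (collection, "*")
                    and p.get("tenantName") in (tenant, "*")):
                return p.find("tns:Action", NS).get("authorizedAction")
        return "noAccess"  # user matched, no privilege matched (assumption)
    return "noAccess"      # no User entry matched at all (assumption)


def shadowed_users(xml_text):
    """User entries that can never be reached because a '*' entry precedes
    them; a correctly ordered file returns an empty list."""
    names = [u.get("userName")
             for u in ET.fromstring(xml_text).findall("tns:User", NS)]
    return names[names.index("*") + 1:] if "*" in names else []


# Constructed sample data mirroring the page's user1 and default entries.
USER1 = ("user1", [("PNR", "AIRA", "readWrite"),
                   ("*", "AIRA", "read"), ("*", "*", "noAccess")])
DEFAULT = ("*", [("*", "*", "noAccess")])
CORRECT = build_file([USER1, DEFAULT])
MISORDERED = build_file([DEFAULT, USER1])  # default first shadows user1
```

With the default entry placed first, user1's readWrite privilege on PNR/AIRA resolves to noAccess, which is the failure mode the ordering rule warns about.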