1
00:00:02,390 --> 00:00:05,660
So what is authentication and authorization?

2
00:00:05,900 --> 00:00:08,930
These are actually two concepts which are closely related.

3
00:00:09,840 --> 00:00:17,670
Authentication is all about identifying users in your database, authorization on the other hand is all

4
00:00:17,670 --> 00:00:22,010
about identifying what these users may then actually do in the database,

5
00:00:22,020 --> 00:00:28,470
so if we want to use a real world analogy, you could kind of say that you might be employed and therefore

6
00:00:28,470 --> 00:00:33,450
you are able to access the office because you got a key card to the office building let's say, so you

7
00:00:33,450 --> 00:00:37,190
are an employee, you are authenticated to access the office

8
00:00:37,530 --> 00:00:41,120
but the things you may do in the office depend on your role.

9
00:00:41,130 --> 00:00:47,160
So let's say you are an accountant and then therefore you might be allowed to access the internal systems,

10
00:00:47,430 --> 00:00:51,600
to process orders or buildings or anything like that.

11
00:00:51,600 --> 00:00:57,300
So you describe that you are allowed to access and then you describe what you are allowed to do, that

12
00:00:57,290 --> 00:01:03,810
is authentication and authorization and mongodb uses these two concepts to control who is able

13
00:01:03,810 --> 00:01:06,010
to connect to the database server

14
00:01:06,030 --> 00:01:09,050
and then what these people who are able to connect can do.

15
00:01:09,300 --> 00:01:11,850
And when I say people here, that's important,

16
00:01:11,970 --> 00:01:13,720
I don't just mean people,

17
00:01:13,740 --> 00:01:19,440
I also absolutely mean things like the app you're writing, you as a developer will then write code so

18
00:01:19,440 --> 00:01:23,090
that your app can connect automatically to the database server.

19
00:01:23,100 --> 00:01:29,460
It's also important to understand that when I talk about users here, I don't mean users of your app,

20
00:01:29,460 --> 00:01:35,400
so if you're building a shop, I don't mean the users who can sign up to buy things in your shop.

21
00:01:35,400 --> 00:01:39,670
You might manage these users in your database but with your own logic

22
00:01:39,870 --> 00:01:44,400
but with users here, I mean the users of the mongodb server,

23
00:01:44,430 --> 00:01:50,040
so the people who are allowed to directly interact with it in some way and that of course are not the

24
00:01:50,040 --> 00:01:51,400
users of your shop,

25
00:01:51,540 --> 00:01:56,810
they may not directly insert documents or read documents or delete a database,

26
00:01:56,820 --> 00:01:59,050
this is very important to understand.

27
00:01:59,110 --> 00:02:04,130
I'm talking about users who are allowed to connect to the database not users

28
00:02:04,140 --> 00:02:06,960
you might know in your application.

29
00:02:07,110 --> 00:02:13,110
Now before we actually write some commands to actually create users and authenticate, it's important

30
00:02:13,110 --> 00:02:20,640
to fully understand the authentication system mongodb uses. Mongodb employs a role based access control

31
00:02:20,640 --> 00:02:21,320
system

32
00:02:21,540 --> 00:02:23,470
and this works like this.

33
00:02:23,490 --> 00:02:28,760
Let's say we have a mongodb server with three databases and the admin database is one

34
00:02:28,770 --> 00:02:34,390
you already saw in previous modules, it's a special database which exists out of the box

35
00:02:34,710 --> 00:02:37,630
and I'll come back to why it's special throughout this module.

36
00:02:37,770 --> 00:02:39,880
So let's say we have that admin database,

37
00:02:39,990 --> 00:02:45,270
obviously we would also have that config and local database we started with but we also have our

38
00:02:45,270 --> 00:02:47,990
own databases here let's say, shop and blog.

39
00:02:48,160 --> 00:02:55,180
Now in the shop database we have two collections and in the blog database too. Now we enable authentication

40
00:02:55,260 --> 00:03:00,120
and that is something we'll do in the next lectures, authentication can be enabled in a very easy way

41
00:03:00,510 --> 00:03:07,200
and suddenly our mongodb server only allows authenticated users to interact with it, with the

42
00:03:07,200 --> 00:03:10,080
collections and the documents and with the overall server.

43
00:03:10,610 --> 00:03:16,920
So let's say we have a user and now here important again, user here means either a real person like a

44
00:03:16,920 --> 00:03:20,830
data analyst who directly connects to the database through the shell,

45
00:03:20,940 --> 00:03:26,270
so like we are doing it in this course or you could also talk about an application here,

46
00:03:26,310 --> 00:03:32,700
so the user would then kind of be the mongodb driver or your overall application code using

47
00:03:32,700 --> 00:03:34,940
the driver to connect to your database.

48
00:03:34,950 --> 00:03:40,920
So this is not the user of your application, not the user of the online shop you're building, it's really

49
00:03:41,010 --> 00:03:46,560
your application or if it's a real person that we're talking about a person who directly connects like

50
00:03:46,560 --> 00:03:48,600
we are doing it in this course.

51
00:03:48,690 --> 00:03:55,350
So we got a user who wants to interact with the mongo database and we now need to log in with a username

52
00:03:55,350 --> 00:03:57,910
and password because authentication was enabled

53
00:03:58,170 --> 00:04:03,420
and mongodb automatically has a process in place where we then have to enter a username and

54
00:04:03,420 --> 00:04:04,480
password.

55
00:04:04,500 --> 00:04:09,030
Now that of course means that the user needs to exist on the mongodb server, otherwise logging

56
00:04:09,030 --> 00:04:10,300
in will be impossible

57
00:04:10,380 --> 00:04:12,810
and that is exactly what we will do in the next lectures,

58
00:04:12,930 --> 00:04:14,840
we will create such users.

59
00:04:14,910 --> 00:04:17,650
So let's say the user exists and we log in,

60
00:04:17,670 --> 00:04:19,880
so now suddenly we are logged in as a user,

61
00:04:20,040 --> 00:04:24,090
let's say our app is logged in or we as a data analyst are logged in.

62
00:04:24,150 --> 00:04:28,830
But with that information only, so only with the information that we are logged in, we're not allowed

63
00:04:28,830 --> 00:04:29,840
to do anything

64
00:04:30,120 --> 00:04:37,230
instead users in mongodb are not just entities that are made up of a username and a password but

65
00:04:37,230 --> 00:04:43,470
they also are assigned some roles and these roles are essentially groups of privileges.

66
00:04:43,500 --> 00:04:48,330
Now what's a privilege? A privilege is a combination of a resource and an action 

67
00:04:48,360 --> 00:04:53,670
and that sounds very cryptic but it becomes clear with a concrete example. A resource would be something

68
00:04:53,670 --> 00:04:59,220
like the products collection in our shop database and an action would be an insert command.

69
00:04:59,250 --> 00:05:03,500
So actions are essentially the kinds of tasks, the commands we can execute,

70
00:05:03,500 --> 00:05:12,280
we can do in our mongo database and the resource is on well which resource can we execute this command.

71
00:05:12,420 --> 00:05:18,600
So for example, this little example here would mean that we can insert documents into the products collection

72
00:05:18,660 --> 00:05:20,490
in the shop database

73
00:05:20,490 --> 00:05:25,490
and this now allows us to do something as a logged in user.

74
00:05:25,590 --> 00:05:27,970
And as I mentioned, this is a privilege,

75
00:05:27,990 --> 00:05:34,320
typically you don't just have one privilege but instead multiple privileges are grouped into so-called

76
00:05:34,380 --> 00:05:40,230
roles and therefore a user has a role and that role includes all the privileges,

77
00:05:40,230 --> 00:05:48,130
so actions and resources that make sense for this user. And this is the model mongodb uses and

78
00:05:48,140 --> 00:05:50,680
we'll see that in action in the next lectures.

79
00:05:50,700 --> 00:05:57,360
This is a very flexible model because it allows us to create multiple users where we as a database owner

80
00:05:57,450 --> 00:06:02,640
or administrator can give every user exactly the rights the user needs

81
00:06:02,790 --> 00:06:03,630
and that's important,

82
00:06:03,630 --> 00:06:09,450
we don't want to give every user all the rights because if someone, let's say the data analyst has all

83
00:06:09,450 --> 00:06:17,040
the rights, this person or this app it could be an app too, is suddenly able to start deleting databases or

84
00:06:17,070 --> 00:06:21,870
insert documents even though in the case of the data analyst, we only want this person to be able to

85
00:06:21,870 --> 00:06:27,930
read data and it's not necessarily required that the person wants to do anything bad, this could even

86
00:06:27,930 --> 00:06:29,250
happen on accident.

87
00:06:29,490 --> 00:06:37,170
So only granting what a person really needs or what an app, a user in general really needs is a common

88
00:06:37,170 --> 00:06:41,850
approach not just in mongodb but it exists here too, it makes a lot of sense

89
00:06:41,940 --> 00:06:45,330
and it's therefore the approach we will use in this module too.