1

I have a Flask application that uses pymongo to access a mongo database and satisfy users' requests. I have enabled access control in Mongo and now there are several users associated with different roles. More specifically, each user has read-write privileges only in a specific subset of collections in the db.

I would like to have users logging into the application and having access only to their specific subset of collections. This means that each user request that needs to fetch some data from the db is bound to a (specific) db-authenticated connection.

The main extensions of Flask like flask-login and flask-security do not seem to use MongoDB's own authentication mechanism.

I have been looking for a while now but I was not able to solve this.

user9342787

2 Answers

1

As per the MongoDB documentation for making a connection string:

mongodb://[username:password@]host1[:port1][,...hostN[:portN]]][/[database][?options]]

or

mongodb://myDBReader:D1fficultP%40ssw0rd@mongodb0.example.com:27017/admin

You can connect to MongoDB using the PyMongo library.

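from urllib.parse import quote_plus

from flask import Flask, request
from pymongo import MongoClient

app = Flask(__name__)

@app.route('/login', methods=['POST'])
def login():
    data = request.get_json()
    # Percent-encode the credentials so reserved characters (@ : /) stay inside the userinfo part
    username = quote_plus(data['username'])
    password = quote_plus(data['password'])
    database = data['database']
    uri = 'mongodb://' + username + ':' + password + '@localhost:27017/' + database
    # The URI contains the password, so it is not printed or logged.
    # app.config is shared by the whole process: this URI is used by every later request.
    app.config['uri'] = uri
    return 'logged in'


@app.route('/some_endpoint')
def do_some_work():
    uri = app.config['uri']
    client = MongoClient(uri)
    # now use this as per your requirement.

    client.close()
    return 'done'

if __name__ == '__main__':
    app.run()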

This is just an example. You can store it in app.config and use it as you want.

Another reference that you might want to see.
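An added example, not part of the answer above and not PyMongo's own code: it builds the per-user URI from login input with percent-encoded credentials (the encoding that produces the `%40` in the documentation string above) and shows how plain concatenation lets a reserved character in the password change what a URI parser sees as the host. The names `MONGO_HOST`, `DB_NAME_RE`, `naive_uri`, `build_uri`, `parsed_host` and `parsed_credentials` are assumptions made for this sketch, and the database-name allow-list is deliberately stricter than what MongoDB accepts.

```python
import re
from urllib.parse import quote_plus, unquote_plus, urlsplit

MONGO_HOST = "localhost:27017"  # same host as in the answer's example
# Conservative allow-list chosen for this example; MongoDB itself permits more.
DB_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,63}")


def naive_uri(username, password, database):
    """Plain string concatenation, kept only for comparison."""
    return "mongodb://" + username + ":" + password + "@" + MONGO_HOST + "/" + database


def build_uri(username, password, database):
    """Build the URI with percent-encoded credentials and a validated db name."""
    if not username or not password:
        raise ValueError("username and password are required")
    if not DB_NAME_RE.fullmatch(database):
        raise ValueError("invalid database name")
    return "mongodb://%s:%s@%s/%s" % (
        quote_plus(username), quote_plus(password), MONGO_HOST, database)


def parsed_host(uri):
    """Return the host[:port] that a URI parser sees after the userinfo part."""
    return urlsplit(uri).netloc.rpartition("@")[2]


def parsed_credentials(uri):
    """Recover (username, password) from the userinfo part of the URI."""
    userinfo = urlsplit(uri).netloc.rpartition("@")[0]
    user, _, pw = userinfo.partition(":")
    return unquote_plus(user), unquote_plus(pw)


if __name__ == "__main__":
    # Constructed sample passwords; the first is the documentation example.
    for pw in ("D1fficultP@ssw0rd", "pa/ss:w?rd"):
        print(repr(pw))
        print("  naive  host:", parsed_host(naive_uri("myDBReader", pw, "admin")))
        print("  quoted host:", parsed_host(build_uri("myDBReader", pw, "admin")))
```
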

0

You might want to reconsider that approach as opening a new db connection with each user that logs into your app might not scale very well, since Mongo creates a new thread for each new connection.

See: mongodb-max-connections

I would consider some RBAC for flask like flask-security.

grafuls
  • Thanks for your comment. I do agree with you that the solution does not scale well. I also understand that typically you only create one MongoClient and use it throughout your application. My concern is that I do not see how these design principles can coexist with MongoDB's own RBAC. – user9342787 Jun 03 '19 at 07:33