Backup and Security

Concept of Backups
Backups are crucial for data protection, disaster recovery, and ensuring data integrity. Here’s an overview of
the concept of backups in MongoDB:
Importance of Backups
1. Data Protection: Backups provide a safety net against accidental data loss due to hardware failures,
human errors, or software bugs.
2. Disaster Recovery: In case of catastrophic events like server crashes or data corruption, backups
allow you to restore your data to a previous state.
3. Compliance and Security: Backups are essential for meeting regulatory requirements and ensuring
data security.
Types of Backups in MongoDB
1. Logical Backups:
o mongodump: This utility exports data from MongoDB databases into BSON files, which can
then be used to restore data using mongorestore. It captures the data in a human-readable
format suitable for smaller datasets or specific collections.
2. Physical Backups:
o Filesystem Snapshots: Taking snapshots at the filesystem level where MongoDB stores its
data files (dbPath). This method is fast but requires careful handling to ensure consistency.
o Oplog Backups: MongoDB's replication mechanism uses the oplog (operations log) to
maintain a history of write operations. You can use the oplog to restore to a specific point in
time
Strategies for Backup
1. Regular Scheduled Backups: Establish a schedule based on your data update frequency and
criticality.
2. Off-site Backups: Store backups in a different location or on a different infrastructure to protect
against physical disasters affecting the primary data center.
3. Testing Backups: Periodically test your backup and restore procedures to ensure they work as
expected.
Backup Tools and Services
1. mongodump and mongorestore: Built-in utilities provided by MongoDB for logical backups.
2. Third-party Backup Solutions: Many cloud providers and third-party vendors offer MongoDB
backup solutions with features like automated backups, point-in-time recovery, and integration with
cloud storage services.

mongoexport/mongoimport & mongodump/mongorestore

mongoexport
Purpose: mongoexport is used to export data from a MongoDB database collection into a JSON or CSV file
format.
Usage:
mongoexport --db <database_name> --collection <collection_name> --out <output_file_path> [--options]
Parameters:
--db <database_name>: Specifies the name of the database from which to export data.
--collection <collection_name>: Specifies the name of the collection within the database to export data from.
--out <output_file_path>: Specifies the path and filename where the exported data will be saved. The output
format (JSON or CSV) is determined by the file extension (.json for JSON, .csv for CSV).
--query <json_query>: Optional. Allows you to specify a query using JSON format to filter which
documents to export.
--fields <field1,field2,...>: Optional. Specifies a comma-separated list of fields to export from each
document.
Example:
mongoexport --db mydatabase --collection mycollection --out /path/to/exported_data.json
mongoimport
Purpose: mongoimport is used to import data from a JSON, CSV, or TSV file format into a MongoDB
database collection.
Usage:
mongoimport --db <database_name> --collection <collection_name> --file <input_file_path> [--options]
Parameters:
--db <database_name>: Specifies the name of the database to import data into.
--collection <collection_name>: Specifies the name of the collection within the database where data will be
imported.
--file <input_file_path>: Specifies the path to the input file containing data to be imported.
--jsonArray: Optional. Specifies that the input file contains an array of JSON documents. Useful when
importing a JSON file that contains an array of documents rather than a single JSON document.
Example:
mongoimport --db mydatabase --collection mycollection --file /path/to/input_data.json

mongodump
Purpose: mongodump is used to create binary export backups of MongoDB databases and collections.
Usage:
mongodump --db <database_name> [--collection <collection_name>] [--out <output_directory>] [--options]
Parameters:
--db <database_name>: Specifies the name of the database to backup.
--collection <collection_name>: Optional. Specifies the name of the collection within the database to
backup. If not specified, all collections in the specified database will be backed up.
--out <output_directory>: Optional. Specifies the directory where the backup files will be stored. Each
database and collection will be saved as BSON files in their respective directories.
--query <json_query>: Optional. Allows you to specify a query using JSON format to filter which
documents to backup.
--gzip: Optional. Enables compression of backup files using gzip.
Example:
mongodump --db mydatabase --out /path/to/backup_directory

mongorestore
Purpose: mongorestore is used to restore data previously backed up with mongodump into a MongoDB
database.
Usage:
mongorestore [--db <database_name>] [--collection <collection_name>] <input_directory_or_file> [--
options]
Parameters:
--db <database_name>: Optional. Specifies the name of the database where data will be restored. If not
specified, the database name from the backup is used.
--collection <collection_name>: Optional. Specifies the name of the collection within the database where
data will be restored. If not specified, collections will be restored with their original names from the backup.
<input_directory_or_file>: Specifies the directory or file from which to restore data. This should be the
directory created by mongodump containing BSON files or a BSON file.
--drop: Optional. Drops the target collection before restoring data into it.
Example:
mongorestore --db mydatabase /path/to/backup_directory/mydatabase
Additional Options and Considerations
Both mongodump and mongorestore support additional options for authentication (--username, --password,
--authenticationDatabase), connection parameters (--host, --port), and other backup/restore configurations.
mongodump creates a directory structure with BSON files for each database and collection, while
mongorestore reads these BSON files to recreate the databases and collections.
These tools are suitable for regular backups, disaster recovery, migrating data between MongoDB instances,
or seeding databases with initial data.

Oplog Backups
What are Oplog Backups?
Oplog backups involve capturing and storing the contents of the oplog for purposes other than routine
replication. These backups are typically used for:
1. Point-in-Time Recovery: Oplog backups enable you to restore a MongoDB database to a specific
point in time by replaying the recorded operations.
2. Delayed Secondary Replication: By restoring from an oplog backup, you can create a secondary
node that lags behind the primary by a specified amount of time. This can be useful for scenarios
where you want to recover from accidental data deletion or corruption that occurred some time ago.
How to Perform Oplog Backups
Oplog backups are typically handled using MongoDB's built-in replication mechanisms and backup tools.
Here’s how you can approach it:
1. Use Secondary Nodes: In MongoDB's replica set, secondary nodes automatically maintain a copy of
the oplog from the primary node. You can configure secondary nodes to retain oplog entries for a
certain duration or until they are overwritten by newer entries.
2. Oplog Collection: Access the oplog collection directly using MongoDB commands or tools. The
oplog is accessible as a capped collection named oplog.rs in the local database of each MongoDB node
in a replica set.
3. mongodump for Oplog: You can use mongodump with the --oplog option to capture the oplog entries
along with regular data backups. This is useful for creating a comprehensive backup that includes
both the database contents and the oplog.
Considerations
 Storage and Retention: Oplog backups can consume significant storage space, especially if you're
retaining a large amount of historical oplog data.
 Recovery Time Objective (RTO): Oplog backups provide a more granular recovery point than
regular snapshots but require careful management and planning to ensure they are available when
needed.
 Security and Access: Access to oplog data should be secured and restricted to authorized personnel
to prevent unauthorized modifications or deletions.
Use Cases
 Disaster Recovery: Oplog backups allow for precise recovery to any point in time, minimizing data
loss in case of a catastrophic failure.
 Data Auditing and Forensics: Oplog backups can be used for forensic analysis or auditing purposes
to trace changes made to the database.

LVM Backups
LVM (Logical Volume Manager) involves a few key steps to ensure data consistency and integrity.
For the purpose of volume-level backup of MongoDB instances using WiredTiger, the data files and the
journal are no longer required to reside on a single volume.
To create a snapshot with LVM, issue a command as root in the following format:
lvcreate --size 100M --snapshot --name mdb-snap01 /dev/vg0/mongodb
This command creates an LVM snapshot (with the --snapshot option) named mdb-snap01 of the mongodb
volume in the vg0 volume group.
Backups using mms/ops manager
Backups using MMS (MongoDB Management Service) or Ops Manager are essential for ensuring data
resilience and disaster recovery. Here’s how you typically set up and manage backups using these tools:
Backup Methods
1. Continuous Backups:
o Oplog: MongoDB captures all write operations to the oplog (operations log). Ops Manager or
MMS continually tails this oplog, allowing for point-in-time recovery.
2. Scheduled Snapshots:
o File System Snapshots: Ops Manager can take snapshots of the underlying filesystem where
MongoDB data resides. This method is efficient for large datasets but requires adequate disk
space.
3. Cloud Backups:
o Backup to AWS S3 or Azure Blob Storage: Ops Manager can directly backup data to cloud
storage services. This approach provides off-site storage and facilitates disaster recovery.
Setting Up Backups Using MMS / Ops Manager
1. Install and Configure Ops Manager:
o Deploy Ops Manager in your infrastructure or use MongoDB Atlas (MongoDB’s managed
service).
o Connect Ops Manager to your MongoDB instances.
2. Configure Backup Policies:
o Define backup schedules and retention policies based on your requirements (e.g., hourly
snapshots, daily backups).
o Specify storage destinations (local, cloud).
3. Monitor Backup Operations:
o Use the Ops Manager interface to monitor backup jobs, their status, and health.
o Receive alerts for any backup failures or issues.
4. Perform Restores:
o Ops Manager facilitates easy restoration of backups:
 Point-in-Time Recovery: Restore to any specific moment using the oplog.
 Snapshot Restore: Restore from a specific snapshot or backup.

By leveraging MMS or Ops Manager, MongoDB provides robust tools to manage and automate backups
effectively, ensuring your data remains secure and accessible in case of failures or disasters.

Purpose of security
MongoDB offers built-in security controls for all your data – with databases managed in a customer
environment or MongoDB Atlas, a fully managed cloud service. MongoDB enables enterprise-grade
security features and simplifies deploying and managing your databases.

Type of Security
 Authentication
 Authorization
 Auditing
 Data Encryption
 Network Security
 Data Sovereignty

Authentication and Authorization

Authentication and authorization are crucial aspects of securing MongoDB databases, ensuring that only
authorized users can access data and perform operations based on their roles and permissions. Here’s a
breakdown of how authentication and authorization work in MongoDB:
Authentication: Ensures users are who they claim to be using methods like username/password, X.509
certificates, or LDAP.
Authorization: Controls what authenticated users can do based on assigned roles with specific privileges
(e.g., read, write) on databases and collections.

Role based access control

Role-Based Access Control (RBAC)
allows administrators to manage access to database resources by defining roles that specify sets of
privileges. Users are assigned roles, granting them access to perform specific actions on databases and
collections based on their role assignments. Built-in and custom roles can be created and managed, ensuring
secure and controlled access to databases.