Enabling authentication in MongoDB is a must. You would not want anyone to access your databases. By enabling authentication, everyone who wants to access the databases will have to authenticate themselves. This article is a guide on setting up MongoDB authentication.
Setting Up Authentication in MongoDB
Get Started
- First, launch the mongo shell and connect to the server, which will run at
port 27017
by default. - Then switch to the admin database and create a user with the
userAdminAnyDatabase
role. This role will grant the privilege to create new users on any existing database.
db.createUser(
{
user: "admin_name",
pwd: "admin_password",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
- Finally, disconnect from the mongo shell.
Enabling Authorization
- Open the
mongod.conf
file. - Change
security.authorization
fromdisabled
toenabled
.
security:
authorization: enabled
Authenticating User
There are two methods to authenticate a user using mongo.
Method 1: Using the mongo command-line authentication options
You can use the username, password, and database name to authenticate, like this:
mongo <db> -u <username> -p <password>
For example, you can use the user on the admin database that you just created to authenticate like this:
mongo admin -u admin_name -p admin_password
Note:
- A password containing special characters, especially the dollar sign, has to be put in
single quotes
to protect them from the command shell:mongo admin -u <username> -p 'password'
- You have to use the --authenticationDatabase to indicate MongoDB to find the user you have created. For example:
mongo admin -u <username> -p 'password' --authenticationDatabase admin
Method 2: Connect to the mongod instance and then run the db.auth() method against the authentication database
- First, switch to the
admin
database.use admin
- Then authenticate your user using
db.auth()
.db.auth(<username>, <password>)
db.auth()
allows a user to authenticate to the database from within the shell.- It returns
0
when authentication is unsuccessful and1
when the operation is successful.
Creating Users
To create a user to read/write from a non-system database:
- Authenticate your admin.
- Create a new user to read/write from your
app database
, like this:db.createUser( { user: <username>, pwd: <password>, roles: [ { role: "readWrite", db: <app_db> } ] } )
Remember:
- The
userAdminAnyDatabase
role has a lot of power. - It allows read/write access to the admin database.
- It also enables admin operations (like createUser, createRole, etc.) across
ALL
databases that can be dangerous if compromised. - Therefore, it is preferable not to create any user with this role except the
admin
.
Common Mistake
If you forget to create a user before enabling authentication, you can take advantage of the localhost exception
. That has been an issue with a lot of beginners.
- Start MongoDB server
- It will connect to localhost by default. This
localhost exception
grants you full access (that is, without any authentication required) to your instance via the localhost interface. - Now you can create your first system user admin.
Final Thoughts
MongoDB authentication is not hard to set up. But there were many cases where users got confused. The official MongoDB contains a lot of content, and often it is hard for a beginner to find a solution there.
Here, you can read the Official MongoDB Access Control Documentation .
Thanks for reading this article! Do give it a like and share if you find this article helpful. Feel free to share your feedback and ask questions down in the comment section. You may also like,
Have a nice day!