MongoDB Authentication: A Detailed Guide

Enabling authentication in MongoDB is a must; without it, anyone who can reach the server can access your databases. With authentication enabled, every client has to prove its identity before it can access a database. This article is a guide to setting up MongoDB authentication.

Setting Up Authentication in MongoDB

Get Started

  • First, launch the mongo shell and connect to the server, which runs on port 27017 by default.
  • Then switch to the admin database and create a user with the userAdminAnyDatabase role. This role grants the privilege to create new users on any existing database.
    db.createUser(
      {
        user: "admin_name",
        pwd: "admin_password",
        roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
      }
    )

  • Finally, disconnect from the mongo shell.

Enabling Authorization

  • Open the mongod.conf file.
  • Change security.authorization from disabled to enabled:
    security:
        authorization: enabled

Authenticating User

There are two methods to authenticate a user with the mongo shell.

Method 1: Using the mongo command-line authentication options

  • You can pass the database name, username, and password on the command line, like this:

    mongo <db> -u <username> -p <password>

  • For example, you can authenticate as the user you just created on the admin database like this:

    mongo admin -u admin_name -p admin_password

Note:

  1. A password containing special characters, especially the dollar sign, has to be put in single quotes to protect it from the command shell:
    mongo admin -u <username> -p 'password'

  2. Use --authenticationDatabase to tell MongoDB which database holds the user you created. For example:
    mongo admin -u <username> -p 'password' --authenticationDatabase admin

Method 2: Connect to the mongod instance and then run the db.auth() method against the authentication database

  • First, switch to the admin database.
    use admin

  • Then authenticate your user using db.auth().
    db.auth(<username>, <password>)

  • db.auth() allows a user to authenticate to the database from within the shell.
  • It returns 0 when authentication is unsuccessful and 1 when the operation is successful.

Creating Users

To create a user that can read from and write to a non-system database:

  • Authenticate as your admin user.
  • Create a new user with read/write access to your app database, like this:
    db.createUser(
     {
      user: <username>,
      pwd: <password>,
      roles: [ { role: "readWrite", db: <app_db> } ]
     }
    )

Remember:

  1. The userAdminAnyDatabase role has a lot of power.
  2. It allows read/write access to the admin database.
  3. It also enables admin operations (such as createUser, createRole, etc.) across ALL databases, which is dangerous if the account is compromised.
  4. Therefore, it is preferable not to grant this role to any user other than the admin.
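The following audit script is an added example and not code from the original article. It checks a user list of the shape db.getUsers() returns ([{user, db, roles: [{role, db}]}]) against the rules above, and generalizes them slightly: besides userAdminAnyDatabase it also flags the other *AnyDatabase roles and root on any account other than the designated admin, and flags app users that hold readWrite on the admin database. The user names and the sample list are constructed for the example.

```javascript
// Added example (not from the original article): audit MongoDB users against
// the advice above. Input shape is that of db.getUsers(): [{user, db, roles}].

// Roles that give user administration or unrestricted data access everywhere.
const PRIVILEGED_ROLES = new Set([
  "userAdminAnyDatabase",
  "dbAdminAnyDatabase",
  "readWriteAnyDatabase",
  "root",
]);

// Returns one finding string per problem; an empty array means the list is clean.
// adminUser is the one account (defined on "admin") allowed to hold these roles.
function auditUsers(users, adminUser) {
  const findings = [];
  for (const u of users) {
    const isDesignatedAdmin = u.user === adminUser && u.db === "admin";
    for (const r of u.roles) {
      if (PRIVILEGED_ROLES.has(r.role) && !isDesignatedAdmin) {
        findings.push(`${u.db}.${u.user}: holds privileged role ${r.role}`);
      }
      // An app user should read/write its own database, never "admin".
      if (r.role === "readWrite" && r.db === "admin" && !isDesignatedAdmin) {
        findings.push(`${u.db}.${u.user}: readWrite on the admin database`);
      }
    }
  }
  return findings;
}

// Constructed sample (not from a real deployment). "admin_name" and "app_user"
// follow the article; "deployer" and "reporting" violate the rules.
const SAMPLE_USERS = [
  { user: "admin_name", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "app_user", db: "shop", roles: [{ role: "readWrite", db: "shop" }] },
  { user: "deployer", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "reporting", db: "shop", roles: [{ role: "readWrite", db: "admin" }, { role: "read", db: "shop" }] },
];

console.log(auditUsers(SAMPLE_USERS, "admin_name"));
```

Inside the legacy mongo shell you can pass db.getSiblingDB("admin").getUsers() in place of the sample list (assumption: that shell returns the users as a plain array, as the sample is shaped).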

Common Mistake

If you forget to create a user before enabling authentication, you can take advantage of the localhost exception. This has tripped up a lot of beginners.

  1. Start the MongoDB server.
  2. Connect with the mongo shell from the same machine; it connects to localhost by default. While no user exists, the localhost exception grants you full access (that is, without any authentication required) to your instance via the localhost interface.
  3. Now you can create your first admin user.

Final Thoughts

MongoDB authentication is not hard to set up, but many users have been confused by it. The official MongoDB documentation contains a lot of content, and a beginner often finds it hard to locate the relevant part.

Here, you can read the official MongoDB Access Control documentation.

Thanks for reading this article! Do give it a like and share if you find it helpful. Feel free to share your feedback and ask questions in the comment section.

Have a nice day!