How to secure MongoDB with username and password
You need to start mongod
with the --auth
option after setting up the user.
From the MongoDB Site:
Run the database (mongod process) with the
--auth
option to enable security. You must either have added a user to the admin db before starting the server with--auth
, or add the first user from the localhost interface.
Wow so many complicated/confusing answers here.
This is as of v3.4.
Short answer.
1) Start MongoDB without access control.
mongod --dbpath /data/db
2) Connect to the instance.
mongo
3) Create the user.
use some_dbdb.createUser( { user: "myNormalUser", pwd: "xyz123", roles: [ { role: "readWrite", db: "some_db" }, { role: "read", db: "some_other_db" } ] })
4) Stop the MongoDB instance and start it again with access control.
mongod --auth --dbpath /data/db
5) Connect and authenticate as the user.
use some_dbdb.auth("myNormalUser", "xyz123")db.foo.insert({x:1})use some_other_dbdb.foo.find({})
Long answer: Read this if you want to properly understand.
It's really simple. I'll dumb the following down https://docs.mongodb.com/manual/tutorial/enable-authentication/
If you want to learn more about what the roles actually do read more here: https://docs.mongodb.com/manual/reference/built-in-roles/
1) Start MongoDB without access control.
mongod --dbpath /data/db
2) Connect to the instance.
mongo
3) Create the user administrator. The following creates a user administrator in the admin
authentication database. The user is a dbOwner
over the some_db
database and NOT over the admin
database, this is important to remember.
use admindb.createUser( { user: "myDbOwner", pwd: "abc123", roles: [ { role: "dbOwner", db: "some_db" } ] })
Or if you want to create an admin which is admin over any database:
use admindb.createUser( { user: "myUserAdmin", pwd: "abc123", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
4) Stop the MongoDB instance and start it again with access control.
mongod --auth --dbpath /data/db
5) Connect and authenticate as the user administrator towards the admin
authentication database, NOT towards the some_db
authentication database. The user administrator was created in the admin
authentication database, the user does not exist in the some_db
authentication database.
use admindb.auth("myDbOwner", "abc123")
You are now authenticated as a dbOwner
over the some_db
database. So now if you wish to read/write/do stuff directly towards the some_db
database you can change to it.
use some_db//...do stuff like db.foo.insert({x:1})// remember that the user administrator had dbOwner rights so the user may write/read, if you create a user with userAdmin they will not be able to read/write for example.
More on roles: https://docs.mongodb.com/manual/reference/built-in-roles/
If you wish to make additional users which aren't user administrators and which are just normal users continue reading below.
6) Create a normal user. This user will be created in the some_db
authentication database down below.
use some_dbdb.createUser( { user: "myNormalUser", pwd: "xyz123", roles: [ { role: "readWrite", db: "some_db" }, { role: "read", db: "some_other_db" } ] })
7) Exit the mongo shell, re-connect, authenticate as the user.
use some_dbdb.auth("myNormalUser", "xyz123")db.foo.insert({x:1})use some_other_dbdb.foo.find({})
First, un-comment the line that starts with #auth=true
in your mongod configuration file (default path /etc/mongod.conf
). This will enable authentication for mongodb.
Then, restart mongodb : sudo service mongod restart