How to Enable MongoDB Access Control (User Authentication)

After the initial setup, MongoDB can be accessed without access control. In real operations, unrestricted access is not acceptable, so access control, including user authentication and role control, must be enabled.

This article summarizes the access-control procedure for the simplest single-server setup.

Information about user management

First, let us look at the information related to user management and where it is stored.

User information is stored in the system.users collection of the admin database.

There are two role types that can manage users: userAdmin and userAdminAnyDatabase.

  • userAdmin is a role that can manage users only for the specified database.
  • userAdminAnyDatabase allows the user granted this role to manage users for all databases.

Procedure for using user authentication

The rough procedure is as follows. The commands assume that you are working on the MongoDB server.

  • Add an administrative user
  • Restart MongoDB
  • Add a regular user
  • Connect to the database by specifying the user name and password

Add an administrative user

  1. Start MongoDB without access control.
    mongod --dbpath "C:\data\db"
    
  2. Connect to MongoDB.
    mongo
    
  3. Create a user administrator.
    Connect to the admin database and run the following command to create a user administrator. The user name being created is admin.
    use admin
    db.createUser({
        user: 'admin',
        pwd: 'password',
        roles: [{
            role: 'userAdminAnyDatabase',
            db: 'admin'
        }]
    })
    

Restart MongoDB

  1. Restart the MongoDB server with access control.
    mongod --auth --dbpath "C:\data\db"
    
    To start MongoDB with a configuration file, see MongoDB configuration file settings.

Add a regular user

  1. Connect to MongoDB as the user administrator by specifying the user name and password. There are two ways to connect to MongoDB with access control enabled: authenticate while connecting, or authenticate after connecting.

    • Authenticate while connecting to MongoDB
      Use the -u <username>, -p <password>, and --authenticationDatabase <databasename> options of the mongo command.

      mongo -u "admin" -p "password" --authenticationDatabase "admin"
      
    • Authenticate after connecting to MongoDB
      First, connect to MongoDB as usual.

      mongo
      

      Switch to the database that requires authentication, then authenticate with the db.auth(<username>, <password>) method.

      use admin
      db.auth("admin", "password")
      
  2. Create a user who can normally access the database.

    Once you create a user administrator and enable access control, databases for which you do not have privileges cannot be accessed. You must create users for each database you use.

    The following example connects to the test database and adds the user1 user with the readWrite role. For other roles, see Built-in roles.

    use test
    db.createUser({
        user: "user1",
        pwd: "password",
        roles: [{
            role: "readWrite", db: "test"
        }]
    })
    

Connect to the database with a user name and password

  1. Connect as the user added to the database. As with the administrative user, there are two ways to connect: authenticate while connecting to MongoDB, or authenticate after connecting. The details are the same, so they are omitted here.

    • Authenticate while connecting to MongoDB
      mongo -u "user1" -p "password" --authenticationDatabase "test"
      
    • Authenticate after connecting to MongoDB
      mongo
      
      use test
      db.auth("user1", "password")
      

MongoDB configuration file settings

In normal operation, you generally do not start the MongoDB server by manually executing a command. Instead, you specify startup options in the MongoDB configuration file and start MongoDB by reading that configuration file.

The following is an example MongoDB configuration that enables access control, along with the startup command.

mongod.config

systemLog:
    destination: file
    path: C:\mongodb\server\log\mongod.log
security:
    authorization: enabled
storage:
    dbPath: C:\mongodb\server\data

Start the MongoDB server

mongod --config "C:\data\mongod.config"

For details about MongoDB configuration file options, see MongoDB - Configuration File Options.
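As an added check (example code written for this article, not part of the original or of MongoDB itself), the following Python script reads a mongod.config in the shape shown above and reports whether security.authorization is enabled. It assumes a minimal parser for this two-level YAML layout rather than a full YAML library, and the two configurations it checks are constructed samples.

```python
def parse_simple_yaml(text):
    """Parse the 'section:' / '    key: value' YAML subset used by mongod.config.
    Assumption: a minimal indentation-based parser for this shape only."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open section
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")  # split at the first colon only
        while indent <= stack[-1][0]:  # leave sections we have indented out of
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()  # Windows paths keep their backslashes
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def check_access_control(config_text):
    """Return findings; an empty list means security.authorization is enabled."""
    security = parse_simple_yaml(config_text).get("security")
    if not isinstance(security, dict) or "authorization" not in security:
        return ["security.authorization is not set: mongod starts without access control"]
    value = security["authorization"]
    if value.lower() != "enabled":
        return [f"security.authorization is '{value}', expected 'enabled'"]
    return []


# Constructed sample: a config as left by the initial setup, with no security section.
CONFIG_NO_AUTH = r"""
systemLog:
    destination: file
    path: C:\mongodb\server\log\mongod.log
storage:
    dbPath: C:\mongodb\server\data
"""

# Constructed sample: the same config with access control enabled, as in the article.
CONFIG_AUTH = CONFIG_NO_AUTH.replace("storage:", "security:\n    authorization: enabled\nstorage:")

if __name__ == "__main__":
    for name, cfg in [("no-auth", CONFIG_NO_AUTH), ("auth", CONFIG_AUTH)]:
        print(name, check_access_control(cfg) or "OK: access control enabled")
```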

Built-in roles

MongoDB provides several built-in roles. This section introduces a few that are likely to be used.

Database user roles

  • read: Read privileges for all non-system collections and for the system.indexes, system.js, and system.namespaces system collections.
  • readWrite: In addition to the read role, privileges to modify all non-system collections and the system.js system collection.

Database administration roles

  • dbAdmin: Privileges for administrative tasks such as schema-related tasks, indexes, and retrieving statistics. This role does not include user management or role management privileges.
  • dbOwner: Database-owner privileges. This role combines the readWrite, dbAdmin, and userAdmin privileges.
  • userAdmin: Privileges to manage users and roles for the database. The userAdmin role can grant access privileges to any user, including itself, so the userAdmin role on the admin database is effectively a superuser.
