How to secure MongoDB with username and password
I want to set up user name & password authentication for my MongoDB instance, so that any remote access will ask for the user name & password. I tried the tutorial from the MongoDB site and did following:
use admin
db.addUser('theadmin', '12345');
db.auth('theadmin','12345');
After that, I exited and ran mongo again. And I don't need password to access it. Even if I connect to the database remotely, I am not prompted for user name & password.
UPDATE Here is the solution I ended up using
1) At the mongo command line, set the administrator:
use admin;
db.addUser('admin','123456');
2) Shutdown the server and exit
db.shutdownServer();
exit
3) Restart mongod with --auth
$ sudo ./mongodb/bin/mongod --auth --dbpath /mnt/db/
4) Run mongo again in 2 ways:
i) run mongo first then login:
$ ./mongodb/bin/mongo localhost:27017
use admin
db.auth('admin','123456');
ii) run & login to mongo in command line.
$ ./mongodb/bin/mongo localhost:27017/admin -u admin -p 123456
The username & password will work the same way for mongodump and mongoexport.
You need to start mongod with the --auth option after setting up the user.
From the MongoDB Site:
Run the database (mongod process) with the --auth option to enable security. You must either have added a user to the admin db before starting the server with --auth, or add the first user from the localhost interface.
Wow so many complicated/confusing answers here.
This is as of v3.4.
Short answer.
Start MongoDB without access control. mongod --dbpath /data/db Connect to the instance. mongo Create the user. use some_db db.createUser( { user: "myNormalUser", pwd: "xyz123", roles: [ { role: "readWrite", db: "some_db" }, { role: "read", db: "some_other_db" } ] } ) Stop the MongoDB instance and start it again with access control. mongod --auth --dbpath /data/db Connect and authenticate as the user. use some_db db.auth("myNormalUser", "xyz123") db.foo.insert({x:1}) use some_other_db db.foo.find({})
Long answer: Read this if you want to properly understand.
It's really simple. I'll dumb the following down https://docs.mongodb.com/manual/tutorial/enable-authentication/
If you want to learn more about what the roles actually do read more here: https://docs.mongodb.com/manual/reference/built-in-roles/
Start MongoDB without access control. mongod --dbpath /data/db Connect to the instance. mongo Create the user administrator. The following creates a user administrator in the admin authentication database. The user is a dbOwner over the some_db database and NOT over the admin database, this is important to remember. use admin db.createUser( { user: "myDbOwner", pwd: "abc123", roles: [ { role: "dbOwner", db: "some_db" } ] } )
Or if you want to create an admin which is admin over any database:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Stop the MongoDB instance and start it again with access control. mongod --auth --dbpath /data/db Connect and authenticate as the user administrator towards the admin authentication database, NOT towards the some_db authentication database. The user administrator was created in the admin authentication database, the user does not exist in the some_db authentication database. use admin db.auth("myDbOwner", "abc123")
You are now authenticated as a dbOwner over the some_db database. So now if you wish to read/write/do stuff directly towards the some_db database you can change to it.
use some_db
//...do stuff like db.foo.insert({x:1})
// remember that the user administrator had dbOwner rights so the user may write/read, if you create a user with userAdmin they will not be able to read/write for example.
More on roles: https://docs.mongodb.com/manual/reference/built-in-roles/
If you wish to make additional users which aren't user administrators and which are just normal users continue reading below.
Create a normal user. This user will be created in the some_db authentication database down below. use some_db db.createUser( { user: "myNormalUser", pwd: "xyz123", roles: [ { role: "readWrite", db: "some_db" }, { role: "read", db: "some_other_db" } ] } ) Exit the mongo shell, re-connect, authenticate as the user. use some_db db.auth("myNormalUser", "xyz123") db.foo.insert({x:1}) use some_other_db db.foo.find({})
Last but not least due to users not reading the commands I posted correctly regarding the --auth flag, you can set this value in the configuration file for mongoDB if you do not wish to set it as a flag.
First, un-comment the line that starts with #auth=true in your mongod configuration file (default path /etc/mongod.conf). This will enable authentication for mongodb.
Then, restart mongodb : sudo service mongod restart
/etc/mongod.conf not /etc/mongo.conf
authorization: enabled for version 4.4. See Mongodb authentication paragraph 4 Re-start the MongoDB instance with access control Be also sure to uncomment the #security:. Example: security: authorization: enabled
This answer is for Mongo 3.2.1 Reference
Terminal 1:
$ mongod --auth
Terminal 2:
db.createUser({user:"admin_name", pwd:"1234",roles:["readWrite","dbAdmin"]})
if you want to add without roles (optional):
db.createUser({user:"admin_name", pwd:"1234", roles:[]})
to check if authenticated or not:
db.auth("admin_name", "1234")
it should give you:
1
else :
Error: Authentication failed.
0
use admin before createUser otherwise it gave an error.
Here is a javascript code to add users.
Start mongod with --auth = true Access admin database from mongo shell and pass the javascript file. mongo admin "Filename.js" "Filename.js" // Adding admin user db.addUser("admin_username", " admin_password"); // Authenticate admin user db.auth("admin_username ", " admin_password "); // use database code from java script db = db.getSiblingDB("newDatabase"); // Adding newDatabase database user db.addUser("database_username ", " database_ password "); Now user addition is complete, we can verify accessing the database from mongo shell
https://docs.mongodb.com/manual/reference/configuration-options/#security.authorization
Edit the mongo settings file;
sudo nano /etc/mongod.conf
Add the line:
security.authorization : enabled
Restart the service
sudo service mongod restart
Regards
You could change /etc/mongod.conf.
Before
#security:
After
security:
authorization: "enabled"
Then sudo service mongod restart
First run mongoDB on terminal using
mongod
now run mongo shell use following commands
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Re-start the MongoDB instance with access control.
mongod --auth
Now authenticate yourself from the command line using
mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
I read it from
https://docs.mongodb.com/manual/tutorial/enable-authentication/
MongoDB Enterprise > db.system.users.find() { "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SC RAM-SHA-1" : { "iterationCount" : 10000, "salt" : "k96PCEflidMY5seVju+gAw==", "s toredKey" : "CabQTnJtny7cv0wT5X8oX9QOn3A=", "serverKey" : "RJyCdnlIhyIfj2+d44L61 bYK+MU=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "dbAdmin", "db" : "admin" }, { "role" : "userAdmin", "db" : "admin" }, { "role" : "root", "db" : "admin" } ] } still authentication fails
root role to provides access to the operations and all the resources of the following roles combined... role root
This is what I did on Ubuntu 18.04:
$ sudo apt install mongodb
$ mongo
> show dbs
> use admin
> db.createUser({ user: "root", pwd: "rootpw", roles: [ "root" ] }) // root user can do anything
> use lefa
> db.lefa.save( {name:"test"} )
> db.lefa.find()
> show dbs
> db.createUser({ user: "lefa", pwd: "lefapw", roles: [ { role: "dbOwner", db: "lefa" } ] }) // admin of a db
> exit
$ sudo vim /etc/mongodb.conf
auth = true
$ sudo systemctl restart mongodb
$ mongo -u "root" -p "rootpw" --authenticationDatabase "admin"
> use admin
> exit
$ mongo -u "lefa" -p "lefapw" --authenticationDatabase "lefa"
> use lefa
> exit
User creation with password for a specific database to secure database access :
use dbName
db.createUser(
{
user: "dbUser",
pwd: "dbPassword",
roles: [ "readWrite", "dbAdmin" ]
}
)
Follow the below steps in order
Create a user using the CLI
use admin
db.createUser(
{
user: "admin",
pwd: "admin123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
Enable authentication, how you do it differs based on your OS, if you are using windows you can simply mongod --auth in case of linux you can edit the /etc/mongod.conf file to add security.authorization : enabled and then restart the mongd service
To connect via cli mongo -u "admin" -p "admin123" --authenticationDatabase "admin". That's it
You can check out this post to go into more details and to learn connecting to it using mongoose.
This is what i did for ubuntu 20.04 and mongodb enterprise 4.4.2:
start mongo shell by typing mongo in terminal. use admin database:
use admin
create a new user and assign your intended role:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(), // or cleartext password
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
exit mongo and add the following line to etc/mongod.conf:
security:
authorization: enabled
restart mongodb server
(optional) 6.If you want your user to have root access you can either specify it when creating your user like:
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(), // or cleartext password
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
or you can change user role using:
db.grantRolesToUser('admin', [{ role: 'root', db: 'admin' }])
Some of the answers are sending mixed signals between using --auth command line flag or setting config file property.
security:
authorization: enabled
I would like to clarify that aspect. First of all, authentication credentials (ie user/password) in both cases has to be created by executing db.createUser query on the default admin database. Once credentials are obtained, there are two ways to enable authentication:
Without a custom config file: This is when the former auth flag is applicable. Start mongod like: usr/bin/mongod --auth With a custom config file: This is when the latter configs has to be present in the custom config file.Start mongod like: usr/bin/mongod --config
To connect to the mongo shell with authentication: mongo -u <user> -p <password> --authenticationDatabase admin
--authenticationDatabase here is the database name where the user was created. All other mongo commands like mongorestore, mongodump accept the additional options ie -u <user> -p <password> --authenticationDatabase admin
Refer to https://docs.mongodb.com/manual/tutorial/enable-authentication/ for details.
The best practice to connect to mongoDB as follow:
After initial installation, use admin Then run the following script to create admin user
db.createUser(
{
user: "YourUserName",
pwd: "YourPassword",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "clusterAdmin", db: "admin" }
]
})
the following script will create the admin user for the DB.
log into the db.admin using mongo -u YourUserName -p YourPassword admin After login, you can create N number of the database with same admin credential or different by repeating the 1 to 3.
This allows you to create different user and password for the different collection you creating in the MongoDB
These steps worked on me:
write mongod --port 27017 on cmd then connect to mongo shell : mongo --port 27017 create the user admin : use admin db.createUser( { user: "myUserAdmin", pwd: "abc123", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } ) disconnect mongo shell restart the mongodb : mongod --auth --port 27017 start mongo shell : mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin" To authenticate after connecting, Connect the mongo shell to the mongod: mongo --port 27017 switch to the authentication database : use admin db.auth("myUserAdmin", "abc123"
You'll need to switch to the database you want the user on (not the admin db) ...
use mydatabase
See this post for more help ... https://web.archive.org/web/20140316031938/http://learnmongo.com/posts/quick-tip-mongodb-users/
admin
after you create new user, please don't forget to grant read/write/root permission to the user. you can try the
cmd: db.grantRolesToUser('yourNewUsername',[{ role: "root", db: "admin" }])
mongodb 4.4.13 community
1. create database user
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
1.2 verify working
> db.auth('myUserAdmin','abc123')
< { ok: 1 }
if it fails you get
> db.auth('myUserAdmin','amongus')
MongoServerError: Authentication failed.
2. modify /etc/mongod.conf
nano /etc/mongod.conf
change:
#security:
to:
security:
authorization: enabled
3. restart mongod service
sudo service mongod restart
this is what worked for me.
Many duplicate answers but I think they miss an important note:
Even when authentication is enabled properly you can connect to the Mongo database without username/password!
However, you can execute only harmless commands like db.help(), db.getMongo(), db.listCommands(), etc.
$ mongo
MongoDB shell version v4.4.3
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("f662858b-8658-4e33-a735-120e3639c131") }
MongoDB server version: 4.4.3
mongos> db.getMongo()
connection to 127.0.0.1:27017
mongos> db
test
mongos> db.version()
4.4.3
mongos> db.runCommand({connectionStatus : 1})
{
"authInfo" : {
"authenticatedUsers" : [ ],
"authenticatedUserRoles" : [ ]
},
"ok" : 1,
"operationTime" : Timestamp(1618996970, 2),
"$clusterTime" : {
"clusterTime" : Timestamp(1618996970, 2),
"signature" : {
"hash" : BinData(0,"Kre9jvnJvsW+OVCl1QC+eKSBbbY="),
"keyId" : NumberLong("6944343118355365892")
}
}
}
Follow WeChat
Success story sharing
admindb, use another db and try again. Only a userAdmin(AnyDatabase) can connect onadmin.