How to secure MongoDB with username and password
AuthenticationMongodbAuthentication Problem Overview
I want to set up user name & password authentication for my MongoDB instance, so that any remote access will ask for the user name & password. I tried the tutorial from the MongoDB site and did following:
use admin
db.addUser('theadmin', '12345');
db.auth('theadmin','12345');
After that, I exited and ran mongo again. And I don't need password to access it. Even if I connect to the database remotely, I am not prompted for user name & password.
UPDATE Here is the solution I ended up using
1) At the mongo command line, set the administrator:
use admin;
db.addUser('admin','123456');
2) Shutdown the server and exit
db.shutdownServer();
exit
3) Restart mongod with --auth
$ sudo ./mongodb/bin/mongod --auth --dbpath /mnt/db/
4) Run mongo again in 2 ways:
i) run mongo first then login:
$ ./mongodb/bin/mongo localhost:27017
use admin
db.auth('admin','123456');
ii) run & login to mongo in command line.
$ ./mongodb/bin/mongo localhost:27017/admin -u admin -p 123456
The username & password will work the same way for mongodump
and mongoexport
.
Authentication Solutions
Solution 1 - Authentication
You need to start mongod
with the --auth
option after setting up the user.
From the MongoDB Site:
> Run the database (mongod process) with the --auth
option to enable
> security. You must either have added a user to the admin db before
> starting the server with --auth
, or add the first user from the
> localhost interface.
Solution 2 - Authentication
Wow so many complicated/confusing answers here.
This is as of v3.4.
Short answer.
-
Start MongoDB without access control.
mongod --dbpath /data/db
-
Connect to the instance.
mongo
-
Create the user.
use some_db db.createUser( { user: "myNormalUser", pwd: "xyz123", roles: [ { role: "readWrite", db: "some_db" }, { role: "read", db: "some_other_db" } ] } )
-
Stop the MongoDB instance and start it again with access control.
mongod --auth --dbpath /data/db
-
Connect and authenticate as the user.
use some_db db.auth("myNormalUser", "xyz123") db.foo.insert({x:1}) use some_other_db db.foo.find({})
Long answer: Read this if you want to properly understand.
It's really simple. I'll dumb the following down https://docs.mongodb.com/manual/tutorial/enable-authentication/
If you want to learn more about what the roles actually do read more here: https://docs.mongodb.com/manual/reference/built-in-roles/
-
Start MongoDB without access control.
mongod --dbpath /data/db
-
Connect to the instance.
mongo
-
Create the user administrator. The following creates a user administrator in the
admin
authentication database. The user is adbOwner
over thesome_db
database and NOT over theadmin
database, this is important to remember.use admin db.createUser( { user: "myDbOwner", pwd: "abc123", roles: [ { role: "dbOwner", db: "some_db" } ] } )
Or if you want to create an admin which is admin over any database:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
4) Stop the MongoDB instance and start it again with access control.
mongod --auth --dbpath /data/db
5) Connect and authenticate as the user administrator towards the admin
authentication database, NOT towards the some_db
authentication database. The user administrator was created in the admin
authentication database, the user does not exist in the some_db
authentication database.
use admin
db.auth("myDbOwner", "abc123")
You are now authenticated as a dbOwner
over the some_db
database. So now if you wish to read/write/do stuff directly towards the some_db
database you can change to it.
use some_db
//...do stuff like db.foo.insert({x:1})
// remember that the user administrator had dbOwner rights so the user may write/read, if you create a user with userAdmin they will not be able to read/write for example.
More on roles: https://docs.mongodb.com/manual/reference/built-in-roles/
If you wish to make additional users which aren't user administrators and which are just normal users continue reading below.
-
Create a normal user. This user will be created in the
some_db
authentication database down below.use some_db db.createUser( { user: "myNormalUser", pwd: "xyz123", roles: [ { role: "readWrite", db: "some_db" }, { role: "read", db: "some_other_db" } ] } )
-
Exit the mongo shell, re-connect, authenticate as the user.
use some_db db.auth("myNormalUser", "xyz123") db.foo.insert({x:1}) use some_other_db db.foo.find({})
Last but not least due to users not reading the commands I posted correctly regarding the --auth
flag, you can set this value in the configuration file for mongoDB if you do not wish to set it as a flag.
Solution 3 - Authentication
First, un-comment the line that starts with #auth=true
in your mongod configuration file (default path /etc/mongod.conf
). This will enable authentication for mongodb.
Then, restart mongodb : sudo service mongod restart
Solution 4 - Authentication
This answer is for Mongo 3.2.1 Reference
Terminal 1:
$ mongod --auth
Terminal 2:
db.createUser({user:"admin_name", pwd:"1234",roles:["readWrite","dbAdmin"]})
if you want to add without roles (optional):
db.createUser({user:"admin_name", pwd:"1234", roles:[]})
to check if authenticated or not:
db.auth("admin_name", "1234")
it should give you:
1
else :
Error: Authentication failed.
0
Solution 5 - Authentication
Here is a javascript code to add users.
-
Start
mongod
with--auth = true
-
Access admin database from mongo shell and pass the javascript file.
mongo admin "Filename.js"
"Filename.js" // Adding admin user db.addUser("admin_username", " admin_password"); // Authenticate admin user db.auth("admin_username ", " admin_password "); // use database code from java script db = db.getSiblingDB("newDatabase"); // Adding newDatabase database user db.addUser("database_username ", " database_ password ");
-
Now user addition is complete, we can verify accessing the database from mongo shell
Solution 6 - Authentication
https://docs.mongodb.com/manual/reference/configuration-options/#security.authorization
Edit the mongo settings file;
sudo nano /etc/mongod.conf
Add the line:
security.authorization : enabled
Restart the service
sudo service mongod restart
Regards
Solution 7 - Authentication
First run mongoDB on terminal using
mongod
now run mongo shell use following commands
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Re-start the MongoDB instance with access control.
mongod --auth
Now authenticate yourself from the command line using
mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
I read it from
https://docs.mongodb.com/manual/tutorial/enable-authentication/
Solution 8 - Authentication
You could change /etc/mongod.conf
.
Before
#security:
After
security:
authorization: "enabled"
Then sudo service mongod restart
Solution 9 - Authentication
This is what I did on Ubuntu 18.04:
$ sudo apt install mongodb
$ mongo
> show dbs
> use admin
> db.createUser({ user: "root", pwd: "rootpw", roles: [ "root" ] }) // root user can do anything
> use lefa
> db.lefa.save( {name:"test"} )
> db.lefa.find()
> show dbs
> db.createUser({ user: "lefa", pwd: "lefapw", roles: [ { role: "dbOwner", db: "lefa" } ] }) // admin of a db
> exit
$ sudo vim /etc/mongodb.conf
auth = true
$ sudo systemctl restart mongodb
$ mongo -u "root" -p "rootpw" --authenticationDatabase "admin"
> use admin
> exit
$ mongo -u "lefa" -p "lefapw" --authenticationDatabase "lefa"
> use lefa
> exit
Solution 10 - Authentication
Follow the below steps in order
- Create a user using the CLI
use admin
db.createUser(
{
user: "admin",
pwd: "admin123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
- Enable authentication, how you do it differs based on your OS, if you are using windows you can simply
mongod --auth
in case of linux you can edit the/etc/mongod.conf
file to addsecurity.authorization : enabled
and then restart the mongd service - To connect via cli
mongo -u "admin" -p "admin123" --authenticationDatabase "admin"
. That's it
You can check out this post to go into more details and to learn connecting to it using mongoose.
Solution 11 - Authentication
You'll need to switch to the database you want the user on (not the admin db) ...
use mydatabase
See this post for more help ... https://web.archive.org/web/20140316031938/http://learnmongo.com/posts/quick-tip-mongodb-users/
Solution 12 - Authentication
User creation with password for a specific database to secure database access :
use dbName
db.createUser(
{
user: "dbUser",
pwd: "dbPassword",
roles: [ "readWrite", "dbAdmin" ]
}
)
Solution 13 - Authentication
The best practice to connect to mongoDB as follow:
-
After initial installation,
use admin
-
Then run the following script to create admin user
db.createUser(
{
user: "YourUserName",
pwd: "YourPassword",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "clusterAdmin", db: "admin" }
]
})
the following script will create the admin user for the DB.
-
log into the
db.admin
usingmongo -u YourUserName -p YourPassword admin
-
After login, you can create N number of the database with same admin credential or different by repeating the 1 to 3.
This allows you to create different user and password for the different collection you creating in the MongoDB
Solution 14 - Authentication
This is what i did for ubuntu 20.04 and mongodb enterprise 4.4.2:
-
start mongo shell by typing
mongo
in terminal. -
use admin database:
use admin
- create a new user and assign your intended role:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(), // or cleartext password
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
- exit mongo and add the following line to
etc/mongod.conf
:
security:
authorization: enabled
- restart mongodb server
(optional) 6.If you want your user to have root access you can either specify it when creating your user like:
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(), // or cleartext password
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
or you can change user role using:
db.grantRolesToUser('admin', [{ role: 'root', db: 'admin' }])
Solution 15 - Authentication
Some of the answers are sending mixed signals between using --auth
command line flag or setting config file property.
security:
authorization: enabled
I would like to clarify that aspect. First of all, authentication credentials (ie user/password) in both cases has to be created by executing db.createUser
query on the default admin
database. Once credentials are obtained, there are two ways to enable authentication:
- Without a custom config file: This is when the former
auth
flag is applicable. Startmongod
like:usr/bin/mongod --auth
- With a custom config file: This is when the latter configs has to be present in the custom config file.Start
mongod
like:usr/bin/mongod --config <config file path>
To connect to the mongo shell with authentication:
mongo -u <user> -p <password> --authenticationDatabase admin
--authenticationDatabase
here is the database name where the user was created. All other mongo commands like mongorestore
, mongodump
accept the additional options ie -u <user> -p <password> --authenticationDatabase admin
Refer to https://docs.mongodb.com/manual/tutorial/enable-authentication/ for details.
Solution 16 - Authentication
These steps worked on me:
- write mongod --port 27017 on cmd
- then connect to mongo shell : mongo --port 27017
- create the user admin : use admin db.createUser( { user: "myUserAdmin", pwd: "abc123", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
- disconnect mongo shell
- restart the mongodb : mongod --auth --port 27017
- start mongo shell : mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
- To authenticate after connecting, Connect the mongo shell to the mongod: mongo --port 27017
- switch to the authentication database : use admin db.auth("myUserAdmin", "abc123"
Solution 17 - Authentication
after you create new user, please don't forget to grant
read/write/root
permission to the user. you can try the
cmd: db.grantRolesToUser('yourNewUsername',[{ role: "root", db: "admin" }])
Solution 18 - Authentication
Many duplicate answers but I think they miss an important note:
Even when authentication is enabled properly you can connect to the Mongo database without username/password!
However, you can execute only harmless commands like db.help()
, db.getMongo()
, db.listCommands()
, etc.
$ mongo
MongoDB shell version v4.4.3
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("f662858b-8658-4e33-a735-120e3639c131") }
MongoDB server version: 4.4.3
mongos> db.getMongo()
connection to 127.0.0.1:27017
mongos> db
test
mongos> db.version()
4.4.3
mongos> db.runCommand({connectionStatus : 1})
{
"authInfo" : {
"authenticatedUsers" : [ ],
"authenticatedUserRoles" : [ ]
},
"ok" : 1,
"operationTime" : Timestamp(1618996970, 2),
"$clusterTime" : {
"clusterTime" : Timestamp(1618996970, 2),
"signature" : {
"hash" : BinData(0,"Kre9jvnJvsW+OVCl1QC+eKSBbbY="),
"keyId" : NumberLong("6944343118355365892")
}
}
}