How to secure MongoDB with username and password

Question

I want to set up user name & password authentication for my MongoDB instance, so that any remote access will ask for the user name & password. I tried the tutorial from the MongoDB site and did following:

use admin db.addUser('theadmin', '12345'); db.auth('theadmin','12345'); 

After that, I exited and ran mongo again. And I don't need password to access it. Even if I connect to the database remotely, I am not prompted for user name & password.

---

UPDATE Here is the solution I ended up using

1) At the mongo command line, set the administrator:      use admin;     db.addUser('admin','123456');  2) Shutdown the server and exit      db.shutdownServer();     exit  3) Restart mongod with --auth    $ sudo ./mongodb/bin/mongod --auth --dbpath /mnt/db/  4) Run mongo again in 2 ways:     i) run mongo first then login:          $ ./mongodb/bin/mongo localhost:27017         use admin         db.auth('admin','123456');    ii) run & login to mongo in command line.          $ ./mongodb/bin/mongo localhost:27017/admin -u admin -p 123456 

The username & password will work the same way for mongodump and mongoexport.

Answer 1

You need to start mongod with the --auth option after setting up the user.

From the MongoDB Site:

Run the database (mongod process) with the --auth option to enable security. You must either have added a user to the admin db before starting the server with --auth, or add the first user from the localhost interface.

MongoDB Authentication

Answer 2

Wow so many complicated/confusing answers here.

This is as of v3.4.

Short answer.

1. Start MongoDB without access control.

   mongod --dbpath /data/db

2. Connect to the instance.

   mongo

3. Create the user.

   use some_db db.createUser( { user: "myNormalUser", pwd: "xyz123", roles: [ { role: "readWrite", db: "some_db" }, { role: "read", db: "some_other_db" } ] } )

4. Stop the MongoDB instance and start it again with access control.

   mongod --auth --dbpath /data/db

5. Connect and authenticate as the user.

   use some_db db.auth("myNormalUser", "xyz123") db.foo.insert({x:1}) use some_other_db db.foo.find({})

Long answer: Read this if you want to properly understand.

It's really simple. I'll dumb the following down https://docs.mongodb.com/manual/tutorial/enable-authentication/

If you want to learn more about what the roles actually do read more here: https://docs.mongodb.com/manual/reference/built-in-roles/

1. Start MongoDB without access control.

   mongod --dbpath /data/db

2. Connect to the instance.

   mongo

3. Create the user administrator. The following creates a user administrator in the admin authentication database. The user is a dbOwner over the some_db database and NOT over the admin database, this is important to remember.

   use admin db.createUser( { user: "myDbOwner", pwd: "abc123", roles: [ { role: "dbOwner", db: "some_db" } ] } )

Or if you want to create an admin which is admin over any database:

use admin db.createUser(   {     user: "myUserAdmin",     pwd: "abc123",     roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]   } ) 

4. Stop the MongoDB instance and start it again with access control.

   mongod --auth --dbpath /data/db

5. Connect and authenticate as the user administrator towards the admin authentication database, NOT towards the some_db authentication database. The user administrator was created in the admin authentication database, the user does not exist in the some_db authentication database.

   use admin db.auth("myDbOwner", "abc123")

You are now authenticated as a dbOwner over the some_db database. So now if you wish to read/write/do stuff directly towards the some_db database you can change to it.

use some_db //...do stuff like db.foo.insert({x:1}) // remember that the user administrator had dbOwner rights so the user may write/read, if you create a user with userAdmin they will not be able to read/write for example. 

More on roles: https://docs.mongodb.com/manual/reference/built-in-roles/

If you wish to make additional users which aren't user administrators and which are just normal users continue reading below.

6. Create a normal user. This user will be created in the some_db authentication database down below.

   use some_db db.createUser( { user: "myNormalUser", pwd: "xyz123", roles: [ { role: "readWrite", db: "some_db" }, { role: "read", db: "some_other_db" } ] } )

7. Exit the mongo shell, re-connect, authenticate as the user.

   use some_db db.auth("myNormalUser", "xyz123") db.foo.insert({x:1}) use some_other_db db.foo.find({})

Last but not least due to users not reading the commands I posted correctly regarding the --auth flag, you can set this value in the configuration file for mongoDB if you do not wish to set it as a flag.