Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

MongoDB should I put users in admin db or local db

Tags:

mongodb

Is there any best practice in MongoDB as to where I should put my database users?

I've just set up a local MongoDB server and I've added users in the admin database and granted them access to "their" (by their I mean the only database the users have access to) database.

Do you think it would be better to just put the users in "their" database and not in the admin database?

like image 330
mortb Avatar asked Mar 23 '18 08:03

mortb


People also ask

What is authentication database in MongoDB?

Authentication Database: In MongoDB, user can have privileges across different databases. When adding a user, you create the user in a specific database. This database is the authentication database for this user.

What is the default user in MongoDB?

MongoDB is a source-available cross-platform document-oriented database program for high-volume storage. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas. MongoDB database clusters come configured with a default database ( admin) and a default administrative user ( doadmin ).

What is the difference between useradminanydatabase and root in MongoDB?

Admin vs Root: The role userAdminAnyDatabase in MongoDB gives ability to create users and assign roles to them, but by itself it doesn’t allow the user to do anything else. The superuser role in MongoDB is the root. Switch to the database in which you would like to create a common user: Create my-user with readWrite permissions on my-database:

Where does MongoDB store the role information?

Each role is scoped to the database in which you create the role, but MongoDB stores all role information in the admin.system.roles collection in the admin database. the createRole action on that database resource.


1 Answers

Regardless of the user's authentication database, Mongo always stores user information in admin.

MongoDB stores all user information, including name, password, and the user's authentication database, in the system.users collection in the admin database.

See centralized-user-data and system-users-collection.

When you create a user and grant that user access to a single database (aka their authentication database) then that information can only be stored in the admin database.

So, it's not really a question of "best practice"; storing user details in admin is MongoDB's choice, as implemented by their user management commands.

Update in response to this comment:

Ok, so the users are always located in the admin db, but I may also add "duplicates" to the other dbs? Maybe the question should be whether there any advantage in adding users to the other "non admin" dbs?

If you intend to have a single user with access to multiple databases then create a single user with roles in each of those databases rather than creating that user multiple times i.e. once in each of those databases. For example:

use admin;
db.createUser({user:'userName', pwd:'passwordValue', roles:[
    {role:'readWrite', db:'DatabaseA'},
    {role:'readWrite', db:'DatabaseB'}
]});
like image 166
glytching Avatar answered Sep 29 '22 18:09

glytching