Is there any best practice in MongoDB as to where I should put my database users?
I've just set up a local MongoDB server and I've added users in the admin database and granted them access to "their" (by their I mean the only database the users have access to) database.
Do you think it would be better to just put the users in "their" database and not in the admin database?
Authentication Database: In MongoDB, user can have privileges across different databases. When adding a user, you create the user in a specific database. This database is the authentication database for this user.
MongoDB is a source-available cross-platform document-oriented database program for high-volume storage. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas. MongoDB database clusters come configured with a default database ( admin) and a default administrative user ( doadmin ).
Admin vs Root: The role userAdminAnyDatabase in MongoDB gives ability to create users and assign roles to them, but by itself it doesn’t allow the user to do anything else. The superuser role in MongoDB is the root. Switch to the database in which you would like to create a common user: Create my-user with readWrite permissions on my-database:
Each role is scoped to the database in which you create the role, but MongoDB stores all role information in the admin.system.roles collection in the admin database. the createRole action on that database resource.
Regardless of the user's authentication database, Mongo always stores user information in admin
.
MongoDB stores all user information, including name, password, and the user's authentication database, in the
system.users
collection in the admin database.
See centralized-user-data and system-users-collection.
When you create a user and grant that user access to a single database (aka their authentication database) then that information can only be stored in the admin
database.
So, it's not really a question of "best practice"; storing user details in admin
is MongoDB's choice, as implemented by their user management commands.
Update in response to this comment:
Ok, so the users are always located in the admin db, but I may also add "duplicates" to the other dbs? Maybe the question should be whether there any advantage in adding users to the other "non admin" dbs?
If you intend to have a single user with access to multiple databases then create a single user with roles in each of those databases rather than creating that user multiple times i.e. once in each of those databases. For example:
use admin;
db.createUser({user:'userName', pwd:'passwordValue', roles:[
{role:'readWrite', db:'DatabaseA'},
{role:'readWrite', db:'DatabaseB'}
]});
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With