How to Enable Authentication on MongoDB

Learn how to properly configure the most important and fundamental security feature that comes with MongoDB

Stampery Inc.
Jan 31, 2017 · 2 min read

Never run a production server without authentication on.

Really, never do so. No authentication means inviting everyone out there to enter your databases, seize everything and potentially ransom you for your data.

Running a testing server? Enable authentication either way, just in case you move it into production one day and you forget to enable it then!

Enabling authentication on MongoDB

Disclaimer: this how-to guide only applies to self-managed MongoDB servers. All “MongoDB as a Service” providers already enable authentication preemptively.

1. Start MongoDB without authentication

That’s easy, as this is the default behavior. While the server runs in this state, make sure it is reachable only from localhost (the net.bindIp setting in the config file, 127.0.0.1 in a stock install) and not from the network: an unauthenticated mongod exposed to the internet is exactly the situation this guide exists to prevent.

2. Connect to the server using the mongo shell

$ mongo mongodb://<host>:<port>

The port number will most likely be 27017. You can run mongod on a different port, but treat that as a minor nuisance for scanners, not as a security control: it does not replace authentication or a firewall rule.

3. Create the user administrator

Change to the admin database:

> use admin

You need to create a user with the userAdminAnyDatabase role, which grants the privilege to create and manage users and roles on any database (it grants no direct access to data). Bear in mind that a holder of this role can grant itself any other role, so protect this account as you would root. The following example creates the useradmin user with the password “thepianohasbeendrinking” (a placeholder; use a long, random password of your own):

> db.createUser(
    {
      user: "useradmin",
      pwd: "thepianohasbeendrinking",
      roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
    }
  )

Then disconnect from the mongo shell (Ctrl+D).

4. Enable authentication in mongod configuration file

Open /etc/mongod.conf in your editor and find the security section. On a fresh install it is usually just a commented-out placeholder (#security:); if it has been set explicitly it looks like this:

security:
  authorization: "disabled"

If there is no mongod.conf but there is a file named mongodb.conf instead, you are running an old distribution package of MongoDB rather than a current release. Please read the upgrade guide and move to a recent version before going any further.

Change "disabled" to "enabled" (the quotes are optional in YAML), save the file and restart mongod. The service is named mongod when MongoDB is installed from its own package repositories; some distribution packages still call it mongodb:

$ sudo service mongod restart

From now on, every client connecting to this server must authenticate as a valid user, and can only perform the actions allowed by that user’s assigned roles.
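Step 4 as an added example that is not part of the original post: a POSIX shell script that makes the config edit idempotently and checks the result before you restart mongod. It goes a little beyond the single case shown above and handles all four states a real file can be in: the commented-out #security: placeholder that stock packages ship (an assumption about the packaging, not something the page states), an existing authorization key with any value, a security section without the key, and no security section at all. The function names enable_mongod_auth and mongod_auth_enabled are chosen here, and the sample config it edits is constructed for the demo, not taken from a real server.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: the file is the YAML-format mongod.conf used by current releases.

# Rewrite <conf> so that security.authorization is "enabled". Idempotent:
# running it twice leaves a single "authorization: enabled" line.
enable_mongod_auth() {
  conf="$1"
  awk '
    # Placeholder left by the package ("#security:"): make it a real section.
    /^#security:[[:space:]]*$/ && !done {
      print "security:"; print "  authorization: enabled"; done = 1; next
    }
    # Key already present under security (quoted or not, any value): rewrite it.
    insec && /^[[:space:]]+authorization:/ && !done {
      print "  authorization: enabled"; done = 1; next
    }
    # Reached the next top-level key without seeing ours: add it first.
    insec && /^[^#[:space:]]/ && !done {
      print "  authorization: enabled"; done = 1
    }
    /^security:/ { insec = 1; print; next }
    /^[^#[:space:]]/ { insec = 0 }
    { print }
    END {
      # No security section (or it was the last section and lacked the key).
      if (!done) {
        if (!insec) print "security:"
        print "  authorization: enabled"
      }
    }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Exit 0 only if <conf> has "authorization: enabled" inside the security
# section; the same key under another section does not count.
mongod_auth_enabled() {
  awk '
    /^security:/ { insec = 1; next }
    /^[^#[:space:]]/ { insec = 0 }
    insec && /^[[:space:]]+authorization:[[:space:]]*"?enabled"?[[:space:]]*$/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# Constructed sample mirroring a stock mongod.conf (not a real server's file).
sample_conf() {
  printf '%s\n' \
    'storage:' \
    '  dbPath: /var/lib/mongodb' \
    'net:' \
    '  port: 27017' \
    '  bindIp: 127.0.0.1' \
    '#security:' \
    '#operationProfiling:' > "$1"
}

# Demo run on the constructed sample.
demo_conf=$(mktemp)
sample_conf "$demo_conf"
mongod_auth_enabled "$demo_conf" && echo "unexpected: auth already on" || echo "before: auth off"
enable_mongod_auth "$demo_conf"
mongod_auth_enabled "$demo_conf" && echo "after: auth on"
cat "$demo_conf"
rm -f "$demo_conf" "$demo_conf.tmp"
```

On a real host you would run enable_mongod_auth /etc/mongod.conf as root, confirm with mongod_auth_enabled /etc/mongod.conf, and only then restart the service. After the restart, authenticate with the shell's -u and -p flags plus --authenticationDatabase admin, giving -p no value so that mongo prompts for the password instead of recording it in your history.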

5. Connect and authenticate as the user administrator

$ mongo mongodb://<host>:<port>
> use admin
> db.auth("useradmin", "thepianohasbeendrinking")
1

Authenticate against the admin database, where the user was created. A return value of 1 means authentication succeeded; on failure the shell prints an error and returns 0.

You can also connect and authenticate in a single step with mongo mongodb://useradmin:thepianohasbeendrinking@<host>:<port>, but this is not advised: the credentials end up in your shell history and, while the client runs, in the process list, where any other program or user on the machine can read them.

6. Finally, create additional users as needed

The following operation adds a user myTester to the test database with the readWrite role on the test database:

> use test
> db.createUser(
    {
      user: "myTester",
      pwd: "xyz123",
      roles: [ { role: "readWrite", db: "test" } ]
    }
  )

When creating new users and assigning them roles, follow the MongoDB user credentials best practices: one account per application or person, the narrowest role that does the job (readWrite on one database rather than anything on admin), and long, random passwords rather than placeholders like the ones in these examples.

Mongoaudit — the mongoaudit guides

MongoDB security guides and best practices
