MongoDB Enable Authentication Tutorial

Source: Internet
Author: User

Enabling access control on a MongoDB deployment enforces authentication: users must identify themselves when they connect. On a deployment with access control enabled, users can only perform the operations permitted by their roles.

For authentication, MongoDB supports various authentication mechanisms.
The following tutorial enables access control for a standalone mongod instance and uses the default authentication mechanism.
Once access control is enabled, make sure that a user with the userAdmin or userAdminAnyDatabase role exists in the admin database. This user can manage users and roles, for example: create users, grant or revoke user roles, and create or modify user-defined roles.
You can create users before or after enabling access control. If you enable access control before creating any users, MongoDB provides a localhost exception, which allows you to create a user administrator in the admin database. Once it is created, you must authenticate as the user administrator to create other users as needed.
Procedure
The following procedure first adds a user administrator to a MongoDB instance running without access control, and then enables access control.
Step 1: Start MongoDB without access control
For example, the following starts a standalone mongod instance without access control.
mongod --port 27017 --dbpath /data/db1
Step 2: Connect to the instance

For example, use the mongo shell to connect to the instance.
mongo --port 27017
Specify other command line options as needed to connect the mongo shell to the deployment, such as --host.
Step 3: Create user administrator
In the admin database, add a user with the userAdminAnyDatabase role. For example, the following creates the user myUserAdmin in the admin database:

Note: The database in which the user is created (admin in this example) is the user's authentication database. The user authenticates against this database but can hold roles in other databases; that is, the user's authentication database does not limit the user's permissions.
use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [{role: "userAdminAnyDatabase", db: "admin"}]
  }
)
After executing the above command, disconnect the mongo shell.
Step 4: Restart the MongoDB instance with access control
Restart the mongod instance with the --auth command line option or, if you use a configuration file, with the security.authorization setting.
mongod --auth --port 27017 --dbpath /data/db1
Clients connecting to this instance must now authenticate as a MongoDB user, and can only perform the operations determined by their assigned roles.
Step 5: Connect and verify as a user administrator
Using the mongo shell, you can either pass the user credentials when connecting, or connect without authentication and then call the db.auth() method to authenticate.
Authenticate during connection
Use the -u <username>, -p <password> and --authenticationDatabase <database> command line options to start a mongo shell:
$ mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
Verify after connection
Connect the mongo shell to the instance first, then authenticate:
mongo --port 27017
Switch to the authentication database (admin in this case) and use the db.auth(<username>,<pwd>) method for authentication:
use admin
db.auth("myUserAdmin", "abc123")
Step 6: Create other users as needed
After the administrator user is authenticated, other users can be created using db.createUser(). Users can be assigned any built-in roles or user-defined roles.
The myUserAdmin user only has the authority to manage users and roles. If you use myUserAdmin to try to perform any other operations, such as reading data from the foo collection in the test database, MongoDB will return an error.
The following operation adds the user myTester to the test database and gives it the readWrite role in the test database and the read role in the reporting database.

Note: The database in which the user is created (test in this example) is the user's authentication database. Although the user authenticates against this database, the user can hold roles in other databases; that is, the user's authentication database does not restrict the user's permissions.
use test
db.createUser(
  {
    user: "myTester",
    pwd: "xyz123",
    roles: [{role: "readWrite", db: "test" },
             {role: "read", db: "reporting"}]
  }
)
Step 7: Connect and verify as myTester
Authenticate during connection
Use the -u <username>, -p <password> and --authenticationDatabase <database> command line options to start a mongo shell:
$ mongo --port 27017 -u "myTester" -p "xyz123" --authenticationDatabase "test"
Verify after connection
Connect the mongo shell to mongodb:
$ mongo --port 27017
Switch to the authentication database (test here), and use the db.auth(<username>,<pwd>) method for authentication:
> use test
> db.auth("myTester", "xyz123")
Insert into a collection as user myTester
As myTester, you have the right to perform read and write operations in the test database (and read operations in the reporting database). For example, perform the following insert operation in the test database:
> db.foo.insert( {x: 1, y: 1})
Finally, as myTester, try an insert operation in the reporting database. The user holds only the read role there, so MongoDB returns an error:
> use reporting
> db.product.insert( {x: 1, y: 1})
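Step 4 names two ways to turn access control on: the --auth flag and security.authorization in a configuration file. The check below is an added example, not part of the original tutorial: given a mongod command line, it reports whether either switch is set. The sample configuration file is constructed and the function names conf_authorization and auth_enforced are hypothetical; --config and -f are the mongod options that name the configuration file.

```shell
#!/bin/sh
# Added example: does a mongod start-up enforce access control?
# Checks only the two switches from Step 4: --auth and security.authorization.
# conf_authorization FILE: print security.authorization (block-style YAML only)
conf_authorization() {
  awk '
    /^[ \t]*#/ { next }                        # whole-line comment
    /^[^ \t]/  { in_sec = ($0 ~ /^security:[ \t]*(#.*)?$/); next }
    in_sec && /^[ \t]+authorization:/ {
      sub(/^[ \t]+authorization:[ \t]*/, "")   # drop the key
      sub(/[ \t]*(#.*)?$/, "")                 # drop trailing comment
      gsub(/"/, "")                            # drop double quotes
      print; exit
    }
  ' "$1"
}

# auth_enforced "CMDLINE": exit 0 if access control is on, 1 otherwise
auth_enforced() {
  conf=""; prev=""
  for arg in $1; do                # naive word split, no quoted paths
    case "$arg" in
      --auth) return 0 ;;
      --config=*) conf=${arg#--config=} ;;
    esac
    case "$prev" in --config|-f) conf=$arg ;; esac
    prev=$arg
  done
  [ -n "$conf" ] && [ -r "$conf" ] || return 1
  [ "$(conf_authorization "$conf")" = "enabled" ]
}

# Constructed sample config (not from the page): Step 4 done via a config file.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
storage:
  dbPath: /data/db1
net:
  port: 27017
security:
  authorization: enabled   # same effect as --auth
EOF
for cmd in "mongod --port 27017 --dbpath /data/db1" \
           "mongod --auth --port 27017 --dbpath /data/db1" \
           "mongod --config $SAMPLE_CONF"; do
  if auth_enforced "$cmd"; then echo "ENFORCED  $cmd"; else echo "OPEN      $cmd"; fi
done
```

The Step 1 command line is reported as OPEN and both Step 4 variants as ENFORCED; on a live host, pass the command line of the running mongod process instead of the samples.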