Role-Based Access Control and Authentication
MongoDB includes built-in mechanisms for user authentication and authorization. This ensures that only authorized users can access or modify your data. One of the most powerful security features MongoDB provides is Role-Based Access Control (RBAC).
What is Role-Based Access Control?
RBAC is a security mechanism that allows you to assign users specific roles, which define what operations they can perform on which resources. For example, you can give one user read-only access to a database, while giving another user full read-write privileges.
Why Do We Need Authentication in MongoDB?
By default, MongoDB does not require authentication when installed. Anyone who can connect to your MongoDB server can access or change the data — this is dangerous in production. Enabling authentication ensures that only valid users can log in and perform authorized operations.
Enabling Authentication in MongoDB
To enable authentication, you need to start your MongoDB server with the --auth
option.
mongod --auth --dbpath /data/db
Or, if using the config file:
# In mongod.conf
security:
authorization: enabled
After enabling auth, only users with valid credentials can access the database.
Creating the First Admin User
Before you can use authentication, you need to create the first admin user. This must be done without authentication enabled. So start MongoDB without --auth
first:
mongod --dbpath /data/db
Now connect using the Mongo shell:
mongo
Create the admin user in the admin
database:
use admin
db.createUser({
user: "admin",
pwd: "admin123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
});
Output:
{ "ok" : 1 }
This user has full admin capabilities and can manage other users and databases.
Restart MongoDB with Authentication
Now restart MongoDB with authentication enabled:
mongod --auth --dbpath /data/db
Logging in with Authentication
Now that auth is enabled, connect as the admin user:
mongo -u "admin" -p "admin123" --authenticationDatabase "admin"
If successful, you’ll have access to the shell as an authenticated user.
Creating a Read-Only User for a Specific Database
Let’s say you want to give a user read-only access to the products
database. First switch to that database:
use products
db.createUser({
user: "readonly",
pwd: "readonly123",
roles: [ { role: "read", db: "products" } ]
});
Output:
{ "ok" : 1 }
This user can only read data from the products
database and cannot insert, update, or delete anything.
Intuition Check
Q: What happens if the user tries to insert a document into the collection?
A: They’ll get a permission denied error because their role is limited to read
.
Creating a Read/Write User
If you want a user to be able to read and write, use the readWrite
role:
use products
db.createUser({
user: "editor",
pwd: "editor123",
roles: [ { role: "readWrite", db: "products" } ]
});
Listing Users
To view all users in a database:
db.getUsers()
Deleting a User
To remove a user:
db.dropUser("readonly")
Common Built-in Roles
read
– Read-only access to a databasereadWrite
– Read and write accessdbAdmin
– Administrative tasks like index creationuserAdmin
– Can manage usersreadAnyDatabase
,readWriteAnyDatabase
– Global roles
Final Intuition
Q: Should you use the same admin user for your application to read/write data?
A: No. For security, always create limited-scope users for applications, and reserve the admin account for administrative tasks only.
Summary
MongoDB's role-based access control provides a secure way to manage what users can access and do. By enabling authentication and assigning roles like read
and readWrite
, you can protect your data and follow the principle of least privilege.
In the next topic, we'll explore how to backup and restore MongoDB data using commands like mongodump
and mongorestore
.