Role-Based Access Control and Authentication

Role-Based Access Control and Authentication

MongoDB includes built-in mechanisms for user authentication and authorization. This ensures that only authorized users can access or modify your data. One of the most powerful security features MongoDB provides is Role-Based Access Control (RBAC).

What is Role-Based Access Control?

RBAC is a security mechanism that allows you to assign users specific roles, which define what operations they can perform on which resources. For example, you can give one user read-only access to a database, while giving another user full read-write privileges.

Why Do We Need Authentication in MongoDB?

By default, MongoDB does not require authentication when installed. Anyone who can connect to your MongoDB server can access or change the data — this is dangerous in production. Enabling authentication ensures that only valid users can log in and perform authorized operations.

Enabling Authentication in MongoDB

To enable authentication, you need to start your MongoDB server with the --auth option.

    mongod --auth --dbpath /data/db

Or, if using the config file:

    # In mongod.conf
    security:
      authorization: enabled

After enabling auth, only users with valid credentials can access the database.

Creating the First Admin User

Before you can use authentication, you need to create the first admin user. This must be done without authentication enabled. So start MongoDB without --auth first:

    mongod --dbpath /data/db

Now connect using the Mongo shell:

    mongo

Create the admin user in the admin database:

    use admin
    db.createUser({
      user: "admin",
      pwd: "admin123",
      roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
    });

    {
      "ok" : 1
    }

This user has full admin capabilities and can manage other users and databases.

Restart MongoDB with Authentication

Now restart MongoDB with authentication enabled:

    mongod --auth --dbpath /data/db

Logging in with Authentication

Now that auth is enabled, connect as the admin user:

    mongo -u "admin" -p "admin123" --authenticationDatabase "admin"

If successful, you’ll have access to the shell as an authenticated user.

Creating a Read-Only User for a Specific Database

Let’s say you want to give a user read-only access to the products database. First switch to that database:

    use products
    db.createUser({
      user: "readonly",
      pwd: "readonly123",
      roles: [ { role: "read", db: "products" } ]
    });

    {
      "ok" : 1
    }

This user can only read data from the products database and cannot insert, update, or delete anything.

Intuition Check

Q: What happens if the user tries to insert a document into the collection?

A: They’ll get a permission denied error because their role is limited to read.

Creating a Read/Write User

If you want a user to be able to read and write, use the readWrite role:

    use products
    db.createUser({
      user: "editor",
      pwd: "editor123",
      roles: [ { role: "readWrite", db: "products" } ]
    });

Listing Users

To view all users in a database:

    db.getUsers()

Deleting a User

To remove a user:

    db.dropUser("readonly")

Common Built-in Roles

• read – Read-only access to a database
• readWrite – Read and write access
• dbAdmin – Administrative tasks like index creation
• userAdmin – Can manage users
• readAnyDatabase, readWriteAnyDatabase – Global roles

Final Intuition

Q: Should you use the same admin user for your application to read/write data?

A: No. For security, always create limited-scope users for applications, and reserve the admin account for administrative tasks only.

Summary

MongoDB's role-based access control provides a secure way to manage what users can access and do. By enabling authentication and assigning roles like read and readWrite, you can protect your data and follow the principle of least privilege.

In the next topic, we'll explore how to backup and restore MongoDB data using commands like mongodump and mongorestore.