⬅ Previous Topic
Creating Users and Assigning Roles in MongoDBNext Topic ⮕
Basic MongoDB Security Best Practices⬅ Previous Topic
Creating Users and Assigning Roles in MongoDBNext Topic ⮕
Basic MongoDB Security Best PracticesMongoDB includes built-in mechanisms for user authentication and authorization. This ensures that only authorized users can access or modify your data. One of the most powerful security features MongoDB provides is Role-Based Access Control (RBAC).
RBAC is a security mechanism that allows you to assign users specific roles, which define what operations they can perform on which resources. For example, you can give one user read-only access to a database, while giving another user full read-write privileges.
By default, MongoDB does not require authentication when installed. Anyone who can connect to your MongoDB server can access or change the data — this is dangerous in production. Enabling authentication ensures that only valid users can log in and perform authorized operations.
To enable authentication, you need to start your MongoDB server with the --auth
option.
mongod --auth --dbpath /data/db
Or, if using the config file:
# In mongod.conf
security:
authorization: enabled
After enabling auth, only users with valid credentials can access the database.
Before you can use authentication, you need to create the first admin user. This must be done without authentication enabled. So start MongoDB without --auth
first:
mongod --dbpath /data/db
Now connect using the Mongo shell:
mongo
Create the admin user in the admin
database:
use admin
db.createUser({
user: "admin",
pwd: "admin123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
});
{ "ok" : 1 }
This user has full admin capabilities and can manage other users and databases.
Now restart MongoDB with authentication enabled:
mongod --auth --dbpath /data/db
Now that auth is enabled, connect as the admin user:
mongo -u "admin" -p "admin123" --authenticationDatabase "admin"
If successful, you’ll have access to the shell as an authenticated user.
Let’s say you want to give a user read-only access to the products
database. First switch to that database:
use products
db.createUser({
user: "readonly",
pwd: "readonly123",
roles: [ { role: "read", db: "products" } ]
});
{ "ok" : 1 }
This user can only read data from the products
database and cannot insert, update, or delete anything.
Q: What happens if the user tries to insert a document into the collection?
A: They’ll get a permission denied error because their role is limited to read
.
If you want a user to be able to read and write, use the readWrite
role:
use products
db.createUser({
user: "editor",
pwd: "editor123",
roles: [ { role: "readWrite", db: "products" } ]
});
To view all users in a database:
db.getUsers()
To remove a user:
db.dropUser("readonly")
read
– Read-only access to a databasereadWrite
– Read and write accessdbAdmin
– Administrative tasks like index creationuserAdmin
– Can manage usersreadAnyDatabase
, readWriteAnyDatabase
– Global rolesQ: Should you use the same admin user for your application to read/write data?
A: No. For security, always create limited-scope users for applications, and reserve the admin account for administrative tasks only.
MongoDB's role-based access control provides a secure way to manage what users can access and do. By enabling authentication and assigning roles like read
and readWrite
, you can protect your data and follow the principle of least privilege.
In the next topic, we'll explore how to backup and restore MongoDB data using commands like mongodump
and mongorestore
.
⬅ Previous Topic
Creating Users and Assigning Roles in MongoDBNext Topic ⮕
Basic MongoDB Security Best PracticesYou can support this website with a contribution of your choice.
When making a contribution, mention your name, and programguru.org in the message. Your name shall be displayed in the sponsors list.