How to secure MongoDB with username and password

Asked 2/2, 2011 at 23:35 Answered 6/2, 2023 at 16:34

444

I want to set up user name & password authentication for my MongoDB instance, so that any remote access will ask for the user name & password. I tried the tutorial from the MongoDB site and did following:

use admin
db.addUser('theadmin', '12345');
db.auth('theadmin','12345');

After that, I exited and ran mongo again. And I don't need password to access it. Even if I connect to the database remotely, I am not prompted for user name & password.

UPDATE Here is the solution I ended up using

1) At the mongo command line, set the administrator:

    use admin;
    db.addUser('admin','123456');

2) Shutdown the server and exit

    db.shutdownServer();
    exit

3) Restart mongod with --auth

  $ sudo ./mongodb/bin/mongod --auth --dbpath /mnt/db/

4) Run mongo again in 2 ways:

   i) run mongo first then login:

        $ ./mongodb/bin/mongo localhost:27017
        use admin
        db.auth('admin','123456');

  ii) run & login to mongo in command line.

        $ ./mongodb/bin/mongo localhost:27017/admin -u admin -p 123456

The username & password will work the same way for mongodump and mongoexport.

Papeterie answered 2/2, 2011 at 23:35 Comment(6)

this for MongDB version 2.2.x – Clothespress 13/1, 2014 at 14:11

In Mongo 3.0.4 the command for creating a user is db.createUser(). – Shoelace 22/7, 2015 at 13:32

Please follow this for creating an admin user on Mongodb 3.0 docs.mongodb.org/v3.0/tutorial/add-user-administrator – Weldon 29/8, 2015 at 16:49

An update for MongoDB 3.0+: How to set up authentication in MongoDB 3.0. – Eyas 9/9, 2016 at 9:4

Just to be clear, this does not encrypt the bytes that pass over the wire. It is only for access control. – Kordofanian 17/4, 2017 at 16:15

I had to use service mongod restart instead of ./mongodb/bin/mongod. – Sanborn 16/8, 2017 at 20:15

140

You need to start mongod with the --auth option after setting up the user.

From the MongoDB Site:

Run the database (mongod process) with the --auth option to enable security. You must either have added a user to the admin db before starting the server with --auth, or add the first user from the localhost interface.

MongoDB Authentication

Corpse answered 2/2, 2011 at 23:54 Comment(2)

I have tried that and followed the example. now.. i can set it after I restart the server with --auth. However, when I try to login (./mongo -u theadmin -p 12345 ) I fail. I can't login. – Papeterie 3/2, 2011 at 0:10

If after did that you cannot connect, it's because you are trying to connect on the admin db, use another db and try again. Only a userAdmin(AnyDatabase) can connect on admin. – Thickskinned 7/2, 2014 at 22:51

140

Wow so many complicated/confusing answers here.

This is as of v3.4.

Short answer.

Start MongoDB without access control (/data/db or where your db is).
```
mongod --dbpath /data/db
```
Connect to the instance.
```
mongo
```

Create the user.

use some_db
db.createUser(
  {
    user: "myNormalUser",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "some_db" },
             { role: "read", db: "some_other_db" } ]
  }
)

Stop the MongoDB instance and start it again with access control.
```
mongod --auth --dbpath /data/db
```

Connect and authenticate as the user.

use some_db
db.auth("myNormalUser", "xyz123")
db.foo.insert({x:1})
use some_other_db
db.foo.find({})

Long answer: Read this if you want to properly understand.

It's really simple. I'll dumb the following down https://docs.mongodb.com/manual/tutorial/enable-authentication/

If you want to learn more about what the roles actually do read more here: https://docs.mongodb.com/manual/reference/built-in-roles/

Start MongoDB without access control.
```
mongod --dbpath /data/db
```
Connect to the instance.
```
mongo
```
Create the user administrator. The following creates a user administrator in the admin authentication database. The user is a dbOwner over the some_db database and NOT over the admin database, this is important to remember.
```
use admin
db.createUser(
  {
    user: "myDbOwner",
    pwd: "abc123",
    roles: [ { role: "dbOwner", db: "some_db" } ]
  }
)
```

Or if you want to create an admin which is admin over any database:

   use admin
   db.createUser(
     {
       user: "myUserAdmin",
       pwd: "abc123",
       roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
     }
   )

Stop the MongoDB instance and start it again with access control.
```
mongod --auth --dbpath /data/db
```
Connect and authenticate as the user administrator towards the admin authentication database, NOT towards the some_db authentication database. The user administrator was created in the admin authentication database, the user does not exist in the some_db authentication database.
```
use admin
db.auth("myDbOwner", "abc123")
```

You are now authenticated as a dbOwner over the some_db database. So now if you wish to read/write/do stuff directly towards the some_db database you can change to it.

use some_db
//...do stuff like db.foo.insert({x:1})
// remember that the user administrator had dbOwner rights so the user may write/read, if you create a user with userAdmin they will not be able to read/write for example.

More on roles: https://docs.mongodb.com/manual/reference/built-in-roles/

If you wish to make additional users which aren't user administrators and which are just normal users continue reading below.

Create a normal user. This user will be created in the some_db authentication database down below.

use some_db
db.createUser(
  {
    user: "myNormalUser",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "some_db" },
             { role: "read", db: "some_other_db" } ]
  }
)

Exit the mongo shell, re-connect, authenticate as the user.

use some_db
db.auth("myNormalUser", "xyz123")
db.foo.insert({x:1})
use some_other_db
db.foo.find({})

Last but not least due to users not reading the commands I posted correctly regarding the --auth flag, you can set this value in the configuration file for mongoDB if you do not wish to set it as a flag.

Resale answered 21/3, 2017 at 14:25 Comment(10)

Finally I got an idea what is really happening. – Ascomycete 20/6, 2017 at 17:36

#41616074 – Resale 26/6, 2017 at 7:39

I find myself wishing accepted answers could get refreshed on SO. This is the most relevant solution as of July 2017. – Coppersmith 17/7, 2017 at 15:51

Please update your answer! I don't know from where you got userAdminAnyDatabase from but it doesn't work. The role is root for admin access over all the dbs. – Annis 15/11, 2017 at 23:26

@AakashVerma docs.mongodb.com/manual/reference/built-in-roles/… ;) Also NEVER USE ROOT unless for development purposes where you know you cannot be compromised! (tbh just never use root lol) – Resale 16/11, 2017 at 9:42

I don't understand why you need /data/db. The dbpath isn't dbPath: /var/lib/mongodb ? – Precedential 22/8, 2018 at 9:40

@Precedential You are correct, dbpath can be whatever you like, aslong as it is pointing towards your db! (in this example I had my db at /data/db) – Resale 7/3, 2019 at 13:18

Our server just got hacked cause the authentication flag was missing in the config, not on your answer. – Digressive 25/12, 2020 at 11:55

@OliverDixon I'm sorry to hear that. If you look at my answer the --auth flag is included when starting the mongoDB process, so I did include it. Yes this flag can also be set in the configuration, whichever one suits your needs. – Resale 21/1, 2022 at 14:45

And for anyone wondering, if you see mongosh in the docs, that because it is the new mongo db shell. – Brython 21/8, 2023 at 13:5

First, un-comment the line that starts with #auth=true in your mongod configuration file (default path /etc/mongod.conf). This will enable authentication for mongodb.

Then, restart mongodb : sudo service mongod restart

Flection answered 4/11, 2013 at 13:38 Comment(5)

default path is /etc/mongod.conf not /etc/mongo.conf – Uncork 7/9, 2015 at 6:58

or, firstly uncomment, then restart :))) – Vachill 9/3, 2016 at 13:24

Update: Now restart service with : sudo service mongodb restart – Roxannaroxanne 24/10, 2016 at 19:32

config file location and name is as: /etc/mongodb.conf – Indocile 1/5, 2020 at 21:53

In the config file its authorization: enabled for version 4.4. See Mongodb authentication paragraph 4 Re-start the MongoDB instance with access control Be also sure to uncomment the #security:. Example: security: authorization: enabled – Dumpy 15/3, 2021 at 9:32

This answer is for Mongo 3.2.1 Reference

Terminal 1:

$ mongod --auth

Terminal 2:

db.createUser({user:"admin_name", pwd:"1234", roles:["readWrite","dbAdmin"]})

if you want to add without roles (optional):

db.createUser({user:"admin_name", pwd:"1234", roles:[]})

to check if authenticated or not:

db.auth("admin_name", "1234")

it should give you:

else :

Error: Authentication failed.
0

Internationalize answered 24/1, 2016 at 4:31 Comment(2)

older versions such as 2.4 would use db.addUser – Goodrow 30/8, 2016 at 7:52

I had to type use admin before createUser otherwise it gave an error. – Gaze 12/6, 2017 at 14:42

Here is a javascript code to add users.

Start mongod with --auth = true

Access admin database from mongo shell and pass the javascript file.

mongo admin "Filename.js"

"Filename.js"

// Adding admin user
db.addUser("admin_username", " admin_password");
// Authenticate admin user
db.auth("admin_username ", " admin_password ");
// use  database code from java script
db = db.getSiblingDB("newDatabase");
// Adding newDatabase database user  
db.addUser("database_username ", " database_ password ");

Now user addition is complete, we can verify accessing the database from mongo shell

Purificator answered 20/11, 2012 at 10:43 Comment(4)

Setting user name and password in a file does not look very secure. – Nectareous 12/4, 2014 at 1:49

Javascript. Not "java script". – Hoofbound 23/8, 2014 at 0:9

what is the purpose of javascript file here ? – Hibbitts 13/9, 2016 at 15:59

@CamiloMartin JavaScript, not "Javascript". – Frisket 4/3, 2020 at 18:12

https://docs.mongodb.com/manual/reference/configuration-options/#security.authorization

Edit the mongo settings file;

sudo nano /etc/mongod.conf

Add the line:

security.authorization : enabled

Restart the service

sudo service mongod restart

Regards

Carton answered 23/10, 2016 at 11:33 Comment(2)

I don't understand why everybody don't mention this. It's so important – Precedential 22/8, 2018 at 9:31

Probably the most important answer. Our server got hacked cause the other answers didn't mention this. – Digressive 25/12, 2020 at 11:56

You could change /etc/mongod.conf.

Before

#security:

After

security:
    authorization: "enabled"

Then sudo service mongod restart

Berkey answered 2/10, 2019 at 18:30 Comment(0)

First run mongoDB on terminal using

mongod

now run mongo shell use following commands

    use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

Re-start the MongoDB instance with access control.

mongod --auth

Now authenticate yourself from the command line using

mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"

I read it from

https://docs.mongodb.com/manual/tutorial/enable-authentication/

Draff answered 7/12, 2016 at 11:6 Comment(3)

i defined a user, with root, then add more and more till i find you,

MongoDB Enterprise > db.system.users.find() { "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SC RAM-SHA-1" : { "iterationCount" : 10000, "salt" : "k96PCEflidMY5seVju+gAw==", "s toredKey" : "CabQTnJtny7cv0wT5X8oX9QOn3A=", "serverKey" : "RJyCdnlIhyIfj2+d44L61 bYK+MU=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" }, {  "role" : "dbAdmin", "db" : "admin" }, { "role" : "userAdmin", "db" : "admin" },  { "role" : "root", "db" : "admin" } ] }

still authentication fails – Alkalosis 11/6, 2017 at 15:16

i even used db.changeUserPassword(), or any thing it was, even after that, when i call db.auth('admin', 'my pass') or the way you done it, it says authentication failed for user admin – Alkalosis 11/6, 2017 at 15:18

Use root role to provides access to the operations and all the resources of the following roles combined... role root – Pledget 17/2, 2020 at 23:31

This is what I did on Ubuntu 18.04:

$ sudo apt install mongodb
$ mongo
> show dbs
> use admin
> db.createUser({  user: "root",  pwd: "rootpw",  roles: [ "root" ]  })  // root user can do anything
> use lefa
> db.lefa.save( {name:"test"} )
> db.lefa.find()
> show dbs
> db.createUser({  user: "lefa",  pwd: "lefapw",  roles: [ { role: "dbOwner", db: "lefa" } ]  }) // admin of a db
> exit
$ sudo vim /etc/mongodb.conf
auth = true
$ sudo systemctl restart mongodb
$ mongo -u "root" -p "rootpw" --authenticationDatabase  "admin"
> use admin
> exit
$ mongo -u "lefa" -p "lefapw" --authenticationDatabase  "lefa"
> use lefa
> exit

Amplification answered 24/4, 2019 at 22:32 Comment(0)

User creation with password for a specific database to secure database access :

use dbName

db.createUser(
   {
     user: "dbUser",
     pwd: "dbPassword",
     roles: [ "readWrite", "dbAdmin" ]
   }
)

Costly answered 17/12, 2017 at 11:36 Comment(0)

mongodb 4.4.13 community

1. create database user

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

1.2 verify working

> db.auth('myUserAdmin','abc123')

< { ok: 1 }

if it fails you get

> db.auth('myUserAdmin','amongus')

MongoServerError: Authentication failed.

2. modify /etc/mongod.conf

nano /etc/mongod.conf

change:

#security:

to:

security:
  authorization: enabled

3. restart mongod service

sudo service mongod restart

this is what worked for me.

Spina answered 2/6, 2022 at 5:29 Comment(0)

Follow the below steps in order

Create a user using the CLI

use admin
db.createUser(
  {
    user: "admin",
    pwd: "admin123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)

Enable authentication, how you do it differs based on your OS, if you are using windows you can simply mongod --auth in case of linux you can edit the /etc/mongod.conf file to add security.authorization : enabled and then restart the mongd service
To connect via cli mongo -u "admin" -p "admin123" --authenticationDatabase "admin". That's it

You can check out this post to go into more details and to learn connecting to it using mongoose.

Harlamert answered 4/3, 2019 at 7:42 Comment(0)

The best practice to connect to mongoDB as follow:

After initial installation,

use admin
Then run the following script to create admin user

    db.createUser(
     {
         user: "YourUserName",
         pwd: "YourPassword",
         roles: [
                   { role: "userAdminAnyDatabase", db: "admin" },
                   { role: "readWriteAnyDatabase", db: "admin" },
                   { role: "dbAdminAnyDatabase", db: "admin" },
                   { role: "clusterAdmin", db: "admin" }
                ]
     })

the following script will create the admin user for the DB.

log into the db.admin using

mongo -u YourUserName -p YourPassword admin
After login, you can create N number of the database with same admin credential or different by repeating the 1 to 3.

This allows you to create different user and password for the different collection you creating in the MongoDB

Hough answered 22/7, 2018 at 8:29 Comment(1)

after this go to sudo nano /etc/mongod.conf and put this line security.authorization: enabled, you can see the reference link here : https://mcmap.net/q/81734/-mongodb-status-failed-after-editing-mongo-conf-code-exited-status-2 – Tendentious 16/5, 2020 at 23:8

This is what i did for ubuntu 20.04 and mongodb enterprise 4.4.2:

start mongo shell by typing mongo in terminal.
use admin database:

use admin

create a new user and assign your intended role:

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: passwordPrompt(), // or cleartext password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)

exit mongo and add the following line to etc/mongod.conf:

security:
    authorization: enabled

restart mongodb server

(optional) 6.If you want your user to have root access you can either specify it when creating your user like:

db.createUser(
  {
    user: "myUserAdmin",
    pwd: passwordPrompt(), // or cleartext password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)

or you can change user role using:

db.grantRolesToUser('admin', [{ role: 'root', db: 'admin' }])

Tailpiece answered 2/12, 2020 at 13:54 Comment(0)

Some of the answers are sending mixed signals between using --auth command line flag or setting config file property.

security:
  authorization: enabled

I would like to clarify that aspect. First of all, authentication credentials (ie user/password) in both cases has to be created by executing db.createUser query on the default admin database. Once credentials are obtained, there are two ways to enable authentication:

Without a custom config file: This is when the former auth flag is applicable. Start mongod like: usr/bin/mongod --auth
With a custom config file: This is when the latter configs has to be present in the custom config file.Start mongod like: usr/bin/mongod --config <config file path>

To connect to the mongo shell with authentication: mongo -u <user> -p <password> --authenticationDatabase admin

--authenticationDatabase here is the database name where the user was created. All other mongo commands like mongorestore, mongodump accept the additional options ie -u <user> -p <password> --authenticationDatabase admin

Refer to https://docs.mongodb.com/manual/tutorial/enable-authentication/ for details.

Possessory answered 20/1, 2021 at 11:32 Comment(0)

You'll need to switch to the database you want the user on (not the admin db) ...

use mydatabase

See this post for more help ... https://web.archive.org/web/20140316031938/http://learnmongo.com/posts/quick-tip-mongodb-users/

Litt answered 2/2, 2011 at 23:49 Comment(2)

don't need because setting db = db.getSiblingDB("newDatabase"); – Contrasty 19/6, 2013 at 5:40

I cannot imagine any reason why users should be created in other database than admin – Estrade 21/6, 2022 at 12:33

These steps worked on me:

write mongod --port 27017 on cmd
then connect to mongo shell : mongo --port 27017
create the user admin : use admin db.createUser( { user: "myUserAdmin", pwd: "abc123", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
disconnect mongo shell
restart the mongodb : mongod --auth --port 27017
start mongo shell : mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
To authenticate after connecting, Connect the mongo shell to the mongod: mongo --port 27017
switch to the authentication database : use admin db.auth("myUserAdmin", "abc123"

Choose answered 17/1, 2018 at 5:16 Comment(0)

after you create new user, please don't forget to grant read/write/root permission to the user. you can try the

cmd: db.grantRolesToUser('yourNewUsername',[{ role: "root", db: "admin" }])

Morgenthaler answered 8/6, 2017 at 8:45 Comment(0)

Many duplicate answers but I think they miss an important note:

Even when authentication is enabled properly you can connect to the Mongo database without username/password!

However, you can execute only harmless commands like db.help(), db.getMongo(), db.listCommands(), etc.

$ mongo 
MongoDB shell version v4.4.3
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("f662858b-8658-4e33-a735-120e3639c131") }
MongoDB server version: 4.4.3
mongos> db.getMongo()
connection to 127.0.0.1:27017
mongos> db
test
mongos> db.version()
4.4.3
mongos> db.runCommand({connectionStatus : 1})
{
        "authInfo" : {
                "authenticatedUsers" : [ ],
                "authenticatedUserRoles" : [ ]
        },
        "ok" : 1,
        "operationTime" : Timestamp(1618996970, 2),
        "$clusterTime" : {
                "clusterTime" : Timestamp(1618996970, 2),
                "signature" : {
                        "hash" : BinData(0,"Kre9jvnJvsW+OVCl1QC+eKSBbbY="),
                        "keyId" : NumberLong("6944343118355365892")
                }
        }
}

Estrade answered 21/4, 2021 at 9:28 Comment(0)

I have done this in version 6.0 how to set user name and password for a database;

install MongoDB 6.0 or higher create database(whatever the name may be) in MongoDB using compass

install MongoDB Shell https://www.mongodb.com/try/download/shell

open cmd

cd C:\Program Files\mongosh

mongosh "mongodb://localhost:27017"

use #your database name#

db.createUser( { user: "xxx", pwd: "xxx", roles: [ { role: "readWrite", db: "xxx" } ] } )

Brottman answered 6/2, 2023 at 16:34 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++