Authentication is enforced when access control is enabled on a MongoDB deployment, requiring users to identify themselves. Users can only conduct activities that are defined by their roles when visiting a MongoDB deployment with access control enabled.

In this article, We will utilize the default authentication approach to provide access control on a solo Mongo instance and see Authentication Techniques for a list of all supported authentication mechanisms.

Administrator of Users

• If access control is enabled, make sure the admin database has a user with the userAdmin or userAdminAnyDatabase roles.
• This user can manage users and roles, including the ability to create new users, give or revoke roles to existing users, and create or change custom roles.
• To access or alter the database, MongoDB does not require a login or password by default. Mandatory authentication should be enabled and configured.

Note: The instance of MongoDB uses port 27017 as well as the location of data /var/lib/mongodb. The example presumes the existence of the data directory, i.e., /var/lib/mongodb. And specify a different data directory as appropriate.

How to Enable Authentication on MongoDB

Follow the below steps to enable Authentication as defined:

Step 1: Open a Mongo Shell 

mongo

Output:

Step 2: Setting Up Administrator and Service Users in MongoDB

The database binstar must be able to read and write to the repository. To establish an administrator user and a service user, run the following commands in the MongoDB shell:

use admin

Step 3: To manage database users, create an administrative user

db.createUser({user:'siteUserAdmin', pwd: '<secure password #1>', 
               roles:['userAdminAnyDatabase']})

Output:

Step 4: To validate the password, log in as that user

db.auth('siteUserAdmin', '<secure password #1>')

Step 5: Create a Repository service user

db.createUser({user:'spandan', pwd: '<secure password #2>', 
               roles:[{db:'binstar', role:'readWrite'}]})

Step 6: In MongoDB, enable required authentication

• Add the auth key to /etc/mongod.conf if you’re using the classic MongoDB configuration format:

auth=true

• Add the security.authorization key to /etc/mongod.conf if you’re using the current MongoDB configuration format:

security:
    authorization: enabled

Step 7: To reload the settings, restart MongoDB

sudo service mongod restart

Step 8: Set the MONGO URL option in the Repository configuration file to mongodb:/username:password@hostname>. 

Step 9: Restart Repository after modifying the configuration file to see the changes take effect.

Exception for localhost

• It is possible to create users before or after access control is activated.
• MongoDB allows a localhost exception if you enable access control before creating any users..
• This enables you to create a user administrator in the admin database.
• Once a user is created, you must log in as the user administrator to add additional users as needed.

Conclusion

Enabling authentication in MongoDB is essential for securing your database by ensuring that only authorized users can perform specific operations based on their roles. This tutorial provided a step-by-step guide to setting up authentication on a standalone MongoDB instance and creating necessary users with appropriate roles. Following these steps will help maintain the security and integrity of your MongoDB deployment.

Frequently Asked Questions

What is the default authentication mechanism in MongoDB?

MongoDB uses the SCRAM (Salted Challenge Response Authentication Mechanism) protocol as its default authentication mechanism, ensuring a secure and robust method for verifying user credentials.

What happens if I enable access control but do not create any users?

MongoDB provides a localhost exception, allowing you to connect to the database from the localhost without authentication initially. This allows you to create the first user with administrative privileges before enabling full access control.

Can I modify the roles of an existing user?

Yes, you can modify the roles of an existing user by using the db.updateUser() method. This allows you to grant or revoke roles as needed.

What should I do if I forget the password of the administrative user?

If you forget the password of the administrative user, you can restart MongoDB without authentication, create a new administrative user, and then re-enable authentication. This should be done with caution and preferably in a maintenance window to avoid security risks.