In this article, we dive deep into the world of MongoDB authentication. Whether you're a beginner or an experienced developer, this comprehensive guide will teach you everything you need to know about securing your MongoDB database. From understanding authentication mechanisms to implementing role-based access control (RBAC), we cover it all.
Authentication and authorization are both important data-security features that guard an automated data system, and both are key components of internet service infrastructure. In the authentication process, a user's identity is verified to grant access to the system, whereas in the authorization process, the user's permissions are checked before resources are accessed. Authentication comes first and leads into authorization; authorization only takes place after authentication has succeeded.
Authentication
Let’s check out how we can configure authentication on MongoDB.
In MongoDB, you need to create an admin user who can manage other users and their roles before enabling authentication.
Check out the below screen print to create the Admin user using Robo 3T.
Check out the below command to create the Admin user using the Mongo shell.
test> use admin
admin> db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
After creating the admin user, you need to enable authentication. To do so, update the mongod.cfg file located in C:\Program Files\MongoDB\Server\<version>\bin.
Add the keys below to the mongod.cfg file. The file is YAML, so the keys are case-sensitive and the indentation matters.
security:
  authorization: enabled
Now restart the MongoDB service from the Services application (Windows + R, then run services.msc). Find the MongoDB service and restart it.
Now let's try to execute a command without authenticating. As the screen print below shows, it throws the MongoServerError "command find requires authentication".
Let's log in with the admin user, i.e. authenticate as the admin user.
In Robo 3T, the connection dialog provides a UI to set authentication, as shown in the screen print below.
In the Mongo shell we authenticate with a connection string such as the one below. Note that the %40 in the password is the percent-encoded form of @; reserved characters in a user name or password must be percent-encoded in a connection string, otherwise the URI cannot be parsed correctly.
mongodb://admin:admin%40321@localhost:27017/
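The percent-encoding rule above is easy to get wrong by hand, so here is an added example (not code from the original article) that builds a connection string with properly encoded credentials and parses one back using the WHATWG URL parser that ships with Node.js. The user names, passwords and the authSource parameter are constructed sample values; authSource names the database in which the user was created, which is admin for the admin user above.

```javascript
// Added example: build and parse MongoDB connection strings with encoded credentials.
// Sample values are constructed; nothing here connects to a server.

// Build "mongodb://user:pass@host:port/?authSource=db". encodeURIComponent escapes
// the characters that are reserved in a URI (":", "/", "?", "#", "[", "]", "@"),
// so an "@" inside a password cannot be mistaken for the "@" that separates the
// credentials from the host.
function buildConnectionString({ user, password, host = "localhost", port = 27017, authSource = "admin" }) {
  const u = encodeURIComponent(user);
  const p = encodeURIComponent(password);
  const src = encodeURIComponent(authSource);
  return `mongodb://${u}:${p}@${host}:${port}/?authSource=${src}`;
}

// Parse a connection string back into its parts, decoding the credentials.
// URL.username / URL.password return the still-encoded form, so decode them.
function parseConnectionString(uri) {
  const url = new URL(uri);
  if (url.protocol !== "mongodb:") {
    throw new Error(`expected a mongodb:// URI, got ${url.protocol}`);
  }
  return {
    user: decodeURIComponent(url.username),
    password: decodeURIComponent(url.password),
    host: url.hostname,
    port: Number(url.port),
    // null when the string carries no authSource, in which case the driver
    // falls back to the database in the path, or admin if there is none.
    authSource: url.searchParams.get("authSource"),
  };
}

// Usage: a password containing "@" and ":" survives the round trip intact.
const uri = buildConnectionString({ user: "myUserAdmin", password: "p@ss:w0rd" });
console.log(uri);
console.log(parseConnectionString(uri));
```

If your password ever ends up with an unencoded reserved character, the symptom is usually a parse error or a login failure for a user name that looks truncated, so decoding the string this way is a quick sanity check before blaming the server.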
Authorization
Grant roles to the created user while logged in as an admin user. MongoDB defines several built-in roles, described below.
- read: Provides the ability to read data on all non-system collections and the system.js collection.
- readWrite: Provides the read role plus the ability to modify data on all non-system collections and the system.js collection.
- dbAdmin: Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management.
- dbOwner: The database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin, and userAdmin roles.
- userAdmin: Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster.
- readAnyDatabase: Provides the same read-only privileges as read on all databases except local and config. The role also provides the listDatabases action on the cluster as a whole.
- readWriteAnyDatabase: Provides the same privileges as readWrite on all databases except local and config.
- userAdminAnyDatabase: Provides the same access to user administration operations as userAdmin on all databases except local and config.
- dbAdminAnyDatabase: Provides the same privileges as dbAdmin on all databases except local and config. The role also provides the listDatabases action on the cluster as a whole.
- Superuser roles: The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database.
  - dbOwner role, when scoped to the admin database
  - userAdmin role, when scoped to the admin database
  - userAdminAnyDatabase role
Let's check this with an example by creating users and assigning them roles.
Create a user (user1) using Robo 3T with read and readAnyDatabase access only.
Let's connect as user1 using Robo 3T and try to read a collection in any database.
Now let's try to write/insert into the same collection using the same user, who has only the read/readAnyDatabase roles.
db.products.insert( { Name : "Product_1", ProductType: "Simple products", Description:"Product sample description", ProductValidityPeriod:"1 Year" } )
Now let's create a user who has both read and write access. Create the user with the following command.
db.createUser(
  {
    user: "ManagementUser",
    pwd: "12345678",
    roles: [
      { role: "readWrite", db: "ECommerceDB" }
    ]
  }
)
Log in as the newly created user with the connection string given below.
Read Data from the collection
Write Data for collection
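To make the outcomes of the walkthrough above predictable before you touch a live server, here is an added example (not MongoDB's own authorization engine and not code from the original article) that models the built-in roles listed earlier and the scoping rules they follow: a role applies only to the database it is scoped to, the *AnyDatabase roles must be created in admin and apply to every database except local and config, dbOwner combines readWrite, dbAdmin and userAdmin, and the three superuser-capable roles are flagged separately. The action names and the assumption that user1 holds read on ECommerceDB plus readAnyDatabase in admin are constructed for the example; real MongoDB evaluates privileges at a finer action/resource granularity than this teaching model.

```javascript
// Added example: a simplified model of MongoDB's built-in database roles.
// Action names and user/role assignments below are constructed, not taken
// from a real deployment.

// Coarse groups of actions; real MongoDB has many more, at finer granularity.
const ACTION_GROUPS = {
  read: ["find", "listCollections"],
  write: ["insert", "update", "remove"],
  dbAdmin: ["createIndex", "collStats", "dropCollection"],
  userAdmin: ["createUser", "grantRole", "dropUser"],
};

// Action groups each database-scoped role grants on the database it is scoped to.
const ROLE_GRANTS = {
  read: ["read"],
  readWrite: ["read", "write"],
  dbAdmin: ["dbAdmin"],
  userAdmin: ["userAdmin"],
  dbOwner: ["read", "write", "dbAdmin", "userAdmin"],
};

// Cluster-wide roles, mapped to the per-database role they behave like.
// They must be created in admin and skip the local and config databases.
const ANY_DATABASE = {
  readAnyDatabase: "read",
  readWriteAnyDatabase: "readWrite",
  userAdminAnyDatabase: "userAdmin",
  dbAdminAnyDatabase: "dbAdmin",
};

// Does this role assignment ({ role, db }) cover targetDb at all?
function roleApplies(assignment, targetDb) {
  if (assignment.role in ANY_DATABASE) {
    return assignment.db === "admin" && targetDb !== "local" && targetDb !== "config";
  }
  return assignment.role in ROLE_GRANTS && assignment.db === targetDb;
}

// May a user holding userRoles run `action` against targetDb?
function canPerform(userRoles, action, targetDb) {
  const group = Object.keys(ACTION_GROUPS).find((g) => ACTION_GROUPS[g].includes(action));
  if (!group) throw new Error(`unknown action: ${action}`);
  return userRoles.some((assignment) => {
    if (!roleApplies(assignment, targetDb)) return false;
    const base = ANY_DATABASE[assignment.role] ?? assignment.role;
    return ROLE_GRANTS[base].includes(group);
  });
}

// The superuser-capable roles from the role list: any of them lets the
// holder grant themselves any privilege on any database.
function isSuperuserCapable(userRoles) {
  return userRoles.some(
    (a) => a.role === "userAdminAnyDatabase" ||
      (a.db === "admin" && (a.role === "dbOwner" || a.role === "userAdmin"))
  );
}

// Usage: the two users from the walkthrough (assignments constructed here).
const user1 = [{ role: "read", db: "ECommerceDB" }, { role: "readAnyDatabase", db: "admin" }];
const managementUser = [{ role: "readWrite", db: "ECommerceDB" }];
console.log("user1 find:", canPerform(user1, "find", "ECommerceDB"));        // true
console.log("user1 insert:", canPerform(user1, "insert", "ECommerceDB"));    // false
console.log("mgmt insert:", canPerform(managementUser, "insert", "ECommerceDB")); // true
```

Run it through a proposed set of grants for a new user before you call db.createUser: if isSuperuserCapable returns true for an account that only needed to read one application database, the grant is wider than the job requires and should be narrowed.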
Inference
Users can be created either before or after access control is enabled. If you enable access control before creating any user, MongoDB's localhost exception lets you connect from the local host and create a user administrator in the admin database. Once that user exists, you must log in as the user administrator to add other users as needed.