How to setup user authentication in MongoDB 3.0/3.2/3.4

By | September 21, 2017

A recent analysis showed that there are at least 30.000 MongoDB instances left unsecured on the Internet. That means anyone can access them without any kind of authentication.

After some time, I’ve found my own way of setting up a basic MongoDB authentication, so I’ll post the details on how to do it here.


So let’s start! We’ll assume that you already have the latest version of MongoDB installed on your system. At the time of writing, the latest version is v3.0.5. Update (Jan 2017): the latest version is now 3.4.1, but that doesn’t matter for this tutorial.

The default auth mechanism with MongoDB 3.x is SCRAM-SHA-1. You can learn more about it here.

In this guide, we are going to create 2 users.

  • the first one will be an admin for all the databases (that is, for the whole MongoDB instance). This user will have the “user admin” role, and you will use it only for managing other users
  • the second one is the owner of a single database and has read and write privileges on it. You can create as many users as you want, usually one per database

Note that the role “admin” differs from the role “owner”. A database admin can do administrative tasks on the database(s): for example, creating a new collection, dropping it, or viewing stats. A user admin can manage users. A database owner has all the privileges listed above, plus full read and write permission on the database.

In this guide, I’m not going to cover all the roles details. You can read more about them on the official documentation.


Creating the users

Open your `mongo` shell and switch to the `admin` database

use admin

Create the “admin” user (you can call it whatever you want)

db.createUser({ user: "admin", pwd: "adminpassword", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] })

Don’t panic about all these brackets. We’re passing a “user” object to the createUser function, which contains a “roles” array. Each “role” object in the array defines what the user can do and on which database.

You can generate a safe password on generate-password.com

You can check that the user has been correctly created with this command:

db.auth("admin", "adminpassword")

The command will log you in as admin. Now exit the shell.

exit

We are now going to enable authentication in the mongod.conf file. Open that config file with your favorite editor (vi, nano, etc.)

sudo nano /etc/mongod.conf

Add these lines at the bottom of the YAML config file (indent with spaces, not a tab: YAML does not allow tab indentation):

security:
  authorization: enabled

This will enable authentication on your database instance. If you’re using nano, save with CTRL+X and confirm with `y`.

Now restart the mongod service (Ubuntu syntax).

sudo service mongod restart

You can check if the service is up with:

sudo service mongod status

Let’s go back into the `mongo` shell. Switch to the `admin` database and authenticate with the user created earlier. Because that user has the “userAdminAnyDatabase” role, you will be able to create and manage other users.

use admin
db.auth("admin", "adminpassword")

Now switch to your database and create an owner user.

use yourdatabase
db.createUser({ user: "youruser", pwd: "yourpassword", roles: [{ role: "dbOwner", db: "yourdatabase" }] })

The command creates a user with the dbOwner role on your database. The dbOwner role gives that user full read and write permissions on the database. Read more here.

Now check that everything went fine with the auth function.

db.auth("youruser", "yourpassword")
show collections

Yay! Your database is now secured.

The connection string to MongoDB for your application will look like this (yourhost stands for the address mongod is listening on):

mongodb://youruser:yourpassword@yourhost/yourdatabase
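As an added example (not from the original article), the Python snippet below builds that connection string from the user, password, host and database names used in this guide, and shows why a password produced by a generator has to be percent-encoded before it goes into the URI: characters such as `:`, `@`, `/`, `?` and `#` are URI delimiters and would otherwise split the string in the wrong place. `yourhost` is a placeholder for the address mongod listens on; `build_uri` and `credentials_from_uri` are helper names chosen for this example.

```python
from urllib.parse import quote, unquote, urlsplit


def build_uri(user: str, password: str, host: str, database: str) -> str:
    """Build mongodb://user:password@host/database with the credentials
    percent-encoded (RFC 3986), so delimiter characters inside a strong
    generated password cannot be mistaken for parts of the URI."""
    return (f"mongodb://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}/{database}")


def credentials_from_uri(uri: str):
    """Split the URI the way a driver does and decode the credentials.

    Returns (user, password, host, database)."""
    parts = urlsplit(uri)
    return (unquote(parts.username or ""),
            unquote(parts.password or ""),
            parts.hostname,
            parts.path.lstrip("/"))


if __name__ == "__main__":
    # Constructed values; 'yourhost' stands for wherever mongod is listening.
    print(build_uri("youruser", "yourpassword", "yourhost", "yourdatabase"))

    # A password full of delimiter characters still round-trips when encoded...
    tricky = "p@ss:w/rd?#1"
    encoded = build_uri("youruser", tricky, "yourhost", "yourdatabase")
    print(encoded, "->", credentials_from_uri(encoded))

    # ...but pasted in raw, the driver would see the wrong host and password.
    naive = f"mongodb://youruser:{tricky}@yourhost/yourdatabase"
    print(naive, "->", credentials_from_uri(naive))
```

The simple case produces exactly the string shown above; the encoded form of the tricky password parses back to the same user, password, host and database, while the raw form does not even yield `yourhost` as the host.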

One last thing…

Protecting from external access

Now go back to the mongod.conf file, because we’re going to check the `bind_ip` line. That line tells the mongod process which interfaces it should listen on. (The examples below use the legacy `bind_ip=` syntax; in the YAML format that 3.x uses, the same setting is `bindIp` under the `net` section.)

Examples

bind_ip=127.0.0.1

Listening to 127.0.0.1 (localhost, loopback) means that you’ll be able to connect to your database only from the local machine.

bind_ip=0.0.0.0

Listening on 0.0.0.0 (“all the networks”) means that mongod will listen on every interface configured on your system. Be aware that this allows anyone on the Internet to reach your database (they still need valid credentials, so watch out for weak passwords too).

bind_ip=127.0.0.1,172.21.200.200

You can also listen on more than one interface, for example localhost and your private network interface.

An interesting solution would also be to set bind_ip to 0.0.0.0 and then configure a firewall like FireHOL to make sure that no one can access the server remotely.
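The two settings this guide touches in mongod.conf, `security.authorization` and the bind address, are exactly the ones that separate the exposed instances mentioned at the start from a hardened one, so they are worth checking mechanically. Below is an added example (not part of the original article or of MongoDB itself) of a small audit script that reads a mongod config in either the YAML format or the legacy `key=value` format, flattens it, and reports three things: tab indentation (which the YAML parser rejects), authorization left disabled, and a bind address that is not loopback. The sample configs are constructed for the example, and the helper names `parse_config` and `audit` are my own.

```python
import re
from typing import Dict, List

# Addresses that only the local machine can reach.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed samples of /etc/mongod.conf (not taken from a real host).
HARDENED_CONF = """\
# YAML format used by mongod 2.6 and later
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
EXPOSED_CONF = "net:\n  bindIp: 0.0.0.0\n"
TABBED_CONF = "security:\n\tauthorization: enabled\n"
LEGACY_CONF = "auth=true\nbind_ip=127.0.0.1,172.21.200.200\n"

_LEGACY_LINE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*)$")


def parse_config(text: str) -> Dict[str, str]:
    """Flatten a mongod config into {'net.bindIp': '127.0.0.1', ...}.

    Handles the YAML subset these settings use (nested 'section:' blocks,
    scalar values, '#' comments) plus the legacy 'key=value' file format.
    Lists, anchors and multi-line scalars are not handled."""
    flat: Dict[str, str] = {}
    stack: List[tuple] = []  # (indent, name) of the enclosing YAML sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        legacy = _LEGACY_LINE.match(line)
        if legacy:
            flat[legacy.group(1)] = legacy.group(2).strip()
            continue
        indent = len(line) - len(line.lstrip(" \t"))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling sections
            stack.pop()
        path = ".".join([name for _, name in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            flat[path] = value
        else:
            stack.append((indent, key.strip()))
    return flat


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks pass."""
    findings: List[str] = []
    if re.search(r"^\t", text, re.MULTILINE):
        findings.append("tab indentation: YAML does not allow tabs, so this file will fail to parse")
    cfg = parse_config(text)

    auth = (cfg.get("security.authorization") or cfg.get("auth") or "disabled").lower()
    if auth not in ("enabled", "true"):
        findings.append("authorization not enabled: anyone who can reach the port has full access")

    # mongod 3.0-3.4 listened on every interface when bindIp was absent
    # (3.6 changed that default to localhost), so treat 'unset' as 0.0.0.0.
    bind = cfg.get("net.bindIp") or cfg.get("bind_ip") or "0.0.0.0"
    exposed = [a.strip() for a in bind.split(",") if a.strip() not in LOOPBACK]
    if exposed:
        findings.append(f"listens on {', '.join(exposed)}: reachable from the network, "
                        "so passwords and a firewall are the only barriers")
    return findings


if __name__ == "__main__":
    samples = [("hardened", HARDENED_CONF), ("exposed", EXPOSED_CONF),
               ("tabbed", TABBED_CONF), ("legacy", LEGACY_CONF)]
    for name, conf in samples:
        print(f"{name}: {audit(conf) or 'OK'}")
```

Run against a real file with `audit(open("/etc/mongod.conf").read())`. The hardened sample passes cleanly; the exposed sample trips both the authorization and the bind-address checks; the tabbed sample is flagged for the tab and, because `bindIp` is unset, for listening on every interface; the legacy sample has auth on but is reported for the non-loopback 172.21.200.200 address, which is exactly the case where a firewall in front of the private interface is what keeps it safe.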

Wrapping up

If your MongoDB instance was among the unsecured ones on the Internet, you should now be safe, or at least safer than before!

There are other steps you can follow for the security of your database, including configuring a firewall and setting up SSL. These topics are covered in the official Security Manual.

I hope this helped, and if it did, show it to the world! Thank you.

Article copied from -> https://medium.com/@matteocontrini/how-to-setup-auth-in-mongodb-3-0-properly-86b60aeef7e8
