enable-authentication-in-mongodb.md

Enable Authentication In MongoDB

In This Tutorial we are gonna enable Authentication by Enabling Access Control on MongoDB instance.(By default MongoDB does not have any authentication system)

When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles.

User Administrator

With access control enabled, Users will have to access MongoDB Instance using username & password. Every Users will be provided with Roles, Some Built-In Roles are

Database User Role ¶

• read:
  Provides the ability to read data on all non-system collections
• readWrite:
  Provides all the privileges of the read role plus ability to modify data on all non-system collections

Database Administration Roles ¶

• dbAdmin:
  Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management.
• dbOwner:
  The database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.
• userAdmin:
  Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster.

Cluster Administration Roles ¶

• clusterAdmin:
  Provides the greatest cluster-management access. This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. Additionally, the role provides the dropDatabase action.

Backup and Restoration Roles ¶

• backup:
  Provides minimal privileges needed for backing up data.
• restore:
  Provides the necessary privileges to restore data from backups

All-Database Roles ¶

• readAnyDatabase:
  Provides the same read-only privileges as read on all databases.
• readWriteAnyDatabase:
  Provides the same privileges as readWrite on all databases.
• userAdminAnyDatabase:
  Provides the same access to user administration operations as userAdmin on all databases.
• dbAdminAnyDatabase:
  Provides the same privileges as dbAdmin on all databases.

Superuser Roles ¶

• root:
  Provides access to the operations and all the resources of the following roles combined:
  • readWriteAnyDatabase
  • userAdminAnyDatabase
  • dbAdminAnyDatabase
  • clusterAdmin
  • backup
  • restore

(Note:you can read more about it on mongodb documentation page)

Procedure

1.Start MongoDB without access control.

Open your teminal and type following command for Local Instance

ubuntu@your-pc:~# mongod --dbpath /var/lib/mongodb

or for your Remote Instance

ubuntu@your-pc:~# mongod --host <your host name> --port 27017 --dbpath /var/lib/mongodb

2.Connect to the MongoDB instance.

Open you terminal and type following to connect to your Local mongo shell

ubuntu@your-pc:~# mongo

or for your Remote mongo shell

ubuntu@your-pc:~# mongo --host <your host name> --port 27017

3.Create the user administrator.

From the mongo shell, add a user with the userAdminAnyDatabase role in the admin database or you can add any role from MongoDB's Built-In Roles. But if you are creating user for the first time, go with userAdminAnyDatabase.

First select admin database

> use admin

then run following command where is any name

> db.createUser(
    {
      user: "<username>",
      pwd: passwordPrompt(), // or <password>
      roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
    }
  )

passwordPrompt() will ask for password after you hit enter

4.Re-start the MongoDB instance with access control.

Shut down the mongod instance from admin database.

> db.adminCommand( { shutdown: 1 } )

or

> db.shutdownServer()

After then you will see server should be down..., which means everything went well. Now type to exit the mongo shell.

> exit

Now, from your ubuntu terminal, type following command to add the security.auth or security.authorization to the MongoDB config file.

ubuntu@your-pc:~# sudo vi /etc/mongod.conf

or

ubuntu@your-pc:~# sudo nano /etc/mongod.conf

prior to version 4.x, it may look something like

# Turn on/off security.  Off is currently the default
#noauth = true
#auth = true

just uncomment it like this

# Turn on/off security.  Off is currently the default
#noauth = true
auth = true

Or if you are using version greater or equal to 4.x, enable authorization

security:
 authorization: enabled

From your terminal, restart your MongoDB instance

ubuntu@your-pc:~# sudo systemctl restart mongodb

or if you have installed mongodb driver directly from mongodb website instead of ubuntu snap store, then type this command instead

ubuntu@your-pc:~# sudo systemctl restart mongod

Now check your MongoDB instance

ubuntu@your-pc:~# sudo systemctl status mongodb

or

ubuntu@your-pc:~# sudo systemctl status mongod

you should see something like this

Active: active (running)

5.Connect to MongoDB instance with superAdmin access.

ubuntu@your-pc:~# mongo --authenticationDatabase "admin" -u "<username>" -p

once you press enter, you'll get password prompt, just enter the password

MongoDB shell version v3.x.x
Enter password: <password>

######(You can also/should create multiple users for specific database)

6.Create user access for specific database

We'll create user with only read write access

use <your-db-name>
db.createUser({
user: "<username>",
pwd: "<password>",
roles: ["readWrite"]
})

or

db.createUser({
user: "<username>",
pwd: "<password>",
roles: [{"readWrite", db: "<your-db-name>"}]
})

7.Connect to specific MongoDB instance with limited access.

ubuntu@your-pc:~# mongo --authenticationDatabase "<your-db-name>" -u "<username>" -p

and then enter your password which i showed you in step 5.

That's it for today...