How to add users to MongoDB and make them authenticate?
Before you add users to databases, you need to add admins to the MongoDB server. If the server is not running with the
--auth option, all you have to do is call the
db.addUser() function on the
admin database. If it is running with the
--auth option, you need to select the admin database and identify yourself as a valid admin.
> use admin
> db.auth('root', 'w00t')
admin database comes by default in all MongoDB installation, you don't have to create it. Assuming, MongoDB is not running with auth, let's add some admins:
> use admin
> db.addUser('captain', 't3HlulZ')
"_id" : ObjectId("4f223e9801f4350f5d09546f"),
"user" : "captain",
"readOnly" : false,
"pwd" : "7893c786c6354f50ca1c8c764f82afae"
"readOnly" : false? What it means that this admin has read-write access to the whole database. Ok. So, how do you add a read-only admin? You do it this way:
> db.addUser('admin', 't3hHAX', true)
"user" : "admin",
"readOnly" : true,
"pwd" : "b66423859d0142d1187a30b4c455d9b6"
The third parameter of
db.addUser() is the read-only option, which is
false by default. Meaning, if you don't set it, it is assumed as false, meaning the user (in this case the admin) will have read-only access.
What does it mean to have and not have read-write access on the
Users in the admin database with read-write access can add and delete other admins and users; read, write, and delete on all databases on the MongoDB system. Those with read-only access can see all the data on MongoDB but can't edit or delete them.
Now similar to what we saw on the
admin database, every database on MongoDB has
db.addUser() function on them. To add users to specific databases you select the database and call the
db.addUser() on them. Here are some examples:
> use videos
> db.addUser('jack', 'hax0r')
That added a user called
jack who has read-write access to the database
jack can add stuff on the database, edit, and delete them; even delete the database itself!
> use videos
> db.addUser('crack', 'l0ll0l', true)
crack can only see what's all there on the videos database.
To delete a user from a database call the
db.removeUser() function on the database where you want to delete the user from. If we were to remove the user crack, we'd do this:
Make sure you have selected the right database, else the command will do nothing or you will end up deleting another user from some other database.
So how do you authenticate yourself for a certain database?
You select the database and call the
db.auth() on the database. Here is an example of how
jack would identify itself to the database called
> use videos
> db.auth('jack', 'hax0r')
db.auth() will print 1 for success, and 0 for failure.
And how do you authenticate yourself as an admin? You select the admin database and call the
db.auth() on it. Once authenticated, you can continue as an admin anywhere on the system till you authenticate yourself as someone else.
Now, probably the most important part. When you start MongoDB this way:
it will not apply any authentication restrictions to the users connected to the server - even if you have added admins and users to databases. In this mode, anyone connected to MongoDB is an admin!
So how do you enforce authentication? Start MongoDB with the
$ mongod --auth
Now everyone will be forced to authenticate themselves before they can issue commands on the system. Now the admins and users you have added will come into play.
To view the users added on a database, do this:
To change a user's password, you just re-add the user with a new password:
> db.addUser('captain', 'l0lwtf')
captain has just been assigned a new password
If you have been observant enough, you might have noticed that we don't really need to add admins before we can add users on databases. All you have to do is start MongoDB without the
--auth option, add users to databases, and restart the server with the
--auth option. TADA! But just because you can does not mean, you should!
I hope you have fun adding admins and users on your MongoDB and making them authenticate in the greater interest of the data on your system. Any comments, queries, whatever ... I'll be available at the comments. Adios!