Enable Authentication on MongoDB

In our previous guides, we learnt how to install MongoDB on Ubuntu or Debian systems;

Install MongoDB on Debian 10

Install MongoDB on Ubuntu 20.04

By default, self hosted MongoDB doesn’t enforce user authentication by default. For example, when you connect to MongoDB from the command line using the mongo or command mongo mongodb://127.0.0.1:27017, you will connect with no prompt for authentication.

mongo

Or

mongo mongodb://127.0.0.1:27017

This gets you directly onto the MongoDB shell prompt.

MongoDB shell version v4.4.4
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("e2542d07-93fe-4621-af6d-8894f1899ee3") }
MongoDB server version: 4.4.4
---
...
---
>

This basically means that, any one with access to the system, can do anything possible to MongoDB databases since there is no restriction implemented.

For example, once can list the databases;

show dbs

admin   0.000GB
config  0.000GB
local   0.000GB

Enable Authentication on MongoDB

There are several security features that can be implemented to secure MongoDB deployments. One these features it the ability to enable MongoDB access control through enforcement of user authentication.

Authentication is the process of validating the identity of a user connecting to a MongoDB.

MongoDB uses various authentication mechanisms such as;

• Salted Challenge Response Authentication Mechanism (SCRAM) which is the default MongoDB authentication mechanism. It verifies the supplied user credentials against the user’s name, password and authentication database.
• x.509 Certificate Authentication, which authenticates clients using x.509 certificates instead of usernames and passwords.

In this guide, we will learn how to enable authentication on MongoDB using SCRAM method, which involves the use of usernames and passwords to validate users identity.

Create MongoDB Administrative User

To begin with, connect to a MongoDB instance and create a MongoDB administrative user.

mongo

If you check from MongoDB shell prompt, no user is created by default;

show users

Or

db.getUsers();

The commands above prints no result.

To create an admin user, switch to default admin MongoDB database.

Listing available databases first;

show dbs

Sample output;

admin   0.000GB
config  0.000GB
local   0.000GB

Next, run the command below from the shell prompt to switch to MongoDB default admin database;

use admin

Once you have switched to admin database, paste the command below on the shell to create MongoDB admin user. Be sure to replace the username of the administrator as you wish.

db.createUser(
  {
    user: "kifarunixdemoAdmin",
    pwd: passwordPrompt(),
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)

Press Enter once you have pasted the command call above. You will be prompted to enter your password. If you need to display the password in cleartext, simply replace passwordPrompt() with “your password“.

Sample output of creating an admin user on MongoDB;

Successfully added user: {
	"user" : "kifarunixdemoAdmin",
	"roles" : [
		{
			"role" : "userAdminAnyDatabase",
			"db" : "admin"
		},
		"readWriteAnyDatabase"
	]
}

Once you have created an admin user, exit the database connection;

quit ()

Enable Access Control on MongoDB

MongoDB provides an option, security.authorization, for enabling or disabling role based access control (RBAC).

To enable this option, edit MongoDB configuration file, /etc/mongod.conf, and set the value for this option to enabled.

Open the file for editing;

vim /etc/mongod.conf

Uncomment the line, #security:, by removing the # at the beginning of that line and set it a follows;

#security:
security:
  authorization: enabled

Save and exit the file.

Restart MongoDB service;

systemctl restart mongod

Verifying MongoDB Authentication

Next, to verify if authentication works, connect to MongoDB;

mongo

Try to list available database users;

show users

You will get such an error that usersInfo requires authentication;

uncaught exception: Error: command usersInfo requires authentication :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.getUsers@src/mongo/shell/db.js:1659:15
shellHelper.show@src/mongo/shell/utils.js:914:9
shellHelper@src/mongo/shell/utils.js:819:15
@(shellhelp2):1:1

To authenticate as a user, switch to admin database;

use admin

Next, run the command below to login as the administrative user created above (Replace the username accordingly);

db.auth("kifarunixdemoAdmin")

Similarly, you can authenticate directly to a specific database from command line;

mongo -u kifarunixdemoAdmin -p --authenticationDatabase admin

Enter your password.

Once connected to MongoDB, run the commands as you wish. e.g list available users;

show users

{
	"_id" : "admin.kifarunixdemoAdmin",
	"userId" : UUID("b270c458-fb3b-425c-ad87-fdeb0e984a27"),
	"user" : "kifarunixdemoAdmin",
	"db" : "admin",
	"roles" : [
		{
			"role" : "userAdminAnyDatabase",
			"db" : "admin"
		},
		{
			"role" : "readWriteAnyDatabase",
			"db" : "admin"
		}
	],
	"mechanisms" : [
		"SCRAM-SHA-1",
		"SCRAM-SHA-256"
	]
}

You can further create databases and respective users and roles.

That simply marks the end of our tutorial on how to enable authentication on MongoDB.

Reference

MongoDB Authentication

Other Tutorials

Install and Configure SSSD for OpenLDAP Authentication on Fedora 32/31/30

Configure Squid Proxy OpenLDAP Authentication on pfSense

Configure Offline Authentication via OpenLDAP on MacOS X

Configure OpenLDAP Authentication on MacOS X