In our previous guides, we learnt how to install MongoDB on Ubuntu or Debian systems;
Install MongoDB on Ubuntu 20.04
By default, self hosted MongoDB doesn’t enforce user authentication by default. For example, when you connect to MongoDB from the command line using the mongo
or command mongo mongodb://127.0.0.1:27017
, you will connect with no prompt for authentication.
mongo
Or
mongo mongodb://127.0.0.1:27017
This gets you directly onto the MongoDB shell prompt.
MongoDB shell version v4.4.4
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("e2542d07-93fe-4621-af6d-8894f1899ee3") }
MongoDB server version: 4.4.4
---
...
---
>
This basically means that, any one with access to the system, can do anything possible to MongoDB databases since there is no restriction implemented.
For example, once can list the databases;
show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
Enable Authentication on MongoDB
There are several security features that can be implemented to secure MongoDB deployments. One these features it the ability to enable MongoDB access control through enforcement of user authentication.
Authentication is the process of validating the identity of a user connecting to a MongoDB.
MongoDB uses various authentication mechanisms such as;
- Salted Challenge Response Authentication Mechanism (SCRAM) which is the default MongoDB authentication mechanism. It verifies the supplied user credentials against the user’s
name
,password
andauthentication database
. - x.509 Certificate Authentication, which authenticates clients using x.509 certificates instead of usernames and passwords.
In this guide, we will learn how to enable authentication on MongoDB using SCRAM method, which involves the use of usernames and passwords to validate users identity.
Create MongoDB Administrative User
To begin with, connect to a MongoDB instance and create a MongoDB administrative user.
mongo
If you check from MongoDB shell prompt, no user is created by default;
show users
Or
db.getUsers();
The commands above prints no result.
To create an admin user, switch to default admin MongoDB database.
Listing available databases first;
show dbs
Sample output;
admin 0.000GB
config 0.000GB
local 0.000GB
Next, run the command below from the shell prompt to switch to MongoDB default admin database;
use admin
Once you have switched to admin database, paste the command below on the shell to create MongoDB admin user. Be sure to replace the username of the administrator as you wish.
db.createUser(
{
user: "kifarunixdemoAdmin",
pwd: passwordPrompt(),
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
Press Enter once you have pasted the command call above. You will be prompted to enter your password. If you need to display the password in cleartext, simply replace passwordPrompt()
with “your password
“.
Sample output of creating an admin user on MongoDB;
Successfully added user: {
"user" : "kifarunixdemoAdmin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
"readWriteAnyDatabase"
]
}
Once you have created an admin user, exit the database connection;
quit ()
Enable Access Control on MongoDB
MongoDB provides an option, security.authorization
, for enabling or disabling role based access control (RBAC).
To enable this option, edit MongoDB configuration file, /etc/mongod.conf
, and set the value for this option to enabled
.
Open the file for editing;
vim /etc/mongod.conf
Uncomment the line, #security:
, by removing the # at the beginning of that line and set it a follows;
#security:
security:
authorization: enabled
Save and exit the file.
Restart MongoDB service;
systemctl restart mongod
Verifying MongoDB Authentication
Next, to verify if authentication works, connect to MongoDB;
mongo
Try to list available database users;
show users
You will get such an error that usersInfo requires authentication
;
uncaught exception: Error: command usersInfo requires authentication :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.getUsers@src/mongo/shell/db.js:1659:15
shellHelper.show@src/mongo/shell/utils.js:914:9
shellHelper@src/mongo/shell/utils.js:819:15
@(shellhelp2):1:1
To authenticate as a user, switch to admin database;
use admin
Next, run the command below to login as the administrative user created above (Replace the username accordingly);
db.auth("kifarunixdemoAdmin")
Similarly, you can authenticate directly to a specific database from command line;
mongo -u kifarunixdemoAdmin -p --authenticationDatabase admin
Enter your password.
Once connected to MongoDB, run the commands as you wish. e.g list available users;
show users
{
"_id" : "admin.kifarunixdemoAdmin",
"userId" : UUID("b270c458-fb3b-425c-ad87-fdeb0e984a27"),
"user" : "kifarunixdemoAdmin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "readWriteAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
You can further create databases and respective users and roles.
That simply marks the end of our tutorial on how to enable authentication on MongoDB.
Reference
Other Tutorials
Install and Configure SSSD for OpenLDAP Authentication on Fedora 32/31/30
Configure Squid Proxy OpenLDAP Authentication on pfSense