Quick Tip: Using Users in MongoDB


By default a MongoDB install does not use a username/password combination to access the database.

No Password, But Why?

This is down to the design philosophy of MongoDB, which is to push much of the “logic” to the application level and keep the database doing what databases do best! Hence, given the way that MongoDB is normally used, it’s generally not necessary.

In a SQL environment you might have multiple users with multiple groups and schemas to lock down different levels of the database, tables, views, stored procedures, etc. …

The idea of this is of course to 1) protect data from unauthorized modification or deletion and 2) limit the tug o’ war between users by clearly defining their rights.

So, you can give the accounting department different privileges than the marketing department or give root access to the developers (of course.)

Conversely, MongoDB’s design philosophy would (generally) pass these over to the application itself to handle.

I Don’t Care, I Still Want Passwords!

No worries, if the idea of no users/passwords keeps you up at night you can still have them!

MongoDB (currently) supports users on the database level with both “read/write” and “read only” options.

You can see all the users in a database in the system.users collection …

> use mydatabase
> db.system.users.find()

Creating MongoDB Users

Adding a new user is fairly straightforward …

Read/Write User

$ ./mongo
> use mydatabase
> db.addUser("admin", "Sup3rG00dP@azzword")

This creates a read/write user for the database mydatabase (you can choose any username you wish.)

This user will be “good for” this database alone.

Read Only User

> db.addUser("web", "prettyGoodPass", true)

The “true” parameter there makes the user read only (great for parts of the application code that you want to make sure never accidentally perform a write operation.)

Using A User: Authenticate

To “login” as a user you’ll need to authenticate. Simply use …

> db.auth("admin", "Sup3rG00dP@azzword")

You can also authenticate via the command line using the mongo parameters below …

  -u [ --username ] arg username for authentication
  -p [ --password ] arg password for authentication

Changing Passwords

To change the password simply run the addUser command again with a new password.

> db.addUser("web", "wayGooderPass", true)

Delete a User

To remove a user you need to remove the corresponding document for that user in the system.users collection.

> db.system.users.remove({"user" : "web"});

Set MongoDB to Force Authentication

To force MongoDB to use authentication you’ll need to add the --auth parameter to MongoDB at startup (so you would need to restart.)

If you are using an unauthorized user you’ll get an error something like …

error: { "$err" : "unauthorized for db [mydatabase] lock type: -1 " }

If you have a read only user and attempt a write operation you’ll simply get back …

unauthorized

Lastly, if you try to use a user that doesn’t have read/write privileges on the admin database …

So, if you try to do something like list the available databases on the server ( > show dbs ) you’ll get an error too, and you’ll need to make sure you switch to an account with read/write privileges in admin.
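
The following is an added example, not code from the original post: a small Node.js audit that compares exported system.users documents with the access level each account is supposed to have, and checks that admin has a read/write user before authentication is forced. The `readOnly` field name, the sample documents and the policy object are assumptions made for the example.

```javascript
// Added example: audit legacy system.users documents against an intended policy.
// ASSUMPTION: each document looks like { user: "...", readOnly: true|false, pwd: "..." },
// i.e. the read only flag passed to db.addUser() is stored as "readOnly".

// Constructed sample data: database name -> documents as listed by
// db.system.users.find() in that database.
const sampleUsers = {
  mydatabase: [
    { user: "admin", readOnly: false, pwd: "<hash>" },
    { user: "web", readOnly: false, pwd: "<hash>" },    // drifted: should be read only
    { user: "olddev", readOnly: false, pwd: "<hash>" }, // not in the policy at all
  ],
  admin: [{ user: "ops", readOnly: true, pwd: "<hash>" }],
};

// Hypothetical policy: intended access per database, "ro" = read only, "rw" = read/write.
const samplePolicy = {
  mydatabase: { admin: "rw", web: "ro" },
  admin: { ops: "rw" },
};

function auditUsers(usersByDb, policy) {
  const findings = [];
  for (const [dbName, docs] of Object.entries(usersByDb)) {
    const expected = policy[dbName] || {};
    for (const doc of docs) {
      // Assumption: a missing flag is treated as read/write (the conservative reading).
      const actual = doc.readOnly === true ? "ro" : "rw";
      const want = expected[doc.user];
      if (want === undefined) {
        findings.push(`${dbName}.${doc.user}: not in policy (has ${actual})`);
      } else if (want !== actual) {
        findings.push(`${dbName}.${doc.user}: expected ${want}, found ${actual}`);
      }
    }
    for (const name of Object.keys(expected)) {
      if (!docs.some((d) => d.user === name)) {
        findings.push(`${dbName}.${name}: in policy but missing`);
      }
    }
  }
  // Server-wide operations such as "show dbs" need a read/write user in admin.
  const adminDocs = usersByDb.admin || [];
  if (!adminDocs.some((d) => d.readOnly !== true)) {
    findings.push("admin: no read/write user for server-wide operations");
  }
  return findings;
}

console.log(auditUsers(sampleUsers, samplePolicy).join("\n"));
```

An empty result means every listed account matches the policy and admin has at least one read/write user.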
