Published on

User Management and Access Control in MongoDB

Authors
  • avatar
    Name
    Hieu Cao
    Twitter

Introduction

MongoDB provides robust features for user management and access control, enabling administrators to define roles, grant permissions, and secure the database. This blog explains how to create users and manage their access rights effectively.

Prerequisites

  • MongoDB installed and running.
  • Access to the mongo shell.
  • Knowledge of basic MongoDB operations.

Enabling Access Control

Before managing users, enable authentication in MongoDB. This requires restarting the MongoDB server with access control enabled.

Step 1: Configure MongoDB

Find the mongod.conf file in your computer.

ps aux | grep mongod

Edit the mongod.conf file to enable authentication:

security:
  authorization: 'enabled'

Restart the MongoDB service:

sudo systemctl restart mongod

Step 2: Access the MongoDB Shell

Log in without authentication (only possible if no users exist):

mongosh

Creating a User

Example: Create an Admin User

Switch to the admin database:

use admin;

Create a user with userAdminAnyDatabase role:

db.createUser({
  user: 'admin',
  pwd: 'admin',
  roles: ['userAdminAnyDatabase', 'dbAdminAnyDatabase'],
})

Authenticate as Admin

Log in as the newly created admin user:

mongo -u admin -p admin --authenticationDatabase admin

Example: Create a Read/Write User

Switch to the desired database:

use myDatabase;

Create a user:

db.createUser({
  user: 'user',
  pwd: 'user',
  roles: ['readWrite'],
})

Example: Create a Read-Only User

Switch to the database:

use myDatabase;

Create a read-only user:

db.createUser({
  user: 'readOnlyUser',
  pwd: 'readOnlyUser',
  roles: ['read'],
})

Example: Create user for Specific Databases

Switch to the database:

use myDatabase;

Create a read-only user:

db.createUser({
  user: 'userSpecificDB',
  pwd: 'userSpecificDB',
  roles: [{ role: 'readWrite', db: 'test' }],
})

Managing User Roles

MongoDB provides predefined roles to simplify user management. Common roles include:

  • read: Grants read-only access to a database.
  • readWrite: Grants read and write access to a database.
  • dbAdmin: Provides administrative access to a database.
  • userAdmin: Allows user creation and role management within a database.
  • clusterAdmin: Grants administrative access to the cluster.

Example: Update User Roles

Modify an existing user's roles:

db.updateUser('dbUser', {
  roles: ['readWrite', 'dbAdmin'],
})

Deleting a User

Remove a user when access is no longer needed.

Example:

db.dropUser('dbUser')

Auditing User Activity

Enable MongoDB’s auditing feature to track user actions and enhance security. Use tools like mongod logs or third-party monitoring solutions to analyze access patterns.

Best Practices for User Management

  1. Use Strong Passwords: Enforce secure password policies.
  2. Least Privilege Principle: Assign minimal permissions required for a user.
  3. Regular Audits: Periodically review and update user roles and permissions.
  4. Separate Roles: Avoid using the same user account for different purposes.
  5. Enable Authentication: Always enforce authentication in production environments.

Conclusion

Effective user management and access control are essential for maintaining the security and integrity of your MongoDB databases. By following these guidelines and examples, you can ensure that your database is protected against unauthorized access while allowing legitimate users to perform their tasks efficiently.

Happy securing!