Tag: linux

How to set user access rights in MongoDB

1. Set authorization OFF in mongod.conf

First, make sure that in /etc/mongod.conf the option security.authorization is either absent (absent means it is disabled) or set to "disabled", so you can log in to mongo without user authorization in order to add mongo users and grant them privileges on databases. Whenever you change mongod.conf you need to restart the mongo server.

2. Set user rights to manage all users to all databases

Here we will create a mongo user whose privileges allow it to administer all users on all databases. This user has no privileges to work with database data (it cannot even list collections); it can only manage users.

  1. Start mongo server if it is not already started:
    $ sudo mongod -f /etc/mongod.conf
  2. Connect to the server with the mongo client terminal command (if the server is not localhost you will need to change the parameters; localhost can be omitted):
    $ mongo --host localhost --port 27017
    # or
    $ mongo mongodb://localhost:27017
    # or for localhost and default port 27017 you can just type
    $ mongo
  3. In mongo console type following commands:
    > use admin
    switched to db admin
    > db.createUser(
       {
         user: "username",
         pwd: "password",
         roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
       }
     )

3. Set authorization ON and allow remote connections in mongod.conf

Until now authorization was disabled; now we will enable it so that only authorized users can access databases.

  1. Make sure that you have the following lines in /etc/mongod.conf to enable authorization:
    security:
      authorization: enabled
  2. Allow remote connections so you can connect to the mongo server from other networks and computers. Change bindIp from 127.0.0.1 to 0.0.0.0, or instead add the IP address of your public network interface, comma separated (bindIp: 127.0.0.1,109.121.29.34). Note that 0.0.0.0 listens on every interface, so the server becomes reachable from anywhere the host is; this is why authorization (step 3.1) must be enabled before the restart, and listing only the interface you need and firewalling port 27017 to known clients is the safer choice:
    # network interfaces
    net:
      port: 27017
      bindIp: 0.0.0.0
  3. Restart mongo server.

4. Set user rights to allow user to read and write only one custom database

This is pretty much the same procedure as the one described above for adding a user that administers all users, except that here we use a custom database instead of the admin database and the role readWrite instead of userAdminAnyDatabase. This user has all read and write privileges on the database test.

  1. Log in with the terminal client as the user created in step 2.3, which is allowed to administer users, authenticating against the admin database:
    $ mongo --host localhost --port 27017 -u username -p password admin
    # or
    $ mongo mongodb://username:password@localhost:27017/admin
    # or for localhost and default port just
    $ mongo -u username -p password admin
  2. Create a user with readWrite access to database test:
    > use test
    switched to db test
    > db.createUser(
       {
         user: "username2",
         pwd: "password2",
         roles: [ { role: "readWrite", db: "test" } ]
       }
     )
  3. Now you can log in to database test as user username2:
    $ mongo mongodb://username2:password2@localhost:27017/test

5. Create super admin user with all privileges on all databases

  1. Log in with the user created in step 2.3:
    $ mongo mongodb://username:password@localhost:27017/admin
  2. Add super admin user:
    > db.createUser(
       {
         user: "superadminuser",
         pwd: "superadminpass",
         roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"]
       }
     )
    > db.grantRolesToUser('superadminuser',[{ role: "root", db: "admin" }])
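As an added example that is not part of the original post: a mongo shell script that collects the three users above into one spec, expands the string role shorthand used in step 5 (a bare role name means that role on the database the command runs against), and reports which users hold roles spanning every database before creating them. The invocation `mongo -u username -p password admin users.js`, the file name and the WIDE_ROLES classification are the example's own assumptions; the credentials are the placeholders from the walkthrough.

```javascript
// Added example (not from the original post). Runs as `mongo -u username -p password admin users.js`
// or under node (where `db` is undefined, so nothing is created). Credentials are placeholders.

// Roles that reach across every database or the whole cluster; "root" is a superset of them.
const WIDE_ROLES = new Set([
  "root", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "readWriteAnyDatabase", "readAnyDatabase", "clusterAdmin",
]);

// In createUser(), a bare string role means "that role on the database the command runs
// against" (step 5 relies on this); the object form names the database explicitly.
function expandRoles(roles, currentDb) {
  return roles.map((r) =>
    typeof r === "string" ? { role: r, db: currentDb } : { role: r.role, db: r.db });
}

// Names of the roles in a user spec that grant rights beyond a single database.
function wideRoles(spec) {
  return expandRoles(spec.roles, spec.db)
    .filter((r) => WIDE_ROLES.has(r.role))
    .map((r) => r.role);
}

// The users from the walkthrough above, keyed by the database they are created in.
const USERS = [
  { db: "admin", user: "username", pwd: "password",
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { db: "test", user: "username2", pwd: "password2",
    roles: [{ role: "readWrite", db: "test" }] },
  { db: "admin", user: "superadminuser", pwd: "superadminpass",
    roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"] },
];

// Creates each user on its own database (skipping ones that already exist) and
// prints which users hold wide roles so they stand out when the output is reviewed.
function applyUsers(users, database) {
  for (const spec of users) {
    const target = database.getSiblingDB(spec.db);
    if (target.getUser(spec.user) === null) {
      target.createUser({ user: spec.user, pwd: spec.pwd,
                          roles: expandRoles(spec.roles, spec.db) });
    }
    const wide = wideRoles(spec);
    print(spec.db + "." + spec.user + ": " +
          (wide.length ? "WIDE roles: " + wide.join(", ") : "single-database roles only"));
  }
}

if (typeof db !== "undefined") applyUsers(USERS, db);  // `db` exists only inside the mongo shell
```

Running it a second time is safe because existing users are skipped; review the printed WIDE lines and drop any user that does not need cluster-wide rights.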
    

6. Useful links