MongoDB – Add Users and Authenticate

How to add users to MongoDB and make them authenticate?

Before you add users to databases, you need to add admins to the MongoDB server. If the server is not running with the --auth option, all you have to do is call the db.addUser() function on the admin database. If it is running with the --auth option, you need to select the admin database and identify yourself as a valid admin.

> use admin
> db.auth('root', 'w00t')

The admin database comes by default in every MongoDB installation; you don’t have to create it. Assuming MongoDB is not running with --auth, let’s add some admins:

> use admin
> db.addUser('captain', 't3HlulZ')
"_id" : ObjectId("4f223e9801f4350f5d09546f"),
"user" : "captain",
"readOnly" : false,
"pwd" : "7893c786c6354f50ca1c8c764f82afae"

Notice that "readOnly" : false? It means that this admin has read-write access to every database on the server. So how do you add a read-only admin? You do it this way:

> db.addUser('admin', 't3hHAX', true)
"user" : "admin",
"readOnly" : true,
"pwd" : "b66423859d0142d1187a30b4c455d9b6"

The third parameter of db.addUser() is the read-only option, which is false by default. Meaning, if you don’t set it, it is assumed to be false, and the user (in this case the admin) will have read-write access.

What does it mean to have and not have read-write access on the admin database?

Users in the admin database with read-write access can add and delete other admins and users; read, write, and delete on all databases on the MongoDB system. Those with read-only access can see all the data on MongoDB but can’t edit or delete them.

Now, similar to what we saw on the admin database, every database on MongoDB has a db.addUser() function. To add users to a specific database, you select the database and call db.addUser() on it. Here are some examples:

> use videos
> db.addUser('jack', 'hax0r')

That added a user called jack who has read-write access to the database videos. jack can add stuff on the database, edit, and delete them; even delete the database itself!

> use videos
> db.addUser('crack', 'l0ll0l', true)

The user crack can only read what is in the videos database.

To delete a user from a database call the db.removeUser() function on the database where you want to delete the user from. If we were to remove the user crack, we’d do this:

> db.removeUser('crack')

Make sure you have selected the right database, else the command will do nothing or you will end up deleting another user from some other database.

So how do you authenticate yourself for a certain database?

You select the database and call db.auth() on it. Here is an example of how jack would identify himself to the database called videos.

> use videos
> db.auth('jack', 'hax0r')

db.auth() will print 1 for success, and 0 for failure.

And how do you authenticate yourself as an admin? You select the admin database and call db.auth() on it. Once authenticated, you can continue as an admin anywhere on the system until you authenticate yourself as someone else.

Now, probably the most important part. When you start MongoDB this way:

$ mongod

it will not apply any authentication restrictions to the users connected to the server – even if you have added admins and users to databases. In this mode, anyone connected to MongoDB is an admin!

So how do you enforce authentication? Start MongoDB with the --auth option.

$ mongod --auth

Now everyone will be forced to authenticate themselves before they can issue commands on the system. Now the admins and users you have added will come into play.

To view the users added on a database, do this:

> db.system.users.find()

To change a user’s password, you just re-add the user with a new password:

> db.addUser('captain', 'l0lwtf')

The user captain has just been assigned a new password l0lwtf.

If you have been observant enough, you might have noticed that we don’t really need to add admins before we can add users to databases. All you have to do is start MongoDB without the --auth option, add users to databases, and restart the server with the --auth option. TADA! But just because you can doesn’t mean you should!

I hope you have fun adding admins and users on your MongoDB and making them authenticate, in the greater interest of the data on your system. Any comments, queries, whatever … I’ll be available in the comments. Adios!



Captain of the Internets Hack Sparrow