Overview
Users and roles in Mongo are defined per database. This means that to create a user in a certain database, you first have to switch to (use) that database.
Enable Authentication
Authentication is disabled by default, but you can enable it in the configuration file. The parameter depends on the version:
- Less than 3.X: Add the “auth” parameter
- Higher than 3.X: Add the following parameter:

    security:
      authorization: "enabled"
User Management
Like any other database we can:
- Create user
- Delete user
- Reset password
- Assign roles to user
Create User
A user can be created as follows:
    > use hunter_dev     <- Database to which this user will be authenticated
    switched to db hunter_dev
    > db.createUser(
    ... {
    ...   "user" : "test",
    ...   pwd: "test",
    ...   "roles" : [
    ...     {
    ...       "role" : "dbOwner",
    ...       "db" : "hunter_dev"
    ...     }
    ...   ]
    ... }
    ... )
    Successfully added user: {
      "user" : "test",
      "roles" : [
        {
          "role" : "dbOwner",
          "db" : "hunter_dev"
        }
      ]
    }
    >
This command creates a user called test in the database hunter_dev (the user will be authenticated against this database) and makes it the owner of that database.
If you want a user with DBA privileges, you can use the following script:
    db.createUser(
      {
        "user" : "julien",
        pwd: "password",
        "roles" : [
          { "role" : "userAdminAnyDatabase", "db" : "admin" },
          { "role" : "root", "db" : "admin" },
          { "role" : "dbOwner", "db" : "admin" },
          { "role" : "userAdmin", "db" : "admin" }
        ]
      }
    )
You can list all users by printing the collections of the admin database, which include system.users, as follows:
    > use admin;
    > var collections = db.getCollectionNames();
    > for(var i = 0; i< collections.length; i++) {
    ... print('Collection: ' + collections[i]); // print the name of each collection
    ... db.getCollection(collections[i]).find().forEach(printjson); //and then print the json of each of its elements
    ... }
    Collection: system.indexes
    { "v" : 1, ..............
Or, if you know the username, you can also use:
    > db.getUser("adminDBA");
    {
      "_id" : "admin.adminDBA",
      "user" : "adminDBA",
      "db" : "admin",
      "roles" : [
        { "role" : "userAdminAnyDatabase", "db" : "admin" },
        { "role" : "root", "db" : "admin" },
        { "role" : "dbOwner", "db" : "admin" },
        { "role" : "userAdmin", "db" : "admin" }
      ]
    }
Another way to see all the users authenticated against a certain database is the show users command:
    > use admin     <- Database Name to which users will be authenticated, each DB can have different users
    switched to db admin
    > show users
    {
      "_id" : "admin.adminDBA",
      "user" : "adminDBA",
      "db" : "admin",
      "roles" : [
        { "role" : "userAdminAnyDatabase", "db" : "admin" },
        { "role" : "root", "db" : "admin" },
        { "role" : "dbOwner", "db" : "admin" },
        { "role" : "userAdmin", "db" : "admin" }
      ]
    }
    >
Reset password
Password reset depends on the version:
For Mongo <3.X
    > db.changeUserPassword("app_user", "new password")
    >
For Mongo >=3.X
    > db.updateUser("adminDBA", {pwd: "password123" })
    >
In order to authenticate yourself you can:
- Log in with username and password
- Authenticate once connected
    [root@localhost ~]# mongo
    MongoDB shell version: 3.0.15
    connecting to: test
    > use admin
    switched to db admin
    > db.auth("adminDBA","password123")
    1
    >
    > show dbs
    ExampleDB  0.078GB
    admin      0.078GB
    config     0.078GB
    local      2.077GB
    test       0.078GB
Roles
Mongo also has some built-in system roles. In a nutshell, a user can be the owner of a database, have read/write access and have access to all databases. Roles are set during user creation:
    { "role" : "userAdminAnyDatabase", "db" : "admin" },
    { "role" : "root", "db" : "admin" },
    { "role" : "dbOwner", "db" : "admin" },
    { "role" : "userAdmin", "db" : "admin" }
Setting a role in the admin database usually carries higher priority and rights than setting a role in other databases. More information about roles is given below:
Superuser Roles
Several roles provide either indirect or direct system-wide superuser access.
The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:
- dbOwner role, when scoped to the admin database
- userAdmin role, when scoped to the admin database
- userAdminAnyDatabase role
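The list above can be turned into an audit check. The following is an added example, not part of the original page: it flags user documents (shaped like the db.getUser() output shown earlier) that hold a superuser-equivalent role. The function names, the sample data and the app_admin user are assumptions made for illustration; root is included because it grants superuser access directly.

```javascript
// Added example: flag MongoDB users whose roles amount to system-wide superuser access.
// Roles from the list above that allow self-granting any privilege,
// plus "root", which is direct superuser access.
const ESCALATION_ROLES = [
  { role: "root", db: "admin" },
  { role: "userAdminAnyDatabase", db: "admin" },
  { role: "dbOwner", db: "admin" },
  { role: "userAdmin", db: "admin" },
];

function isSuperuserRole(r) {
  return ESCALATION_ROLES.some((e) => e.role === r.role && e.db === r.db);
}

// users: array of documents shaped like db.getUser() / "show users" output.
// Returns one finding per user holding at least one superuser-equivalent role.
function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    const hits = (u.roles || []).filter(isSuperuserRole).map((r) => `${r.role}@${r.db}`);
    if (hits.length > 0) {
      findings.push({
        user: `${u.db}.${u.user}`,
        superuserRoles: hits,
        // any single one of these roles is already enough, so more than one adds nothing
        redundant: hits.length > 1,
      });
    }
  }
  return findings;
}

// Constructed sample input, modelled on the users shown on this page.
const sampleUsers = [
  { user: "test", db: "hunter_dev", roles: [{ role: "dbOwner", db: "hunter_dev" }] },
  { user: "adminDBA", db: "admin", roles: [
    { role: "userAdminAnyDatabase", db: "admin" }, { role: "root", db: "admin" },
    { role: "dbOwner", db: "admin" }, { role: "userAdmin", db: "admin" } ] },
  { user: "app_admin", db: "admin", roles: [{ role: "userAdmin", db: "admin" }] }, // hypothetical user
];

for (const f of auditUsers(sampleUsers)) {
  console.log(`${f.user}: ${f.superuserRoles.join(", ")}${f.redundant ? " (redundant grants)" : ""}`);
}
```

Note that dbOwner on hunter_dev is not flagged, because the role only becomes superuser-equivalent when scoped to admin. In the mongo shell the same function can be fed with db.getSiblingDB("admin").system.users.find().toArray().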
Upgrade authentication schema
In order to upgrade the authentication schema, the following requirements must be met:
- Server is at least 3.4 and less than 4.0
- There is a user with the “userAdminAnyDatabase” role in the admin database
If these two requirements are met, you can run the following command as that user:
    [root@localhost ~]# mongo
    MongoDB shell version: 3.0.15
    connecting to: test
    > use admin
    switched to db admin
    > db.auth("adminDBA","password123")
    1
    >
    > show dbs
    ExampleDB  0.078GB
    admin      0.078GB
    config     0.078GB
    local      2.077GB
    test       0.078GB
    > db.adminCommand({authSchemaUpgrade: 1});
    { "done" : true, "ok" : 1 }     <- All is fine