======Overview======

Users and roles in Mongo are defined per database. This means that to create a user in a certain database, you first have to switch to (use) that database, as shown under Create User below.

=====Enable Authentication=====

Authentication is disabled by default, but you can enable it in the configuration file. The setting depends on the version:

  * Less than 3.X: Add the "auth" parameter
  * Higher than 3.X: Add the following parameter:

<sxh bash>
security:
  authorization: "enabled"
</sxh>

=====User Management=====

Like in any other database, we can:

  * Create user
  * Delete user
  * Reset password
  * Assign roles to user

====Create User====

A user can be created as follows:

<sxh bash>
> use hunter_dev    <- Database to which this user will be authenticated
switched to db hunter_dev
> db.createUser(
... {
...   "user" : "test",
...   pwd: "test",
...   "roles" : [
...     {
...       "role" : "dbOwner",
...       "db" : "hunter_dev"
...     }
...   ]
... }
... )
Successfully added user: {
    "user" : "test",
    "roles" : [
        {
            "role" : "dbOwner",
            "db" : "hunter_dev"
        }
    ]
}
>
</sxh>

This command creates a user called test in the database hunter_dev (the user authenticates against this database) and makes it owner of that database.

If you want a user with DBA privileges, you can use the following script:

<sxh bash>
db.createUser(
{
  "user" : "julien",
  pwd: "password",
  "roles" : [
    {
      "role" : "userAdminAnyDatabase",
      "db" : "admin"
    },
    {
      "role" : "root",
      "db" : "admin"
    },
    {
      "role" : "dbOwner",
      "db" : "admin"
    },
    {
      "role" : "userAdmin",
      "db" : "admin"
    }
  ]
}
)
</sxh>

You can list all users by dumping the collections of the admin database, which include system.users, as follows:

<sxh bash>
> use admin;
> var collections = db.getCollectionNames();
> for(var i = 0; i< collections.length; i++) {
...    print('Collection: ' + collections[i]); // print the name of each collection
...    db.getCollection(collections[i]).find().forEach(printjson); // and then print the json of each of its elements
... }
Collection: system.indexes
{
    "v" : 1,
..............
</sxh>

Or, if you know the username, you can also use:

<sxh bash>
> db.getUser("adminDBA");
{
    "_id" : "admin.adminDBA",
    "user" : "adminDBA",
    "db" : "admin",
    "roles" : [
        {
            "role" : "userAdminAnyDatabase",
            "db" : "admin"
        },
        {
            "role" : "root",
            "db" : "admin"
        },
        {
            "role" : "dbOwner",
            "db" : "admin"
        },
        {
            "role" : "userAdmin",
            "db" : "admin"
        }
    ]
}
</sxh>

Another way to see all the users authenticated to a certain database is the show users command:

<sxh bash>
> use admin    <- Database Name to which users will be authenticated, each DB can have different users
switched to db admin
> show users
{
    "_id" : "admin.adminDBA",
    "user" : "adminDBA",
    "db" : "admin",
    "roles" : [
        {
            "role" : "userAdminAnyDatabase",
            "db" : "admin"
        },
        {
            "role" : "root",
            "db" : "admin"
        },
        {
            "role" : "dbOwner",
            "db" : "admin"
        },
        {
            "role" : "userAdmin",
            "db" : "admin"
        }
    ]
}
>
</sxh>

====Reset password====

Password reset depends on the version:

===For Mongo <3.X===

<sxh bash>
> db.changeUserPassword("app_user", "new password")
>
</sxh>

===For Mongo >=3.X===

<sxh bash>
> db.updateUser("adminDBA", {pwd: "password123" })
>
</sxh>

In order to authenticate yourself you can:

===Login with username and password===

<sxh bash>
</sxh>

===Authenticate once connected===

<sxh bash>
[root@localhost ~]# mongo
MongoDB shell version: 3.0.15
connecting to: test
> use admin
switched to db admin
> db.auth("adminDBA","password123")
1
>
> show dbs
ExampleDB  0.078GB
admin      0.078GB
config     0.078GB
local      2.077GB
test       0.078GB
</sxh>

====Roles====

Mongo also has some system roles. In a nutshell, a user can be owner of a database, have read-write access, and have access to all databases.
Roles are set during user creation:

<sxh bash>
{
    "role" : "userAdminAnyDatabase",
    "db" : "admin"
},
{
    "role" : "root",
    "db" : "admin"
},
{
    "role" : "dbOwner",
    "db" : "admin"
},
{
    "role" : "userAdmin",
    "db" : "admin"
}
</sxh>

Setting a role in the admin database usually carries higher priority and rights than setting a role in other databases. More information about roles follows below:

====Superuser Roles====

Several roles provide either indirect or direct system-wide superuser access.

The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:

  * dbOwner role, when scoped to the admin database
  * userAdmin role, when scoped to the admin database
  * userAdminAnyDatabase role

=====Upgrade authentication schema=====

In order to upgrade the authentication schema, the following requirements must be met:

  * Server is at least 3.4 and less than 4.0
  * There is a user with the "userAdminAnyDatabase" role in the admin database

If these two requirements are met, you can run the following command as that user:

<sxh bash>
[root@localhost ~]# mongo
MongoDB shell version: 3.0.15
connecting to: test
> use admin
switched to db admin
> db.auth("adminDBA","password123")
1
>
> show dbs
ExampleDB  0.078GB
admin      0.078GB
config     0.078GB
local      2.077GB
test       0.078GB
> db.adminCommand({authSchemaUpgrade: 1});
{ "done" : true, "ok" : 1 }    <- All is fine
</sxh>

mongo_usrs_roles.txt Last modified: 2019/10/18 20:04 by 127.0.0.1
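
One way to audit for the combinations listed under Superuser Roles above, as an added example that is not part of the original page: it takes user documents in the shape that db.getUser() prints here and reports every user holding a role that gives system-wide access. The root entry comes from MongoDB's built-in roles rather than from this page's list; the function names and the user ops are made up for illustration.

```javascript
// Added example (not from the original page): flag users whose roles amount
// to system-wide superuser access. What matters is the database the ROLE is
// scoped to, not the database the user authenticates against.
const SUPERUSER_ROLES = new Map([
  // Direct superuser (MongoDB built-in role, defined on admin).
  ["root@admin", "direct superuser access"],
  // Indirect superuser: the three cases listed under "Superuser Roles".
  ["userAdminAnyDatabase@admin", "can grant itself any privilege on any database"],
  ["dbOwner@admin", "can grant itself any privilege on any database"],
  ["userAdmin@admin", "can grant itself any privilege on any database"],
]);

// Returns the reasons why one user document counts as a superuser (may be empty).
function superuserReasons(user) {
  const reasons = [];
  for (const { role, db } of user.roles || []) {
    const why = SUPERUSER_ROLES.get(`${role}@${db}`);
    if (why) reasons.push(`${role} on ${db}: ${why}`);
  }
  return reasons;
}

// Returns one finding per user that holds at least one superuser-grade role.
function auditUsers(users) {
  return users
    .map((u) => ({ user: `${u.db}.${u.user}`, reasons: superuserReasons(u) }))
    .filter((finding) => finding.reasons.length > 0);
}

// Constructed sample input modelled on the documents shown on this page.
const sampleUsers = [
  { user: "adminDBA", db: "admin", roles: [
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "root", db: "admin" },
    { role: "dbOwner", db: "admin" },
    { role: "userAdmin", db: "admin" } ] },
  // dbOwner scoped to its own database only: not flagged.
  { user: "test", db: "hunter_dev", roles: [{ role: "dbOwner", db: "hunter_dev" }] },
  // Hypothetical user: lives in hunter_dev but holds userAdmin on admin.
  { user: "ops", db: "hunter_dev", roles: [{ role: "userAdmin", db: "admin" }] },
];

for (const finding of auditUsers(sampleUsers)) {
  console.log(`${finding.user} -> ${finding.reasons.join("; ")}`);
}
```

On the sample data the audit reports admin.adminDBA and hunter_dev.ops, while test, whose dbOwner role is scoped to hunter_dev only, is not flagged.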