MongoDB User and Role Management


A big feature of a database is user and role management. MongoDB user and role management is no different. In this article we are going to go over managing users for any number of databases in your MongoDB instance.

Creating the MongoDB admin user

First, you need to create a user. Although MongoDB user management is very different from that of traditional SQL servers, it’s fairly straightforward. To create a user you use the “admin” database to store users and roles. We’ll start by creating the main “admin” user with the MongoDB createUser() method:

use admin
db.createUser(
  {
    user: "YourAdminUserName",
    // pwd: passwordPrompt(), // prompt for the password instead of typing it into the shell
    pwd: 'MyPassword', // or supply a cleartext password here
    roles: [
      {
        role: "userAdminAnyDatabase",
        db: "admin"
      },
      "readWriteAnyDatabase"
    ]
  }
)

We start by switching to the admin database. Then we create a new user called YourAdminUserName. You can of course change this to any username of your liking. You can also choose to use the built-in passwordPrompt() helper or set the password directly (just change MyPassword to the password of your liking).

The key here is the roles field. We are using “userAdminAnyDatabase”, which lets this user create and manage users and roles on any database in our MongoDB instance (it does not by itself grant access to the data). In addition, we are specifying “readWriteAnyDatabase” so that this user can also read and modify data in any database. Some companies choose not to do this, as a security measure, so that administrators cannot access corporate data.

Adding a user to a MongoDB database

Adding a user to a MongoDB database requires a bit more configuration. In this example we are going to limit the connection to specific IP addresses. This is for the case where we only want this particular user to be used by a website.

// still on the admin database (use admin)
db.createUser(
  {
    user: "websiteserveruser",
    // pwd: passwordPrompt(), // prompt for the password instead of typing it into the shell
    pwd: 'password', // or supply a cleartext password here
    roles: [
      {
        role: "readWrite",
        db: "session"
      },
      {
        role: "readWrite",
        db: "websitedb"
      }
    ],
    // only these client addresses may authenticate as this user
    authenticationRestrictions: [{
      clientSource: [
        "192.168.1.42",
        "192.168.1.43"
      ]
    }]
  }
)

Here we are using the MongoDB db.createUser command again (still on the admin database). The user and pwd elements are the same as before, except now we are creating a separate “websiteserveruser” that will be used specifically by our website connections. Next we use roles to give read and write (“readWrite”) access to both our session and websitedb databases. You can include as many databases as you want here.

Finally, we are limiting where connections for this user are allowed from. Using the authenticationRestrictions field, we can specify any number of clientSource IP addresses. In this case, assuming we have two servers in a load-balanced setup, we specify the clientSource IP address of each server that will be connecting to these two databases. In our case we have specified 192.168.1.42 and 192.168.1.43. You can add as many specific IPs as you need here.
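The two user layouts above (an administrator holding the AnyDatabase roles, and an application user holding only per-database readWrite plus a clientSource restriction) are easy to drift from over time. The following is an added example, not code from the original article: a plain JavaScript audit that runs over user documents of the shape db.getUsers() returns (the sample documents are constructed for illustration) and that evaluates a clientSource list the way the restriction is documented, as single IPv4 addresses or CIDR ranges. It assumes IPv4 entries only and, where a user has several restriction documents, that matching any one of them is enough; the function and finding names are my own.

```javascript
// Added example: audit MongoDB user documents (db.getUsers() shape) and
// evaluate authenticationRestrictions.clientSource for a connecting address.
// Sample data below is constructed; it is not output from a real deployment.

// Parse an IPv4 dotted quad into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// True if ip matches one clientSource entry, which may be "a.b.c.d" or "a.b.c.d/len".
function matchesClientSource(entry, ip) {
  const [base, prefixStr] = entry.split("/");
  const baseInt = ipv4ToInt(base);
  const ipInt = ipv4ToInt(ip);
  if (baseInt === null || ipInt === null) return false;
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) return false;
  if (prefix === 0) return true; // JS shifts are mod 32, so /0 needs its own case
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((baseInt & mask) >>> 0) === ((ipInt & mask) >>> 0);
}

// A user with no authenticationRestrictions may connect from anywhere; otherwise
// the client must match a clientSource in at least one restriction document
// (assumption: any-of across documents; serverAddress is ignored here).
function clientAllowed(user, ip) {
  const restrictions = user.authenticationRestrictions || [];
  if (restrictions.length === 0) return true;
  return restrictions.some(r =>
    !r.clientSource || r.clientSource.some(src => matchesClientSource(src, ip)));
}

// Compare one user document against the article's conventions and return findings.
function auditUser(user) {
  const findings = [];
  // getUsers() reports roles as {role, db}; createUser also accepts bare strings
  // meaning "this role on the user's own database", so normalise both forms.
  const roles = user.roles.map(r => (typeof r === "string" ? { role: r, db: user.db } : r));
  const names = roles.map(r => r.role);
  const isAdmin = names.some(n => /AnyDatabase$|^root$/.test(n));
  const restrictions = user.authenticationRestrictions || [];

  if (isAdmin) {
    if (names.includes("readWriteAnyDatabase")) {
      findings.push("administrator also holds readWriteAnyDatabase and can read and modify all application data");
    }
  } else {
    if (!restrictions.some(r => Array.isArray(r.clientSource) && r.clientSource.length > 0)) {
      findings.push("application user has no clientSource restriction; any host can authenticate as it");
    }
    if (roles.some(r => r.db === "admin")) {
      findings.push("application user holds a role on the admin database");
    }
  }
  // A typo in an address silently locks the user out, so validate each entry.
  for (const r of restrictions) {
    for (const src of r.clientSource || []) {
      const [base, prefix] = src.split("/");
      const prefixOk = prefix === undefined || (/^\d{1,2}$/.test(prefix) && Number(prefix) <= 32);
      if (ipv4ToInt(base) === null || !prefixOk) findings.push(`malformed clientSource entry: ${src}`);
    }
  }
  return findings;
}

// Constructed sample in the shape db.getUsers() returns (credentials omitted).
const sampleUsers = [
  { _id: "admin.YourAdminUserName", user: "YourAdminUserName", db: "admin",
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }, { role: "readWriteAnyDatabase", db: "admin" }] },
  { _id: "admin.websiteserveruser", user: "websiteserveruser", db: "admin",
    roles: [{ role: "readWrite", db: "session" }, { role: "readWrite", db: "websitedb" }],
    authenticationRestrictions: [{ clientSource: ["192.168.1.42", "192.168.1.43"] }] },
  { _id: "admin.reportuser", user: "reportuser", db: "admin",
    roles: [{ role: "read", db: "reportingdb" }] }, // no clientSource: will be flagged
];

// Audit every user and return { username: [findings] }.
function auditAll(users) {
  const report = {};
  for (const u of users) report[u.user] = auditUser(u);
  return report;
}

console.log(JSON.stringify(auditAll(sampleUsers), null, 2));
```

In a live shell the input would be `db.getSiblingDB("admin").getUsers().users` rather than the constructed array; the audit is read-only and changes nothing.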

Adding a user and role to another database

Many times you will want to add an existing user to another database. We do this with the use of the MongoDB db.grantRolesToUser() command. Assuming we’ve created a “reportingdb”, we can assign our existing “websiteserveruser” from above to this database.

// grantRolesToUser must run on the database where the user was created (admin),
// not on the target database; the role's db field names the database being granted
use admin
db.grantRolesToUser('websiteserveruser', [
  {
    role: 'readWrite',
    db: 'reportingdb'
  }
]);

Here we’ve given our existing “websiteserveruser” readWrite access to the “reportingdb” database. Note that the command is run against the admin database, because that is where the user was created; the db field inside the role is what names the target database.

You’ve learned in this article how to assign users and roles to both administer the entire MongoDB server instance, and to assign users to specific databases. Let us know how you implement your users and roles by commenting on this article.

Try it for yourself and all the best on your MongoDB updates!

You can find additional information on MongoDB here on DavidDietrich.com, or by going directly to the MongoDB documentation for createUser and for the usage of grantRolesToUser.
