Users management and Roles in MongoDB

Users management

Each created user is assigned an authentication database (the database they must authenticate against before doing anything else) and a set of roles and privileges that define which databases and collections they can access and what they can do with them.

Create User

To create a user we use the db.createUser() method on the database that will become the user's authentication database.

User admin

> use admin
> db.createUser({
	user: "username",
	pwd: "password",
	roles: ["userAdminAnyDatabase"]
})

Add user to a database using roles

> use databaseName
> db.createUser({
	user: "username",
	pwd: "password",
	roles: ["readWrite"]
})

Add user to multiple databases

> use databaseName
> db.createUser({
	user: "username",
	pwd: "password",
	roles: [
	"readWrite",
	{role: "readWrite", db: "otherDatabaseName"}
	]
})

When only the role name is given (here "readWrite") it applies to the current database (here databaseName); the object form {role, db} grants the role on another database.

Edit Users

> use databaseName
> db.updateUser("username",
{
	roles: [
		"readWrite", 
		{role: "readWrite", db: "otherDatabaseName"}
	]
})

Built-in Roles

Here is a list of the built-in roles in MongoDB:

  • read
  • readWrite
  • dbAdmin
  • dbOwner
  • userAdmin
  • hostManager
  • clusterMonitor
  • clusterManager
  • clusterAdmin
  • backup
  • restore
  • readAnyDatabase
  • readWriteAnyDatabase
  • userAdminAnyDatabase
  • dbAdminAnyDatabase
  • root

To know more about Built-In Roles visit the official documentation: Built-In Roles

Creating a Superuser access

There are several ways to create a user with superuser-level access:

  • Create a user with the dbOwner role on the admin database
  • Create a user with the userAdmin role on the admin database
  • Create a user with the userAdminAnyDatabase role
  • Create a user with the root role

Within the admin database, a user holding the userAdmin or dbOwner role can grant cluster-wide roles or privileges, including userAdminAnyDatabase, so these grants are effectively superuser access.
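A defender-side check that follows from the list above, added here as an example and not part of the original notes: given user documents in the shape returned by db.getUsers(), flag every user whose grants amount to superuser access (root or userAdminAnyDatabase anywhere, dbOwner or userAdmin on admin). The user documents are constructed for the example.

```javascript
// Added example: audit user documents for superuser-equivalent grants.
// Role grants that the notes list as effectively superuser.
const SUPERUSER_EQUIVALENTS = [
  { role: "root" },                      // any database
  { role: "userAdminAnyDatabase" },      // any database
  { role: "dbOwner", db: "admin" },      // only on admin
  { role: "userAdmin", db: "admin" },    // only on admin
];

// Return the superuser-equivalent grants held by one user document.
// Each entry of user.roles has the shape { role, db }, as db.getUsers() returns.
function superuserGrants(user) {
  return user.roles.filter((grant) =>
    SUPERUSER_EQUIVALENTS.some(
      (s) => s.role === grant.role && (s.db === undefined || s.db === grant.db)
    )
  );
}

// Audit a list of user documents; returns [{ user, db, grants }] for those
// holding at least one superuser-equivalent grant.
function auditSuperusers(users) {
  return users
    .map((u) => ({ user: u.user, db: u.db, grants: superuserGrants(u) }))
    .filter((r) => r.grants.length > 0);
}

// Constructed sample in the shape of db.getUsers() output (not real data).
const SAMPLE_USERS = [
  { user: "siteAdmin", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "appUser", db: "myApp", roles: [{ role: "readWrite", db: "myApp" }] },
  { user: "dba", db: "admin", roles: [{ role: "dbOwner", db: "admin" }, { role: "readAnyDatabase", db: "admin" }] },
  { user: "reporting", db: "reports", roles: [{ role: "dbOwner", db: "reports" }] },
];

// dbOwner on "reports" is not flagged: it is only superuser-equivalent on admin.
for (const r of auditSuperusers(SAMPLE_USERS)) {
  console.log(`${r.user}@${r.db}: ${r.grants.map((g) => `${g.role}@${g.db}`).join(", ")}`);
}
```

To audit a live deployment, feed the function the array returned by db.getUsers() on each authentication database.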

User authentication

There are two ways to authenticate: pass the credentials on the mongo command line, or call db.auth() after entering the mongo shell.

Command line

$ mongo -u username -p password --authenticationDatabase <authenticationDatabaseName>

Auth method

> mongo
> use <authenticationDatabaseName>
> db.auth('username', 'password')

The authenticationDatabaseName is the database that was current (selected with use) when the user was created with createUser.

Logout

> db.logout()

Create roles for Collection-Level Access Control

To set up Collection-Level Access Control we use user-defined roles. By creating a role whose privileges are scoped to specific collections in a particular database, administrators can provision users with roles that grant privileges at the collection level. To do so we use the db.createRole() method in the database where the role should be defined.

> use myApp
> db.createRole({
  // the role is created in the current database (myApp) and stored as "myApp.appUser";
  // db.createRole() takes only role, privileges, roles (and authenticationRestrictions)
  role: "appUser",
  privileges: [
       { resource: { db: "myApp" , collection: "" },
         actions: [ "find", "createCollection", "dbStats", "collStats" ] },
       { resource: { db: "myApp", collection: "logs" },
         actions: [ "insert" ] },
       { resource: { db: "myApp", collection: "data" },
         actions: [ "insert", "update", "remove", "compact" ] },
       { resource: { db: "myApp", collection: "system.js" },
         actions: [ "find" ] }
  ],
  roles: []
})

An empty collection value in a resource means the privilege applies to every non-system collection in that database; that is why system.js is listed separately above. To know more visit the official documentation: User-Defined Roles