I am using the same connection string on local and production.
When the connection string is mongodb://localhost/mydb
What is the username and password?
Is it secure to keep it this way?
By default mongodb has no enabled access control, so there is no default user or password.
To enable access control, use either the command line option --auth or security.authorization configuration file setting.
You can use the following procedure or refer to Enabling Auth in the MongoDB docs.
Procedure
Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db1
Connect to the instance.
mongosh --port 27017
Create the user administrator.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(), // or cleartext password
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" }
]
}
)
Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db1
Authenticate as the user administrator.
mongosh --port 27017 --authenticationDatabase "admin"\
-u "myUserAdmin" -p
In addition with what #Camilo Silva already mentioned, if you want to give free access to create databases, read, write databases, etc, but you don't want to create a root role, you can change the 3rd step with the following:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
}
)
If you have already created the user, you can update the user as follows:
First log on:
mongo --port 27017 -u "myUserAdmin" -p "abc123" \
--authenticationDatabase "admin"
The add permissions:
use admin
db.grantRolesToUser(
"myUserAdmin",
[ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
)
For MongoDB earlier than 2.6, the command to add a root user is addUser (e.g.)
db.addUser({user:'admin',pwd:'<password>',roles:["root"]})
In addition to previously provided answers, one option is to follow the 'localhost exception' approach to create the first user if your db is already started with access control (--auth switch). In order to do that, you need to have localhost access to the server and then run:
mongo
use admin
db.createUser(
{
user: "user_name",
pwd: "user_pass",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" }
]
})
As stated in MongoDB documentation:
The localhost exception allows you to enable access control and then create the first user in the system. With the localhost exception, after you enable access control, connect to the localhost interface and create the first user in the admin database. The first user must have privileges to create other users, such as a user with the userAdmin or userAdminAnyDatabase role. Connections using the localhost exception only have access to create the first user on the admin database.
Here is the link to that section of the docs.
Go to mongo in your instance
mongo
use admin
db.createUser({user:"Username", pwd:"Password", roles:[{role:"root", db:"admin"}]})
mongod --bind_ip_all --auth
use this command after modifying the .conf file:
network interfaces
net:
port: 27017
bindIp: 127.0.0.1,mongodb_server_ip
Related
I have a monogDB replica set running on windows , im trying to add users and authentication to them.
use admin
db.createUser(
{
user: "admin",
pwd: "password",
roles: [ { role: "root", db: "admin" } ]
}
);
exit;
mongo --port 27017 -u admin -p password --authenticationDatabase admin
use test
db.createUser(
{
user: "tester",
pwd: "password",
roles: [
{ role: "read", db: "test1" },
{ role: "read", db: "test2" },
{ role: "read", db: "test3" },
{ role: "readWrite", db: "test" }
]
}
);
after creating the user I modify the cfg files of all three replica nodes changing to authorization: enabled. restarting the service and try to log in to servers.
I am able to enter with the user but all nodes changes the status to "OTHER", and if I change the authorization to unmarked (# - like it was) the replica set is working fine but the user I created doesn't work.
Any suggestions?
or does anyone know the actual steps to create replica set with authentication enabled?
Usually you do it the other way around. First enable authentication, then create the users. And typically all users are created in admin database only.
Anyway, regarding your problem: When you enable authentication then the nodes must also authenticate internally, i.e. when a replica set member connects to another replica set member.
See Internal/Membership Authentication
The simple way is to use a keyfile for this.
First create the keyfile:
openssl rand -base64 756 > <path-to-keyfile>
If you don't have openSSL you can download it from OpenSSL for Windows. Then copy this keyfile to each replica set member.
Put this option to the MongoDB configuration files:
security:
authorization: enabled
keyFile: <path-to-keyfile>
Restart the MongoDB service, then it should work.
See also Deploy Replica Set With Keyfile Authentication or Update Replica Set to Keyfile Authentication or Update Replica Set to Keyfile Authentication (No Downtime)
How to use authentication in Mongodb docker container? Create user and use that user authentication in Mongodb containers
While using Mongodb and Python flask application, we want to secure mongodb container with perticular username and password.
As written in the documentation on docker hub, you need to run the image with the --auth flag, and then add the initial admin user. Summary of the steps:
Start the Database
docker run --name some-mongo -d mongo --auth
Add the Initial Admin User
$ docker exec -it some-mongo mongo admin
connecting to: admin
> db.createUser({ user: 'jsmith', pwd: 'some-initial-password', roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] });
Successfully added user: {
"user" : "jsmith",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
I firstly installed MongoDB 3.4.1 today. But when I start it and use MongoDB shell, it gave me these warnings below:
C:\Users\hs>"C:\Program Files\MongoDB\Server\3.4\bin\mongo.exe
MongoDB shell version v3.4.1
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.1
Server has startup warnings:
2017-01-12T21:19:46.941+0800 I CONTROL [initandlisten]
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten]
my computer is Microsoft Windows [version 10.0.14393].
Mongodb v3.4
You need to do the following to create a secure database:
Make sure the user starting the process has permissions and that the directories exist (/data/db in this case).
1) Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db
2) Connect to the instance.
mongo --port 27017
3) Create the user administrator (in the admin authentication database).
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
4) Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db
5) Connect and authenticate as the user administrator.
mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
6) Create additional users as needed for your deployment (e.g. in the test authentication database).
use test
db.createUser(
{
user: "myTester",
pwd: "xyz123",
roles: [ { role: "readWrite", db: "test" },
{ role: "read", db: "reporting" } ]
}
)
7) Connect and authenticate as myTester.
mongo --port 27017 -u "myTester" -p "xyz123" --authenticationDatabase "test"
I basically just explained the short version of the official docs here: https://docs.mongodb.com/master/tutorial/enable-authentication/
OMG, what a gas plant, that top answer!
All you need to do is to:
Edit your config, e.g. C:\Program Files\MongoDB\Server\4.4\bin\mongodb.cfg
Turn the security: authorization: to enabled, as illustrated; note that this sub-entry may be missing completely. Just add it then.
Restart your MongoDB Server service from the Windows Services control panel.
Obviously, if, following this, set up a read/readWrite role-based policy, that will make much more sense.
Ref: https://docs.mongodb.com/manual/tutorial/configure-scram-client-authentication/
I've just tested this using phpunit, works as expected.
you can create an admin user or another role.
run it on mongo shell.
db.createUser({user: "username", pwd: "password", roles: ["dbAdmin"]})
if you get SCRAM-SHA-256error you can set the SHA-1 mechanism.
db.createUser({user: "username", pwd: "password", roles: ["dbAdmin"], mechanisms: ["SCRAM-SHA-1"]})
You need to delete your old db folder and recreate new one. It will resolve your issue.
I know this has been asked many times before but trust me i have used that,
I just want to know the step to step procudure to authenticate the mongodb 3.0+ on linux aws server.
You can use following procedure to enable auth on stand-alone mongodb deployment:
Create an administrator user
use admin
db.createUser(
{
user: "userAdmin",
pwd: "xxxxx",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Modify mongod.conf file to enable auth
security:
authorization: enabled
Restart mongod service:
sudo service mongod restart
Connect and authenticate as the user administrator
mongo
use admin
db.auth("userAdmin", "xxxxx")
Create additional users as needed for your deployment:
use yourdb
db.createUser(
{
user: "testuser",
pwd: "xxxxxx",
roles: [ { role: "readWrite", db: "yourdb" }
]
}
)
Try logging in using mongo shell
mongo
Reference doc
I would like to give acces to a user to 2 databases in MongoDB.
I tried this, but it only give access to the admin db.
use admin;
db.runCommand(
{
createUser: "myuser",
pwd : "mypwd",
roles:
[
{ role: "readWrite", db: "db1" } ,
{ role: "readWrite", db: "db2" }
]
});
I tried to create the user on each db, but i end up with 2 users:
user#db1 and user#db2
Any suggestions?
Users can basically be saved in any database, which is why you can provide --authenticationDatabase on the command line tools, for example.
Taking the example for the cli, your command line should look something like this
mongo yourhost:yourport/db1 -u myuser --authenticationDatabase admin -p
and
mongo yourhost:yourport/db2 -u myuser --authenticationDatabase admin -p
respectively, where you obvisouly have to substitute yourhost and yourport for actual values.