
Authorization with MongoDB

MongoDB's most basic authorization relies on the username/password method. By default, MongoDB will not start with authorization enabled. To enable it, we need to start our server with the --auth parameter:

$ mongod --auth

To set up authorization, we first need to start our server without authorization so that we can create a user. Setting up an admin user is as simple as follows:

> use admin
> db.createUser(
    {
      user: <adminUser>,
      pwd: <password>,
      roles: [ { role: <adminRole>, db: "admin" } ]
    }
  )

Here, <adminUser> is the name of the user we want to create, <password> is the password, and <adminRole> can be any of the following values, ordered from most powerful to least:

  • root
  • dbAdminAnyDatabase
  • userAdminAnyDatabase
  • readWriteAnyDatabase
  • readAnyDatabase
  • dbOwner
  • dbAdmin
  • userAdmin
  • readWrite
  • read

Of these roles, root is the superuser, allowed access to everything. Using it is not recommended, except in special circumstances.

All the AnyDatabase roles provide access to all databases. Of these, dbAdminAnyDatabase combines the userAdminAnyDatabase and readWriteAnyDatabase scopes, again acting as an admin in all databases.

The rest of the roles are defined on the database to which we want them to apply, by changing the roles subdocument of the preceding db.createUser(). For example, to create a dbAdmin for our mongo_book database, we would use the following:

> db.createUser(
    {
      user: <adminUser>,
      pwd: <password>,
      roles: [ { role: "dbAdmin", db: "mongo_book" } ]
    }
  )

Cluster administration has even more roles, which we will cover in more depth in Chapter 10, Replication.

Finally, when we restart our database with the --auth flag set, we can use either the command line or the connection string (from any driver) to connect as admin and create new users with predefined or custom-defined roles:

mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
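
The connection string format above treats :, / and @ as delimiters, so credentials containing them must be percent-encoded, and a user created in the admin database needs authSource=admin when the URI names another database. The following JavaScript is an added example, not code from the book: the function names, user name, password and host names are constructed for illustration, and the parser is a minimal sketch, not a driver's own.

```javascript
// Added example. All sample values (appAdmin, the password, the
// db*.example.net hosts) are constructed; function names are hypothetical.

// Build a URI in the format shown above, percent-encoding the credentials
// so that : / ? # [ ] @ $ inside them are not read as URI delimiters.
function buildMongoUri({ user, password, hosts, database = "", options = {} }) {
  if (!Array.isArray(hosts) || hosts.length === 0) {
    throw new Error("at least one host is required");
  }
  const cred = user
    ? `${encodeURIComponent(user)}:${encodeURIComponent(password)}@`
    : "";
  const query = Object.entries(options)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `mongodb://${cred}${hosts.join(",")}/${encodeURIComponent(database)}` +
    (query ? `?${query}` : "");
}

// Minimal parser for the same format, to inspect how a URI splits into parts.
function parseMongoUri(uri) {
  const m = /^mongodb:\/\/(?:([^:@\/]*):([^@\/]*)@)?([^\/?]+)(?:\/([^?]*))?(?:\?(.*))?$/.exec(uri);
  if (!m) throw new Error("not a valid mongodb:// connection string");
  const [, user, password, hostList, database = "", query = ""] = m;
  const options = {};
  for (const pair of query.split("&").filter(Boolean)) {
    const [k, v = ""] = pair.split("=");
    options[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return {
    user: user === undefined ? null : decodeURIComponent(user),
    password: password === undefined ? null : decodeURIComponent(password),
    hosts: hostList.split(","),
    database: decodeURIComponent(database),
    options,
  };
}

// The user lives in the admin database, so authSource points there even
// though the URI selects mongo_book.
const sampleUri = buildMongoUri({
  user: "appAdmin", password: "p@ss:w/rd",
  hosts: ["db1.example.net:27017", "db2.example.net:27017"],
  database: "mongo_book", options: { authSource: "admin" },
});
console.log(sampleUri);
console.log(parseMongoUri(sampleUri));
```

Pasting the same password into the URI without encoding makes the first @ end the credentials, so the host and database parts are read from the remainder of the password.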