Authentication and User Management

Beginner10 min

Secure your MongoDB deployment by enabling authentication, creating users with specific roles, and managing access control.

Prerequisites

-MongoDB installed and running
-mongosh available

Steps

Create an admin user

Create a superuser in the admin database before enabling authentication.

$ mongosh --eval 'db.getSiblingDB("admin").createUser({user: "admin", pwd: "secure_admin_pass", roles: [{role: "userAdminAnyDatabase", db: "admin"}, {role: "readWriteAnyDatabase", db: "admin"}, {role: "clusterAdmin", db: "admin"}]})'

Create the admin user BEFORE enabling authentication. Once auth is enabled, you cannot connect without credentials.

Create an application user with specific database access

Add a user with read-write access limited to a single database.

$ mongosh -u admin -p secure_admin_pass --authenticationDatabase admin --eval 'db.getSiblingDB("mydb").createUser({user: "app_user", pwd: "app_secure_pass", roles: [{role: "readWrite", db: "mydb"}]})'

Create a read-only user

Add a user that can only read data for reporting or analytics.

$ mongosh -u admin -p secure_admin_pass --authenticationDatabase admin --eval 'db.getSiblingDB("mydb").createUser({user: "readonly_user", pwd: "readonly_pass", roles: [{role: "read", db: "mydb"}]})'

Enable authentication in mongod config

Update the MongoDB configuration to require authentication for all connections.

$ echo -e 'security:\n authorization: enabled' | sudo tee -a /etc/mongod.conf && sudo systemctl restart mongod

After this restart, all connections must authenticate. Test with: mongosh -u admin -p secure_admin_pass --authenticationDatabase admin

List all users in a database

View existing users and their assigned roles.

$ mongosh -u admin -p secure_admin_pass --authenticationDatabase admin --eval 'db.getSiblingDB("mydb").getUsers()'

Full Script

full-script.sh

#!/bin/bash
# MongoDB User Management
set -euo pipefail

ADMIN_USER="admin"
ADMIN_PASS="secure_admin_pass"
AUTH_DB="admin"
TARGET_DB="mydb"

echo "=== Current users in $TARGET_DB ==="
mongosh -u "$ADMIN_USER" -p "$ADMIN_PASS" --authenticationDatabase "$AUTH_DB" --quiet --eval "
const users = db.getSiblingDB('$TARGET_DB').getUsers();
users.users.forEach(u => {
  const roles = u.roles.map(r => r.role + '@' + r.db).join(', ');
  print(u.user + ': ' + roles);
});
"

echo ""
echo "=== All users across all databases ==="
mongosh -u "$ADMIN_USER" -p "$ADMIN_PASS" --authenticationDatabase "$AUTH_DB" --quiet --eval "
const adminDb = db.getSiblingDB('admin');
const allUsers = adminDb.aggregate([
  {$currentOp: {allUsers: true, idleConnections: false}},
]).toArray();
// List users from admin system
db.getSiblingDB('admin').system.users.find({}, {user: 1, db: 1, roles: 1}).forEach(u => {
  const roles = u.roles.map(r => r.role + '@' + r.db).join(', ');
  print(u.user + '@' + u.db + ': ' + roles);
});
"

echo ""
echo "=== Testing connections ==="
mongosh -u "app_user" -p "app_secure_pass" --authenticationDatabase "$TARGET_DB" --quiet --eval "
print('app_user connected successfully to $TARGET_DB');
print('Can read: ' + (db.runCommand({find: 'test', limit: 1}).ok === 1));
" "$TARGET_DB" 2>/dev/null || echo "app_user: connection failed or user does not exist"

FAQ

Discussion

Loading comments...

#!/bin/bash # MongoDB User Management set -euo pipefail ADMIN_USER="admin" ADMIN_PASS="secure_admin_pass" AUTH_DB="admin" TARGET_DB="mydb" echo "=== Current users in $TARGET_DB ===" mongosh -u "$ADMIN_USER" -p "$ADMIN_PASS" --authenticationDatabase "$AUTH_DB" --quiet --eval " const users = db.getSiblingDB('$TARGET_DB').getUsers(); users.users.forEach(u => { const roles = u.roles.map(r => r.role + '@' + r.db).join(', '); print(u.user + ': ' + roles); }); " echo "" echo "=== All users across all databases ===" mongosh -u "$ADMIN_USER" -p "$ADMIN_PASS" --authenticationDatabase "$AUTH_DB" --quiet --eval " const adminDb = db.getSiblingDB('admin'); const allUsers = adminDb.aggregate([ {$currentOp: {allUsers: true, idleConnections: false}}, ]).toArray(); // List users from admin system db.getSiblingDB('admin').system.users.find({}, {user: 1, db: 1, roles: 1}).forEach(u => { const roles = u.roles.map(r => r.role + '@' + r.db).join(', '); print(u.user + '@' + u.db + ': ' + roles); }); " echo "" echo "=== Testing connections ===" mongosh -u "app_user" -p "app_secure_pass" --authenticationDatabase "$TARGET_DB" --quiet --eval " print('app_user connected successfully to $TARGET_DB'); print('Can read: ' + (db.runCommand({find: 'test', limit: 1}).ok === 1)); " "$TARGET_DB" 2>/dev/null || echo "app_user: connection failed or user does not exist"