# MongoDB User Management
MongoDB provides Role-Based Access Control (RBAC), allowing administrators to create users and assign different permission roles to ensure database security.
## Enable Authentication

### Modify Configuration File

```yaml
# mongod.conf
security:
  authorization: enabled
```

### Restart MongoDB Service
```bash
# Linux/macOS
sudo systemctl restart mongod

# Windows
net stop MongoDB
net start MongoDB
```

## Create Administrator User
### Connect to admin Database

Start the shell, then switch to the `admin` database. With `authorization: enabled` and no users defined yet, MongoDB's localhost exception lets a connection from the same host create this first user.

```bash
mongosh
```

```javascript
use admin
```

### Create Super Admin
```javascript
db.createUser({
  user: "admin",
  pwd: "strongPassword123",   // or passwordPrompt() to keep the password out of shell history
  // This account can read and write every database and administer the cluster;
  // use it for administration only, never as an application account.
  roles: [
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" },
    { role: "dbAdminAnyDatabase", db: "admin" },
    { role: "clusterAdmin", db: "admin" }
  ]
})
```

### Login as Administrator
```bash
# -p with no value makes mongosh prompt for the password
mongosh -u admin -p --authenticationDatabase admin
```

## Built-in Roles
### Database User Roles
| Role | Permissions |
|---|---|
| read | Read all non-system collections |
| readWrite | Read and write all non-system collections |
### Database Administration Roles
| Role | Permissions |
|---|---|
| dbAdmin | Perform administrative tasks (indexes, statistics, etc.) |
| dbOwner | Database owner permissions (readWrite + dbAdmin + userAdmin) |
| userAdmin | Manage users and roles |
### Cluster Administration Roles
| Role | Permissions |
|---|---|
| clusterAdmin | Cluster administration permissions |
| clusterManager | Cluster monitoring and management |
| clusterMonitor | Read-only cluster monitoring |
| hostManager | Server management |
### Backup and Restore Roles
| Role | Permissions |
|---|---|
| backup | Backup data |
| restore | Restore data |
### All Database Roles
| Role | Permissions |
|---|---|
| readAnyDatabase | Read all databases |
| readWriteAnyDatabase | Read and write all databases |
| userAdminAnyDatabase | Manage users for all databases |
| dbAdminAnyDatabase | Administer all databases |
## Create Regular Users

### Read-Only User
```javascript
use mydb
db.createUser({
  user: "readonly",
  pwd: "password123",
  roles: [
    { role: "read", db: "mydb" }
  ]
})
```

### Read-Write User
```javascript
db.createUser({
  user: "appuser",
  pwd: "appPassword456",
  roles: [
    { role: "readWrite", db: "mydb" }
  ]
})
```

### Multi-Database User
```javascript
db.createUser({
  user: "multiuser",
  pwd: "multiPassword789",
  roles: [
    { role: "readWrite", db: "mydb" },
    { role: "read", db: "reporting" },
    { role: "dbAdmin", db: "mydb" }
  ]
})
```

## User Management Operations
### View All Users
```javascript
use admin
db.system.users.find().pretty()   // every user, across all databases
// Or, for users of the current database only:
show users
```

### View Current Database Users
```javascript
use mydb
db.getUsers()
```

### Change User Password
```javascript
db.changeUserPassword("appuser", "newPassword")
```

### Grant Roles
```javascript
db.grantRolesToUser("appuser", [
  { role: "dbAdmin", db: "mydb" }
])
```

### Revoke Roles
```javascript
db.revokeRolesFromUser("appuser", [
  { role: "dbAdmin", db: "mydb" }
])
```

### Drop User
```javascript
db.dropUser("appuser")
```

## Custom Roles
### Create Custom Role
```javascript
use admin
db.createRole({
  role: "appReadWrite",
  privileges: [
    {
      resource: { db: "mydb", collection: "" },   // "" = every collection in mydb
      actions: ["find", "insert", "update", "remove"]
    },
    {
      resource: { db: "mydb", collection: "system.indexes" },
      actions: ["find"]
    }
  ],
  roles: []   // no inherited roles
})
```

### Use Custom Role
```javascript
db.createUser({
  user: "customuser",
  pwd: "customPass",
  roles: [
    { role: "appReadWrite", db: "admin" }
  ]
})
```

### View Role Information
```javascript
db.getRole("appReadWrite", { showPrivileges: true })
```
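The `showPrivileges` output includes both the role's own `privileges` and its `inheritedPrivileges`, which is what a custom role actually grants once its `roles: [...]` list is taken into account. The following is an added example, not code from the tutorial or from MongoDB itself: a small model of how privileges compose across inherited roles. The `roleCatalog` is constructed to mirror the shape `db.getRole()` returns; `appReporter` is a hypothetical second role that inherits `appReadWrite`.

```javascript
// Added example (not from the tutorial): how a role's effective privileges are
// composed from its own privileges plus those of the roles it inherits.
// `roleCatalog` is constructed sample data in the shape returned by
// db.getRole(name, { showPrivileges: true }); it is not output from a live server.
const roleCatalog = {
  "admin.appReadWrite": {
    role: "appReadWrite", db: "admin",
    privileges: [
      { resource: { db: "mydb", collection: "" }, actions: ["find", "insert", "update", "remove"] },
      { resource: { db: "mydb", collection: "system.indexes" }, actions: ["find"] }
    ],
    roles: []
  },
  "admin.appReporter": {                       // hypothetical role for this example
    role: "appReporter", db: "admin",
    privileges: [
      { resource: { db: "reporting", collection: "" }, actions: ["find"] }
    ],
    roles: [{ role: "appReadWrite", db: "admin" }]   // inherits everything appReadWrite grants
  }
};

// Privileges on the same resource are merged, so key them by "db.collection".
function resourceKey(resource) {
  return `${resource.db}.${resource.collection}`;
}

// Walk the inheritance graph depth-first and union the actions per resource.
// `seen` stops the walk if roles ever form a cycle or are reached twice.
function effectivePrivileges(roleName, dbName, catalog, seen = new Set()) {
  const key = `${dbName}.${roleName}`;
  if (seen.has(key)) return {};
  seen.add(key);
  const role = catalog[key];
  if (!role) throw new Error(`unknown role ${key}`);
  const merged = {};
  for (const p of role.privileges) {
    const rk = resourceKey(p.resource);
    merged[rk] = new Set([...(merged[rk] || []), ...p.actions]);
  }
  for (const inherited of role.roles) {
    const sub = effectivePrivileges(inherited.role, inherited.db, catalog, seen);
    for (const [rk, actions] of Object.entries(sub)) {
      merged[rk] = new Set([...(merged[rk] || []), ...actions]);
    }
  }
  return merged;
}

// Sorted list of actions a role ends up with on one resource; an empty array
// means the role has no access to that resource at all.
function actionsOn(roleName, dbName, catalog, db, collection) {
  const privs = effectivePrivileges(roleName, dbName, catalog);
  return [...(privs[`${db}.${collection}`] || [])].sort();
}

// e.g. actionsOn("appReporter", "admin", roleCatalog, "mydb", "") lists the
// write actions appReporter gains only through inheritance.
```

When reviewing a custom role, compare `actionsOn` for each resource against what the application actually needs; inherited write actions are easy to miss when only the role's own `privileges` array is read.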
### Drop Role

```javascript
db.dropRole("appReadWrite")
```

## Connection String Authentication
### Basic Connection String

```
mongodb://username:password@localhost:27017/database?authSource=admin
```

`authSource` must name the database the user was created in: `admin` for the administrator above, `mydb` for `appuser`.

### Examples
```javascript
// Node.js
const { MongoClient } = require("mongodb");
const uri = "mongodb://appuser:appPassword456@localhost:27017/mydb?authSource=mydb";
const client = new MongoClient(uri);
```

```python
# Python
from pymongo import MongoClient

client = MongoClient("mongodb://appuser:appPassword456@localhost:27017/mydb?authSource=mydb")
```

```java
// Java
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;

String uri = "mongodb://appuser:appPassword456@localhost:27017/mydb?authSource=mydb";
MongoClient client = MongoClients.create(uri);
```
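Two things go wrong in practice with connection strings: a password containing `@`, `:` or `/` breaks the authority section unless it is percent-encoded, and a wrong `authSource` produces an authentication failure that looks like a bad password. The helpers below are an added example for Node.js (not tutorial code and not part of the MongoDB driver); the user, password and host values are constructed, the redaction pattern is my own, and the parser only handles single-host URIs.

```javascript
// Added example (not part of the tutorial): building, checking and redacting
// MongoDB connection strings. Assumes Node.js (built-in WHATWG URL class).
// Sample values are constructed; single-host URIs only (no comma-separated host lists).

// Build a URI, percent-encoding user and password so characters such as
// '@', ':' or '/' in a password cannot corrupt the authority section.
function buildMongoUri({ user, pwd, host = "localhost", port = 27017, db, authSource }) {
  const creds = `${encodeURIComponent(user)}:${encodeURIComponent(pwd)}`;
  const params = new URLSearchParams({ authSource: authSource ?? db });
  return `mongodb://${creds}@${host}:${port}/${encodeURIComponent(db)}?${params}`;
}

// Check that the URI carries credentials and that authSource matches the
// database the user was created in (the tutorial creates "appuser" after
// `use mydb`, so its authSource must be "mydb"). Returns a list of findings;
// an empty list means the URI looks consistent.
function checkMongoUri(uri, expectedAuthDb) {
  const findings = [];
  const u = new URL(uri);
  if (u.protocol !== "mongodb:" && u.protocol !== "mongodb+srv:") {
    findings.push(`unexpected scheme ${u.protocol}`);
  }
  if (!u.username) {
    findings.push("no username: connection would be unauthenticated");
  }
  // Drivers default authSource to the database in the path, then to "admin".
  const authSource = u.searchParams.get("authSource") || u.pathname.replace(/^\//, "") || "admin";
  if (authSource !== expectedAuthDb) {
    findings.push(`authSource is "${authSource}" but the user lives in "${expectedAuthDb}"`);
  }
  return findings;
}

// Mask the password before a URI is written to logs or error messages.
function redactMongoUri(uri) {
  return uri.replace(/^(mongodb(?:\+srv)?:\/\/[^:\/@]+:)[^@]+@/, "$1*****@");
}

// Usage: build with an awkward password, verify, then log only the redacted form.
const exampleUri = buildMongoUri({ user: "appuser", pwd: "p@ss:w/rd", db: "mydb" });
const exampleFindings = checkMongoUri(exampleUri, "mydb");
console.log(redactMongoUri(exampleUri), exampleFindings);
```

Run `checkMongoUri` on the string your application actually loads from its environment or secret store, not on a copy typed by hand, so that the check sees the same `authSource` the driver will use.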
## Best Practices

1. Use Strong Passwords
   - At least 12 characters
   - Include uppercase, lowercase, numbers, and special characters
   - Regular password rotation
2. Principle of Least Privilege
   - Grant only necessary permissions
   - Avoid using super admin roles
   - Create separate users for different applications
3. Network Security
   - Bind to specific IP addresses
   - Use firewall to restrict access
   - Enable SSL/TLS encryption
```yaml
# mongod.conf
net:
  bindIp: 127.0.0.1,10.0.0.5   # Restrict access IPs
  port: 27017
security:
  authorization: enabled
  keyFile: /path/to/keyfile    # Replica set authentication
```

4. Regular Auditing
```javascript
// View user permissions
db.getUsers()
// View role permissions
db.getRoles({ showPrivileges: true })
```
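Reading `db.getUsers()` by eye does not scale once an application has more than a handful of accounts, so it helps to script the least-privilege check from practice 2 and the audit from practice 4 together. The code below is an added example, not part of the tutorial or of mongosh: `sampleUsers` is constructed in the shape mongosh returns from `db.getUsers()` (the `reportbot` account is hypothetical), and `BROAD_ROLES` is my own list of the built-in roles from the tables above that reach beyond a single database.

```javascript
// Added example (not from the tutorial): auditing user documents for accounts
// that violate least privilege. `sampleUsers` is constructed to match the shape
// mongosh returns from db.getUsers(); it is not data from a real server.
const sampleUsers = {
  users: [
    { _id: "admin.admin", user: "admin", db: "admin",
      roles: [{ role: "userAdminAnyDatabase", db: "admin" }, { role: "clusterAdmin", db: "admin" }] },
    { _id: "mydb.appuser", user: "appuser", db: "mydb",
      roles: [{ role: "readWrite", db: "mydb" }] },
    { _id: "mydb.reportbot", user: "reportbot", db: "mydb",   // hypothetical over-privileged account
      roles: [{ role: "readWriteAnyDatabase", db: "admin" }, { role: "read", db: "reporting" }] }
  ],
  ok: 1
};

// Built-in roles that reach beyond one database or control the deployment.
const BROAD_ROLES = new Set([
  "root", "clusterAdmin", "clusterManager", "hostManager",
  "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase", "dbAdminAnyDatabase"
]);

// Accept either the db.getUsers() document ({ users: [...] }) or a plain array,
// e.g. db.getSiblingDB("admin").system.users.find().toArray() for every database.
function userList(result) {
  return Array.isArray(result) ? result : result.users;
}

// One finding per user holding a broad role, unless the user is on the
// allow-list of known administrator accounts (keyed "db.user").
function findOverPrivileged(result, allowedAdmins = new Set(["admin.admin"])) {
  const findings = [];
  for (const u of userList(result)) {
    const id = `${u.db}.${u.user}`;
    const broad = u.roles.filter(r => BROAD_ROLES.has(r.role)).map(r => r.role);
    if (broad.length > 0 && !allowedAdmins.has(id)) {
      findings.push({ user: id, roles: broad });
    }
  }
  return findings;
}

// Roles granted on a database other than the one the user was created in.
// The tutorial's "multiuser" pattern is legitimate, but each such grant should
// be a deliberate decision, so list them for review.
function crossDatabaseGrants(result) {
  const out = [];
  for (const u of userList(result)) {
    for (const r of u.roles) {
      if (r.db !== u.db && !BROAD_ROLES.has(r.role)) {
        out.push({ user: `${u.db}.${u.user}`, role: r.role, db: r.db });
      }
    }
  }
  return out;
}

// In mongosh, after `use admin`: findOverPrivileged(db.getUsers())
console.log(findOverPrivileged(sampleUsers), crossDatabaseGrants(sampleUsers));
```

Run the scan against `admin.system.users` rather than a single database's `db.getUsers()` so that users created in other databases (as `readonly` and `appuser` were in `mydb`) are included, and keep the administrator allow-list short and reviewed.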
## Summary

MongoDB's user management features provide:
- Role-Based Access Control (RBAC)
- Rich built-in roles
- Custom role support
- Flexible user permission management
Proper use of user management features can effectively protect database security.
In the next chapter, we will learn about MongoDB Create Database.