My MongoDB journey continues :) and I had my first attempt at putting username and password protection on a MongoDB instance. It went OK apart from some hiccups along the way :) Let's see what I did.
First, I downloaded the latest (v2.6.0) MongoDB binaries as a zip file and unzipped them. I put all MongoDB-related stuff inside the c:\mongo directory for my development environment on Windows, and the structure of my c:\mongo directory is a little different:
In order to set up username and password authentication, I first need to get the mongod instance up and running with authentication turned on. I achieved that by configuring it through a config file. Here is what it looks like:
dbpath = c:\mongo\data\db
port = 27017
logpath = c:\mongo\data\logs\mongo.log
auth = true
With this config file in place, I can get the mongod instance up:
Next, I need to connect to this mongod instance and create the admin user. As you can see in my config file, the server requires authentication. However, there is a localhost exception: as long as no user is defined in the system, connections coming from localhost are accepted without credentials. So I can connect to my instance anonymously (as it runs on port 27017 on localhost, which are the defaults, I don't need to pass anything when firing up the mongo shell):
All great! Let's create the user administrator. Like everything else, this chore is nicely documented, too:
use admin
db.createUser(
  {
    user: "tugberk",
    pwd: "12345678",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
We are pretty much done. We now have a user to administer our server. Let's disconnect from the mongo shell and reconnect to our mongod instance with our credentials:
mongo --host localhost --port 27017 -u tugberk -p 12345678 --authenticationDatabase admin
(If you leave the value off after -p, the shell prompts for the password instead, so it does not end up in your command history.)
I'm in, and I can see what privileges this user has on the server.
If you try to connect to this MongoDB server anonymously, you will see that you are still able to connect to it. That's really bad, isn't it? Not to the degree you might think. The real story is that MongoDB still accepts the connection, but you can't do anything useful with it: with auth enabled, every operation on data or on user accounts is refused with a "not authorized" error.
The bad part is that the existence of your server is still exposed (the unauthenticated handshake alone tells a port scanner that a MongoDB instance is listening), which remains an important issue. Just be aware of this before getting started, and if only local processes need the instance, bind it to 127.0.0.1 with bind_ip so it is not reachable from the network at all.
The user we created still has restricted access to the MongoDB server: it cannot read or write application data. If you want a user with unrestricted access, you can create one with the root role assigned. Note that userAdminAnyDatabase can grant any role to any user, itself included, so this user can make itself root at any time, which is exactly what the next step does. In our case, I will assign myself the root role:
use admin
db.grantRolesToUser("tugberk", ["root"])
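The whole procedure above (config file, starting mongod, creating the user administrator through the localhost exception, reconnecting with credentials, the anonymous-connection check, and the final root grant) as one PowerShell script. This is an added example, not code from the original post. It assumes things the post does not state: the binaries are in c:\mongo\bin, the config is saved as c:\mongo\mongod.conf, and the script is run from a prompt that can write under c:\mongo. It also goes a little beyond the post: it adds bind_ip so the instance only listens on loopback, and it feeds the shell scripts on stdin with db.auth() inside them, so the password never appears on a command line.

```powershell
# Added example, not code from the original post: the post's MongoDB 2.6 auth
# setup on Windows, scripted end to end. Assumed paths (not stated on the page):
# binaries in c:\mongo\bin, config saved as c:\mongo\mongod.conf.
$MongoHome = 'c:\mongo'
$Bin       = Join-Path $MongoHome 'bin'
$ConfPath  = Join-Path $MongoHome 'mongod.conf'
$AdminUser = 'tugberk'

# 1. Config file: the post's four settings, plus bind_ip (an addition) so the
#    instance only listens on loopback and is not reachable from the network.
New-Item -ItemType Directory -Force -Path "$MongoHome\data\db", "$MongoHome\data\logs" | Out-Null
@"
dbpath = $MongoHome\data\db
port = 27017
logpath = $MongoHome\data\logs\mongo.log
auth = true
bind_ip = 127.0.0.1
"@ | Set-Content -Path $ConfPath -Encoding Ascii

# 2. Start mongod with that config and wait until the port accepts connections.
function Wait-ForPort([string]$TargetHost, [int]$Port, [int]$TimeoutSec) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        try { (New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)).Close(); return $true }
        catch { Start-Sleep -Milliseconds 500 }
    }
    return $false
}
Start-Process -FilePath "$Bin\mongod.exe" -ArgumentList @('--config', $ConfPath)
if (-not (Wait-ForPort '127.0.0.1' 27017 30)) { throw "mongod did not come up; see $MongoHome\data\logs\mongo.log" }

# Helper: feed a script to the mongo shell on stdin. Credentials go inside the
# script via db.auth(), so the password never shows up in process listings or
# shell history the way "-p 12345678" on the command line does.
function Invoke-MongoScript([string]$Script) {
    return (($Script | & "$Bin\mongo.exe" --quiet --host 127.0.0.1 --port 27017) -join "`n")
}

# Prompt for the password rather than hard-coding it; JSON-encode both values
# so they become valid JavaScript string literals inside the scripts below.
$secure = Read-Host -Prompt "Password for $AdminUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$userJs = $AdminUser | ConvertTo-Json
$pwdJs  = $plain | ConvertTo-Json

# 3. Create the user administrator through the localhost exception: no
#    credentials are needed while the server has no users at all.
Invoke-MongoScript @"
db.getSiblingDB('admin').createUser({ user: $userJs, pwd: $pwdJs,
    roles: [ { role: 'userAdminAnyDatabase', db: 'admin' } ] });
"@

# 4. Reconnect as that user and show what this connection is authorized as.
$status = Invoke-MongoScript @"
var adminDb = db.getSiblingDB('admin');
if (!adminDb.auth($userJs, $pwdJs)) { print('AUTH FAILED'); quit(1); }
printjson(adminDb.runCommand({ connectionStatus: 1 }).authInfo);
"@
if ($status -match 'AUTH FAILED') { throw 'could not authenticate as the new user' }
$status

# 5. The check from the post: an anonymous connection is still accepted (the
#    isMaster handshake works), but anything touching data is refused.
Invoke-MongoScript @"
print('isMaster without auth: ' + db.runCommand({ isMaster: 1 }).ismaster);
var r = db.getSiblingDB('admin').runCommand({ listDatabases: 1 });
print(r.ok ? 'ANONYMOUS listDatabases SUCCEEDED: auth is not enforced!' : 'denied: ' + r.errmsg);
"@

# 6. Promote the same user to root, as the post does. This works because
#    userAdminAnyDatabase may grant any role to any user, itself included.
Invoke-MongoScript @"
var adminDb = db.getSiblingDB('admin');
if (!adminDb.auth($userJs, $pwdJs)) { quit(1); }
adminDb.grantRolesToUser($userJs, ['root']);
printjson(adminDb.getUser($userJs).roles);
"@
Remove-Variable plain, pwdJs
```

Run it from a PowerShell prompt on the machine that will host mongod. Step 4 prints the authenticatedUsers and authenticatedUserRoles that connectionStatus reports, which is the same information the post inspects after reconnecting; step 5 should print "denied: not authorized on admin to execute command ..." and anything else means auth is not actually enforced. The Read-Host prompt and the stdin-fed scripts are deliberate: the post's "-p 12345678" form works, but it leaves the password in the shell history and in the process command line for as long as the shell runs.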