Introduction
Ok, first things first, it has to be said.
MongoDB is not
- the cooler, newer and shinier MySQL. It is different, in every major aspect
- suitable for thinking in analogies to product X (even couchdb). In fact, if you do so, this will get you well into trouble sooner or later.
- to be taken lightly. You need to read the documentation. Thoroughly. And again.
You really have to stop thinking in terms of "How do I do X like I did in technology Y in technology Z?"
When it comes to data modeling in MongoDB for example, this attitude will cause some pains in the neck for you, some easy to correct (like overembedding), some very, very hard (like choosing a wrong shard key).
Disclaimer: Changing security settings may render your instance and/or cluster inaccessible. Proceed with extreme caution and only if you are absolutely positively sure you understood what you are doing.
I will assume that we are talking of a standalone MongoDB instance or a replica set. If you have a sharded cluster, stop reading and ask your DBA – or get one.
Really. I mean it. Sudo read the docs! ;) They are well written, thorough and helpful.
You need to understand what you are doing, hence reading the docs is step 0.
Step 1: Create the administrative user
To have your administrative user ready when you enable the authentication feature, you need to set it up first.
- Connect to your mongodb instance
- Change to the admin database:
use admin
- Create the administrative user:
db.createUser({
  user: "funkyNameForUserAdminSinceThereIsNoConvention",
  pwd: "changeMePlease:Loremipsumdolorsitamet,consecteturt",
  roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
})
Note that this user only has the permission to manage other users. The user does not have any other permission. If you need other permissions: add the corresponding users with the respective roles after finishing step 4.
Step 2: Enable authentication
Probably the most controversial default setting in MongoDB is that authentication is not enabled by default, which led to quite a lot of data being exposed to the public by... less professional people.
To enable authentication, you need to configure your instance accordingly. Here comes a problem: there are two configuration file formats available: the legacy format and YAML. You have to find out which one your installation uses and make the change according to the details below.
In legacy format
Add the line
auth=true
to your mongod.conf
In YAML format
Add
security:
  authorization: enabled
to your mongod.conf
(indentation matters!).
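As an added check that is not part of the original post, here is a small Python script that reports whether a mongod.conf enables authorization in either format. It deliberately rejects the YAML variant where authorization: is not indented under security:, which is exactly the indentation mistake warned about above. The parser is minimal and written for this post (not a general YAML parser; flow-style YAML like security: {authorization: enabled} is not handled); the sample configs are constructed.

```python
import re

def authorization_enabled(conf_text):
    """Return True if the given mongod.conf text enables authorization.

    Handles the legacy ini-style format (auth=true) and the YAML format
    (a 'security:' mapping with an indented 'authorization: enabled' child).
    Assumption: the file is in one of these two formats. Comments and blank
    lines are ignored; flow-style YAML is not handled (minimal parser).
    """
    lines = []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if line.strip():
            lines.append(line)

    # Legacy format: a bare 'auth = true' anywhere in the file.
    for line in lines:
        m = re.match(r'^\s*auth\s*=\s*(\S+)\s*$', line)
        if m:
            return m.group(1).lower() == 'true'

    # YAML format: 'authorization' must be MORE indented than 'security:'.
    in_security = False
    security_indent = 0
    for line in lines:
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(':')
        value = value.strip()
        if in_security and indent <= security_indent:
            in_security = False            # left the security: block
        if not in_security and key == 'security' and value == '':
            in_security = True
            security_indent = indent
            continue
        if in_security and key == 'authorization':
            return value.lower() == 'enabled'
    return False

# Constructed sample configs for demonstration.
LEGACY_CONF = "# legacy format\nport = 27017\nauth = true\n"
YAML_CONF = "net:\n  port: 27017\nsecurity:\n  authorization: enabled\n"
YAML_BAD_INDENT = "security:\nauthorization: enabled\n"   # not nested!

if __name__ == "__main__":
    for name, text in [("legacy", LEGACY_CONF), ("yaml", YAML_CONF),
                       ("yaml-bad-indent", YAML_BAD_INDENT)]:
        print(name, "->", "enabled" if authorization_enabled(text) else "NOT enabled")
```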
Step 3: Restart your MongoDB instance
Not much to say here, since I do not know your OS, but I am sure you know how to do this.
Step 4: Create a user account
In MongoDB, any user can be stored in (almost) any database. So a user with access to "foo" might well be stored in database "bar". The reason for this is that while a user's primary database might be "bar", he might as well be granted access to db "foo" and this way there is no need for duplicate user entries. The user requesting access to "foo" would do so by setting the --authenticationDatabase flag for the shell client:
mongo [host[:port]/]foo --authenticationDatabase bar -u funkyUser -p
We do so now accordingly with our newly created admin user:
mongo [host[:port]/]bar --authenticationDatabase admin \
-u funkyNameForUserAdminSinceThereIsNoConvention -p
We should now be in the database "bar", for which we want to create a user with the readWrite role for "foo" and "bar", as per the example above.
db.createUser({
  user: "funkyUser",
  pwd: "changeMePlease:Loremipsumdolorsitamet,consecteturt",
  roles: [
    { role: "readWrite", db: "foo" },
    { role: "readWrite", db: "bar" }
  ]
})
Done!
You should now be able to log in as "funkyUser" and read and change both "foo" and "bar" according to the needs of a web application.