On this page
To authenticate a client in MongoDB, you must add a corresponding user to MongoDB.
User Management Interface¶
The first user created in the database should be a user administrator who has the privileges to manage other users. See Enable Auth.
You can also update existing users, such as to change password and grant or revoke roles. For a full list of user management methods, see User Management.
When adding a user, you create the user in a specific database. This database is the authentication database for the user.
A user can have privileges across different databases; i.e. a user’s privileges are not limited to the authentication database. By assigning to the user roles in other databases, a user created in one database can have permissions to act on other databases. For more information on roles, see Role-Based Access Control.
The user’s name and authentication database serve as a unique identifier for that user. That is, if two users have the same name but are created in different databases, they are two separate users. If you intend to have a single user with permissions on multiple databases, create a single user with roles in the applicable databases instead of creating the user multiple times in different databases.
Authenticate a User¶
To authenticate a user, either
- Use the command line authentication options (e.g.
--authenticationDatabase) when connecting to the
- Connect first to the
mongosinstance, and then run the
authenticatecommand or the
db.auth()method against the authentication database.
To authenticate, the client must authenticate the user against the user’s authentication database.
For instance, if using the
mongo shell as a client, you can
specify the authentication database for the user with the
Centralized User Data¶
Changed in version 2.6.
Do not access this collection directly but instead use the user management commands.
The localhost exception allows you to enable access control and then
create the first user in the system. With the localhost exception, after
you enable access control, connect to the localhost interface and create
the first user in the
admin database. The first user must have
privileges to create other users, such as a user with the
Changed in version 3.0: The localhost exception changed so that these connections only
have access to create the first user on the
database. In previous versions, connections that gained access
using the localhost exception had unrestricted access to the
The localhost exception applies only when there are no users created in the MongoDB instance.
In the case of a sharded cluster, the localhost exception applies to each shard
individually as well as to the cluster as a whole. Once you create a sharded
cluster and add a user administrator through the
you must still prevent unauthorized access to the individual shards. Follow one
of the following steps for each shard in your cluster:
- Create an administrative user, or
- Disable the localhost exception at startup. To disable the localhost
exception, set the