Docs Home → Develop Applications → MongoDB Manual
Enable Access Control
Overview
Enabling access control on a MongoDB deployment enforces authentication, requiring users to identify themselves. When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles.
You can configure authentication in the UI for deployments hosted in MongoDB Atlas.
Note
You can't disable access control in MongoDB Atlas.
Access Control Resources
If you would like to enable access control for a standalone MongoDB instance, please refer to one of the following resources:
The following tutorial enables access control on a standalone
mongod instance and uses the default
authentication mechanism. For all
supported authentication mechanisms, see
Authentication Mechanisms.
User Administrator
With access control enabled, ensure you have a user with
userAdmin or userAdminAnyDatabase role in the
admin database. This user can administrate user and roles such as:
create users, grant or revoke roles from users, and create or modify
customs roles.
Procedure
The following procedure first adds a user administrator to a MongoDB instance running without access control and then enables access control.
Note
The example MongoDB instance uses port 27017 and the data directory /var/lib/mongodb directory . The
example assumes the existence of the data directory
/var/lib/mongodb. Specify a different data directory as
appropriate.
Start MongoDB without access control.
Start a standalone mongod instance without access
control.
Open a terminal and run the following command as the mongod user:
mongod --port 27017 --dbpath /var/lib/mongodb
The mongod instance in this tutorial uses
port 27017 and the /var/lib/mongodb
data directory.
The tutorial assumes that the /var/lib/mongodb directory exists
and is the default dbPath. You may specify a
different data directory or port as needed.
Create the user administrator.
From the mongo shell, add a user with the
userAdminAnyDatabase role in the admin database. Include additional roles as
needed for this user. For example, the following
creates the user myUserAdmin in the admin database with the
userAdminAnyDatabase role and the
readWriteAnyDatabase role.
Tip
Starting in version 4.2 of the mongo shell, you can
use the passwordPrompt() method in conjunction with
various user authentication/management methods/commands to prompt
for the password instead of specifying the password directly in the
method/command call. However, you can still specify the password
directly as you would with earlier versions of the
mongo shell.
use admin db.createUser( { user: "myUserAdmin", pwd: passwordPrompt(), // or cleartext password roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ] } )
Note
The database where you create the user (in this example,
admin) is the user's authentication database. Although the user would
authenticate to this database, the user can
have roles in other databases; i.e. the user's authentication
database does not limit the user's privileges.
Re-start the MongoDB instance with access control.
Shut down the
mongodinstance. For example, from themongoshell, issue the following command:db.adminCommand( { shutdown: 1 } ) Exit the
mongoshell.Start the
mongodwith access control enabled.If you start the
mongodfrom the command line, add the--authcommand line option:mongod --auth --port 27017 --dbpath /var/lib/mongodb If you start the
mongodusing a configuration file, add thesecurity.authorizationconfiguration file setting:security: authorization: enabled
Clients that connect to this instance must now authenticate themselves as a MongoDB user. Clients can only perform actions as determined by their assigned roles.
Create additional users as needed for your deployment.
Once authenticated as the user administrator, use
db.createUser() to create additional users. You can assign
any built-in roles or
user-defined roles to the
users.
The following operation adds a user myTester to the test
database who has readWrite role in the test
database as well as read role in the reporting
database.
Tip
Starting in version 4.2 of the mongo shell, you can
use the passwordPrompt() method in conjunction with
various user authentication/management methods/commands to prompt
for the password instead of specifying the password directly in the
method/command call. However, you can still specify the password
directly as you would with earlier versions of the
mongo shell.
use test db.createUser( { user: "myTester", pwd: passwordPrompt(), // or cleartext password roles: [ { role: "readWrite", db: "test" }, { role: "read", db: "reporting" } ] } )
Note
The database where you create the user (in this example,
test) is that user's authentication database. Although the user would
authenticate to this database, the user can have roles in other
databases; i.e. the user's authentication database does not limit
the user's privileges.
After creating the additional users, disconnect the
mongo shell.
Insert a document as myTester.
As myTester, you have privileges to perform read and write
operations in the test database (as well as perform read
operations in the reporting database). Once authenticated as
myTester, insert a document into a collection in test
database. For example, you can perform the following insert
operation in the test database:
db.foo.insert( { x: 1, y: 1 } )
Tip
See also:
Additional Considerations
Replica Sets and Sharded clusters
Replica sets and sharded clusters require internal authentication between members when access control is enabled. For more details, please see Internal/Membership Authentication.
Localhost Exception
You can create users either before or after enabling access control. If
you enable access control before creating any user, MongoDB provides a
localhost exception which allows you to
create a user administrator in the admin database. Once created,
you must authenticate as the user administrator to create additional
users as needed.