Users and roles

Apart from its authentication systems, MongoDB has users and roles, which can be applied to different databases. First, let’s see how to create an admin user on the admin database with god-like (root) permissions.

Root permissions for all mongo databases:

use admin
db.createUser(
  {
    user: "admin",
    pwd: "KeepASecret",
    roles: [ "root" ]
  }
)
Successfully added user: { "user" : "admin", "roles" : [ "root" ] }

Now MongoDB will not show you anything. Log out and log in again, this time using those credentials.

root@usurbil:# mongo -u admin -p KeepASecret admin
MongoDB shell version: 2.6.1
connecting to: admin
>

To check the permissions for a certain user:

db.runCommand(
  {
    usersInfo: "admin",
    showPrivileges: true
  }
)

One user just for one database

Some basic permissions for just one db:

use myotherdb
db.createUser(
  {
    user: "myotherdbuser",
    pwd: "KeepASecret",
    roles: [ "readWrite", "dbAdmin" ]
  }
)

That’s it: first we switch to the target database, and then we run the db.createUser command with self-explanatory options in JSON syntax. If anything fails, we can just stop mongod and re-run it without the --auth flag. If you try to log in from the mongo shell as this admin user with a wrong password, you’ll get:

root@linux:# mongo -u admin -p wrongpass admin
MongoDB shell version: 2.6.1
connecting to: admin
2014-07-18T01:32:04.702+0200 Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 } at src/mongo/shell/db.js:1210
exception: login failed
root@linux:#

We could also connect without any user and authenticate from inside the mongo shell:

root@linux:# mongo --host localhost admin
MongoDB shell version: 2.6.1
connecting to: localhost:27017/admin
> db.auth({user: 'admin', pwd: 'KeepASecret'})

Changing password

To change a password, log in as admin, switch to that user’s database and execute the changeUserPassword command:

use myotherdb
switched to db myotherdb
> db.changeUserPassword("myotherdbuser", "1234567")

Updating permissions

Database access is stored in a collection, of course: db.system.users. So we can just execute update queries to add new roles; the roles field is simply an array that we can push values to or pop values from.

db.system.users.update({_id: "admin.admin"}, {$push: {"roles": {"role": "root", "db": "mytotherdb"}}})
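
Since roles are plain {role, db} entries that anyone with write access to system.users can push, it pays to review that array regularly. The following is an added example, not code from the original post: Node.js JavaScript that flags superuser-equivalent, cluster-wide and cross-database roles in user documents shaped like usersInfo output. The severity labels, the function names and the "report" user are assumptions made for illustration.

```javascript
// Added example (not from the original post): audit user documents, shaped like
// usersInfo output / system.users entries, for overly powerful roles.

// Built-in roles that give system-wide superuser access wherever they appear.
const SUPERUSER_ANYWHERE = new Set(["root", "__system", "userAdminAnyDatabase"]);
// Roles that are superuser-equivalent only when scoped to the admin database.
const SUPERUSER_ON_ADMIN = new Set(["dbOwner", "userAdmin"]);
// Broad roles worth reviewing even though they are not full superuser.
const BROAD = new Set(["readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"]);

// Accept both {role, db} documents and bare strings (role on the user's own db).
function normalizeRole(entry, userDb) {
  return typeof entry === "string" ? { role: entry, db: userDb } : entry;
}

// Returns a list of findings: {user, db, role, roleDb, severity, reason}.
function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    for (const raw of u.roles || []) {
      const r = normalizeRole(raw, u.db);
      let severity = null, reason = null;
      if (SUPERUSER_ANYWHERE.has(r.role) || (SUPERUSER_ON_ADMIN.has(r.role) && r.db === "admin")) {
        severity = "high"; reason = "superuser-equivalent role";
      } else if (BROAD.has(r.role)) {
        severity = "medium"; reason = "role spans all databases or the cluster";
      } else if (r.db !== u.db) {
        severity = "low"; reason = "role granted on a database other than the user's own";
      }
      if (severity) findings.push({ user: u.user, db: u.db, role: r.role, roleDb: r.db, severity, reason });
    }
  }
  return findings;
}

// Constructed sample in the shape returned by usersInfo, using this page's users.
const SAMPLE_USERS = [
  { _id: "admin.admin", user: "admin", db: "admin",
    roles: [{ role: "root", db: "admin" }, { role: "root", db: "mytotherdb" }] },
  { _id: "myotherdb.myotherdbuser", user: "myotherdbuser", db: "myotherdb",
    roles: [{ role: "readWrite", db: "myotherdb" }, { role: "dbAdmin", db: "myotherdb" }] },
  { _id: "admin.report", user: "report", db: "admin", // hypothetical user
    roles: [{ role: "read", db: "sales" }, { role: "userAdmin", db: "admin" }] },
];

for (const f of auditUsers(SAMPLE_USERS)) {
  console.log(`[${f.severity}] ${f.user}@${f.db}: ${f.role} on ${f.roleDb} (${f.reason})`);
}
```

The same function can be run over user documents exported from a real deployment in place of the constructed sample.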
