|
1 | | -=============================================== |
2 | | -Use Authentication to Control Access to MongoDB |
3 | | -=============================================== |
| 1 | +======================================================= |
| 2 | +Control Access to MongoDB Instances with Authentication |
| 3 | +======================================================= |
4 | 4 |
|
5 | 5 | .. default-domain:: mongodb |
6 | 6 |
|
7 | | -Basic authentication and access control is enabled with the |
8 | | -:option:`--auth <mongod --auth>` |
9 | | -or |
10 | | -:option:`--keyFile <mongod --keyFile>` |
11 | | -options in versions of MongoDB up to and including version 2.2. |
| 7 | +MongoDB provides a basic authentication system, that you can enable |
| 8 | +with the :setting:`auth` and :setting:`keyFile` configuration |
| 9 | +settings. [#cli-options]_ See the :ref:`authentication |
| 10 | +<security-authentication>` section of the :doc:`/authentication/security` |
| 11 | +document. |
12 | 12 |
|
13 | | -Some important things to note about authentication: |
| 13 | +This document contains an overview of all operations related to |
| 14 | +authentication and managing a MongoDB deployment with authentication. |
14 | 15 |
|
15 | | -* Authentication is off by default. |
16 | | -* Prior to version 2.0, it is not possible to enable authentication |
17 | | - in a sharded environment. |
| 16 | +.. see:: The :ref:`configuration-security` section of the |
| 17 | + :doc:`/administration/configuration` document for more information |
| 18 | + on configuring authentication. |
18 | 19 |
|
19 | | -* Once authenticated, a normal user has full "read and write" access |
20 | | - to the database. You can also create read-only users, who only |
21 | | - have read access. |
22 | | - |
23 | | -Each database contains a "system.users" collection, which contains |
24 | | -all the user information. For example: |
25 | | - |
26 | | -.. code-block:: javascript |
27 | | - |
28 | | - > db.system.users.find() |
29 | | - { "_id": ObjectId("5075362366b2b6e3603b65c9"), "user": "readOnly", "readOnly": true, "pwd": "76841722f39207db6b332e64bfacd4ba" } |
30 | | - Fetched 1 record(s) in 1ms -- Index[none] -- More[false] |
31 | | - |
32 | | - |
33 | | -Role-based access control with MongoDB is simple |
34 | | -with only two roles – "read" and "normal" (i.e. full read/write |
35 | | -access). There are several tickets related to improving the |
36 | | -implementation of authorization within MongoDB: |
37 | | - |
38 | | -* :issue:`SERVER-3198` |
39 | | -* :issue:`SERVER-7122` |
40 | | -* :issue:`SERVER-7124` |
41 | | - |
42 | | -The admin database is special. Several administrative commands |
43 | | -can only run on the admin database (and so can only be run by an |
44 | | -admin user). You can use the `db.admin.command()` shell helper as |
45 | | -one way of running administrative commands. For example, to list |
46 | | -all databases: |
47 | | - |
48 | | -.. code-block:: javascript |
49 | | - |
50 | | - db.adminCommand( { listDatabases : 1 } ) |
51 | | - |
52 | | -Additionally, please be aware that users with access to the admin |
53 | | -database have “read and write” access to all other databases on |
54 | | -the server/cluster. |
| 20 | +.. [#cli-options] Use the :option:`--auth <mongod --auth>` |
| 21 | + :option:`--keyFile <mongod --keyFile>` options on the command |
| 22 | + line. |
55 | 23 |
|
56 | 24 | Adding Users |
57 | 25 | ------------ |
58 | 26 |
|
59 | | -You must either: |
60 | | - |
61 | | -#. have added a user to the admin db before starting the server with |
62 | | - :option:`--auth <mongod --auth>`, |
63 | | - |
64 | | -#. added the first user from a localhost connection (you cannot add |
65 | | - the first user from a connection that is not local with respect to |
66 | | - the :program:`mongod` process). |
67 | | - |
68 | | -.. note:: |
| 27 | +When setting up authentication for the first time you must either: |
69 | 28 |
|
70 | | - Option (2) to add a user via localhost does not work in |
71 | | - sharded clusters running v2.2+ due to :issue:`SERVER-6591`. If you are |
72 | | - running 2.2 with a sharded cluster and want to use secure mode you |
73 | | - must setup the cluster and add an admin user before restarting the |
74 | | - cluster to run with :option:`--keyFile <mongod --keyFile>`. |
| 29 | +#. add at least one user to the ``admin`` database before starting |
| 30 | + the :program:`mongod` instance with :setting:`auth`. |
75 | 31 |
|
76 | | -Configuration |
77 | | -~~~~~~~~~~~~~ |
| 32 | +#. add the first user to the ``admin`` database when connected to the |
| 33 | + :program:`mongod` instance from a ``localhost`` |
| 34 | + connection. [#sharded-localhost]_ |
78 | 35 |
|
79 | | -First create an administrator for the `mongod` instance. This |
80 | | -user is stored under the special `admin` database. |
| 36 | +Begin by setting up the first administrative user for the |
| 37 | +:program:`mongod` instance. Administrative users are those users that |
| 38 | +have "normal" or read and write access to the ``admin`` |
| 39 | +database. Connect to the :program:`mongod` on the ``localhost`` |
| 40 | +interface using the :program:`mongo` shell. |
81 | 41 |
|
82 | 42 | If there are no admin users, one may access the database from the |
83 | 43 | localhost interface without authenticating. Therefore, on the |
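Review bot: the added step "add the first user to the ``admin`` database when connected to the :program:`mongod` instance from a ``localhost`` connection. [#sharded-localhost]_" references a footnote, but no ``.. [#sharded-localhost]`` definition appears in this hunk, while the removed note that this localhost option "does not work in sharded clusters running v2.2+ due to :issue:`SERVER-6591`" is exactly the content that footnote would need; unless the definition is added elsewhere in the file, Sphinx will report the footnote as unresolved and that caveat is silently lost. Three smaller points in the same hunk: the new ``[#cli-options]`` footnote reads "Use the :option:`--auth <mongod --auth>` :option:`--keyFile <mongod --keyFile>` options" and needs an "or" between the two options; "a basic authentication system, that you can enable" should drop the comma before "that"; and the removed paragraph "users with access to the admin database have read and write access to all other databases on the server/cluster", together with "Authentication is off by default", has no replacement in the new text, which only points readers to :ref:`security-authentication`. Suggest keeping at least the admin-database sentence inline next to "Begin by setting up the first administrative user", since it states the access-control consequence of the user the reader is about to create.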
@@ -353,4 +313,4 @@ MongoDB instance. The MongoDB instance will exit with an error if |
353 | 313 | the keyFile is readable, writeable or executable by any other |
354 | 314 | account on the system. |
355 | 315 |
|
356 | | -Currently, permissions are not checked by :program:`mongod.exe` on Windows. |
| 316 | +Currently, permissions are not checked by :program:`mongod.exe` on Windows. |
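Review bot: the removed and added lines render identically ("Currently, permissions are not checked by :program:`mongod.exe` on Windows."), so this hunk is a whitespace or end-of-file newline change only; that is fine, but the preceding context says :program:`mongod` exits if the keyFile is readable, writeable or executable by another account, and the Windows sentence gives no corresponding guidance, so consider adding one line telling Windows operators to restrict the keyFile's permissions themselves.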