How to Enable Access Control in MongoDB: Step-by-Step Guide
To enable access control in MongoDB, first create an administrative user in the
admin database, then enable authentication by starting MongoDB with the --auth option or setting security.authorization to enabled in the configuration file. This ensures only authenticated users can access the database.Syntax
Enabling access control in MongoDB involves two main steps:
- Create a user: Use
db.createUser()in theadmindatabase to add users with roles. - Enable authentication: Start MongoDB with
--author setsecurity.authorization: enabledinmongod.conf.
This setup restricts database access to authenticated users only.
mongodb
use admin
db.createUser({
user: "adminUser",
pwd: "strongPassword",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
})Output
Successfully added user: { "user" : "adminUser", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
Example
This example shows how to create an admin user and enable authentication by modifying the configuration file.
bash
# Step 1: Create admin user in MongoDB shell use admin db.createUser({ user: "adminUser", pwd: "strongPassword", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] }) # Step 2: Enable authentication in mongod.conf security: authorization: enabled # Step 3: Restart MongoDB server sudo systemctl restart mongod # Step 4: Connect with authentication mongo -u adminUser -p strongPassword --authenticationDatabase admin
Output
MongoDB shell version vX.Y.Z
> use admin
switched to db admin
> db.createUser(...)
Successfully added user
> exit
# After restart
$ mongo -u adminUser -p strongPassword --authenticationDatabase admin
MongoDB shell version vX.Y.Z
>
Common Pitfalls
- Not creating an admin user before enabling authentication: This locks you out of the database.
- Forgetting to restart MongoDB after changing config: Changes won't take effect until restart.
- Using weak passwords: Always use strong, unique passwords for users.
- Connecting without authentication after enabling auth: Connections will be refused.
mongodb
## Wrong way: Enabling auth without creating user
# mongod.conf
security:
authorization: enabled
# This causes connection errors because no users exist
## Right way: Create user first, then enable auth
use admin
db.createUser({ user: "adminUser", pwd: "strongPassword", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
# Then enable auth and restart mongodQuick Reference
| Step | Command/Setting | Description |
|---|---|---|
| 1 | use admin | Switch to admin database to create users |
| 2 | db.createUser({...}) | Create admin user with roles |
| 3 | security.authorization: enabled | Enable access control in mongod.conf |
| 4 | sudo systemctl restart mongod | Restart MongoDB to apply changes |
| 5 | mongo -u user -p pwd --authenticationDatabase admin | Connect with authentication |
Key Takeaways
Always create an admin user before enabling access control to avoid lockout.
Enable authentication by setting security.authorization to enabled in mongod.conf or using --auth.
Restart MongoDB after configuration changes to apply access control settings.
Use strong passwords and assign proper roles to users for secure access.
Connect to MongoDB with authentication credentials once access control is enabled.