Adding User in MongoDB
Let’s get started with routine MongoDB administration work. One of the first priorities for database administrators is to ensure their database is secure. The best way to handle security with MongoDB is to run it in a trusted environment, ensuring that only trusted users are able to connect to the server.
Each database in a MongoDB instance can have any number of users. When security is enabled, only authenticated users of a database are able to perform read or write operations. There are two special databases: users in the admin and local databases can perform operations on any database. After authenticating, admin users are able to read or write from any database and are able to perform certain admin-only commands, such as listDatabases or shutdown.
Let’s add some users with different roles to the “admin” database and to an example “mymongo” database.
Note — The ‘addUser’ shell helper is DEPRECATED. Use ‘createUser’ instead
Adding a “root” user in MongoDB (admin database):

    > use admin
    switched to db admin
    > db.createUser(
    ... {
    ...   user: "superuser",
    ...   pwd: "pass",
    ...   roles: [ "root" ]
    ... }
    ... )
    Successfully added user: { "user" : "superuser", "roles" : [ "root" ] }

Adding a “readOnly” user (mymongo database):

    > use mymongo
    switched to db mymongo
    > db.createUser( { user: "db_read1", pwd: "pass", roles: [ { role: "read", db: "mymongo" } ] } )

Adding a “readWrite” user (mymongo database):

    > db.createUser( { user: "db_write", pwd: "pass", roles: [ { role: "readWrite", db: "mymongo" } ] } )

Now restart the server, this time adding the --auth command-line option, or setting auth=true in mongodb.conf, to enable security.
When we first connect, we are unable to perform any operations (read or write) on the mymongo database.

    # mongo mymongo -u db_read1 -p
    MongoDB shell version: 2.6.4
    Enter password:
    connecting to: mymongo
    > db.collection1.findOne()
    { "_id" : ObjectId("54da125004655bd6347700d3"), "x" : 1 }
    > db.collection1.insert({o:99})
    WriteResult({
        "writeError" : {
            "code" : 13,
            "errmsg" : "not authorized on mymongo to execute command { insert: \"collection1\", documents: [ { _id: ObjectId('54da150f7a2bdd3ffd58bb93'), o: 99.0 } ], ordered: true }"
        }
    })

After authenticating as the “db_read1” user, however, we are able to perform a simple find. When we try to insert data, we are met with a failure because of the lack of authorization.
So we try with the “db_write” user.

    # mongo mymongo -u db_write -p
    MongoDB shell version: 2.6.4
    Enter password:
    connecting to: mymongo
    >
    > db.collection1.insert({u:23})
    WriteResult({ "nInserted" : 1 })

Finally, the root (“superuser”) user is able to perform operations on any database.

    # mongo admin -u superuser -p
    MongoDB shell version: 2.6.4
    Enter password:
    connecting to: admin
    > use mymongo
    switched to db mymongo
    > db.collection1.insert({k:4444});
    WriteResult({ "nInserted" : 1 })

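The role scoping shown in the sessions above can also be reviewed offline, to answer "who can write to this database, and who gets that from an instance-wide role?". The following is an added example, not part of the original post: a simplified JavaScript model of read, readWrite and root plus three other built-in roles, run over a constructed list of user documents in the shape returned by db.getUsers(). The names effectiveAccess, writersOf and sampleUsers are hypothetical.

```javascript
// Added example: simplified model of a subset of MongoDB's built-in roles.
const DB_ROLES = new Map([      // apply only to the database named in the role
  ["read", { read: true, write: false }],
  ["readWrite", { read: true, write: true }],
  ["dbOwner", { read: true, write: true }],
]);
const GLOBAL_ROLES = new Map([  // apply to every database; granted on "admin"
  ["readAnyDatabase", { read: true, write: false }],
  ["readWriteAnyDatabase", { read: true, write: true }],
  ["root", { read: true, write: true }],
]);

// Effective access of one user document on targetDb.
// instanceWide is true when any of that access comes from a global role.
function effectiveAccess(userDoc, targetDb) {
  const access = { read: false, write: false, instanceWide: false };
  for (const entry of userDoc.roles) {
    // Shell shorthand roles: ["root"] means the role on the user's own db.
    const role = typeof entry === "string" ? { role: entry, db: userDoc.db } : entry;
    const globalGrant = role.db === "admin" ? GLOBAL_ROLES.get(role.role) : undefined;
    const grant = globalGrant || (role.db === targetDb ? DB_ROLES.get(role.role) : undefined);
    if (!grant) continue;       // role is unknown here or scoped to another db
    access.read = access.read || grant.read;
    access.write = access.write || grant.write;
    access.instanceWide = access.instanceWide || Boolean(globalGrant);
  }
  return access;
}

// Everyone who can write to targetDb, as "authDb.user" plus the global flag.
function writersOf(users, targetDb) {
  return users
    .map((u) => ({ user: `${u.db}.${u.user}`, ...effectiveAccess(u, targetDb) }))
    .filter((a) => a.write)
    .map(({ user, instanceWide }) => ({ user, instanceWide }));
}

// Constructed sample: the three users created on this page, in the document
// shape returned by db.getUsers().
const sampleUsers = [
  { user: "superuser", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { user: "db_read1", db: "mymongo", roles: [{ role: "read", db: "mymongo" }] },
  { user: "db_write", db: "mymongo", roles: [{ role: "readWrite", db: "mymongo" }] },
];

console.log(writersOf(sampleUsers, "mymongo"));
```

Any entry reported with instanceWide set to true is an account whose write access is not limited to the database under review.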
With sharding, the admin database is kept on the config servers, so shard mongods have no idea it even exists. Therefore, as far as they know, they are running with authentication enabled but no admin user. Thus, shards will allow a local client to read and write from them without authentication. However, if you are worried about clients running locally on shards and connecting directly to them instead of going through the mongos, you may wish to add admin users to your shards.
Make sure that the replica sets on which you are creating users have already been added as shards to the cluster. If you create an admin user and then try to add the mongods as a shard, the addShard command will not work (because the cluster already contains an admin database).
FYR:
http://docs.mongodb.org/manual/tutorial/add-admin-user/
http://docs.mongodb.org/manual/reference/built-in-roles/














