Secure your MongoDB Deployment

Deployment Type:

Author: MongoDB Documentation Team

This guide describes how to enforce authentication on your local MongoDB deployment.

Time required: 10 minutes

What You’ll Need

Check Your Environment

Ensure that your MongoDB instance is running.

To make sure that your MongoDB instance is running on Windows, run the following command from the Windows command prompt:

copy 
tasklist /FI "IMAGENAME eq mongod.exe"

If a mongod.exe instance is running, you will see something like:

copy 
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
mongod.exe                    8716 Console                    1      9,508 K

To make sure your MongoDB instance is running on mac, run the following command from your terminal:

copy 
ps -e | grep 'mongod'

If a mongod instance is running, you will see something like:

copy 
89780 ttys026    0:53.48 ./mongod

To make sure your MongoDB instance is running on linux, run the following command from your terminal:

copy 
ps -e| grep 'mongod'

If a mongod instance is running, you will see something like:

copy 
89780 ttys026    0:53.48 ./mongod

Procedure

1

Locate the mongo shell.

The mongo shell is packaged with the MongoDB Server Community and Enterprise distributions, and is also available for users of Atlas as a client-only download.

MongoDB binaries are located in a directory that starts with mongodb-. Within a bin directory, you should see a file named mongo, which is the shell executable.

If you do not have mongo shell installed, follow the install directions for your environment.

Download the latest stable version for your environment.

After downloading, click on the downloaded .msi file. The Windows Installer will guide you through the installation.

Download the latest stable version for your environment.

Double click the tgz file to untar the file.

Download the latest stable version for your environment.

Extract the tar file and locate the mongo executable under the bin directory of your install root.

copy 
tar -xvzf <tgz file>
2

Connect to your MongoDB instance

Select the operating system platform on which you are running the MongoDB client you have selected.

Note

If you are running your mongod instance with the default host (localhost) and port (27017), you can leave those parameters out when running mongo shell.

copy 
mongo.exe --host <HOSTNAME> --port <PORT>
copy 
mongo --host <HOSTNAME> --port <PORT>
copy 
mongo --host <HOSTNAME> --port <PORT>
3

Switch to the admin database.

copy 
use admin
4

Create a root user with the db.createUser() method.

copy 
db.createUser(
  {
    user: "superuser",
    pwd: "changeMeToAStrongPassword",
    roles: [ "root" ]
  }
)

Users with the root role have full privileges on all resources. You can therefore use your new superuser user to query your database, add indexes, create additional users, administer your deployment, etc.

5

Verify that you have successfully added your user.

Run show users to see if your user was created:

copy 
show users

You should see output similar to the following:

copy 
{
   "_id" : "admin.superuser",
   "userId" : UUID("7c2aee5c-6af5-4e25-ae0f-4422c6a8a03c"),
   "user" : "superuser",
   "db" : "admin",
   "roles" : [
           {
             "role" : "root",
             "db" : "admin"
           }
   ],
   "mechanisms" : [
           "SCRAM-SHA-1",
           "SCRAM-SHA-256"
   ]
 }
6

Shut down your MongoDB instance.

From the mongo shell, shut down your mongod instance.

copy 
db.shutdownServer()

You should see a message that resembles server should be down....

Type exit to exit the mongo shell.

copy 
exit
7

Restart your MongoDB instance with access control.

To restart MongoDB, run mongod.exe with the --auth option.

copy 
"C:\Program Files\MongoDB\Server\4.0\bin\mongod.exe" --dbpath "d:\test\mongo db data" --auth

This starts the main MongoDB database process. The waiting for connections message in the console output indicates that the mongod.exe process is running successfully.

To restart MongoDB with access control, run the mongod process from your terminal with the --auth option. The mongod process is located in a bin folder in the MongoDB installation directory.

copy 
mongod --dbpath <path to data directory> --auth

If you used the default data directory for your MongoDB deployment, (i.e., /data/db), you can leave off the --dbpath option.

If your mongod instance has successfully started, you will see logging output in your terminal that includes [initandlisten] waiting for connections.

Note

The following instructions assume that you installed MongoDB from a tar.gz archive rather than using a package manager. If you used the package manager for your Linux distribution to install MongoDB, edit your configuration file to include the security.authorization setting before starting your mongod service as usual. Refer to the configuration file documentation for more information.

To restart MongoDB with access control, run the mongod process from your terminal with the --auth option. The mongod process is located in a bin folder in the MongoDB installation directory.

copy 
mongod --dbpath <path to data directory> --auth

If you used the default data directory for your MongoDB deployment, (i.e., /data/db), you can leave off the --dbpath option.

If your mongod instance has successfully started, you will see logging output in your terminal that includes [initandlisten] waiting for connections.

Summary

If you have successfully completed this guide you have enabled basic authentication on your local MongoDB instance.

What’s Next

The next guide walks you through connecting to your new MongoDB instance.

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.