Authentication and Access Control

How to secure a MongoDB instance in production environments.

This guide describes the essential steps to secure a MongoDB instance in production environments. Security should be a priority when deploying MongoDB to avoid unauthorized access, data leaks, or data loss.


Enable Authentication

Enable authentication and role-based authorization so that only registered users with the appropriate roles can access the database. (Note that MongoDB uses the term "internal authentication" for member-to-member authentication in replica sets and sharded clusters; the steps below concern client authentication.)

Steps:

1. Create an admin user with appropriate roles. This must be done while authorization is still disabled, otherwise the user creation itself requires authentication. The value "password" below is a placeholder only; replace it with a strong, unique password.

use admin
db.createUser({
    user: "dmk_user",
    pwd: "password",
    roles: ["root"]
})

2. Edit the configuration file (e.g., mongod.conf) and set:

security:
  authorization: enabled

3. Create a credential file for DMK login. The file stores the password in clear text, so it must be readable by the mongodb OS user only (e.g., mode 600) and must not be world- or group-readable.

mongodb@vm00:/u01/app/mongodb/admin/mdb01/secret/ [mdb01] cat /u01/app/mongodb/admin/mdb01/secret/cred.yaml
dmk_user: "dmk_user"
dmk_pwd: "password"

4. Restart the MongoDB instance so that the new security setting takes effect

dmk_db_ctl.py -a restart -i <instance_name>
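The following Python script is an added example and is not part of DMK or MongoDB. It is a pre-flight check for the setup above: it parses the mongod.conf fragment to confirm that security.authorization is enabled, and inspects a DMK cred.yaml for the two mistakes that most often undo the setup (a credential file readable by other OS users, and a placeholder password). The minimal YAML parser, the placeholder list, the 12-character minimum and the constructed file contents in demo() are assumptions made for this example.

```python
"""Pre-flight check for the authentication setup above (added example, not
part of DMK or MongoDB). Standard library only; the file contents used in
demo() are constructed for this example."""
import os
import secrets
import stat
import tempfile

# Values a practitioner should never find as dmk_pwd in production (assumption)
PLACEHOLDER_PASSWORDS = {"password", "changeme", "admin", "secret", "dmk_user"}
MIN_PASSWORD_LENGTH = 12  # assumed local policy


def parse_simple_yaml(text):
    """Minimal parser for the indentation-nested 'key: value' shape used by
    mongod.conf and cred.yaml (assumption: no lists, no multi-line values,
    value split at the first colon). Returns nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) path to the current nesting level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":          # e.g. 'security:' opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def authorization_enabled(conf_text):
    """True only if the mongod.conf text sets security.authorization: enabled."""
    security = parse_simple_yaml(conf_text).get("security", {})
    return isinstance(security, dict) and security.get("authorization", "").lower() == "enabled"


def check_cred_file(path):
    """Return a list of findings for a DMK cred.yaml; an empty list means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is readable by group/others, expected 0600")
    with open(path) as fh:
        cred = parse_simple_yaml(fh.read())
    pwd = cred.get("dmk_pwd", "")
    if not pwd:
        findings.append(f"{path}: dmk_pwd is missing")
    elif pwd.lower() in PLACEHOLDER_PASSWORDS or len(pwd) < MIN_PASSWORD_LENGTH:
        findings.append(f"{path}: dmk_pwd is a placeholder or shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


def write_cred_file(path, user, pwd=None):
    """Write cred.yaml with a generated password (if none is given), creating the
    file with mode 0600 from the start instead of fixing permissions afterwards."""
    pwd = pwd or secrets.token_urlsafe(24)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f'dmk_user: "{user}"\ndmk_pwd: "{pwd}"\n')
    os.chmod(path, 0o600)  # O_TRUNC on a pre-existing file keeps its old mode, so enforce it
    return pwd


def demo():
    """Run the checks on two constructed credential files: the page's placeholder
    values left world-readable, and one written by write_cred_file."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = os.path.join(tmp, "cred_weak.yaml")
        with open(weak, "w") as fh:
            fh.write('dmk_user: "dmk_user"\ndmk_pwd: "password"\n')
        os.chmod(weak, 0o644)  # what a default umask leaves behind after 'cat > cred.yaml'
        strong = os.path.join(tmp, "cred_strong.yaml")
        write_cred_file(strong, "dmk_user")
        return {"weak": check_cred_file(weak), "strong": check_cred_file(strong)}


if __name__ == "__main__":
    print("authorization enabled:", authorization_enabled("security:\n  authorization: enabled\n"))
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

Point check_cred_file() at the real cred.yaml path and authorization_enabled() at the contents of the real mongod.conf to run the check on an instance; the weak file in demo() reports two findings (permissions and placeholder password), the generated one reports none.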

Using authentication

After enabling authentication (security.authorization: enabled), connecting with the ms alias without credentials still succeeds (the TLS client certificate only secures the transport), but any command that requires authentication is rejected:

mongodb@vm00:/home/mongodb/ [mdb01] ms
Current Mongosh Log ID: 68628382b3d1df2e6369e327
Connecting to:          mongodb://127.0.0.1:27017/?tls=true&tlsCertificateKeyFile=%2Fu01%2Fapp%2Fmongodb%2Fadmin%2Fmdb01%2Fsecret%2Fmongo-x509%2Fclients%2FclientUser.pem&tlsCAFile=%2Fu01%2Fapp%2Fmongodb%2Fadmin%2Fmdb01%2Fsecret%2Fmongo-x509%2Fca%2Fca.pem&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.5.6
Using MongoDB:          8.0.11
Using Mongosh:          2.5.6

For mongosh info see: https://www.mongodb.com/docs/mongodb-shell/

test> use admin
switched to db admin
admin> show collections
MongoServerError[Unauthorized]: Command listCollections requires authentication

Instead, use the msp alias, which reads credentials from the previously created credential file:

mongodb@vm00:/home/mongodb/ [mdb01] msp
Current Mongosh Log ID: 6862838a8c6feb3db869e327
Connecting to:          mongodb://<credentials>@127.0.0.1:27017/?tls=true&tlsCertificateKeyFile=%2Fu01%2Fapp%2Fmongodb%2Fadmin%2Fmdb01%2Fsecret%2Fmongo-x509%2Fclients%2FclientUser.pem&tlsCAFile=%2Fu01%2Fapp%2Fmongodb%2Fadmin%2Fmdb01%2Fsecret%2Fmongo-x509%2Fca%2Fca.pem&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.5.6
Using MongoDB:          8.0.11
Using Mongosh:          2.5.6

For mongosh info see: https://www.mongodb.com/docs/mongodb-shell/

------
   The server generated these startup warnings when booting
   2025-06-30T04:11:30.912-04:00: For customers running the current memory allocator, we suggest changing the contents of the following sysfsFile
   2025-06-30T04:11:30.912-04:00: We suggest setting the contents of sysfsFile to 0.
   2025-06-30T04:11:30.912-04:00: vm.max_map_count is too low
------

test> use admin
switched to db admin
admin> show collections
system.users
system.version

DMK then reads the credentials from this file automatically for its own operations.

Note: The ms alias can still be used by supplying credentials explicitly, e.g., ms -u user -p (mongosh prompts for the password).
