# Authentication and Access Control

This guide describes the essential steps to secure a MongoDB instance in production environments. Security should be a priority when deploying MongoDB to avoid unauthorized access, data leaks, or data loss.

***

### Enable Authentication

Enable internal authentication to ensure only registered users can access the database.

#### Steps:

{% stepper %}
{% step %}

#### Create an admin user with appropriate roles

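```js
// Run in mongosh, before authorization is enabled in mongod.conf.
use admin
db.createUser({
    user: "dmk_user",
    pwd: "password",   // placeholder: replace with a strong, unique password
    roles: ["root"]    // built-in superuser role
})
```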

{% endstep %}

{% step %}

#### Edit the configuration file (e.g., `mongod.conf`) and set:

```yaml
security:
  authorization: enabled
```

{% endstep %}

{% step %}

#### Create a credential file for DMK login

```bash
mongodb@vm00:/u01/app/mongodb/admin/mdb01/secret/ [mdb01] cat /u01/app/mongodb/admin/mdb01/secret/cred.yaml
dmk_user: "dmk_user"
dmk_pwd: "password"
```

{% hint style="danger" %}
Ensure the credential file `cred.yaml` has appropriate permissions to prevent unauthorized access.
{% endhint %}
{% endstep %}

{% step %}

#### Restart the MongoDB instance

```bash
dmk_db_ctl.py -a restart -i <instance_name>
```

{% endstep %}
{% endstepper %}
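
The permission requirement from the credential file step can be checked with a script. The following is an added example, not part of DMK or of the original procedure; the function names `mode_uid` and `check_cred_file` are hypothetical, and it assumes `cred.yaml` should be accessible only to the account that runs DMK.

```shell
#!/bin/sh
# Added example: audit the permissions of a DMK credential file such as cred.yaml.
# Function names are hypothetical; they are not part of DMK.

# Print "<octal mode> <owner uid>" for a path (GNU stat first, then BSD stat).
mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# check_cred_file <path> [expected_uid]
# Returns 0 when the file passes every check, 1 otherwise. Findings go to stderr.
# The body runs in a subshell so its variables do not leak into the caller.
check_cred_file() (
    file=$1
    want_uid=${2:-$(id -u)}
    rc=0

    # Reject symlinks and anything that is not a regular file.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file" >&2
        exit 1
    fi

    set -- $(mode_uid "$file")
    mode=$1 uid=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $file is owned by uid $uid, expected $want_uid" >&2
        rc=1
    fi
    # Any group/other permission bit exposes dmk_pwd to other local accounts.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file has mode $mode; use 600 or 400" >&2
        rc=1
    fi

    # A group/other-writable directory lets another account replace the file.
    set -- $(mode_uid "$(dirname "$file")")
    if [ $(( 0$1 & 022 )) -ne 0 ]; then
        echo "FAIL: directory of $file has mode $1 (group/other writable)" >&2
        rc=1
    fi
    exit "$rc"
)

# Usage: check_cred_file /u01/app/mongodb/admin/mdb01/secret/cred.yaml
```

If the check fails on the file mode, `chmod 600` on `cred.yaml` restricts it to its owner.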

### Using Authentication

After enabling authentication (`security.authorization: enabled`), attempting to connect using the `ms` alias without proper credentials will fail:

```bash
mongodb@vm00:/home/mongodb/ [mdb01] ms
Current Mongosh Log ID: 68628382b3d1df2e6369e327
Connecting to:          mongodb://127.0.0.1:27017/?tls=true&tlsCertificateKeyFile=%2Fu01%2Fapp%2Fmongodb%2Fadmin%2Fmdb01%2Fsecret%2Fmongo-x509%2Fclients%2FclientUser.pem&tlsCAFile=%2Fu01%2Fapp%2Fmongodb%2Fadmin%2Fmdb01%2Fsecret%2Fmongo-x509%2Fca%2Fca.pem&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.5.6
Using MongoDB:          8.0.16
Using Mongosh:          2.5.6

For mongosh info see: https://www.mongodb.com/docs/mongodb-shell/

test> use admin
switched to db admin
admin> show collections
MongoServerError[Unauthorized]: Command listCollections requires authentication
```

Instead, use the `msp` alias, which reads credentials from the previously created credential file:

```bash
mongodb@vm00:/home/mongodb/ [mdb01] msp
Current Mongosh Log ID: 6862838a8c6feb3db869e327
Connecting to:          mongodb://<credentials>@127.0.0.1:27017/?tls=true&tlsCertificateKeyFile=%2Fu01%2Fapp%2Fmongodb%2Fadmin%2Fmdb01%2Fsecret%2Fmongo-x509%2Fclients%2FclientUser.pem&tlsCAFile=%2Fu01%2Fapp%2Fmongodb%2Fadmin%2Fmdb01%2Fsecret%2Fmongo-x509%2Fca%2Fca.pem&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.5.6
Using MongoDB:          8.0.16
Using Mongosh:          2.5.6

For mongosh info see: https://www.mongodb.com/docs/mongodb-shell/

------
   The server generated these startup warnings when booting
   2025-06-30T04:11:30.912-04:00: For customers running the current memory allocator, we suggest changing the contents of the following sysfsFile
   2025-06-30T04:11:30.912-04:00: We suggest setting the contents of sysfsFile to 0.
   2025-06-30T04:11:30.912-04:00: vm.max_map_count is too low
------

test> use admin
switched to db admin
admin> show collections
system.users
system.version
```

DMK will then use the granted user credentials automatically.

{% hint style="info" %}
**Note:** The `ms` alias can still be used with other credentials, e.g., `ms -u user -p`.
{% endhint %}

