Securing MongoDB Logins: Best Practices for Creating Users, Managing Roles, and Ensuring Safe Authentication
In MongoDB, creating secure logins and managing access control is crucial for protecting your database. MongoDB uses role-based access control (RBAC) to manage user permissions. To create a login and secure access to MongoDB, you typically create users with roles that determine what actions the user can perform on specific databases.
Here’s a detailed explanation of how to create a login in MongoDB using the db.createUser()
method, along with the important options and best practices to ensure secure access control.
Steps to Create a Login in MongoDB
- Enable Authentication (if not already enabled)
- By default, MongoDB doesn’t require user authentication for connections. You need to enable authentication for secure login. To do so, configure MongoDB to enforce authentication by adding the following to the
mongod.conf
file:
12security:authorization: enabled - Restart the MongoDB service after making this change.
1sudo systemctl restart mongod
- By default, MongoDB doesn’t require user authentication for connections. You need to enable authentication for secure login. To do so, configure MongoDB to enforce authentication by adding the following to the
- Access MongoDB without Authentication (if this is your first time setting up) If authentication has been enabled, but you haven’t created a user yet, you can temporarily start MongoDB without the
authorization
option to create the initial user. - Switch to the
admin
Database Users who can manage other users or the system itself should be created in theadmin
database. Use the following command to switch to theadmin
database:
1use admin - Create a User with the
db.createUser()
Command MongoDB uses thedb.createUser()
method to create user logins. The command includes several important options for securing the login and assigning appropriate roles.
db.createUser()
Syntax
Here’s the general syntax for creating a user in MongoDB:
1 2 3 4 5 6 7 |
db.createUser({ user: "username", pwd: "password", roles: [ { role: "roleName", db: "databaseName" } ], mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"], passwordDigestor: "server" }) |
Key Options for Securing Login in MongoDB
user
(username):- This specifies the username for the new login. Ensure that usernames are unique within a MongoDB deployment (i.e., per database).
1user: "secureUser"pwd
(password):- This is the password associated with the user. Make sure to use strong passwords that are difficult to guess and follow best practices such as:
- Minimum 12 characters
- Mix of uppercase and lowercase letters
- Inclusion of numbers and symbols
1pwd: "sEcUr3_P@ssw0rd!"- This is the password associated with the user. Make sure to use strong passwords that are difficult to guess and follow best practices such as:
roles
(Role-Based Access Control):- The
roles
option defines the user’s privileges. MongoDB’s Role-Based Access Control (RBAC) framework allows you to assign different levels of permissions based on user roles. You should only assign the minimum roles required for the user to perform their tasks.
Common roles include:
readWrite
: Allows the user to read and write data from the specified database.dbAdmin
: Grants administrative access to the database, including schema modification and index creation.userAdmin
: Allows the user to create and manage users on the database.root
: Full admin access to all databases (should be used sparingly and securely).
Example of assigning
readWrite
access on thesales
database:1roles: [ { role: "readWrite", db: "sales" } ]To assign multiple roles, you can specify them in an array:
1234roles: [{ role: "readWrite", db: "sales" },{ role: "dbAdmin", db: "sales" }]- The
mechanisms
(Authentication Mechanisms):- MongoDB supports two main authentication mechanisms:
- SCRAM-SHA-1: A secure, salted challenge-response authentication mechanism.
- SCRAM-SHA-256: A more secure version of SCRAM-SHA-1 and recommended for modern security.
It’s advisable to use SCRAM-SHA-256 whenever possible, as it provides better security.
Example:
1mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"]By default, MongoDB uses both mechanisms. For maximum security, you can limit it to
SCRAM-SHA-256
only:1mechanisms: ["SCRAM-SHA-256"]- MongoDB supports two main authentication mechanisms:
passwordDigestor
:- This controls where the password hashing occurs. The default option is
"server"
, meaning the password is hashed on the server side before storing it in MongoDB. For most cases, this default should be kept.
1passwordDigestor: "server"- This controls where the password hashing occurs. The default option is
Example: Creating a Secure User
Here is an example of creating a secure user in MongoDB:
1 2 3 4 5 6 7 8 9 10 |
db.createUser({ user: "adminUser", pwd: "S3cur3P@ssword123!", roles: [ { role: "userAdminAnyDatabase", db: "admin" }, { role: "dbAdminAnyDatabase", db: "admin" } ], mechanisms: ["SCRAM-SHA-256"], passwordDigestor: "server" }) |
userAdminAnyDatabase
: Allows this user to manage users across all databases.dbAdminAnyDatabase
: Allows the user to perform database administrative tasks on any database.SCRAM-SHA-256
: This ensures that the authentication is performed using the more secure SCRAM-SHA-256 mechanism.
Best Practices for Secured Login in MongoDB
- Use Strong Passwords:
- Always use complex, unique passwords that follow best practices (length, character variety, etc.).
- Consider using password managers to store and generate strong passwords securely.
- Limit User Privileges (Principle of Least Privilege):
- Assign only the roles that a user needs. Avoid granting
root
ordbOwner
unless absolutely necessary. This reduces the risk of malicious activities if credentials are compromised.
- Assign only the roles that a user needs. Avoid granting
- Use SCRAM-SHA-256:
- Enable and enforce the use of SCRAM-SHA-256 wherever possible. This is a more secure authentication method than SCRAM-SHA-1.
- Regularly Rotate Credentials:
- Change passwords periodically and enforce password expiration policies for users with sensitive roles.
- Remove or disable inactive users to prevent potential misuse.
- Enable SSL/TLS for Data Encryption:
- Ensure that MongoDB connections are encrypted by enabling SSL/TLS. This prevents man-in-the-middle attacks where an attacker could intercept and read credentials sent over the network.
Example configuration in
mongod.conf
:1234net:ssl:mode: requireSSLPEMKeyFile: /etc/ssl/mongodb.pem - Use Two-Factor Authentication (2FA) (Optional):
- If MongoDB is integrated with external authentication systems (e.g., LDAP, Kerberos), you can enforce two-factor authentication (2FA) to further secure logins.
Conclusion
Securing MongoDB logins is essential for protecting your data from unauthorized access. By carefully managing roles, using strong passwords, and implementing secure authentication mechanisms like SCRAM-SHA-256, you can significantly reduce the risk of security breaches. Regular monitoring of user activities, combined with best practices such as encryption and two-factor authentication, ensures a robust security posture for your MongoDB deployments.
© 2024 MinervaDB Inc. All rights reserved. MongoDB® is a registered trademark of MongoDB, Inc. MinervaDB™ is a trademark of MinervaDB Inc.