Securing MongoDB Logins

Securing MongoDB Logins: Best Practices for Creating Users, Managing Roles, and Ensuring Safe Authentication



In MongoDB, creating secure logins and managing access control is crucial for protecting your database. MongoDB uses role-based access control (RBAC) to manage user permissions. To create a login and secure access to MongoDB, you typically create users with roles that determine what actions the user can perform on specific databases.

Here’s a detailed explanation of how to create a login in MongoDB using the db.createUser() method, along with the important options and best practices to ensure secure access control.

Steps to Create a Login in MongoDB

  1. Enable Authentication (if not already enabled)
    • By default, MongoDB doesn’t require user authentication for connections. You need to enable authentication for secure login. To do so, configure MongoDB to enforce authentication by adding the following to the mongod.conf file:
    • Restart the MongoDB service after making this change.
  2. Access MongoDB without Authentication (if this is your first time setting up) If authentication has been enabled, but you haven’t created a user yet, you can temporarily start MongoDB without the authorization option to create the initial user.
  3. Switch to the admin Database Users who can manage other users or the system itself should be created in the admin database. Use the following command to switch to the admin database:
  4. Create a User with the db.createUser() Command MongoDB uses the db.createUser() method to create user logins. The command includes several important options for securing the login and assigning appropriate roles.

db.createUser() Syntax

Here’s the general syntax for creating a user in MongoDB:

Key Options for Securing Login in MongoDB

  1. user (username):
    • This specifies the username for the new login. Ensure that usernames are unique within a MongoDB deployment (i.e., per database).

  2. pwd (password):
    • This is the password associated with the user. Make sure to use strong passwords that are difficult to guess and follow best practices such as:
      • Minimum 12 characters
      • Mix of uppercase and lowercase letters
      • Inclusion of numbers and symbols

  3. roles (Role-Based Access Control):
    • The roles option defines the user’s privileges. MongoDB’s Role-Based Access Control (RBAC) framework allows you to assign different levels of permissions based on user roles. You should only assign the minimum roles required for the user to perform their tasks.

    Common roles include:

    • readWrite: Allows the user to read and write data from the specified database.
    • dbAdmin: Grants administrative access to the database, including schema modification and index creation.
    • userAdmin: Allows the user to create and manage users on the database.
    • root: Full admin access to all databases (should be used sparingly and securely).

    Example of assigning readWrite access on the sales database:

    To assign multiple roles, you can specify them in an array:

  4. mechanisms (Authentication Mechanisms):
    • MongoDB supports two main authentication mechanisms:
      • SCRAM-SHA-1: A secure, salted challenge-response authentication mechanism.
      • SCRAM-SHA-256: A more secure version of SCRAM-SHA-1 and recommended for modern security.

    It’s advisable to use SCRAM-SHA-256 whenever possible, as it provides better security.

    Example:

    By default, MongoDB uses both mechanisms. For maximum security, you can limit it to SCRAM-SHA-256 only:

  5. passwordDigestor:
    • This controls where the password hashing occurs. The default option is "server", meaning the password is hashed on the server side before storing it in MongoDB. For most cases, this default should be kept.


Example: Creating a Secure User

Here is an example of creating a secure user in MongoDB:

  • userAdminAnyDatabase: Allows this user to manage users across all databases.
  • dbAdminAnyDatabase: Allows the user to perform database administrative tasks on any database.
  • SCRAM-SHA-256: This ensures that the authentication is performed using the more secure SCRAM-SHA-256 mechanism.

Best Practices for Secured Login in MongoDB

  1. Use Strong Passwords:
    • Always use complex, unique passwords that follow best practices (length, character variety, etc.).
    • Consider using password managers to store and generate strong passwords securely.
  2. Limit User Privileges (Principle of Least Privilege):
    • Assign only the roles that a user needs. Avoid granting root or dbOwner unless absolutely necessary. This reduces the risk of malicious activities if credentials are compromised.
  3. Use SCRAM-SHA-256:
    • Enable and enforce the use of SCRAM-SHA-256 wherever possible. This is a more secure authentication method than SCRAM-SHA-1.
  4. Regularly Rotate Credentials:
    • Change passwords periodically and enforce password expiration policies for users with sensitive roles.
    • Remove or disable inactive users to prevent potential misuse.
  5. Enable SSL/TLS for Data Encryption:
    • Ensure that MongoDB connections are encrypted by enabling SSL/TLS. This prevents man-in-the-middle attacks where an attacker could intercept and read credentials sent over the network.

    Example configuration in mongod.conf:

  6. Use Two-Factor Authentication (2FA) (Optional):
    • If MongoDB is integrated with external authentication systems (e.g., LDAP, Kerberos), you can enforce two-factor authentication (2FA) to further secure logins.

Conclusion

Securing MongoDB logins is essential for protecting your data from unauthorized access. By carefully managing roles, using strong passwords, and implementing secure authentication mechanisms like SCRAM-SHA-256, you can significantly reduce the risk of security breaches. Regular monitoring of user activities, combined with best practices such as encryption and two-factor authentication, ensures a robust security posture for your MongoDB deployments.

 

© 2024 MinervaDB Inc. All rights reserved. MongoDB® is a registered trademark of MongoDB, Inc. MinervaDB™ is a trademark of MinervaDB Inc.

 

How to tune Linux Threads for MongoDB IOPS Performance?

 

Optimizing MongoDB Checkpointing for Performance

About Shiv Iyer 496 Articles
Open Source Database Systems Engineer with a deep understanding of Optimizer Internals, Performance Engineering, Scalability and Data SRE. Shiv currently is the Founder, Investor, Board Member and CEO of multiple Database Systems Infrastructure Operations companies in the Transaction Processing Computing and ColumnStores ecosystem. He is also a frequent speaker in open source software conferences globally.