MongoDB Security Guide

Release 2.6.4
MongoDB Documentation Project
September 16, 2014
Contents
1 Security Introduction 4
1.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Role Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Transport Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Encryption at Rest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.5 Hardening Deployments and Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Security Concepts 6
2.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Client Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authentication Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Authentication Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 Collection-Level Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Privileges and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4 Network Exposure and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Conguration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.5 Security and MongoDB API Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
JavaScript and the Security of the mongo Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
HTTP Status Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
REST API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.6 Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Audit Events and Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Audit Guarantee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.7 Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Kerberos Components and MongoDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Operational Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Kerberized MongoDB Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3 Security Tutorials 18
3.1 Security Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Require Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Congure Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Encrypt Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Limit Network Exposure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Audit System Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Encrypt and Protect Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Run MongoDB with a Dedicated User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Run MongoDB with Secure Conguration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Consider Security Standards Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Contact MongoDB for Further Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.2 Network Security Tutorials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Congure Linux iptables Firewall for MongoDB . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Congure Windows netsh Firewall for MongoDB . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Congure mongod and mongos for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
SSL Conguration for Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Upgrade a Cluster to Use SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Congure MongoDB for FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.3 Security Deployment Tutorials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Deploy Replica Set and Congure Authentication and Authorization . . . . . . . . . . . . . . . . . . 37
3.4 Access Control Tutorials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Enable Client Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Enable Authentication in a Sharded Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Enable Authentication after Creating the User Administrator . . . . . . . . . . . . . . . . . . . . . . 44
Use x.509 Certicates to Authenticate Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Use x.509 Certicate for Membership Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Authenticate Using SASL and LDAP with ActiveDirectory . . . . . . . . . . . . . . . . . . . . . . . 50
Authenticate Using SASL and LDAP with OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . 53
Congure MongoDB with Kerberos Authentication on Linux . . . . . . . . . . . . . . . . . . . . . . 56
Congure MongoDB with Kerberos Authentication on Windows . . . . . . . . . . . . . . . . . . . . 59
Authenticate to a MongoDB Instance or Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Generate a Key File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Troubleshoot Kerberos Authentication on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Implement Field Level Redaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.5 User and Role Management Tutorials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Create a User Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Add a User to a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Create an Administrative User with Unrestricted Access . . . . . . . . . . . . . . . . . . . . . . . . 71
Create a Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Assign a User a Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Verify User Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Modify a Users Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
View Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Change a Users Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Change Your Password and Custom Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
3.6 Congure System Events Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Enable and Congure Audit Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Filter Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Filter for a Single Operation Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Filter for Multiple Operation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Filter on Authentication Operations on a Single Database . . . . . . . . . . . . . . . . . . . . . . . . 83
2
3.7 Create a Vulnerability Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Create the Report in JIRA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Information to Provide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Send the Report via Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Evaluation of a Vulnerability Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4 Security Reference 85
4.1 Security Methods in the mongo Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
User Management Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Role Management Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.2 Security Reference Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Built-In Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
system.roles Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
system.users Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Resource Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Privilege Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Default MongoDB Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
System Event Audit Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.3 Security Release Notes Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Security Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Index 110
This section outlines basic security and risk management strategies and access control. The included tutorials outline
specic tasks for conguring rewalls, authentication, and system privileges.
Security Introduction (page 4) A high-level introduction to security and MongoDB deployments.
Security Concepts (page 6) The core documentation of security.
Authentication (page 6) Mechanisms for verifying user and instance access to MongoDB.
Authorization (page 9) Control access to MongoDB instances using authorization.
Network Exposure and Security (page 12) Discusses potential security risks related to the network and strate-
gies for decreasing possible network-based attack vectors for MongoDB.
Continue reading fromSecurity Concepts (page 6) for additional documentation of MongoDBs security features
and operation.
Security Tutorials (page 18) Tutorials for enabling and conguring security features for MongoDB.
Security Checklist (page 19) A high level overview of global security consideration for administrators of Mon-
goDB deployments. Use this checklist if you are new to deploying MongoDB in production and want to
implement high quality security practices.
Network Security Tutorials (page 21) Ensure that the underlying network conguration supports a secure oper-
ating environment for MongoDB deployments, and appropriately limits access to MongoDB deployments.
Access Control Tutorials (page 40) These tutorials describe procedures relevant for the conguration, opera-
tion, and maintenance of MongoDBs access control system.
User and Role Management Tutorials (page 66) MongoDBs access control system provides a exible role-
based access control system that you can use to limit access to MongoDB deployments. The tutorials in
this section describe the conguration an setup of the authorization system.
3
Continue reading from Security Tutorials (page 18) for additional tutorials that address the use and management
of secure MongoDB deployments.
Create a Vulnerability Report (page 84) Report a vulnerability in MongoDB.
Security Reference (page 85) Reference for security related functions.
1 Security Introduction
Maintaining a secure MongoDB deployment requires administrators to implement controls to ensure that users and
applications have access to only the data that they require. MongoDB provides features that allow administrators to
implement these controls and restrictions for any MongoDB deployment.
If you are already familiar with security and MongoDB security practices, consider the Security Checklist (page 19)
for a collection of recommended actions to protect a MongoDB deployment.
1.1 Authentication
Before gaining access to a system all clients should identify themselves to MongoDB. This ensures that no client can
access the data stored in MongoDB without being explicitly allowed.
MongoDB supports a number of authentication mechanisms (page 7) that clients can use to verify their identity. Mon-
goDB supports two mechanisms: a password-based challenge and response protocol and x.509 certicates. Addition-
ally, MongoDB Enterprise
1
also provides support for LDAP proxy authentication (page 8) and Kerberos authentication
(page 7).
See Authentication (page 6) for more information.
1.2 Role Based Access Control
Access control, i.e. authorization (page 9), determines a users access to resources and operations. Clients should only
be able to perform the operations required to fulll their approved functions. This is the principle of least privilege
and limits the potential risk of a compromised application.
MongoDBs role-based access control system allows administrators to control all access and ensure that all granted
access applies as narrowly as possible. MongoDB does not enable authorization by default. When you enable autho-
rization (page 9), MongoDB will require authentication for all connections.
When authorization is enabled, MongoDB controls a users access through the roles assigned to the user. A role
consists of a set of privileges, where a privilege consists of actions, or a set of operations, and a resource upon which
the actions are allowed.
Users may have one or more role that describes their access. MongoDB provides several built-in roles (page 86) and
users can construct specic roles tailored to clients actual requirements.
See Authorization (page 9) for more information.
1.3 Auditing
Auditing provides administrators with the ability to verify that the implemented security policies are controlling activ-
ity in the system. Retaining audit information ensures that administrators have enough information to perform forensic
investigations and comply with regulations and polices that require audit data.
1
http://www.mongodb.com/products/mongodb-enterprise
4
See Auditing (page 15) for more information.
1.4 Encryption
Transport Encryption
You can use SSL to encrypt all of MongoDBs network trafc. SSL ensures that MongoDB network trafc is only
readable by the intended client.
See Congure mongod and mongos for SSL (page 28) for more information.
Encryption at Rest
There are two broad classes of approaches to encrypting data at rest with MongoDB. You can use these solutions
together or independently:
Application Level Encryption
Provide encryption on a per-eld or per-document basis within the application layer. To encrypt document or eld
level data, write custom encryption and decryption routines or use a commercial solutions such as the Vormetric Data
Security Platform
2
.
Storage Encryption
Encrypt all MongoDB data on the storage or operating system to ensure that only authorized processes can access
protected data. A number of third-party libraries can integrate with the operating system to provide transparent disk-
level encryption. For example:
Linux Unied Key Setup (LUKS) LUKS is available for most Linux distributions. For conguration explanation,
see the LUKS documentation from Red Hat
3
.
IBM Guardium Data Encryption IBM Guardium Data Encryption
4
provides support for disk-level encryption for
Linux and Windows operating systems.
Vormetric Data Security Platform The Vormetric Data Security Platform
5
provides disk and le-level encryption in
addition to application level encryption.
Bitlocker Drive Encryption Bitlocker Drive Encryption
6
is a feature available on Windows Server 2008 and 2012
that provides disk encryption.
Properly congured disk encryption, when used alongside good security policies that protect relevant accounts, pass-
words, and encryption keys, can help ensure compliance with standards, including HIPAA, PCI-DSS, and FERPA.
2
http://www.vormetric.com/sites/default/les/sb-MongoDB-Letter-2014-0611.pdf
3
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-
LUKS_Disk_Encryption.html
4
http://www-03.ibm.com/software/products/en/infosphere-guardium-data-encryption
5
http://www.vormetric.com/sites/default/les/sb-MongoDB-Letter-2014-0611.pdf
6
http://technet.microsoft.com/en-us/library/hh831713.aspx
5
1.5 Hardening Deployments and Environments
In addition to implementing controls within MongoDB, you should also place controls around MongoDB to reduce
the risk exposure of the entire MongoDB system. This is a defense in depth strategy.
Hardening MongoDB extends the ideas of least privilege, auditing, and encryption outside of MongoDB. Reducing
risk includes: conguring the network rules to ensure that only trusted hosts have access to MongoDB, and that the
MongoDB processes only have access to the parts of the lesystem required for operation.
2 Security Concepts
These documents introduce and address concepts and strategies related to security practices in MongoDBdeployments.
Authentication (page 6) Mechanisms for verifying user and instance access to MongoDB.
Authorization (page 9) Control access to MongoDB instances using authorization.
Collection-Level Access Control (page 11) Scope privileges to specic collections.
Network Exposure and Security (page 12) Discusses potential security risks related to the network and strategies for
decreasing possible network-based attack vectors for MongoDB.
Security and MongoDB API Interfaces (page 14) Discusses potential risks related to MongoDBs JavaScript, HTTP
and REST interfaces, including strategies to control those risks.
Auditing (page 15) Audit server and client activity for mongod and mongos instances.
Kerberos Authentication (page 16) Kerberos authentication and MongoDB.
2.1 Authentication
Authentication is the process of verifying the identity of a client. When access control, i.e. authorization (page 9), is
enabled, MongoDB requires all clients to authenticate themselves rst in order to determine the access for the client.
Although authentication and authorization (page 9) are closely connected, authentication is distinct fromauthorization.
Authentication veries the identity of a user; authorization determines the veried users access to resources and
operations.
MongoDB supports a number of authentication mechanisms (page 7) that clients can use to verify their identity. These
mechanisms allow MongoDB to integrate into your existing authentication system. See Authentication Mechanisms
(page 7) for details.
In addition to verifying the identity of a client, MongoDB can require members of replica sets and sharded clusters to
authenticate their membership (page 8) to their respective replica set or sharded cluster. See Authentication Between
MongoDB Instances (page 8) for more information.
Client Users
To authenticate a client in MongoDB, you must add a corresponding user to MongoDB. When adding a user, you
create the user in a specic database. Together, the users name and database serve as a unique identier for that
user. That is, if two users have the same name but are created in different databases, they are two separate users. To
authenticate, the client must authenticate the user against the users database. For instance, if using the mongo shell
as a client, you can specify the database for the user with the authenticationDatabase option.
To add and manage user information, MongoDB provides the db.createUser() method as well as other user
management methods. For an example of adding a user to MongoDB, see Add a User to a Database (page 69).
6
MongoDB stores all user information, including name (page 96), password (page 96), and the users
database (page 96), in the system.users (page 96) collection in the admin database.
Authentication Mechanisms
MongoDB supports multiple authentication mechanisms. MongoDBs default authentication method is a challenge
and response mechanism(MONGODB-CR) (page 7). MongoDBalso supports x509 certicate authentication (page 7),
LDAP proxy authentication (page 8), and Kerberos authentication (page 7).
This section introduces the mechanisms available in MongoDB.
To specify the authentication mechanism to use, see authenticationMechanisms.
MONGODB-CR Authentication
MONGODB-CR is a challenge-response mechanism that authenticates users through passwords. MONGODB-CR is the
default mechanism.
When you use MONGODB-CR authentication, MONGODB-CR veries the user against the users name (page 96),
password (page 96) and database (page 96). The users database is the database where the user was created, and
the users database and the users name together serves to identify the user.
Using key files, you can also use MONGODB-CR authentication for the internal member authentication (page 8)
of replica set members and sharded cluster members. The contents of the key les serve as the shared password for
the members. You must store the key le on each mongod or mongos instance for that replica set or sharded cluster.
The content of the key le is arbitrary but must be the same on all mongod and mongos instances that connect to
each other.
See Generate a Key File (page 62) for instructions on generating a key le and turning on key le authentication for
members.
x.509 Certicate Authentication
New in version 2.6.
MongoDB supports x.509 certicate authentication for use with a secure SSL connection (page 28).
To authenticate to servers, clients can use x.509 certicates instead of usernames and passwords. See Client x.509
Certicate (page 45) for more information.
For membership authentication, members of sharded clusters and replica sets can use x.509 certicates instead of key
les. See Use x.509 Certicate for Membership Authentication (page 47) for more information.
Kerberos Authentication
MongoDB Enterprise
7
supports authentication using a Kerberos service. Kerberos is an industry standard authentica-
tion protocol for large client/server systems.
To use MongoDB with Kerberos, you must have a properly congured Kerberos deployment, congured Kerberos
service principals (page 16) for MongoDB, and added Kerberos user principal (page 16) to MongoDB.
See Kerberos Authentication (page 16) for more information on Kerberos and MongoDB. To congure MongoDB to
use Kerberos authentication, see Congure MongoDB with Kerberos Authentication on Linux (page 56) and Congure
MongoDB with Kerberos Authentication on Windows (page 59).
7
http://www.mongodb.com/products/mongodb-enterprise
7
LDAP Proxy Authority Authentication
MongoDB Enterprise
8
supports proxy authentication through a Lightweight Directory Access Protocol (LDAP) ser-
vice. See Authenticate Using SASL and LDAP with OpenLDAP (page 53) and Authenticate Using SASL and LDAP
with ActiveDirectory (page 50).
MongoDBEnterprise for Windows does not include LDAP support for authentication. However, MongoDBEnterprise
for Linux supports using LDAP authentication with an ActiveDirectory server.
MongoDB does not support LDAP authentication in mixed sharded cluster deployments that contain both version 2.4
and version 2.6 shards.
Authentication Behavior
Client Authentication
Clients can authenticate using the challenge and response (page 7), x.509 (page 7), LDAP Proxy (page 8) and Kerberos
(page 7) mechanisms.
Each client connection should authenticate as exactly one user. If a client authenticates to a database as one user and
later authenticates to the same database as a different user, the second authentication invalidates the rst. While clients
can authenticate as multiple users if the users are dened on different databases, we recommend authenticating as one
user at a time, providing the user with appropriate privileges on the databases required by the user.
See Authenticate to a MongoDB Instance or Cluster (page 61) for more information.
Authentication Between MongoDB Instances
You can authenticate members of replica sets and sharded clusters. To authenticate members of a single MongoDB
deployment to each other, MongoDB can use the keyFile and x.509 (page 7) mechanisms. Using keyFile au-
thentication for members also enables authorization.
Always run replica sets and sharded clusters in a trusted networking environment. Ensure that the network permits
only trusted trafc to reach each mongod and mongos instance.
Use your environments rewall and network routing to ensure that trafc only from clients and other members can
reach your mongod and mongos instances. If needed, use virtual private networks (VPNs) to ensure secure connec-
tions over wide area networks (WANs).
Always ensure that:
Your network conguration will allow every member of the replica set or sharded cluster to contact every other
member.
If you use MongoDBs authentication system to limit access to your infrastructure, ensure that you congure a
keyFile on all members to permit authentication.
See Generate a Key File (page 62) for instructions on generating a key le and turning on key le authentication for
members. For an example of using key les for sharded cluster authentication, see Enable Authentication in a Sharded
Cluster (page 43).
8
http://www.mongodb.com/products/mongodb-enterprise
8
Authentication on Sharded Clusters
In sharded clusters, applications authenticate to directly to mongos instances, using credentials stored in the admin
database of the cong servers. The shards in the sharded cluster also have credentials, and clients can authenticate
directly to the shards to perform maintenance directly on the shards. In general, applications and clients should connect
to the sharded cluster through the mongos.
Changed in version 2.6: Previously, the credentials for authenticating to a database on a cluster resided on the primary
shard for that database.
Some maintenance operations, such as cleanupOrphaned, compact, rs.reconfig(), require direct connec-
tions to specic shards in a sharded cluster. To perform these operations with authentication enabled, you must connect
directly to the shard and authenticate as a shard local administrative user. To create a shard local administrative user,
connect directly to the shard and create the user. MongoDB stores shard local users in the admin database of the shard
itself. These shard local users are completely independent from the users added to the sharded cluster via mongos.
Shard local users are local to the shard and are inaccessible by mongos. Direct connections to a shard should only be
for shard-specic maintenance and conguration.
Localhost Exception
The localhost exception allows you to enable authorization before creating the rst user in the system. When active,
the localhost exception allows all connections from the localhost interface to have full access to that instance. The
exception applies only when there are no users created in the MongoDB instance.
If you use the localhost exception when deploying a new MongoDB system, the rst user you create must be
in the admin database with privileges to create other users, such as a user with the userAdmin (page 88) or
userAdminAnyDatabase (page 92) role. See Enable Client Access Control (page 41) and Create a User Ad-
ministrator (page 67) for more information.
In the case of a sharded cluster, the localhost exception can apply to the cluster as a whole or separately to each shard.
The localhost exception can apply to the cluster as a whole if there are no user information stored on the cong servers
and clients access via mongos instances.
The localhost exception can apply separately to each shard if there is no user information stored on the shard itself and
clients connect to the shard directly.
To prevent unauthorized access to a clusters shards, you must either create an administrator on each shard
or disable the localhost exception. To disable the localhost exception, use setParameter to set the
enableLocalhostAuthBypass parameter to 0 during startup.
2.2 Authorization
MongoDB employs Role-Based Access Control (RBAC) to govern access to a MongoDB system. A user is granted
one or more roles (page 10) that determine the users access to database resources and operations. Outside of role
assignments, the user has no access to the system.
MongoDB does not enable authorization by default. You can enable authorization using the --auth or
the --keyFile options, or if using a conguration le, with the security.authorization or the
security.keyFile settings.
MongoDB provides built-in roles (page 86), each with a dedicated purpose for a common use case. Examples include
the read (page 86), readWrite (page 86), dbAdmin (page 87), and root (page 93) roles.
Administrators also can create new roles and privileges to cater to operational needs. Administrators can assign
privileges scoped as granularly as the collection level.
9
When granted a role, a user receives all the privileges of that role. A user can have several roles concurrently, in which
case the user receives the union of all the privileges of the respective roles.
Roles
A role consists of privileges that pair resources with allowed operations. Each privilege is dened directly in the role
or inherited from another role.
A roles privileges apply to the database where the role is created. A role created on the admin database can include
privileges that apply to all databases or to the cluster (page 98).
A user assigned a role receives all the privileges of that role. The user can have multiple roles and can have different
roles on different databases.
Roles always grant privileges and never limit access. For example, if a user has both read (page 86) and
readWriteAnyDatabase (page 92) roles on a database, the greater access prevails.
Privileges
A privilege consists of a specied resource and the actions permitted on the resource.
A privilege resource (page 97) is either a database, collection, set of collections, or the cluster. If the cluster, the
afliated actions affect the state of the system rather than a specic database or collection.
An action (page 99) is a command or method the user is allowed to perform on the resource. A resource can have
multiple allowed actions. For available actions see Privilege Actions (page 99).
For example, a privilege that includes the update (page 99) action allows a user to modify existing documents on
the resource. To additionally grant the user permission to create documents on the resource, the administrator would
add the insert (page 99) action to the privilege.
For privilege syntax, see admin.system.roles.privileges (page 94).
Inherited Privileges
A role can include one or more existing roles in its denition, in which case the role inherits all the privileges of the
included roles.
A role can inherit privileges from other roles in its database. A role created on the admin database can inherit
privileges from roles in any database.
User-Dened Roles
New in version 2.6.
User administrators can create custom roles to ensure collection-level and command-level granularity and to adhere to
the policy of least privilege. Administrators create and edit roles using the role management commands.
MongoDBscopes a user-dened role to the database in which it is created and uniquely identies the role by the pairing
of its name and its database. MongoDB stores the roles in the admin databases system.roles (page 93) collection. Do
not access this collection directly but instead use the role management commands to view and edit custom roles.
10
Collection-Level Access Control
By creating a role with privileges (page 10) that are scoped to a specic collection in a particular database, adminis-
trators can implement collection-level access control.
See Collection-Level Access Control (page 11) for more information.
Users
MongoDB stores user credentials in the protected admin.system.users. Use the user management methods to
view and edit user credentials.
Role Assignment to Users
User administrators create the users that access the systems databases. MongoDBs user management commands let
administrators create users and assign them roles.
MongoDBscopes a user to the database in which the user is created. MongoDBstores all user denitions in the admin
database, no matter which database the user is scoped to. MongoDB stores users in the admin databases system.users
collection (page 96). Do not access this collection directly but instead use the user management commands.
The rst role assigned in a database should be either userAdmin (page 88) or userAdminAnyDatabase
(page 92). This user can then create all other users in the system. See Create a User Administrator (page 67).
Protect the User and Role Collections
MongoDB stores role and user data in the protected admin.system.roles and admin.system.users col-
lections, which are only accessible using the user management methods.
If you disable access control, do not modify the admin.system.roles and admin.system.users collections
using normal insert() and update() operations.
Additional Information
See the reference section for documentation of all built-in-roles (page 86) and all available privilege actions (page 99).
Also consider the reference for the form of the resource documents (page 97).
To create users see the Create a User Administrator (page 67) and Add a User to a Database (page 69) tutorials.
2.3 Collection-Level Access Control
Collection-level access control allows administrators to grant users privileges that are scoped to specic collections.
Administrators can implement collection-level access control through user-dened roles (page 10). By creating a role
with privileges (page 10) that are scoped to a specic collection in a particular database, administrators can provision
users with roles that grant privileges on a collection level.
11
Privileges and Scope
A privilege consists of actions (page 99) and the resources (page 97) upon which the actions are permissible; i.e. the
resources dene the scope of the actions for that privilege.
By specifying both the database and the collection in the resource document (page 97) for a privilege, administrator
can limit the privilege actions just to a specic collection in a specic database. Each privilege action in a role can be
scoped to a different collection.
For example, a user dened role can contain the following privileges:
privileges: [
{ resource: { db: "products", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
{ resource: { db: "products", collection: "orders" }, actions: [ "find" ] }
]
The rst privilege scopes its actions to the inventory collection of the products database. The second privilege
scopes its actions to the orders collection of the products database.
Additional Information
For more information on user-dened roles and MongoDB authorization model, see Authorization (page 9). For a
tutorial on creating user-dened roles, see Create a Role (page 72).
2.4 Network Exposure and Security
By default, MongoDB programs (i.e. mongos and mongod) will bind to all available network interfaces (i.e. IP
addresses) on a system.
This page outlines various runtime options that allow you to limit access to MongoDB programs.
Conguration Options
You can limit the network exposure with the following mongod and mongos conguration options: enabled,
net.http.RESTInterfaceEnabled, bindIp, and port. You can use a configuration file to specify
these settings.
nohttpinterface
The enabled setting for mongod and mongos instances disables the home status page.
Changed in version 2.6: The mongod and mongos instances run with the http interface disabled by default.
The status interface is read-only by default, and the default port for the status page is 28017. Authentication does not
control or affect access to this interface.
Important: Disable this interface for production deployments. If you enable this interface, you should only allow
trusted clients to access this port. See Firewalls (page 13).
12
rest
The net.http.RESTInterfaceEnabled setting for mongod enables a fully interactive administrative REST
interface, which is disabled by default. The net.http.RESTInterfaceEnabled conguration makes the http
status interface
9
, which is read-only by default, fully interactive. Use the net.http.RESTInterfaceEnabled
setting with the enabled setting.
The REST interface does not support any authentication and you should always restrict access to this interface to only
allow trusted clients to connect to this port.
You may also enable this interface on the command line as mongod --rest --httpinterface.
Important: Disable this option for production deployments. If do you leave this interface enabled, you should only
allow trusted clients to access this port.
bind_ip
The bindIp setting for mongod and mongos instances limits the network interfaces on which MongoDB programs
will listen for incoming connections. You can also specify a number of interfaces by passing bindIp a comma
separated list of IP addresses. You can use the mongod --bind_ip and mongos --bind_ip option on the
command line at run time to limit the network accessibility of a MongoDB program.
Important: Make sure that your mongod and mongos instances are only accessible on trusted networks. If your
system has more than one network interface, bind MongoDB programs to the private or internal network interface.
port
The port setting for mongod and mongos instances changes the main port on which the mongod or mongos
instance listens for connections. The default port is 27017. Changing the port does not meaningfully reduce risk or
limit exposure. You may also specify this option on the command line as mongod --port or mongos --port.
Setting port also indirectly sets the port for the HTTP status interface, which is always available on the port numbered
1000 greater than the primary mongod port.
Only allow trusted clients to connect to the port for the mongod and mongos instances. See Firewalls (page 13).
See also conguration-security and Default MongoDB Port (page 104).
Firewalls
Firewalls allow administrators to lter and control access to a system by providing granular control over what network
communications. For administrators of MongoDB, the following capabilities are important: limiting incoming trafc
on a specic port to specic systems, and limiting incoming trafc from untrusted hosts.
On Linux systems, the iptables interface provides access to the underlying netfilter rewall. On Windows
systems, netsh command line interface provides access to the underlying Windows Firewall. For additional infor-
mation about rewall conguration, see Congure Linux iptables Firewall for MongoDB (page 21) and Congure
Windows netsh Firewall for MongoDB (page 25).
For best results and to minimize overall exposure, ensure that only trafc from trusted sources can reach mongod and
mongos instances and that the mongod and mongos instances can only connect to trusted outputs.
See also:
9
Starting in version 2.6, http interface is disabled by default.
13
For MongoDB deployments on Amazons web services, see the Amazon EC2
10
page, which addresses Amazons
Security Groups and other EC2-specic security features.
Virtual Private Networks
Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted
network. Typically MongoDB users who use VPNs use SSL rather than IPSEC VPNs for performance issues.
Depending on conguration and implementation, VPNs provide for certicate validation and a choice of encryption
protocols, which requires a rigorous level of authentication and identication of all clients. Furthermore, because
VPNs provide a secure tunnel, by using a VPN connection to control access to your MongoDB instance, you can
prevent tampering and man-in-the-middle attacks.
2.5 Security and MongoDB API Interfaces
The following section contains strategies to limit risks related to MongoDBs available interfaces including JavaScript,
HTTP, and REST interfaces.
JavaScript and the Security of the mongo Shell
The following JavaScript evaluation behaviors of the mongo shell represents risk exposures.
JavaScript Expression or JavaScript File
The mongo program can evaluate JavaScript expressions using the command line --eval option. Also, the mongo
program can evaluate a JavaScript le (.js) passed directly to it (e.g. mongo someFile.js).
Because the mongo program evaluates the JavaScript directly, inputs should only come from trusted sources.
.mongorc.js File
If a .mongorc.js le exists
11
, the mongo shell will evaluate a .mongorc.js le before starting. You can disable
this behavior by passing the mongo --norc option.
HTTP Status Interface
The HTTP status interface provides a web-based interface that includes a variety of operational data, logs, and status
reports regarding the mongod or mongos instance. The HTTP interface is always available on the port numbered
1000 greater than the primary mongod port. By default, the HTTP interface port is 28017, but is indirectly set using
the port option which allows you to congure the primary mongod port.
Without the net.http.RESTInterfaceEnabled setting, this interface is entirely read-only, and limited in
scope; nevertheless, this interface may represent an exposure. To disable the HTTP interface, set the enabled run
time option or the --nohttpinterface command line option. See also Conguration Options (page 12).
10
http://docs.mongodb.org/ecosystem/platforms/amazon-ec2
11
On Linux and Unix systems, mongo reads the .mongorc.js le from $HOME/.mongorc.js (i.e. ~/.mongorc.js). On Windows,
mongo.exe reads the .mongorc.js le from %HOME%.mongorc.js or %HOMEDRIVE%%HOMEPATH%.mongorc.js.
14
REST API
The REST API to MongoDB provides additional information and write access on top of the HTTP Status interface.
While the REST API does not provide any support for insert, update, or remove operations, it does provide adminis-
trative access, and its accessibility represents a vulnerability in a secure environment. The REST interface is disabled
by default, and is not recommended for production use.
If you must use the REST API, please control and limit access to the REST API. The REST API does not include any
support for authentication, even when running with authorization enabled.
See the following documents for instructions on restricting access to the REST API interface:
Congure Linux iptables Firewall for MongoDB (page 21)
Congure Windows netsh Firewall for MongoDB (page 25)
2.6 Auditing
New in version 2.6.
MongoDB Enterprise includes an auditing capability for mongod and mongos instances. The auditing facility allows
administrators and users to track system activity for deployments with multiple users and applications. The auditing
facility can write audit events to the console, the syslog, a JSON le, or a BSON le. For details on the audit log
messages, see System Event Audit Messages (page 104).
Audit Events and Filter
The auditing system can record the following operations:
schema (DDL),
replica set,
authentication and authorization, and
general operations.
See Event Actions, Details, and Results (page 105) for the specic actions recorded.
By default, the auditing system records all these operations; however, you can congure the --auditFilter option
to restrict the events captured.
See Congure System Events Auditing (page 81) to enable and congure auditing for MongoDB Enterprise. To set up
lters, see Filter Events (page 83).
Audit Guarantee
The auditing system writes every audit event
12
to an in-memory buffer of audit events. MongoDB writes this buffer to
disk periodically. For events collected from any single connection, the events have a total order: if MongoDB writes
one event to disk, the system guarantees that it has written all prior events for that connection to disk.
If an audit event entry corresponds to an operation that affects the durable state of the database, such as a modication
to data, MongoDB will always write the audit event to disk before writing to the journal for that entry.
That is, before adding an operation to the journal, MongoDB writes all audit events on the connection that triggered
the operation, up to and including the entry for the operation.
These auditing guarantees require that MongoDB runs with the journaling enabled.
12
Audit conguration can include a lter (page 83) to limit events to audit.
15
Warning: MongoDB may lose events if the server terminates before it commits the events to the audit log.
The client may receive conrmation of the event before MongoDB commits to the audit log. For example, while
auditing an aggregation operation, the server might crash after returning the result but before the audit log ushes.
2.7 Kerberos Authentication
New in version 2.4.
Overview
MongoDB Enterprise provides support for Kerberos authentication of MongoDB clients to mongod and mongos.
Kerberos is an industry standard authentication protocol for large client/server systems. Kerberos allows MongoDB
and applications to take advantage of existing authentication infrastructure and processes.
Kerberos Components and MongoDB
Principals
In a Kerberos-based system, every participant in the authenticated communication is known as a principal, and every
principal must have a unique name.
Principals belong to administrative units called realms. For each realm, the Kerberos Key Distribution Center (KDC)
maintains a database of the realms principal and the principals associated secret keys.
For a client-server authentication, the client requests from the KDC a ticket for access to a specic asset. KDC
uses the clients secret and the servers secret to construct the ticket which allows the client and server to mutually
authenticate each other, while keeping the secrets hidden.
For the conguration of MongoDB for Kerberos support, two kinds of principal names are of interest: user principals
(page 16) and service principals (page 16).
User Principal To authenticate using Kerberos, you must add the Kerberos user principals to MongoDB to the
$external database. User principal names have the form:
<username>@<KERBEROS REALM>
For every user you want to authenticate using Kerberos, you must create a corresponding user in MongoDB in the
$external database.
For examples of adding a user to MongoDB as well as authenticating as that user, see Congure MongoDB with Ker-
beros Authentication on Linux (page 56) and Congure MongoDB with Kerberos Authentication on Windows (page 59).
See also:
http://docs.mongodb.org/manualreference/command/nav-user-management for general in-
formation regarding creating and managing users in MongoDB.
Service Principal Every MongoDB mongod and mongos instance (or mongod.exe or mongos.exe on Win-
dows) must have an associated service principal. Service principal names have the form:
<service>/<fully qualified domain name>@<KERBEROS REALM>
16
For MongoDB, the <service> defaults to mongodb. For example, if m1.example.com is a MongoDB server,
and example.com maintains the EXAMPLE.COM Kerberos realm, then m1 should have the service principal name
mongodb/[email protected].
To specify a different value for <service>, use serviceName during the start up of mongod or mongos (or
mongod.exe or mongos.exe). mongo shell or other clients may also specify a different service principal name
using serviceName.
Service principal names must be reachable over the network using the fully qualied domain name (FQDN) part of its
service principal name.
By default, Kerberos attempts to identify hosts using the /etc/kerb5.conf le before using DNS to resolve hosts.
On Windows, if running MongoDB as a service, see Assign Service Principal Name to MongoDB Windows Service
(page 60).
Linux Keytab Files
Linux systems can store Kerberos authentication keys for a service principal (page 16) in keytab les. Each Kerberized
mongod and mongos instance running on Linux must have access to a keytab le containing keys for its service
principal (page 16).
To keep keytab les secure, use le permissions that restrict access to only the user that runs the mongod or mongos
process.
Tickets
On Linux, MongoDB clients can use Kerbeross kinit program to initialize a credential cache for authenticating the
user principal to servers.
Windows Active Directory
Unlike on Linux systems, mongod and mongos instances running on Windows do not require access to keytab
les. Instead, the mongod and mongos instances read their server credentials from a credential store specic to the
operating system.
However, from the Windows Active Directory, you can export a keytab le for use on Linux systems. See Ktpass
13
for more information.
Authenticate With Kerberos
To congure MongoDB for Kerberos support and authenticate, see Congure MongoDB with Kerberos Authentication
on Linux (page 56) and Congure MongoDB with Kerberos Authentication on Windows (page 59).
Operational Considerations
The HTTP Console
The MongoDB HTTP Console
14
interface does not support Kerberos authentication.
13
http://technet.microsoft.com/en-us/library/cc753771.aspx
14
http://docs.mongodb.org/ecosystem/tools/http-interfaces/#http-console
17
DNS
Each host that runs a mongod or mongos instance must have both A and PTR DNS records to provide forward and
reverse lookup.
Without A and PTR DNS records, the host cannot resolve the components of the Kerberos domain or the Key Distri-
bution Center (KDC).
System Time Synchronization
To successfully authenticate, the system time for each mongod and mongos instance must be within 5 minutes of the
system time of the other hosts in the Kerberos infrastructure.
Kerberized MongoDB Environments
Driver Support
The following MongoDB drivers support Kerberos authentication:
Java
15
C#
16
C++
17
Python
18
Use with Additional MongoDB Authentication Mechanism
Although MongoDB supports the use of Kerberos authentication with other authentication mechanisms, only add the
other mechanisms as necessary. See the Incorporate Additional Authentication Mechanisms sec-
tion in Congure MongoDB with Kerberos Authentication on Linux (page 56) and Congure MongoDB with Kerberos
Authentication on Windows (page 59) for details.
3 Security Tutorials
The following tutorials provide instructions for enabling and using the security features available in MongoDB.
Security Checklist (page 19) A high level overview of global security consideration for administrators of MongoDB
deployments. Use this checklist if you are new to deploying MongoDB in production and want to implement
high quality security practices.
Network Security Tutorials (page 21) Ensure that the underlying network conguration supports a secure operating
environment for MongoDB deployments, and appropriately limits access to MongoDB deployments.
Congure Linux iptables Firewall for MongoDB (page 21) Basic rewall conguration patterns and exam-
ples for iptables on Linux systems.
Congure Windows netsh Firewall for MongoDB (page 25) Basic rewall conguration patterns and exam-
ples for netsh on Windows systems.
15
http://docs.mongodb.org/ecosystem/tutorial/authenticate-with-java-driver/
16
http://docs.mongodb.org/ecosystem/tutorial/authenticate-with-csharp-driver/
17
http://docs.mongodb.org/ecosystem/tutorial/authenticate-with-cpp-driver/
18
http://api.mongodb.org/python/current/examples/authentication.html
18
Congure mongod and mongos for SSL (page 28) SSL allows MongoDB clients to support encrypted con-
nections to mongod instances.
Continue reading from Network Security Tutorials (page 21) for more information on running MongoDB in
secure environments.
Security Deployment Tutorials (page 37) These tutorials describe procedures for deploying MongoDB using authen-
tication and authorization.
Access Control Tutorials (page 40) These tutorials describe procedures relevant for the conguration, operation, and
maintenance of MongoDBs access control system.
Enable Client Access Control (page 41) Describes the process for enabling authentication for MongoDB de-
ployments.
Use x.509 Certicates to Authenticate Clients (page 45) Use x.509 for client authentication.
Use x.509 Certicate for Membership Authentication (page 47) Use x.509 for internal member authentication
for replica sets and sharded clusters.
Congure MongoDB with Kerberos Authentication on Linux (page 56) For MongoDB Enterprise Linux, de-
scribes the process to enable Kerberos-based authentication for MongoDB deployments.
Continue reading from Access Control Tutorials (page 40) for additional tutorials on conguring MongoDBs
authentication systems.
Enable Authentication after Creating the User Administrator (page 44) Describes an alternative process for
enabling authentication for MongoDB deployments.
User and Role Management Tutorials (page 66) MongoDBs access control system provides a exible role-based
access control system that you can use to limit access to MongoDB deployments. The tutorials in this section
describe the conguration an setup of the authorization system.
Add a User to a Database (page 69) Create non-administrator users using MongoDBs role-based authentica-
tion system.
Create a Role (page 72) Create custom role.
Modify a Users Access (page 76) Modify the actions available to a user on specic database resources.
View Roles (page 78) View a roles privileges.
Continue reading from User and Role Management Tutorials (page 66) for additional tutorials on managing
users and privileges in MongoDBs authorization system.
Congure System Events Auditing (page 81) Enable and congure MongoDB Enterprise system event auditing fea-
ture.
Create a Vulnerability Report (page 84) Report a vulnerability in MongoDB.
3.1 Security Checklist
This documents provides a list of security measures that you should implement to protect your MongoDB installation.
Require Authentication
Enable MongoDB authentication and specify the authentication mechanism. You can use the MongoDB authentica-
tion mechanism or an existing external framework. Authentication requires that all clients and servers provide valid
credentials before they can connect to the system. In clustered deployments, enable authentication for each MongoDB
server.
19
See Authentication (page 6), Enable Client Access Control (page 41), and Enable Authentication in a Sharded Cluster
(page 43).
Congure Role-Based Access Control
Create roles that dene the exact access a set of users needs. Follow a principle of least privilege. Then create users
and assign them only the roles they need to perform their operations. A user can be a person or a client application.
Create a user administrator rst, then create additional users. Create a unique MongoDB user for each person and
application that accesses the system.
See Authorization (page 9), Create a Role (page 72), Create a User Administrator (page 67), and Add a User to a
Database (page 69).
Encrypt Communication
Congure MongoDB to use SSL for all incoming and outgoing connections. Use SSL to encrypt communication
between mongod and mongos components of a MongoDB client, as well as between all applications and MongoDB.
See Congure mongod and mongos for SSL (page 28).
Limit Network Exposure
Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances
listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which
MongoDB instances are available.
See the bindIp setting, and see Congure Linux iptables Firewall for MongoDB (page 21) and Congure Windows
netsh Firewall for MongoDB (page 25).
Audit System Activity
Track access and changes to database congurations and data. MongoDB Enterprise
19
includes a system auditing
facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit
records permit forensic analysis and allow administrators to verify proper controls.
See Auditing (page 15) and Congure System Events Auditing (page 81).
Encrypt and Protect Data
Encrypt MongoDB data on each host using le-system, device, or physical encryption. Protect MongoDB data using
le-system permissions. MongoDB data includes data les, conguration les, auditing logs, and key les.
Run MongoDB with a Dedicated User
Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to
access data but no unnecessary permissions.
See http://docs.mongodb.org/manualinstallation for more information on running MongoDB.
19
http://www.mongodb.com/products/mongodb-enterprise
20
Run MongoDB with Secure Conguration Options
MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, group, eval,
and $where. If you do not use these operations, disable server-side scripting by using the --noscripting option
on the command line.
Use only the MongoDB wire protocol on production deployments. Do not enable the following, all of which enable
the web server interface: enabled, net.http.JSONPEnabled, and net.http.RESTInterfaceEnabled.
Leave these disabled, unless required for backwards compatibility.
Keep input validation enabled. MongoDB enables input validation by default through the wireObjectCheck
setting. This ensures that all documents stored by the mongod instance are valid BSON.
Consider Security Standards Compliance
For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security Reference Architec-
ture
20
to learn more about how you can use the key security capabilities to build compliant application infrastructure.
Contact MongoDB for Further Guidance
MongoDB Inc. provides a Security Technical Implementation Guide (STIG) upon request. Please request a copy
21
for
more information.
3.2 Network Security Tutorials
The following tutorials provide information on handling network security for MongoDB.
Congure Linux iptables Firewall for MongoDB (page 21) Basic rewall conguration patterns and examples for
iptables on Linux systems.
Congure Windows netsh Firewall for MongoDB (page 25) Basic rewall conguration patterns and examples for
netsh on Windows systems.
Congure mongod and mongos for SSL (page 28) SSL allows MongoDB clients to support encrypted connections
to mongod instances.
SSL Conguration for Clients (page 31) Congure clients to connect to MongoDB instances that use SSL.
Upgrade a Cluster to Use SSL (page 35) Rolling upgrade process to use SSL.
Congure MongoDB for FIPS (page 36) Congure for Federal Information Processing Standard (FIPS).
Congure Linux iptables Firewall for MongoDB
On contemporary Linux systems, the iptables program provides methods for managing the Linux Kernels
netfilter or network packet ltering capabilities. These rewall rules make it possible for administrators to
control what hosts can connect to the system, and limit risk exposure by limiting the hosts that can connect to a
system.
This document outlines basic rewall congurations for iptables rewalls on Linux. Use these approaches as a
starting point for your larger networking organization. For a detailed overview of security practices and risk manage-
ment for MongoDB, see Security Concepts (page 6).
See also:
20
http://info.mongodb.com/rs/mongodb/images/MongoDB_Security_Architecture_WP.pdf
21
http://www.mongodb.com/lp/contact/stig-requests
21
For MongoDB deployments on Amazons web services, see the Amazon EC2
22
page, which addresses Amazons
Security Groups and other EC2-specic security features.
Overview
Rules in iptables congurations fall into chains, which describe the process for ltering and processing specic
streams of trafc. Chains have an order, and packets must pass through earlier rules in a chain to reach later rules.
This document addresses only the following two chains:
INPUT Controls all incoming trafc.
OUTPUT Controls all outgoing trafc.
Given the default ports (page 12) of all MongoDB processes, you must congure networking rules that permit only
required communication between your application and the appropriate mongod and mongos instances.
Be aware that, by default, the default policy of iptables is to allow all connections and trafc unless explicitly
disabled. The conguration changes outlined in this document will create rules that explicitly allow trafc from
specic addresses and on specic ports, using a default policy that drops all trafc that is not explicitly allowed. When
you have properly congured your iptables rules to allow only the trafc that you want to permit, you can Change
Default Policy to DROP (page 24).
Patterns
This section contains a number of patterns and examples for conguring iptables for use with MongoDB deploy-
ments. If you have congured different ports using the port conguration setting, you will need to modify the rules
accordingly.
Trafc to and from mongod Instances This pattern is applicable to all mongod instances running as standalone
instances or as part of a replica set.
The goal of this pattern is to explicitly allow trafc to the mongod instance from the application server. In the
following examples, replace <ip-address> with the IP address of the application server:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
The rst rule allows all incoming trafc from<ip-address> on port 27017, which allows the application server to
connect to the mongod instance. The second rule, allows outgoing trafc from the mongod to reach the application
server.
Optional
If you have only one application server, you can replace <ip-address> with either the IP address itself, such as:
198.51.100.55. You can also express this using CIDR notation as 198.51.100.55/32. If you want to permit
a larger block of possible IP addresses you can allow trafc from a http://docs.mongodb.org/manual24
using one of the following specications for the <ip-address>, as follows:
10.10.10.10/24
10.10.10.10/255.255.255.0
22
http://docs.mongodb.org/ecosystem/platforms/amazon-ec2
22
Trafc to and from mongos Instances mongos instances provide query routing for sharded clusters. Clients
connect to mongos instances, which behave from the clients perspective as mongod instances. In turn, the mongos
connects to all mongod instances that are components of the sharded cluster.
Use the same iptables command to allow trafc to and from these instances as you would from the mongod
instances that are members of the replica set. Take the conguration outlined in the Trafc to and from mongod
Instances (page 22) section as an example.
Trafc to and from a MongoDB Cong Server Cong servers, host the cong database that stores metadata
for sharded clusters. Each production cluster has three cong servers, initiated using the mongod --configsvr
option.
23
Cong servers listen for connections on port 27019. As a result, add the following iptables rules to the
cong server to allow incoming and outgoing connection on port 27019, for connection to the other cong servers.
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27019 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27019 -m state --state ESTABLISHED -j ACCEPT
Replace <ip-address> with the address or address space of all the mongod that provide cong servers.
Additionally, cong servers need to allow incoming connections from all of the mongos instances in the cluster and
all mongod instances in the cluster. Add rules that resemble the following:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27019 -m state --state NEW,ESTABLISHED -j ACCEPT
Replace <ip-address> with the address of the mongos instances and the shard mongod instances.
Trafc to and from a MongoDB Shard Server For shard servers, running as mongod --shardsvr
24
Because
the default port number is 27018 when running with the shardsvr value for the clusterRole setting, you must
congure the following iptables rules to allow trafc to and from each shard:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27018 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT
Replace the <ip-address> specication with the IP address of all mongod. This allows you to permit incoming
and outgoing trafc between all shards including constituent replica set members, to:
all mongod instances in the shards replica sets.
all mongod instances in other shards.
25
Furthermore, shards need to be able make outgoing connections to:
all mongos instances.
all mongod instances in the cong servers.
Create a rule that resembles the following, and replace the <ip-address> with the address of the cong servers
and the mongos instances:
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT
Provide Access For Monitoring Systems
1. The mongostat diagnostic tool, when running with the --discover needs to be able to reach all compo-
nents of a cluster, including the cong servers, the shard servers, and the mongos instances.
23
You also can run a cong server by using the configsvr value for the clusterRole setting in a conguration le.
24
You can also specify the shard server option with the shardsvr value for the clusterRole setting in the conguration le. Shard members
are also often conventional replica sets using the default port.
25
All shards in a cluster need to be able to communicate with all other shards to facilitate chunk and balancing operations.
23
2. If your monitoring system needs access the HTTP interface, insert the following rule to the chain:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 28017 -m state --state NEW,ESTABLISHED -j ACCEPT
Replace <ip-address> with the address of the instance that needs access to the HTTP or REST interface.
For all deployments, you should restrict access to this port to only the monitoring instance.
Optional
For cong server mongod instances running with the shardsvr value for the clusterRole setting, the
rule would resemble the following:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 28018 -m state --state NEW,ESTABLISHED -j ACCEPT
For cong server mongod instances running with the configsvr value for the clusterRole setting, the
rule would resemble the following:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 28019 -m state --state NEW,ESTABLISHED -j ACCEPT
Change Default Policy to DROP
The default policy for iptables chains is to allowall trafc. After completing all iptables conguration changes,
you must change the default policy to DROP so that all trafc that isnt explicitly allowed as above will not be able to
reach components of the MongoDB deployment. Issue the following commands to change this policy:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Manage and Maintain iptables Conguration
This section contains a number of basic operations for managing and using iptables. There are various front end
tools that automate some aspects of iptables conguration, but at the core all iptables front ends provide the
same basic functionality:
Make all iptables Rules Persistent By default all iptables rules are only stored in memory. When your
system restarts, your rewall rules will revert to their defaults. When you have tested a rule set and have guaranteed
that it effectively controls trafc you can use the following operations to you should make the rule set persistent.
On Red Hat Enterprise Linux, Fedora Linux, and related distributions you can issue the following command:
service iptables save
On Debian, Ubuntu, and related distributions, you can use the following command to dump the iptables rules to
the /etc/iptables.conf le:
iptables-save > /etc/iptables.conf
Run the following operation to restore the network rules:
iptables-restore < /etc/iptables.conf
Place this command in your rc.local le, or in the /etc/network/if-up.d/iptables le with other
similar operations.
24
List all iptables Rules To list all of currently applied iptables rules, use the following operation at the system
shell.
iptables --L
Flush all iptables Rules If you make a conguration mistake when entering iptables rules or simply need to
revert to the default rule set, you can use the following operation at the system shell to ush all rules:
iptables --F
If youve already made your iptables rules persistent, you will need to repeat the appropriate procedure in the
Make all iptables Rules Persistent (page 24) section.
Congure Windows netsh Firewall for MongoDB
On Windows Server systems, the netsh program provides methods for managing the Windows Firewall. These
rewall rules make it possible for administrators to control what hosts can connect to the system, and limit risk
exposure by limiting the hosts that can connect to a system.
This document outlines basic Windows Firewall congurations. Use these approaches as a starting point for your
larger networking organization. For a detailed over view of security practices and risk management for MongoDB, see
Security Concepts (page 6).
See also:
Windows Firewall
26
documentation from Microsoft.
Overview
Windows Firewall processes rules in an ordered determined by rule type, and parsed in the following order:
1. Windows Service Hardening
2. Connection security rules
3. Authenticated Bypass Rules
4. Block Rules
5. Allow Rules
6. Default Rules
By default, the policy in Windows Firewall allows all outbound connections and blocks all incoming connections.
Given the default ports (page 12) of all MongoDB processes, you must congure networking rules that permit only
required communication between your application and the appropriate mongod.exe and mongos.exe instances.
The conguration changes outlined in this document will create rules which explicitly allow trafc from specic
addresses and on specic ports, using a default policy that drops all trafc that is not explicitly allowed.
You can congure the Windows Firewall with using the netsh command line tool or through a windows application.
On Windows Server 2008 this application is Windows Firewall With Advanced Security in Administrative Tools. On
previous versions of Windows Server, access the Windows Firewall application in the System and Security control
panel.
The procedures in this document use the netsh command line tool.
26
http://technet.microsoft.com/en-us/network/bb545423.aspx
25
Patterns
This section contains a number of patterns and examples for conguring Windows Firewall for use with MongoDB
deployments. If you have congured different ports using the port conguration setting, you will need to modify the
rules accordingly.
Trafc to and from mongod.exe Instances This pattern is applicable to all mongod.exe instances running as
standalone instances or as part of a replica set. The goal of this pattern is to explicitly allowtrafc to the mongod.exe
instance from the application server.
netsh advfirewall firewall add rule name="Open mongod port 27017" dir=in action=allow protocol=TCP localport=27017
This rule allows all incoming trafc to port 27017, which allows the application server to connect to the
mongod.exe instance.
Windows Firewall also allows enabling network access for an entire application rather than to a specic port, as in the
following example:
netsh advfirewall firewall add rule name="Allowing mongod" dir=in action=allow program=" C:\mongodb\bin\mongod.exe"
You can allow all access for a mongos.exe server, with the following invocation:
netsh advfirewall firewall add rule name="Allowing mongos" dir=in action=allow program=" C:\mongodb\bin\mongos.exe"
Trafc to and from mongos.exe Instances mongos.exe instances provide query routing for sharded clusters.
Clients connect to mongos.exe instances, which behave from the clients perspective as mongod.exe instances.
In turn, the mongos.exe connects to all mongod.exe instances that are components of the sharded cluster.
Use the same Windows Firewall command to allow trafc to and from these instances as you would from the
mongod.exe instances that are members of the replica set.
netsh advfirewall firewall add rule name="Open mongod shard port 27018" dir=in action=allow protocol=TCP localport=27018
Trafc to and from a MongoDB Cong Server Conguration servers, host the cong database that stores meta-
data for sharded clusters. Each production cluster has three conguration servers, initiated using the mongod
--configsvr option.
27
Conguration servers listen for connections on port 27019. As a result, add the fol-
lowing Windows Firewall rules to the cong server to allow incoming and outgoing connection on port 27019, for
connection to the other cong servers.
netsh advfirewall firewall add rule name="Open mongod config svr port 27019" dir=in action=allow protocol=TCP localport=27019
Additionally, cong servers need to allow incoming connections from all of the mongos.exe instances in the cluster
and all mongod.exe instances in the cluster. Add rules that resemble the following:
netsh advfirewall firewall add rule name="Open mongod config svr inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=27019
Replace <ip-address> with the addresses of the mongos.exe instances and the shard mongod.exe instances.
Trafc to and from a MongoDB Shard Server For shard servers, running as mongod --shardsvr
28
Because
the default port number is 27018 when running with the shardsvr value for the clusterRole setting, you must
congure the following Windows Firewall rules to allow trafc to and from each shard:
27
You also can run a cong server by using the configsrv value for the clusterRole setting in a conguration le.
28
You can also specify the shard server option with the shardsvr value for the clusterRole setting in the conguration le. Shard members
are also often conventional replica sets using the default port.
26
netsh advfirewall firewall add rule name="Open mongod shardsvr inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=27018
netsh advfirewall firewall add rule name="Open mongod shardsvr outbound" dir=out action=allow protocol=TCP remoteip=<ip-address> localport=27018
Replace the <ip-address> specication with the IP address of all mongod.exe instances. This allows you to
permit incoming and outgoing trafc between all shards including constituent replica set members to:
all mongod.exe instances in the shards replica sets.
all mongod.exe instances in other shards.
29
Furthermore, shards need to be able make outgoing connections to:
all mongos.exe instances.
all mongod.exe instances in the cong servers.
Create a rule that resembles the following, and replace the <ip-address> with the address of the cong servers
and the mongos.exe instances:
netsh advfirewall firewall add rule name="Open mongod config svr outbound" dir=out action=allow protocol=TCP remoteip=<ip-address> localport=27018
Provide Access For Monitoring Systems
1. The mongostat diagnostic tool, when running with the --discover needs to be able to reach all compo-
nents of a cluster, including the cong servers, the shard servers, and the mongos.exe instances.
2. If your monitoring system needs access the HTTP interface, insert the following rule to the chain:
netsh advfirewall firewall add rule name="Open mongod HTTP monitoring inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=28017
Replace <ip-address> with the address of the instance that needs access to the HTTP or REST interface.
For all deployments, you should restrict access to this port to only the monitoring instance.
Optional
For cong server mongod instances running with the shardsvr value for the clusterRole setting, the
rule would resemble the following:
netsh advfirewall firewall add rule name="Open mongos HTTP monitoring inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=28018
For cong server mongod instances running with the configsvr value for the clusterRole setting, the
rule would resemble the following:
netsh advfirewall firewall add rule name="Open mongod configsvr HTTP monitoring inbound" dir=in action=allow protocol=TCP remoteip=<ip-address> localport=28019
Manage and Maintain Windows Firewall Congurations
This section contains a number of basic operations for managing and using netsh. While you can use the GUI front
ends to manage the Windows Firewall, all core functionality is accessible is accessible from netsh.
Delete all Windows Firewall Rules To delete the rewall rule allowing mongod.exe trafc:
netsh advfirewall firewall delete rule name="Open mongod port 27017" protocol=tcp localport=27017
netsh advfirewall firewall delete rule name="Open mongod shard port 27018" protocol=tcp localport=27018
29
All shards in a cluster need to be able to communicate with all other shards to facilitate chunk and balancing operations.
27
List All Windows Firewall Rules To return a list of all Windows Firewall rules:
netsh advfirewall firewall show rule name=all
Reset Windows Firewall To reset the Windows Firewall rules:
netsh advfirewall reset
Backup and Restore Windows Firewall Rules To simplify administration of larger collection of systems, you can
export or import rewall systems from different servers) rules very easily on Windows:
Export all rewall rules with the following command:
netsh advfirewall export "C:\temp\MongoDBfw.wfw"
Replace "C:\temp\MongoDBfw.wfw" with a path of your choosing. You can use a command in the following
form to import a le created using this operation:
netsh advfirewall import "C:\temp\MongoDBfw.wfw"
Congure mongod and mongos for SSL
This document helps you to congure MongoDB to support SSL. MongoDB clients can use SSL to encrypt connec-
tions to mongod and mongos instances.
Note: The default distribution of MongoDB
30
does not contain support for SSL. To use SSL, you must either build
MongoDB locally passing the --ssl option to scons or use MongoDB Enterprise
31
.
These instructions assume that you have already installed a build of MongoDB that includes SSL support and that your
client driver supports SSL. For instructions on upgrading a cluster currently not using SSL to using SSL, see Upgrade
a Cluster to Use SSL (page 35).
Changed in version 2.6: MongoDBs SSL encryption only allows use of strong SSL ciphers with a minimum of
128-bit key length for all connections. MongoDB Enterprise for Windows includes support for SSL.
See also:
SSL Conguration for Clients (page 31) to learn about SSL support for Python, Java, Ruby, and other clients.
.pem File
Before you can use SSL, you must have a .pem le containing a public key certicate and its associated private key.
MongoDB can use any valid SSL certicate issued by a certicate authority, or a self-signed certicate. If you use a
self-signed certicate, although the communications channel will be encrypted, there will be no validation of server
identity. Although such a situation will prevent eavesdropping on the connection, it leaves you vulnerable to a man-in-
the-middle attack. Using a certicate signed by a trusted certicate authority will permit MongoDB drivers to verify
the servers identity.
In general, avoid using self-signed certicates unless the network is trusted.
Additionally, with regards to authentication among replica set/sharded cluster members (page 8), in order to minimize
exposure of the private key and allow hostname validation, it is advisable to use different certicates on different
servers.
30
http://www.mongodb.org/downloads
31
http://www.mongodb.com/products/mongodb-enterprise
28
For testing purposes, you can generate a self-signed certicate and private key on a Unix system with a command that
resembles the following:
cd /etc/ssl/
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
This operation generates a new, self-signed certicate with no passphrase that is valid for 365 days. Once you have
the certicate, concatenate the certicate and private key to a .pem le, as in the following example:
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
See also:
Use x.509 Certicates to Authenticate Clients (page 45)
Set Up mongod and mongos with SSL Certicate and Key
To use SSL in your MongoDB deployment, include the following run-time options with mongod and mongos:
net.ssl.mode set to requireSSL. This setting restricts each server to use only SSL encrypted connections.
You can also specify either the value allowSSL or preferSSL to set up the use of mixed SSL modes on a
port. See net.ssl.mode for details.
PEMKeyfile with the .pem le that contains the SSL certicate and key.
Consider the following syntax for mongod:
mongod --sslMode requireSSL --sslPEMKeyFile <pem>
For example, given an SSL certicate located at /etc/ssl/mongodb.pem, congure mongod to use SSL encryp-
tion for all connections with the following command:
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
Note:
Specify <pem> with the full path name to the certicate.
If the private key portion of the <pem> is encrypted, specify the passphrase. See SSL Certicate Passphrase
(page 31).
You may also specify these options in the configuration file, as in the following example:
sslMode = requireSSL
sslPEMKeyFile = /etc/ssl/mongodb.pem
To connect, to mongod and mongos instances using SSL, the mongo shell and MongoDB tools must include the
--ssl option. See SSL Conguration for Clients (page 31) for more information on connecting to mongod and
mongos running with SSL.
See also:
Upgrade a Cluster to Use SSL (page 35)
Set Up mongod and mongos with Certicate Validation
To set up mongod or mongos for SSL encryption using an SSL certicate signed by a certicate authority, include
the following run-time options during startup:
29
net.ssl.mode set to requireSSL. This setting restricts each server to use only SSL encrypted connections.
You can also specify either the value allowSSL or preferSSL to set up the use of mixed SSL modes on a
port. See net.ssl.mode for details.
PEMKeyfile with the name of the .pem le that contains the signed SSL certicate and key.
CAFile with the name of the .pem le that contains the root certicate chain from the Certicate Authority.
Consider the following syntax for mongod:
mongod --sslMode requireSSL --sslPEMKeyFile <pem> --sslCAFile <ca>
For example, given a signed SSL certicate located at /etc/ssl/mongodb.pem and the certicate authority le
at /etc/ssl/ca.pem, you can congure mongod for SSL encryption as follows:
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem
Note:
Specify the <pem> le and the <ca> le with either the full path name or the relative path name.
If the <pem> is encrypted, specify the passphrase. See SSL Certicate Passphrase (page 31).
You may also specify these options in the configuration file, as in the following example:
sslMode = requireSSL
sslPEMKeyFile = /etc/ssl/mongodb.pem
sslCAFile = /etc/ssl/ca.pem
To connect, to mongod and mongos instances using SSL, the mongo tools must include the both the --ssl and
--sslPEMKeyFile option. See SSL Conguration for Clients (page 31) for more information on connecting to
mongod and mongos running with SSL.
See also:
Upgrade a Cluster to Use SSL (page 35)
Block Revoked Certicates for Clients To prevent clients with revoked certicates from connecting, include the
sslCRLFile to specify a .pem le that contains revoked certicates.
For example, the following mongod with SSL conguration includes the sslCRLFile setting:
mongod --sslMode requireSSL --sslCRLFile /etc/ssl/ca-crl.pem --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem
Clients with revoked certicates in the /etc/ssl/ca-crl.pem will not be able to connect to this mongod in-
stance.
Validate Only if a Client Presents a Certicate In most cases it is important to ensure that clients present valid
certicates. However, if you have clients that cannot present a client certicate, or are transitioning to using a certicate
authority you may only want to validate certicates from clients that present a certicate.
If you want to bypass validation for clients that dont present certicates, include the
weakCertificateValidation run-time option with mongod and mongos. If the client does not present a
certicate, no validation occurs. These connections, though not validated, are still encrypted using SSL.
For example, consider the following mongod with an SSL conguration that includes the
weakCertificateValidation setting:
mongod --sslMode requireSSL --sslWeakCertificateValidation --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem
30
Then, clients can connect either with the option --ssl and no certicate or with the option --ssl and a valid
certicate. See SSL Conguration for Clients (page 31) for more information on SSL connections for clients.
Note: If the client presents a certicate, the certicate must be a valid certicate.
All connections, including those that have not presented certicates are encrypted using SSL.
SSL Certicate Passphrase
The PEM les for PEMKeyfile and ClusterFile may be encrypted. With encrypted PEM les, you must specify
the passphrase at startup with a command-line or a conguration le option or enter the passphrase when prompted.
Changed in version 2.6: In previous versions, you can only specify the passphrase with a command-line or a congu-
ration le option.
To specify the passphrase in clear text on the command line or in a conguration le, use the PEMKeyPassword
and/or the ClusterPassword option.
To have MongoDB prompt for the passphrase at the start of mongod or mongos and avoid specifying the passphrase
in clear text, omit the PEMKeyPassword and/or the ClusterPassword option. MongoDB will prompt for each
passphrase as necessary.
Important: The passphrase prompt option is available if you run the MongoDB instance in the foreground with
a connected terminal. If you run mongod or mongos in a non-interactive session (e.g. without a terminal or as a
service on Windows), you cannot use the passphrase prompt option.
Run in FIPS Mode
See Congure MongoDB for FIPS (page 36) for more details.
SSL Conguration for Clients
Clients must have support for SSL to work with a mongod or a mongos instance that has SSL support enabled. The
current versions of the Python, Java, Ruby, Node.js, .NET, and C++ drivers have support for SSL, with full support
coming in future releases of other drivers.
See also:
Congure mongod and mongos for SSL (page 28).
mongo Shell SSL Conguration
For SSL connections, you must use the mongo shell built with SSL support or distributed with MongoDB Enterprise.
To support SSL, mongo has the following settings:
--ssl
--sslPEMKeyFile with the name of the .pem le that contains the SSL certicate and key.
--sslCAFile with the name of the .pem le that contains the certicate from the Certicate Authority (CA).
31
Warning: If the mongo shell or any other tool that connects to mongos or mongod is run without
--sslCAFile, it will not attempt to validate server certicates. This results in vulnerability to expired
mongod and mongos certicates as well as to foreign processes posing as valid mongod or mongos
instances. Ensure that you always specify the CA le against which server certicates should be validated
in cases where intrusion is a possibility.
--sslPEMKeyPassword option if the client certicate-key le is encrypted.
Connect to MongoDB Instance with SSL Encryption To connect to a mongod or mongos instance that requires
only a SSL encryption mode (page 29), start mongo shell with --ssl, as in the following:
mongo --ssl
Connect to MongoDB Instance that Requires Client Certicates To connect to a mongod or mongos that re-
quires CA-signed client certicates (page 29), start the mongo shell with --ssl and the --sslPEMKeyFile option
to specify the signed certicate-key le, as in the following:
mongo --ssl --sslPEMKeyFile /etc/ssl/client.pem
Connect to MongoDB Instance that Validates when Presented with a Certicate To connect to a mongod or
mongos instance that only requires valid certicates when the client presents a certicate (page 30), start mongo
shell either with the --ssl ssl and no certicate or with the --ssl ssl and a valid signed certicate.
For example, if mongod is running with weak certicate validation, both of the following mongo shell clients can
connect to that mongod:
mongo --ssl
mongo --ssl --sslPEMKeyFile /etc/ssl/client.pem
Important: If the client presents a certicate, the certicate must be valid.
MMS Monitoring Agent
The Monitoring agent will also have to connect via SSL in order to gather its stats. Because the agent already utilizes
SSL for its communications to the MMS servers, this is just a matter of enabling SSL support in MMS itself on a per
host basis.
Use the Edit host button (i.e. the pencil) on the Hosts page in the MMS console to enable SSL.
Please see the MMS documentation
32
for more information about MMS conguration.
PyMongo
Add the ssl=True parameter to a PyMongo MongoClient
33
to create a MongoDB connection to an SSL Mon-
goDB instance:
from pymongo import MongoClient
c = MongoClient(host="mongodb.example.net", port=27017, ssl=True)
32
http://mms.mongodb.com/help
33
http://api.mongodb.org/python/current/api/pymongo/mongo_client.html#pymongo.mongo_client.MongoClient
32
To connect to a replica set, use the following operation:
from pymongo import MongoReplicaSetClient
c = MongoReplicaSetClient("mongodb.example.net:27017",
replicaSet="mysetname", ssl=True)
PyMongo also supports an ssl=true option for the MongoDB URI:
mongodb://mongodb.example.net:27017/?ssl=true
For more details, see the Python MongoDB Driver page
34
.
Java
Consider the following example SSLApp.java class le:
import com.mongodb.
*
;
import javax.net.ssl.SSLSocketFactory;
public class SSLApp {
public static void main(String args[]) throws Exception {
MongoClientOptions o = new MongoClientOptions.Builder()
.socketFactory(SSLSocketFactory.getDefault())
.build();
MongoClient m = new MongoClient("localhost", o);
DB db = m.getDB( "test" );
DBCollection c = db.getCollection( "foo" );
System.out.println( c.findOne() );
}
}
For more details, see the Java MongoDB Driver page
35
.
Ruby
The recent versions of the Ruby driver have support for connections to SSL servers. Install the latest version of the
driver with the following command:
gem install mongo
Then connect to a standalone instance, using the following form:
require 'rubygems'
require 'mongo'
connection = MongoClient.new('localhost', 27017, :ssl => true)
Replace connection with the following if youre connecting to a replica set:
34
http://docs.mongodb.org/ecosystem/drivers/python
35
http://docs.mongodb.org/ecosystem/drivers/java
33
connection = MongoReplicaSetClient.new(['localhost:27017'],
['localhost:27018'],
:ssl => true)
Here, mongod instance run on localhost:27017 and localhost:27018.
For more details, see the Ruby MongoDB Driver page
36
.
Node.JS (node-mongodb-native)
In the node-mongodb-native
37
driver, use the following invocation to connect to a mongod or mongos instance via
SSL:
var db1 = new Db(MONGODB, new Server("127.0.0.1", 27017,
{ auto_reconnect: false, poolSize:4, ssl:true } );
To connect to a replica set via SSL, use the following form:
var replSet = new ReplSetServers( [
new Server( RS.host, RS.ports[1], { auto_reconnect: true } ),
new Server( RS.host, RS.ports[0], { auto_reconnect: true } ),
],
{rs_name:RS.name, ssl:true}
);
For more details, see the Node.JS MongoDB Driver page
38
.
.NET
As of release 1.6, the .NET driver supports SSL connections with mongod and mongos instances. To connect using
SSL, you must add an option to the connection string, specifying ssl=true as follows:
var connectionString = "mongodb://localhost/?ssl=true";
var server = MongoServer.Create(connectionString);
The .NET driver will validate the certicate against the local trusted certicate store, in addition to providing en-
cryption of the server. This behavior may produce issues during testing if the server uses a self-signed certicate. If
you encounter this issue, add the sslverifycertificate=false option to the connection string to prevent the
.NET driver from validating the certicate, as follows:
var connectionString = "mongodb://localhost/?ssl=true&sslverifycertificate=false";
var server = MongoServer.Create(connectionString);
For more details, see the .NET MongoDB Driver page
39
.
MongoDB Tools
Changed in version 2.6.
Various MongoDB utility programs supports SSL. These tools include:
mongodump
36
http://docs.mongodb.org/ecosystem/drivers/ruby
37
https://github.com/mongodb/node-mongodb-native
38
http://docs.mongodb.org/ecosystem/drivers/node-js
39
http://docs.mongodb.org/ecosystem/drivers/csharp
34
mongoexport
mongofiles
mongoimport
mongooplog
mongorestore
mongostat
mongotop
To use SSL connections with these tools, use the same SSL options as the mongo shell. See mongo Shell SSL
Conguration (page 31).
Upgrade a Cluster to Use SSL
Note: The default distribution of MongoDB
40
does not contain support for SSL. To use SSL you can either compile
MongoDB with SSL support or use MongoDB Enterprise. See Congure mongod and mongos for SSL (page 28) for
more information about SSL and MongoDB.
Changed in version 2.6.
The MongoDB server supports listening for both SSL encrypted and unencrypted connections on the same TCP port.
This allows upgrades of MongoDB clusters to use SSL encrypted connections. To upgrade from a MongoDB cluster
using no SSL encryption to one using only SSL encryption, use the following rolling upgrade process:
1. For each node of a cluster, start the node with the option --sslMode set to allowSSL. The --sslMode
allowSSL setting allows the node to accept both SSL and non-SSL incoming connections. Its connections to
other servers do not use SSL. Include other SSL options (page 28) as well as any other options that are required
for your specic conguration. For example:
mongod --replSet <name> --sslMode allowSSL --sslPEMKeyFile <path to SSL Certificate and key PEM file> --sslCAFile <path to root CA PEM file>
Upgrade all nodes of the cluster to these settings.
Note: You may also specify these options in the configuration file, as in the following example:
sslMode = <disabled|allowSSL|preferSSL|requireSSL>
sslPEMKeyFile = <path to SSL certificate and key PEM file>
sslCAFile = <path to root CA PEM file>
2. Switch all clients to use SSL. See SSL Conguration for Clients (page 31).
3. For each node of a cluster, use the setParameter command to update the sslMode to preferSSL.
41
With preferSSL as its net.ssl.mode, the node accepts both SSL and non-SSL incoming connections,
and its connections to other servers use SSL. For example:
db.getSiblingDB('admin').runCommand( { setParameter: 1, sslMode: "preferSSL" } )
Upgrade all nodes of the cluster to these settings.
At this point, all connections should be using SSL.
40
http://www.mongodb.org/downloads
41
As an alternative to using the setParameter command, you can also restart the nodes with the appropriate SSL options and values.
35
4. For each node of the cluster, use the setParameter command to update the sslMode to requireSSL.
1
With requireSSL as its net.ssl.mode, the node will reject any non-SSL connections. For example:
db.getSiblingDB('admin').runCommand( { setParameter: 1, sslMode: "requireSSL" } )
5. After the upgrade of all nodes, edit the configuration file with the appropriate SSL settings to ensure
that upon subsequent restarts, the cluster uses SSL.
Congure MongoDB for FIPS
New in version 2.6.
Overview
The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify
software modules and libraries that encrypt and decrypt data securely. You can congure MongoDB to run with a
FIPS 140-2 certied library for OpenSSL. Congure FIPS to run by default or as needed from the command line.
Prerequisites
Only the MongoDB Enterprise
42
version supports FIPS mode. Download and install MongoDB Enterprise
43
to use
FIPS mode.
Your system must have an OpenSSL library congured with the FIPS 140-2 module. At the command line, type
openssl version to conrm your OpenSSL software includes FIPS support.
For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as CentOS 6.x, the OpenSSL toolkit must be
at least openssl-1.0.1e-16.el6_5 to use FIPS mode. To upgrade the toolkit for these platforms, issue the
following command:
sudo yum update openssl
Some versions of Linux periodically execute a process to prelink dynamic libraries with pre-assigned addresses. This
process modies the OpenSSL libraries, specically libcrypto. The OpenSSL FIPS mode will subsequently fail
the signature check performed upon startup to ensure libcrypto has not been modied since compilation.
To congure the Linux prelink process to not prelink libcrypto:
sudo bash -c "echo '-b /usr/lib64/libcrypto.so.
*
' >>/etc/prelink.conf.d/openssl-prelink.conf"
Procedure
Congure MongoDBto use SSL See Congure mongod and mongos for SSL (page 28) for details about conguring
OpenSSL.
Run mongod or mongos instance in FIPS mode Perform these steps after you Congure mongod and mongos
for SSL (page 28).
42
http://www.mongodb.com/products/mongodb-enterprise
43
http://www.mongodb.com/products/mongodb-enterprise
36
Step 1: Change conguration le. To congure your mongod or mongos instance to use FIPS mode, shut down
the instance and update the conguration le with the following setting:
net:
ssl:
FIPSMode: true
Step 2: Start mongod or mongos instance with conguration le. For example, run this command to start the
mongod instance with its conguration le:
mongod --config /etc/mongodb.conf
For more information about conguration les, see http://docs.mongodb.org/manualreference/configuration-options.
Conrm FIPS mode is running Check the server log le for a message FIPS is active:
FIPS 140-2 mode activated
3.3 Security Deployment Tutorials
The following tutorials provide information in deploying MongoDB using authentication and authorization.
Deploy Replica Set and Congure Authentication and Authorization (page 37) Congure a replica set that has au-
thentication enabled.
Deploy Replica Set and Congure Authentication and Authorization
Overview
With authentication (page 6) enabled, MongoDB forces all clients to identify themselves before granting access to the
server. Authorization (page 9), in turn, allows administrators to dene and limit the resources and operations that a
user can access. Using authentication and authorization is a key part of a complete security strategy.
All MongoDB deployments support authentication. By default, MongoDB does not require authorization checking.
You can enforce authorization checking when deploying MongoDB, or on an existing deployment; however, you
cannot enable authorization checking on a running deployment without downtime.
This tutorial provides a procedure for creating a MongoDB replica set that uses the challenge-response authen-
tication mechanism. The tutorial includes creation of a minimal authorization system to support basic operations.
Considerations
Authentication In this procedure, you will congure MongoDB using the default challenge-response authentication
mechanism, using the keyFile to supply the password for inter-process authentication (page 8). The content of the
key le is the shared secret used for all internal authentication.
All deployments that enforce authorization checking should have one user administrator user that can create new users
and modify existing users. During this procedure you will create a user administrator that you will use to administer
this deployment.
37
Architecture In a production, deploy each member of the replica set to its own machine and if possible bind to the
standard MongoDB port of 27017. Use the bind_ip option to ensure that MongoDB listens for connections from
applications on congured addresses.
For a geographically distributed replica sets, ensure that the majority of the sets mongod instances reside in the
primary site.
See http://docs.mongodb.org/manualcore/replica-set-architectures for more information.
Connectivity Ensure that network trafc can pass between all members of the set and all clients in the network
securely and efciently. Consider the following:
Establish a virtual private network. Ensure that your network topology routes all trafc between members within
a single site over the local area network.
Congure access control to prevent connections from unknown clients to the replica set.
Congure networking and rewall rules so that incoming and outgoing packets are permitted only on the default
MongoDB port and only from within your deployment.
Finally ensure that each member of a replica set is accessible by way of resolvable DNS or hostnames. You should
either congure your DNS names appropriately or set up your systems /etc/hosts le to reect this conguration.
Conguration Specify the run time conguration on each system in a configuration file stored in
/etc/mongodb.conf or a related location. Create the directory where MongoDB stores data les before de-
ploying MongoDB.
For more information about the run time options used above and other conguration options, see
http://docs.mongodb.org/manualreference/configuration-options.
Procedure
This procedure deploys a replica set in which all members use the same key le.
Step 1: Start one member of the replica set. This mongod should not enable auth.
Step 2: Create administrative users. The following operations will create two users: a user administrator that will
be able to create and modify users (siteUserAdmin), and a root (page 93) user (siteRootAdmin) that you
will use to complete the remainder of the tutorial:
use admin
db.createUser( {
user: "siteUserAdmin",
pwd: "<password>",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
});
db.createUser( {
user: "siteRootAdmin",
pwd: "<password>",
roles: [ { role: "root", db: "admin" } ]
});
Step 3: Stop the mongod instance.
38
Step 4: Create the key le to be used by each member of the replica set. Create the key le your deployment will
use to authenticate servers to each other.
To generate pseudo-random data to use for a keyfile, issue the following openssl command:
openssl rand -base64 741 > mongodb-keyfile
chmod 600 mongodb-keyfile
You may generate a key le using any method you choose. Always ensure that the password stored in the key le is
both long and contains a high amount of entropy. Using openssl in this manner helps generate such a key.
Step 5: Copy the key le to each member of the replica set. Copy the mongodb-keyfile to all hosts where
components of a MongoDB deployment run. Set the permissions of these les to 600 so that only the owner of the
le can read or write this le to prevent other users on the system from accessing the shared secret.
Step 6: Start each member of the replica set with the appropriate options. For each member, start a mongod
and specify the key le and the name of the replica set. Also specify other parameters as needed for your deployment.
For replication-specic parameters, see cli-mongod-replica-set required by your deployment.
If your application connects to more than one replica set, each set should have a distinct name. Some drivers group
replica set connections by replica set name.
The following example species parameters through the --keyFile and --replSet command-line options:
mongod --keyFile /mysecretdirectory/mongodb-keyfile --replSet "rs0"
The following example species parameters through a conguration le:
mongod --config $HOME/.mongodb/config
In production deployments, you can congure a control script to manage this process. Control scripts are beyond the
scope of this document.
Step 7: Connect to the member of the replica set where you created the administrative users. Connect to
the replica set member you started and authenticate as the siteRootAdmin user. From the mongo shell, use the
following operation to authenticate:
use admin
db.auth("siteRootAdmin", "<password>");
Step 8: Initiate the replica set. Use rs.initiate():
rs.initiate()
MongoDB initiates a set that consists of the current member and that uses the default replica set conguration.
Step 9: Verify the initial replica set conguration. Use rs.conf() to display the replica set
configuration object:
rs.conf()
The replica set conguration object resembles the following:
39
{
"_id" : "rs0",
"version" : 1,
"members" : [
{
"_id" : 1,
"host" : "mongodb0.example.net:27017"
}
]
}
Step 10: Add the remaining members to the replica set. Add the remaining members with the rs.add()
method.
The following example adds two members:
rs.add("mongodb1.example.net")
rs.add("mongodb2.example.net")
When complete, you have a fully functional replica set. The new replica set will elect a primary.
Step 11: Check the status of the replica set. Use the rs.status() operation:
rs.status()
Step 12: Create additional users to address operational requirements. You can use built-in roles (page 86) to
create common types of database users, such as the dbOwner (page 88) role to create a database administrator, the
readWrite (page 86) role to create a user who can update data, or the read (page 86) role to create user who can
search data but no more. You also can dene custom roles (page 10).
For example, the following creates a database administrator for the products database:
use products
db.createUser(
{
user: "productsDBAdmin",
pwd: "password",
roles:
[
{
role: "dbOwner",
db: "products"
}
]
}
)
For an overview of roles and privileges, see Authorization (page 9). For more information on adding users, see Add a
User to a Database (page 69).
3.4 Access Control Tutorials
The following tutorials provide instructions for MongoDBs authentication and authorization related features.
40
Enable Client Access Control (page 41) Describes the process for enabling authentication for MongoDB deploy-
ments.
Enable Authentication in a Sharded Cluster (page 43) Control access to a sharded cluster through a key le and the
keyFile setting on each of the clusters components.
Enable Authentication after Creating the User Administrator (page 44) Describes an alternative process for en-
abling authentication for MongoDB deployments.
Use x.509 Certicates to Authenticate Clients (page 45) Use x.509 for client authentication.
Use x.509 Certicate for Membership Authentication (page 47) Use x.509 for internal member authentication for
replica sets and sharded clusters.
Authenticate Using SASL and LDAP with ActiveDirectory (page 50) Describes the process for authentication using
SASL/LDAP with ActiveDirectory.
Authenticate Using SASL and LDAP with OpenLDAP (page 53) Describes the process for authentication using
SASL/LDAP with OpenLDAP.
Congure MongoDB with Kerberos Authentication on Linux (page 56) For MongoDB Enterprise Linux, describes
the process to enable Kerberos-based authentication for MongoDB deployments.
Congure MongoDB with Kerberos Authentication on Windows (page 59) For MongoDB Enterprise for Windows,
describes the process to enable Kerberos-based authentication for MongoDB deployments.
Authenticate to a MongoDB Instance or Cluster (page 61) Describes the process for authenticating to MongoDB
systems using the mongo shell.
Generate a Key File (page 62) Use key le to allow the components of MongoDB sharded cluster or replica set to
mutually authenticate.
Troubleshoot Kerberos Authentication on Linux (page 62) Steps to troubleshoot Kerberos-based authentication for
MongoDB deployments.
Implement Field Level Redaction (page 64) Describes the process to set up and access document content that can
have different access levels for the same data.
Enable Client Access Control
Overview
Enabling access control on a MongoDB instance restricts access to the instance by requiring that users identify them-
selves when connecting. In this procedure, you enable access control and then create the instances rst user, which
must be a user administrator. The user administrator grants further access to the instance by creating additional users.
Considerations
If you create the user administrator before enabling access control, MongoDBdisables the localhost exception (page 9).
In that case, you must use the Enable Authentication after Creating the User Administrator (page 44) procedure to
enable access control.
This procedure uses the localhost exception (page 9) to allow you to create the rst user after enabling authentication.
See Localhost Exception (page 9) and Authentication (page 6) for more information.
41
Procedure
Step 1: Start the MongoDB instance with authentication enabled. Start the mongod or mongos instance with
the authorization or keyFile setting. Use authorization on a standalone instance. Use keyFile on an
instance in a replica set or sharded cluster.
For example, to start a mongod with authentication enabled and a key le stored in
http://docs.mongodb.org/manualprivate/var, rst set the following option in the mongods
conguration le:
security:
keyFile: /private/var/key.pem
Then start the mongod and specify the cong le. For example:
mongod --config /etc/mongodb/mongodb.conf
After you enable authentication, only the user administrator can connect to the MongoDB instance. The user admin-
istrator must log in and grant further access to the instance by creating additional users.
Step 2: Connect to the MongoDB instance via the localhost exception. Connect to the MongoDB instance from
a client running on the same system. This access is made possible by the localhost exception (page 9).
Step 3: Create the system user administrator. Add the user with the userAdminAnyDatabase (page 92) role,
and only that role.
The following example creates the user siteUserAdmin user on the admin database:
use admin
db.createUser(
{
user: "siteUserAdmin",
pwd: "password",
roles:
[
{
role: "userAdminAnyDatabase",
db: "admin"
}
]
}
)
After you create the user administrator, the localhost exception (page 9) is no longer available.
Step 4: Create additional users. Login in with the user administrators credentials and create additional users. See
Add a User to a Database (page 69).
Next Steps
If you need to disable access control for any reason, restart the process without the authorization or keyFile
setting.
42
Enable Authentication in a Sharded Cluster
New in version 2.0: Support for authentication with sharded clusters.
Overview
When authentication is enabled on a sharded cluster every client that accesses the cluster must provide credentials.
This includes MongoDB instances that access each other within the cluster.
To enable authentication on a sharded cluster, you must enable authentication individually on each component of the
cluster. This means enabling authentication on each mongos and each mongod, including each cong server, and all
members of a shards replica set.
Authentication requires an authentication mechanism and, in most cases, a key file. The content of the key le
must be the same on all cluster members.
Procedure
Step 1: Create a key le. Create the key le your deployment will use to authenticate servers to each other.
To generate pseudo-random data to use for a keyfile, issue the following openssl command:
openssl rand -base64 741 > mongodb-keyfile
chmod 600 mongodb-keyfile
You may generate a key le using any method you choose. Always ensure that the password stored in the key le is
both long and contains a high amount of entropy. Using openssl in this manner helps generate such a key.
Step 2: Enable authentication on each component in the cluster. On each mongos and mongod in the cluster,
including all cong servers and shards, specify the key le using one of the following approaches:
Specify the key le in the conguration le. In the conguration le, set the keyFile option to the key les path
and then start the component, as in the following example:
security:
keyFile: /srv/mongodb/keyfile
Specify the key le at runtime. When starting the component, set the --keyFile option, which is an option
for both mongos instances and mongod instances. Set the --keyFile to the key les path. The keyFile
setting implies the authorization setting, which means in most cases you do not need to set authorization
explicitly.
Step 3: Add users. While connected to a mongos, add the rst administrative user and then add subsequent users.
See Create a User Administrator (page 67).
Related Documents
Authentication (page 6)
Security (page 3)
Use x.509 Certicate for Membership Authentication (page 47)
43
Enable Authentication after Creating the User Administrator
Overview
Enabling authentication on a MongoDB instance restricts access to the instance by requiring that users identify them-
selves when connecting. In this procedure, you will create the instances rst user, which must be a user administrator
and then enable authentication. Then, you can authenticate as the user administrator to create additional users and
grant additional access to the instance.
This procedures outlines how enable authentication after creating the user administrator. The approach requires a
restart. To enable authentication without restarting, see Enable Client Access Control (page 41).
Considerations
This document outlines a procedure for enabling authentication for MongoDB instance where you create the rst
user on an existing MongoDB system that does not require authentication before restarting the instance and requiring
authentication. You can use the localhost exception (page 9) to gain access to a system with no users and authentication
enabled. See Enable Client Access Control (page 41) for the description of that procedure.
Procedure
Step 1: Start the MongoDB instance without authentication. Start the mongod or mongos instance without the
authorization or keyFile setting. For example:
mongod --port 27017 --dbpath /data/db1
For details on starting a mongod or mongos, see http://docs.mongodb.org/manualtutorial/manage-mongodb-processes
or http://docs.mongodb.org/manualtutorial/deploy-shard-cluster.
Step 2: Create the system user administrator. Add the user with the userAdminAnyDatabase (page 92) role,
and only that role.
The following example creates the user siteUserAdmin user on the admin database:
use admin
db.createUser(
{
user: "siteUserAdmin",
pwd: "password",
roles:
[
{
role: "userAdminAnyDatabase",
db: "admin"
}
]
}
)
Step 3: Re-start the MongoDB instance with authentication enabled. Re-start the mongod or mongos instance
with the authorization or keyFile setting. Use authorization on a standalone instance. Use keyFile
on an instance in a replica set or sharded cluster.
44
The following example enables authentication on a standalone mongod using the authorization command-line
option:
mongod --auth --config /etc/mongodb/mongodb.conf
Step 4: Create additional users. Log in with the user administrators credentials and create additional users. See
Add a User to a Database (page 69).
Next Steps
If you need to disable authentication for any reason, restart the process without the authorization or keyFile
option.
Use x.509 Certicates to Authenticate Clients
New in version 2.6.
MongoDB supports x.509 certicate authentication for use with a secure SSL connection (page 28). The x.509 client
authentication allows clients to authenticate to servers with certicates (page 45) rather than with a username and
password.
To use x.509 authentication for the internal authentication of replica set/sharded cluster members, see Use x.509
Certicate for Membership Authentication (page 47).
Client x.509 Certicate
The client certicate must have the following properties:
A single Certicate Authority (CA) must issue the certicates for both the client and the server.
Client certicates must contain the following elds:
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
A client x.509 certicates subject, which contains the Distinguished Name (DN), must differ from that of a
Member x.509 Certicate (page 47) to prevent client certicates from identifying the client as a cluster member
and granting full permission on the system. Specically, the subjects must differ with regards to at least one of
the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC).
Each unique MongoDB user must have a unique certicate.
Congure MongoDB Server
Use Command-line Options You can congure the MongoDB server from the command line, e.g.:
mongod --sslMode requireSSL --sslPEMKeyFile <path to SSL certificate and key PEM file> --sslCAFile <path to root CA PEM file>
Warning: If the --sslCAFile option and its target le are not specied, x.509 client and member authenti-
cation will not function. mongod, and mongos in sharded systems, will not be able to verify the certicates of
processes connecting to it against the trusted certicate authority (CA) that issued them, breaking the certicate
chain.
As of version 2.6.4, mongod will not start with x.509 authentication enabled if the CA le is not specied.
45
Use Conguration File You may also specify these options in the configuration file.
Starting in MongoDB 2.6, you can specify the conguration for MongoDB in YAML format, e.g.:
net:
ssl:
mode: requireSSL
PEMKeyFile: <path to SSL certificate and key PEM file>
CAFile: <path to root CA PEM file>
For backwards compatibility, you can also specify the conguration using the older conguration le format
44
, e.g.:
sslMode = requireSSL
sslPEMKeyFile = <path to SSL certificate and key PEM file>
sslCAFile = <path to the root CA PEM file>
Include any additional options, SSL or otherwise, that are required for your specic conguration.
Add x.509 Certicate subject as a User
To authenticate with a client certicate, you must rst add the value of the subject from the client certicate as a
MongoDB user. Each unique x.509 client certicate corresponds to a single MongoDB user; i.e. you cannot use a
single client certicate to authenticate more than one MongoDB user.
1. You can retrieve the subject from the client certicate with the following command:
openssl x509 -in <pathToClient PEM> -inform PEM -subject -nameopt RFC2253
The command returns the subject string as well as certicate:
subject= CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry
-----BEGIN CERTIFICATE-----
# ...
-----END CERTIFICATE-----
2. Add the value of the subject, omitting the spaces, from the certicate as a user.
For example, in the mongo shell, to add the user with both the readWrite role in the test database and the
userAdminAnyDatabase role which is dened only in the admin database:
db.getSiblingDB("$external").runCommand(
{
createUser: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
roles: [
{ role: 'readWrite', db: 'test' },
{ role: 'userAdminAnyDatabase', db: 'admin' }
],
writeConcern: { w: "majority" , wtimeout: 5000 }
}
)
In the above example, to add the user with the readWrite role in the test database, the role specication
document specied test in the db eld. To add userAdminAnyDatabase role for the user, the above
example specied admin in the db eld.
Note: Some roles are dened only in the admin database, including: clusterAdmin,
readAnyDatabase, readWriteAnyDatabase, dbAdminAnyDatabase, and
userAdminAnyDatabase. To add a user with these roles, specify admin in the db.
44
http://docs.mongodb.org/v2.4/reference/conguration
46
See Add a User to a Database (page 69) for details on adding a user with roles.
Authenticate with a x.509 Certicate
To authenticate with a client certicate, you must rst add a MongoDB user that corresponds to the client certicate.
See Add x.509 Certicate subject as a User (page 46).
To authenticate, use the db.auth() method in the $external database, specifying "MONGODB-X509" for the
mechanism eld, and the user that corresponds to the client certicate (page 46) for the user eld.
For example, if using the mongo shell,
1. Connect mongo shell to the mongod set up for SSL:
mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslCAFile <path to root CA PEM file>
2. To perform the authentication, use the db.auth() method in the $external database. For the mechanism
eld, specify "MONGODB-X509", and for the user eld, specify the user, or the subject, that corresponds
to the client certicate.
db.getSiblingDB("$external").auth(
{
mechanism: "MONGODB-X509",
user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry"
}
)
Use x.509 Certicate for Membership Authentication
New in version 2.6.
MongoDB supports x.509 certicate authentication for use with a secure SSL connection (page 28). Sharded cluster
members and replica set members can use x.509 certicates to verify their membership to the cluster or the replica set
instead of using keyles (page 6). The membership authentication is an internal process.
For client authentication with x.509, see Use x.509 Certicates to Authenticate Clients (page 45).
Member x.509 Certicate
The member certicate, used for internal authentication to verify membership to the sharded cluster or a replica set,
must have the following properties:
A single Certicate Authority (CA) must issue all the x.509 certicates for the members of a sharded cluster or
a replica set.
The Distinguished Name (DN), found in the member certicates subject, must specify a non-empty value
for at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain
Component (DC).
The Organization attributes (Os), the Organizational Unit attributes (OUs), and the Domain Components (DCs)
must match those from the certicates for the other cluster members. To match, the certicate must match all
specications of these attributes, or even the non-specication of these attributes. The order of the attributes
does not matter.
In the following example, the two DNs contain matching specications for O, OU as well as the non-specication
of the DC attribute.
47
CN=host1,OU=Dept1,O=MongoDB,ST=NY,C=US
C=US, ST=CA, O=MongoDB, OU=Dept1, CN=host2
However, the following two DNs contain a mismatch for the OU attribute since one contains two OU specica-
tions and the other, only one specication.
CN=host1,OU=Dept1,OU=Sales,O=MongoDB
CN=host2,OU=Dept1,O=MongoDB
Either the Common Name (CN) or one of the Subject Alternative Name (SAN) entries must match the hostname
of the server, used by the other members of the cluster.
For example, the certicates for a cluster could have the following subjects:
subject= CN=<myhostname1>,OU=Dept1,O=MongoDB,ST=NY,C=US
subject= CN=<myhostname2>,OU=Dept1,O=MongoDB,ST=NY,C=US
subject= CN=<myhostname3>,OU=Dept1,O=MongoDB,ST=NY,C=US
It is possible to use a single x509 certicate for both member authentication and x.509 client authentication (page 45).
To do so, obtain a certicate with both clientAuth and serverAuth (i.e. TLS Web Client Authentication
and TLS Web Server Authentication) specied as Extended Key Usage (EKU) values, or simply do not specify any
EKU values. Provide this le as the the --sslPEMKeyFile and omit the --sslClusterFile option described
below.
Congure Replica Set/Sharded Cluster
Use Command-line Options To specify the x.509 certicate for internal cluster member authentication, append
the additional SSL options --clusterAuthMode and --sslClusterFile, as in the following example for a
member of a replica set:
mongod --replSet <name> --sslMode requireSSL --clusterAuthMode x509 --sslClusterFile <path to membership certificate and key PEM file> --sslPEMKeyFile <path to SSL certificate and key PEM file> --sslCAFile <path to root CA PEM file>
Include any additional options, SSL or otherwise, that are required for your specic conguration. For instance, if
the membership key is encrypted, set the --sslClusterPassword to the passphrase to decrypt the key or have
MongoDB prompt for the passphrase. See SSL Certicate Passphrase (page 31) for details.
Warning: If the --sslCAFile option and its target le are not specied, x.509 client and member authenti-
cation will not function. mongod, and mongos in sharded systems, will not be able to verify the certicates of
processes connecting to it against the trusted certicate authority (CA) that issued them, breaking the certicate
chain.
As of version 2.6.4, mongod will not start with x.509 authentication enabled if the CA le is not specied.
Use Conguration File You may also specify these options in the configuration file.
YAML Formatted Conguration File Starting in MongoDB 2.6, you can specify the conguration for MongoDB
in YAML format, as in the following example:
security:
clusterAuthMode: x509
net:
ssl:
mode: requireSSL
PEMKeyFile: <path to SSL certificate and key PEM file>
48
CAFile: <path to root CA PEM file>
clusterFile: <path to x.509 membership certificate and key PEM file>
See security.clusterAuthMode, net.ssl.mode, net.ssl.PEMKeyFile, net.ssl.CAFile, and
net.ssl.clusterFile for more information on the settings.
v2.4 Conguration File For backwards compatibility, you can also specify the conguration using the v2.4 cong-
uration le format
45
, as in the following example:
sslMode = requireSSL
sslPEMKeyFile = <path to SSL certificate and key PEM file>
sslCAFile = <path to root CA PEM file>
clusterAuthMode = x509
sslClusterFile = <path to membership certificate and key PEM file>
Upgrade from Keyle Authentication to x.509 Authentication
To upgrade clusters that are currently using keyle authentication to x.509 authentication, use a rolling upgrade pro-
cess.
Clusters Currently Using SSL For clusters using SSL and keyle authentication, to upgrade to x.509 cluster au-
thentication, use the following rolling upgrade process:
1. For each node of a cluster, start the node with the option --clusterAuthMode set to sendKeyFile and
the option --sslClusterFile set to the appropriate path of the nodes certicate. Include other SSL options
(page 28) as well as any other options that are required for your specic conguration. For example:
mongod --replSet <name> --sslMode requireSSL --clusterAuthMode sendKeyFile --sslClusterFile <path to membership certificate and key PEM file> --sslPEMKeyFile <path to SSL Certificate and key PEM file> --sslCAFile <path to root CA PEM file>
With this setting, each node continues to use its keyle to authenticate itself as a member. However, each
node can now accept either a keyle or an x.509 certicate from other members to authenticate those members.
Upgrade all nodes of the cluster to this setting.
2. Then, for each node of a cluster, connect to the node and use the setParameter command to update the
clusterAuthMode to sendX509.
46
For example,
db.getSiblingDB('admin').runCommand( { setParameter: 1, clusterAuthMode: "sendX509" } )
With this setting, each node uses its x.509 certicate, specied with the --sslClusterFile option in the
previous step, to authenticate itself as a member. However, each node continues to accept either a keyle or an
x.509 certicate from other members to authenticate those members. Upgrade all nodes of the cluster to this
setting.
3. Optional but recommended. Finally, for each node of the cluster, connect to the node and use the
setParameter command to update the clusterAuthMode to x509 to only use the x.509 certicate for
authentication.
1
For example:
db.getSiblingDB('admin').runCommand( { setParameter: 1, clusterAuthMode: "x509" } )
4. After the upgrade of all nodes, edit the configuration file with the appropriate x.509 settings to ensure
that upon subsequent restarts, the cluster uses x.509 authentication.
See --clusterAuthMode for the various modes and their descriptions.
45
http://docs.mongodb.org/v2.4/reference/conguration
46
As an alternative to using the setParameter command, you can also restart the nodes with the appropriate SSL and x509 options and
values.
49
Clusters Currently Not Using SSL For clusters using keyle authentication but not SSL, to upgrade to x.509
authentication, use the following rolling upgrade process:
1. For each node of a cluster, start the node with the option --sslMode set to allowSSL, the option
--clusterAuthMode set to sendKeyFile and the option --sslClusterFile set to the appropri-
ate path of the nodes certicate. Include other SSL options (page 28) as well as any other options that are
required for your specic conguration. For example:
mongod --replSet <name> --sslMode allowSSL --clusterAuthMode sendKeyFile --sslClusterFile <path to membership certificate and key PEM file> --sslPEMKeyFile <path to SSL certificate and key PEM file> --sslCAFile <path to root CA PEM file>
The --sslMode allowSSL setting allows the node to accept both SSL and non-SSL incoming connections.
Its outgoing connections do not use SSL.
The --clusterAuthMode sendKeyFile setting allows each node continues to use its keyle to authen-
ticate itself as a member. However, each node can now accept either a keyle or an x.509 certicate from other
members to authenticate those members.
Upgrade all nodes of the cluster to these settings.
2. Then, for each node of a cluster, connect to the node and use the setParameter command to update the
sslMode to preferSSL and the clusterAuthMode to sendX509.
1
For example:
db.getSiblingDB('admin').runCommand( { setParameter: 1, sslMode: "preferSSL", clusterAuthMode: "sendX509" } )
With the sslMode set to preferSSL, the node accepts both SSL and non-SSL incoming connections, and its
outgoing connections use SSL.
With the clusterAuthMode set to sendX509, each node uses its x.509 certicate, specied with the
--sslClusterFile option in the previous step, to authenticate itself as a member. However, each node
continues to accept either a keyle or an x.509 certicate from other members to authenticate those members.
Upgrade all nodes of the cluster to these settings.
3. Optional but recommended. Finally, for each node of the cluster, connect to the node and use the
setParameter command to update the sslMode to requireSSL and the clusterAuthMode to x509.
1
For example:
db.getSiblingDB('admin').runCommand( { setParameter: 1, sslMode: "requireSSL", clusterAuthMode: "x509" } )
With the sslMode set to requireSSL, the node only uses SSL connections.
With the clusterAuthMode set to x509, the node only uses the x.509 certicate for authentication.
4. After the upgrade of all nodes, edit the configuration file with the appropriate SSL and x.509 settings
to ensure that upon subsequent restarts, the cluster uses x.509 authentication.
See --clusterAuthMode for the various modes and their descriptions.
Authenticate Using SASL and LDAP with ActiveDirectory
MongoDB Enterprise provides support for proxy authentication of users. This allows administrators to congure
a MongoDB cluster to authenticate users by proxying authentication requests to a specied Lightweight Directory
Access Protocol (LDAP) service.
Considerations
MongoDBEnterprise for Windows does not include LDAP support for authentication. However, MongoDBEnterprise
for Linux supports using LDAP authentication with an ActiveDirectory server.
50
MongoDB does not support LDAP authentication in mixed sharded cluster deployments that contain both version
2.4 and version 2.6 shards. See http://docs.mongodb.org/manualrelease-notes/2.6-upgrade for
upgrade instructions.
Use secure encrypted or trusted connections between clients and the server, as well as between saslauthd and the
LDAP server. The LDAP server uses the SASL PLAIN mechanism, sending and receiving data in plain text. You
should use only a trusted channel such as a VPN, a connection encrypted with SSL, or a trusted wired network.
Congure saslauthd
LDAP support for user authentication requires proper conguration of the saslauthd daemon process as well as
the MongoDB server.
Step 1: Specify the mechanism. On systems that congure saslauthd with the
/etc/sysconfig/saslauthd le, such as Red Hat Enterprise Linux, Fedora, CentOS, and Amazon
Linux AMI, set the mechanism MECH to ldap:
MECH=ldap
On systems that congure saslauthd with the /etc/default/saslauthd le, such as Ubuntu, set the
MECHANISMS option to ldap:
MECHANISMS="ldap"
Step 2: Adjust caching behavior. On certain Linux distributions, saslauthd starts with the caching of authenti-
cation credentials enabled. Until restarted or until the cache expires, saslauthd will not contact the LDAP server
to re-authenticate users in its authentication cache. This allows saslauthd to successfully authenticate users in its
cache, even in the LDAP server is down or if the cached users credentials are revoked.
To set the expiration time (in seconds) for the authentication cache, see the -t option
47
of saslauthd.
Step 3: Congure LDAP Options with ActiveDirectory. If the saslauthd.conf le does not exist, create it.
The saslauthd.conf le usually resides in the /etc folder. If specifying a different le path, see the -O option
48
of saslauthd.
To use with ActiveDirectory, start saslauthd with the following conguration options set in the
saslauthd.conf le:
ldap_servers: <ldap uri>
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind
For the <ldap uri>, specify the uri of the ldap server. For example, ldap_servers:
ldaps://ad.example.net.
For more information on saslauthd conguration, see http://www.openldap.org/doc/admin24/guide.html#Conguringsaslauthd.
Step 4: Test the saslauthd conguration. Use testsaslauthd utility to test the saslauthd conguration.
For example:
47
http://www.linuxcommand.org/man_pages/saslauthd8.html
48
http://www.linuxcommand.org/man_pages/saslauthd8.html
51
testsaslauthd -u testuser -p testpassword -f /var/run/saslauthd/mux
Congure MongoDB
Step 1: Add user to MongoDB for authentication. Add the user to the $external database in MongoDB. To
specify the users privileges, assign roles (page 9) to the user.
For example, the following adds a user with read-only access to the records database.
db.getSiblingDB("$external").createUser(
{
user : <username>,
roles: [ { role: "read", db: "records" } ]
}
)
Add additional principals as needed. For more information about creating and managing users, see
http://docs.mongodb.org/manualreference/command/nav-user-management.
Step 2: Congure MongoDB server. To congure the MongoDB server to use the saslauthd instance for proxy
authentication, start the mongod with the following options:
--auth,
authenticationMechanisms parameter set to PLAIN, and
saslauthdPath parameter set to the path to the Unix-domain Socket of the saslauthd instance.
Congure the MongoDB server using either the command line option --setParameter or the configuration
file. Specify additional congurations as appropriate for your conguration.
If you use the authorization option to enforce authentication, you will need privileges to create a user.
Use specic saslauthd socket path. For socket path of /<some>/<path>/saslauthd, set the
saslauthdPath to /<some>/<path>/saslauthd/mux, as in the following command line example:
mongod --auth --setParameter saslauthdPath=/<some>/<path>/saslauthd/mux --setParameter authenticationMechanisms=PLAIN
Or if using a configuration file, specify the following parameters in the le:
auth=true
setParameter=saslauthdPath=/<some>/<path>/saslauthd/mux
setParameter=authenticationMechanisms=PLAIN
Use default Unix-domain socket path. To use the default Unix-domain socket path, set the saslauthdPath to
the empty string "", as in the following command line example:
mongod --auth --setParameter saslauthdPath="" --setParameter authenticationMechanisms=PLAIN
Or if using a configuration file, specify the following parameters in the le:
auth=true
setParameter=saslauthdPath=/<some>/<path>/saslauthd/mux
setParameter=authenticationMechanisms=PLAIN
52
Step 3: Authenticate the user in the mongo shell. To perform the authentication in the mongo shell, use the
db.auth() method in the $external database.
Specify the value "PLAIN" in the mechanism eld, the user and password in the user and pwd elds respectively,
and the value false in the digestPassword eld. You must specify false for digestPassword since the
server must receive an undigested password to forward on to saslauthd, as in the following example:
db.getSiblingDB("$external").auth(
{
mechanism: "PLAIN",
user: <username>,
pwd: <cleartext password>,
digestPassword: false
}
)
The server forwards the password in plain text. In general, use only on a trusted channel (VPN, SSL, trusted wired
network). See Considerations.
Authenticate Using SASL and LDAP with OpenLDAP
MongoDB Enterprise provides support for proxy authentication of users. This allows administrators to congure
a MongoDB cluster to authenticate users by proxying authentication requests to a specied Lightweight Directory
Access Protocol (LDAP) service.
Considerations
MongoDBEnterprise for Windows does not include LDAP support for authentication. However, MongoDBEnterprise
for Linux supports using LDAP authentication with an ActiveDirectory server.
MongoDB does not support LDAP authentication in mixed sharded cluster deployments that contain both version
2.4 and version 2.6 shards. See http://docs.mongodb.org/manualrelease-notes/2.6-upgrade for
upgrade instructions.
Use secure encrypted or trusted connections between clients and the server, as well as between saslauthd and the
LDAP server. The LDAP server uses the SASL PLAIN mechanism, sending and receiving data in plain text. You
should use only a trusted channel such as a VPN, a connection encrypted with SSL, or a trusted wired network.
Congure saslauthd
LDAP support for user authentication requires proper conguration of the saslauthd daemon process as well as
the MongoDB server.
Step 1: Specify the mechanism. On systems that congure saslauthd with the
/etc/sysconfig/saslauthd le, such as Red Hat Enterprise Linux, Fedora, CentOS, and Amazon
Linux AMI, set the mechanism MECH to ldap:
MECH=ldap
On systems that congure saslauthd with the /etc/default/saslauthd le, such as Ubuntu, set the
MECHANISMS option to ldap:
MECHANISMS="ldap"
53
Step 2: Adjust caching behavior. On certain Linux distributions, saslauthd starts with the caching of authenti-
cation credentials enabled. Until restarted or until the cache expires, saslauthd will not contact the LDAP server
to re-authenticate users in its authentication cache. This allows saslauthd to successfully authenticate users in its
cache, even in the LDAP server is down or if the cached users credentials are revoked.
To set the expiration time (in seconds) for the authentication cache, see the -t option
49
of saslauthd.
Step 3: Congure LDAP Options with OpenLDAP. If the saslauthd.conf le does not exist, create it. The
saslauthd.conf le usually resides in the /etc folder. If specifying a different le path, see the -O option
50
of
saslauthd.
To connect to an OpenLDAP server, update the saslauthd.conf le with the following conguration options:
ldap_servers: <ldap uri>
ldap_search_base: <search base>
ldap_filter: <filter>
The ldap_servers species the uri of the LDAP server used for authentication. In general, for OpenLDAP installed
on the local machine, you can specify the value ldap://localhost:389 or if using LDAP over SSL, you can
specify the value ldaps://localhost:636.
The ldap_search_base species distinguished name to which the search is relative. The search includes the base
or objects below.
The ldap_filter species the search lter.
The values for these conguration options should correspond to the values specic for your test. For example, to lter
on email, specify ldap_filter: (mail=%n) instead.
OpenLDAP Example A sample saslauthd.conf le for OpenLDAP includes the following content:
ldap_servers: ldaps://ad.example.net
ldap_search_base: ou=Users,dc=example,dc=com
ldap_filter: (uid=%u)
To use this sample OpenLDAP conguration, create users with a uid attribute (login name) and place under the
Users organizational unit (ou) under the domain components (dc) example and com.
For more information on saslauthd conguration, see http://www.openldap.org/doc/admin24/guide.html#Conguringsaslauthd.
Step 4: Test the saslauthd conguration. Use testsaslauthd utility to test the saslauthd conguration.
For example:
testsaslauthd -u testuser -p testpassword -f /var/run/saslauthd/mux
Congure MongoDB
Step 1: Add user to MongoDB for authentication. Add the user to the $external database in MongoDB. To
specify the users privileges, assign roles (page 9) to the user.
For example, the following adds a user with read-only access to the records database.
49
http://www.linuxcommand.org/man_pages/saslauthd8.html
50
http://www.linuxcommand.org/man_pages/saslauthd8.html
54
db.getSiblingDB("$external").createUser(
{
user : <username>,
roles: [ { role: "read", db: "records" } ]
}
)
Add additional principals as needed. For more information about creating and managing users, see
http://docs.mongodb.org/manualreference/command/nav-user-management.
Step 2: Congure MongoDB server. To congure the MongoDB server to use the saslauthd instance for proxy
authentication, start the mongod with the following options:
--auth,
authenticationMechanisms parameter set to PLAIN, and
saslauthdPath parameter set to the path to the Unix-domain Socket of the saslauthd instance.
Congure the MongoDB server using either the command line option --setParameter or the configuration
file. Specify additional congurations as appropriate for your conguration.
If you use the authorization option to enforce authentication, you will need privileges to create a user.
Use specic saslauthd socket path. For socket path of /<some>/<path>/saslauthd, set the
saslauthdPath to /<some>/<path>/saslauthd/mux, as in the following command line example:
mongod --auth --setParameter saslauthdPath=/<some>/<path>/saslauthd/mux --setParameter authenticationMechanisms=PLAIN
Or if using a configuration file, specify the following parameters in the le:
auth=true
setParameter=saslauthdPath=/<some>/<path>/saslauthd/mux
setParameter=authenticationMechanisms=PLAIN
Use default Unix-domain socket path. To use the default Unix-domain socket path, set the saslauthdPath to
the empty string "", as in the following command line example:
mongod --auth --setParameter saslauthdPath="" --setParameter authenticationMechanisms=PLAIN
Or if using a configuration file, specify the following parameters in the le:
auth=true
setParameter=saslauthdPath=/<some>/<path>/saslauthd/mux
setParameter=authenticationMechanisms=PLAIN
Step 3: Authenticate the user in the mongo shell. To perform the authentication in the mongo shell, use the
db.auth() method in the $external database.
Specify the value "PLAIN" in the mechanism eld, the user and password in the user and pwd elds respectively,
and the value false in the digestPassword eld. You must specify false for digestPassword since the
server must receive an undigested password to forward on to saslauthd, as in the following example:
db.getSiblingDB("$external").auth(
{
mechanism: "PLAIN",
user: <username>,
55
pwd: <cleartext password>,
digestPassword: false
}
)
The server forwards the password in plain text. In general, use only on a trusted channel (VPN, SSL, trusted wired
network). See Considerations.
Congure MongoDB with Kerberos Authentication on Linux
New in version 2.4.
Overview
MongoDB Enterprise supports authentication using a Kerberos service (page 16). Kerberos is an industry standard
authentication protocol for large client/server system.
Prerequisites
Setting up and conguring a Kerberos deployment is beyond the scope of this document. This tutorial assumes
you have have congured a Kerberos service principal (page 16) for each mongod and mongos instance in your
MongoDB deployment, and you have a valid keytab le (page 17) for for each mongod and mongos instance.
To verify MongoDB Enterprise binaries:
mongod --version
In the output fromthis command, look for the string modules: subscription or modules: enterprise
to conrm your system has MongoDB Enterprise.
Procedure
The following procedure outlines the steps to add a Kerberos user principal to MongoDB, congure a standalone
mongod instance for Kerberos support, and connect using the mongo shell and authenticate the user principal.
Step 1: Start mongod without Kerberos. For the initial addition of Kerberos users, start mongod without Kerberos
support.
If a Kerberos user is already in MongoDB and has the privileges required to create a user, you can start mongod with
Kerberos support.
Step 2: Connect to mongod. Connect via the mongo shell to the mongod instance. If mongod has --auth
enabled, ensure you connect with the privileges required to create a user.
Step 3: Add Kerberos Principal(s) to MongoDB. Add a Kerberos principal, <username>@<KERBEROS
REALM> or <username>/<instance>@<KERBEROS REALM>, to MongoDB in the $external database.
Specify the Kerberos realm in all uppercase. The $external database allows mongod to consult an external source
(e.g. Kerberos) to authenticate. To specify the users privileges, assign roles (page 9) to the user.
The following example adds the Kerberos principal application/[email protected] with read-only
access to the records database:
56
use $external
db.createUser(
{
user: "application/[email protected]",
roles: [ { role: "read", db: "records" } ]
}
)
Add additional principals as needed. For every user you want to authenticate using Kerberos, you must
create a corresponding user in MongoDB. For more information about creating and managing users, see
http://docs.mongodb.org/manualreference/command/nav-user-management.
Step 4: Start mongod with Kerberos support. To start mongod with Kerberos support, set the environmental
variable KRB5_KTNAME to the path of the keytab le and the mongod parameter authenticationMechanisms
to GSSAPI in the following form:
env KRB5_KTNAME=<path to keytab file> \
mongod \
--setParameter authenticationMechanisms=GSSAPI
<additional mongod options>
For example, the following starts a standalone mongod instance with Kerberos support:
env KRB5_KTNAME=/opt/mongodb/mongod.keytab \
/opt/mongodb/bin/mongod --auth \
--setParameter authenticationMechanisms=GSSAPI \
--dbpath /opt/mongodb/data
The path to your mongod as well as your keytab le (page 17) may differ. Modify or include additional mongod
options as required for your conguration. The keytab le (page 17) must be only accessible to the owner of the
mongod process.
With the ofcial .deb or .rpm packages, you can set the KRB5_KTNAME in a environment settings le. See
KRB5_KTNAME (page 57) for details.
Step 5: Connect mongo shell to mongod and authenticate. Connect the mongo shell client as the Kerberos prin-
cipal application/[email protected]. Before connecting, you must have used Kerbeross kinit
program to get credentials for application/[email protected].
You can connect and authenticate from the command line.
mongo --authenticationMechanism=GSSAPI --authenticationDatabase='$external' \
--username application/[email protected]
Or, alternatively, you can rst connect mongo to the mongod, and then from the mongo shell, use the db.auth()
method to authenticate in the $external database.
use $external
db.auth( { mechanism: "GSSAPI", user: "application/[email protected]" } )
Additional Considerations
KRB5_KTNAME If you installed MongoDB Enterprise using one of the ofcial .deb or .rpm packages, and you
use the included init/upstart scripts to control the mongod instance, you can set the KR5_KTNAME variable in the
default environment settings le instead of setting the variable each time.
57
For .rpm packages, the default environment settings le is /etc/sysconfig/mongod.
For .deb packages, the le is /etc/default/mongodb.
Set the KRB5_KTNAME value in a line that resembles the following:
export KRB5_KTNAME="<path to keytab>"
Congure mongos for Kerberos To start mongos with Kerberos support, set the environmental variable
KRB5_KTNAME to the path of its keytab le (page 17) and the mongos parameter authenticationMechanisms
to GSSAPI in the following form:
env KRB5_KTNAME=<path to keytab file> \
mongos \
--setParameter authenticationMechanisms=GSSAPI \
<additional mongos options>
For example, the following starts a mongos instance with Kerberos support:
env KRB5_KTNAME=/opt/mongodb/mongos.keytab \
mongos \
--setParameter authenticationMechanisms=GSSAPI \
--configdb shard0.example.net, shard1.example.net,shard2.example.net \
--keyFile /opt/mongodb/mongos.keyfile
The path to your mongos as well as your keytab le (page 17) may differ. The keytab le (page 17) must be only
accessible to the owner of the mongos process.
Modify or include any additional mongos options as required for your conguration. For example, instead of us-
ing --keyFile for internal authentication of sharded cluster members, you can use x.509 member authentication
(page 47) instead.
Use a Cong File To congure mongod or mongos for Kerberos support using a configuration file,
specify the authenticationMechanisms setting in the conguration le:
setParameter=authenticationMechanisms=GSSAPI
Modify or include any additional mongod options as required for your conguration.
For example, if http://docs.mongodb.org/manualopt/mongodb/mongod.conf contains the follow-
ing conguration settings for a standalone mongod:
auth = true
setParameter=authenticationMechanisms=GSSAPI
dbpath=/opt/mongodb/data
To start mongod with Kerberos support, use the following form:
env KRB5_KTNAME=/opt/mongodb/mongod.keytab \
/opt/mongodb/bin/mongod --config /opt/mongodb/mongod.conf
The path to your mongod, keytab le (page 17), and conguration le may differ. The keytab le (page 17) must be
only accessible to the owner of the mongod process.
Troubleshoot Kerberos Setup for MongoDB If you encounter problems when starting mongod or mongos with
Kerberos authentication, see Troubleshoot Kerberos Authentication on Linux (page 62).
58
Incorporate Additional Authentication Mechanisms Kerberos authentication (GSSAPI) can work alongside
MongoDBs challenge/response authentication mechanism (MONGODB-CR), MongoDBs authentication mechanism
for LDAP (PLAIN), and MongoDBs authentication mechanism for x.509 (MONGODB-X509). Specify the mecha-
nisms, as follows:
--setParameter authenticationMechanisms=GSSAPI,MONGODB-CR
Only add the other mechanisms if in use. This parameter setting does not affect MongoDBs internal authentication of
cluster members.
Congure MongoDB with Kerberos Authentication on Windows
New in version 2.6.
Overview
MongoDB Enterprise supports authentication using a Kerberos service (page 16). Kerberos is an industry standard
authentication protocol for large client/server system. Kerberos allows MongoDB and applications to take advantage
of existing authentication infrastructure and processes.
Prerequisites
Setting up and conguring a Kerberos deployment is beyond the scope of this document. This tutorial assumes have
congured a Kerberos service principal (page 16) for each mongod.exe and mongos.exe instance.
Procedures
Step 1: Start mongod.exe without Kerberos. For the initial addition of Kerberos users, start mongod.exe
without Kerberos support.
If a Kerberos user is already in MongoDB and has the privileges required to create a user, you can start mongod.exe
with Kerberos support.
Step 2: Connect to mongod. Connect via the mongo.exe shell to the mongod.exe instance. If mongod.exe
has --auth enabled, ensure you connect with the privileges required to create a user.
Step 3: Add Kerberos Principal(s) to MongoDB. Add a Kerberos principal, <username>@<KERBEROS
REALM>, to MongoDB in the $external database. Specify the Kerberos realm in all uppercase. The $external
database allows mongod.exe to consult an external source (e.g. Kerberos) to authenticate. To specify the users
privileges, assign roles (page 9) to the user.
The following example adds the Kerberos principal [email protected] with read-only access to the
records database:
use $external
db.createUser(
{
user: "[email protected]",
roles: [ { role: "read", db: "records" } ]
}
)
59
Add additional principals as needed. For every user you want to authenticate using Kerberos, you must
create a corresponding user in MongoDB. For more information about creating and managing users, see
http://docs.mongodb.org/manualreference/command/nav-user-management.
Step 4: Start mongod.exe with Kerberos support. You must start mongod.exe as the service principal ac-
count (page 60).
To start mongod.exe with Kerberos support, set the mongod.exe parameter authenticationMechanisms
to GSSAPI:
mongod.exe --setParameter authenticationMechanisms=GSSAPI <additional mongod.exe options>
For example, the following starts a standalone mongod.exe instance with Kerberos support:
mongod.exe --auth --setParameter authenticationMechanisms=GSSAPI
Modify or include additional mongod.exe options as required for your conguration.
Step 5: Connect mongo.exe shell to mongod.exe and authenticate. Connect the mongo.exe shell client as
the Kerberos principal [email protected].
You can connect and authenticate from the command line.
mongo.exe --authenticationMechanism=GSSAPI --authenticationDatabase='$external' \
--username [email protected]
Or, alternatively, you can rst connect mongo.exe to the mongod.exe, and then from the mongo.exe shell, use
the db.auth() method to authenticate in the $external database.
use $external
db.auth( { mechanism: "GSSAPI", user: "[email protected]" } )
Additional Considerations
Congure mongos.exe for Kerberos To start mongos.exe with Kerberos support, set the mongos.exe pa-
rameter authenticationMechanisms to GSSAPI. You must start mongos.exe as the service principal ac-
count (page 60).:
mongos.exe --setParameter authenticationMechanisms=GSSAPI <additional mongos options>
For example, the following starts a mongos instance with Kerberos support:
mongos.exe --setParameter authenticationMechanisms=GSSAPI --configdb shard0.example.net, shard1.example.net,shard2.example.net --keyFile C:\<path>\mongos.keyfile
Modify or include any additional mongos.exe options as required for your conguration. For example, instead of
using --keyFile for for internal authentication of sharded cluster members, you can use x.509 member authentica-
tion (page 47) instead.
Assign Service Principal Name to MongoDB Windows Service Use setspn.exe to assign the service principal
name (SPN) to the account running the mongod.exe and the mongos.exe service:
setspn.exe -A <service>/<fully qualified domain name> <service account name>
For example, if mongod.exe runs as a service named mongodb on testserver.mongodb.com with the ser-
vice account name mongodtest, assign the SPN as follows:
60
setspn.exe -A mongodb/testserver.mongodb.com mongodtest
Incorporate Additional Authentication Mechanisms Kerberos authentication (GSSAPI) can work alongside
MongoDBs challenge/response authentication mechanism (MONGODB-CR), MongoDBs authentication mechanism
for LDAP (PLAIN), and MongoDBs authentication mechanism for x.509 (MONGODB-X509). Specify the mecha-
nisms, as follows:
--setParameter authenticationMechanisms=GSSAPI,MONGODB-CR
Only add the other mechanisms if in use. This parameter setting does not affect MongoDBs internal authentication of
cluster members.
Authenticate to a MongoDB Instance or Cluster
Overview
To authenticate to a running mongod or mongos instance, you must have user credentials for a resource on that
instance. When you authenticate to MongoDB, you authenticate either to a database or to a cluster. Your user privileges
determine the resource you can authenticate to.
You authenticate to a resource either by:
using the authentication options when connecting to the mongod or mongos instance, or
connecting rst and then authenticating to the resource with the authenticate command or the db.auth()
method.
This section describes both approaches.
In general, always use a trusted channel (VPN, SSL, trusted wired network) for connecting to a MongoDB instance.
Prerequisites
You must have user credentials on the database or cluster to which you are authenticating.
Procedures
Authenticate When First Connecting to MongoDB
Step 1: Specify your credentials when starting the mongo instance. When using mongo to connect to a mongod
or mongos, enter your username, password, and authenticationDatabase. For example:
mongo --username "prodManager" --password "cleartextPassword" --authenticationDatabase "products"
Step 2: Close the session when your work is complete. To close an authenticated session, use the logout com-
mand.:
db.runCommand( { logout: 1 } )
Authenticate After Connecting to MongoDB
61
Step 1: Connect to a MongoDB instance. Connect to a mongod or mongos instance.
Step 2: Switch to the database to which to authenticate.
use <database>
Step 3: Authenticate. Use either the authenticate command or the db.auth() method to provide your
username and password to the database. For example:
db.auth( "prodManager", "cleartextPassword" )
Step 4: Close the session when your work is complete. To close an authenticated session, use the logout com-
mand.:
db.runCommand( { logout: 1 } )
Generate a Key File
Overview
This section describes how to generate a key le to store authentication information. After generating a key le,
specify the key le using the keyFile option when starting a mongod or mongos instance.
A keys length must be between 6 and 1024 characters and may only contain characters in the base64 set. The key
le must not have group or world permissions on UNIX systems. Key le permissions are not checked on Windows
systems.
MongoDB strips whitespace characters (e.g. x0d, x09, and x20) for cross-platform convenience. As a result, the
following operations produce identical keys:
echo -e "my secret key" > key1
echo -e "my secret key\n" > key2
echo -e "my secret key" > key3
echo -e "my\r\nsecret\r\nkey\r\n" > key4
Procedure
Step 1: Create a key le. Create the key le your deployment will use to authenticate servers to each other.
To generate pseudo-random data to use for a keyfile, issue the following openssl command:
openssl rand -base64 741 > mongodb-keyfile
chmod 600 mongodb-keyfile
You may generate a key le using any method you choose. Always ensure that the password stored in the key le is
both long and contains a high amount of entropy. Using openssl in this manner helps generate such a key.
Step 2: Specify the key le when starting a MongoDB instance. Specify the path to the key le with the keyFile
option.
Troubleshoot Kerberos Authentication on Linux
New in version 2.4.
62
Kerberos Conguration Checklist
If you have difculty starting mongod or mongos with Kerberos (page 16) on Linux systems, ensure that:
The mongod and the mongos binaries are from MongoDB Enterprise.
To verify MongoDB Enterprise binaries:
mongod --version
In the output from this command, look for the string modules: subscription or modules:
enterprise to conrm your system has MongoDB Enterprise.
You are not using the HTTP Console
51
. MongoDB Enterprise does not support Kerberos authentication over the
HTTP Console interface.
Either the service principal name (SPN) in the keytab le (page 17) matches the SPNfor the mongod or mongos
instance, or the mongod or the mongos instance use the --setParameter saslHostName=<host
name> to match the name in the keytab le.
The canonical system hostname of the system that runs the mongod or mongos instance is a resolvable, fully
qualied domain for this host. You can test the system hostname resolution with the hostname -f command
at the system prompt.
Each host that runs a mongod or mongos instance has both the A and PTR DNS records to provide forward
and reverse lookup. The records allow the host to resolve the components of the Kerberos infrastructure.
Both the Kerberos Key Distribution Center (KDC) and the system running mongod instance or mongos must
be able to resolve each other using DNS. By default, Kerberos attempts to resolve hosts using the content of the
/etc/kerb5.conf before using DNS to resolve hosts.
The time synchronization of the systems running mongod or the mongos instances and the Kerberos infras-
tructure are within the maximum time skew (default is 5 minutes) of each other. Time differences greater than
the maximum time skew will prevent successful authentication.
Debug with More Verbose Logs
If you still encounter problems with Kerberos on Linux, you can start both mongod and mongo (or another client)
with the environment variable KRB5_TRACE set to different les to produce more verbose logging of the Kerberos
process to help further troubleshooting. For example, the following starts a standalone mongod with KRB5_TRACE
set:
env KRB5_KTNAME=/opt/mongodb/mongod.keytab \
KRB5_TRACE=/opt/mongodb/log/mongodb-kerberos.log \
/opt/mongodb/bin/mongod --dbpath /opt/mongodb/data \
--fork --logpath /opt/mongodb/log/mongod.log \
--auth --setParameter authenticationMechanisms=GSSAPI
Common Error Messages
In some situations, MongoDB will return error messages from the GSSAPI interface if there is a problem with the
Kerberos service. Some common error messages are:
GSSAPI error in client while negotiating security context. This error occurs on the
client and reects insufcient credentials or a malicious attempt to authenticate.
51
http://docs.mongodb.org/ecosystem/tools/http-interface/#http-console
63
If you receive this error, ensure that you are using the correct credentials and the correct fully qualied domain
name when connecting to the host.
GSSAPI error acquiring credentials. This error occurs during the start of the mongod or mongos
and reects improper conguration of the system hostname or a missing or incorrectly congured keytab le.
If you encounter this problem, consider the items in the Kerberos Conguration Checklist (page 63), in particu-
lar, whether the SPN in the keytab le (page 17) matches the SPN for the mongod or mongos instance.
To determine whether the SPNs match:
1. Examine the keytab le, with the following command:
klist -k <keytab>
Replace <keytab> with the path to your keytab le.
2. Check the congured hostname for your system, with the following command:
hostname -f
Ensure that this name matches the name in the keytab le, or start mongod or mongos with the
--setParameter saslHostName=<hostname>.
See also:
Kerberos Authentication (page 16)
Congure MongoDB with Kerberos Authentication on Linux (page 56)
Congure MongoDB with Kerberos Authentication on Windows (page 59)
Implement Field Level Redaction
The $redact pipeline operator restricts the contents of the documents based on information stored in the documents
themselves.
To store the access criteria data, add a eld to the documents and subdocuments. To allow for multiple combinations
of access levels for the same data, consider setting the access eld to an array of arrays. Each array element contains
a required set that allows a user with that set to access the data.
Then, include the $redact stage in the db.collection.aggregate() operation to restrict contents of the
result set based on the access required to view the data.
For more information on the $redact pipeline operator, including its syntax and associated system variables as well
as additional examples, see $redact.
Procedure
For example, a forecasts collection contains documents of the following form where the tags eld determines
the access levels required to view the data:
{
_id: 1,
title: "123 Department Report",
tags: [ [ "G" ], [ "FDW" ] ],
year: 2014,
subsections: [
{
subtitle: "Section 1: Overview",
64
Figure 1: Diagram of security architecture with middleware and redaction.
tags: [ [ "SI", "G" ], [ "FDW" ] ],
content: "Section 1: This is the content of section 1."
},
{
subtitle: "Section 2: Analysis",
tags: [ [ "STLW" ] ],
content: "Section 2: This is the content of section 2."
},
{
subtitle: "Section 3: Budgeting",
tags: [ [ "TK" ], [ "FDW", "TGE" ] ],
content: {
text: "Section 3: This is the content of section3.",
tags: [ [ "HCS"], [ "FDW", "TGE", "BX" ] ]
}
}
]
}
For each document, the tags eld contains various access groupings necessary to view the data. For example, the
value [ [ "G" ], [ "FDW", "TGE" ] ] can specify that a user requires either access level ["G"] or both [
"FDW", "TGE" ] to view the data.
Consider a user who only has access to view information tagged with either "FDW" or "TGE". To run a query on all
documents with year 2014 for this user, include a $redact stage as in the following:
65
var userAccess = [ "FDW", "TGE" ];
db.forecasts.aggregate(
[
{ $match: { year: 2014 } },
{ $redact:
{
$cond: {
if: { $anyElementTrue:
{
$map: {
input: "$tags" ,
as: "fieldTag",
in: { $setIsSubset: [ "$$fieldTag", userAccess ] }
}
}
},
then: "$$DESCEND",
else: "$$PRUNE"
}
}
}
]
)
The aggregation operation returns the following redacted document for the user:
{ "_id" : 1,
"title" : "123 Department Report",
"tags" : [ [ "G" ], [ "FDW" ] ],
"year" : 2014,
"subsections" :
[
{
"subtitle" : "Section 1: Overview",
"tags" : [ [ "SI", "G" ], [ "FDW" ] ],
"content" : "Section 1: This is the content of section 1."
},
{
"subtitle" : "Section 3: Budgeting",
"tags" : [ [ "TK" ], [ "FDW", "TGE" ] ]
}
]
}
See also:
$map, $setIsSubset, $anyElementTrue
3.5 User and Role Management Tutorials
The following tutorials provide instructions on how to enable authentication and limit access for users with privilege
roles.
Create a User Administrator (page 67) Create users with special permissions to to create, modify, and remove other
users, as well as administer authentication credentials (e.g. passwords).
Add a User to a Database (page 69) Create non-administrator users using MongoDBs role-based authentication sys-
tem.
66
Create an Administrative User with Unrestricted Access (page 71) Create a user with unrestricted access. Create
such a user only in unique situations. In general, all users in the system should have no more access than needed
to perform their required operations.
Create a Role (page 72) Create custom role.
Assign a User a Role (page 74) Assign a user a role. A role grants the user a dened set of privileges. A user can
have multiple roles.
Verify User Privileges (page 75) View a users current privileges.
Modify a Users Access (page 76) Modify the actions available to a user on specic database resources.
View Roles (page 78) View a roles privileges.
Change a Users Password (page 79) Only user administrators can edit credentials. This tutorial describes the pro-
cess for editing an existing users password.
Change Your Password and Custom Data (page 80) Users with sufcient access can change their own passwords
and modify the optional custom data associated with their user credential.
Create a User Administrator
Overview
User administrators create users and create and assigns roles. A user administrator can grant any privilege in the
database and can create new ones. In a MongoDB deployment, create the user administrator as the rst user. Then let
this user create all other users.
To provide user administrators, MongoDB has userAdmin (page 88) and userAdminAnyDatabase (page 92)
roles, which grant access to actions (page 99) that support user and role management. Following the policy of least
privilege userAdmin (page 88) and userAdminAnyDatabase (page 92) confer no additional privileges.
Carefully control access to these roles. A user with either of these roles can grant itself unlimited additional privileges.
Specically, a user with the userAdmin (page 88) role can grant itself any privilege in the database. A user assigned
either the userAdmin (page 88) role on the admin database or the userAdminAnyDatabase (page 92) can
grant itself any privilege in the system.
Prerequisites
Required Access You must have the createUser (page 100) action (page 99) on a database to create a new user
on that database.
You must have the grantRole (page 100) action (page 99) on a roles database to grant the role to another user.
If you have the userAdmin (page 88) or userAdminAnyDatabase (page 92) role, you have those actions.
First User Restrictions If your MongoDB deployment has no users, you must connect to mongod using the local-
host exception (page 9) or use the --noauth option when starting mongod to gain full access the system. Once you
have access, you can skip to Creating the system user administrator in this procedure.
If users exist in the MongoDB database, but none of them has the appropriate prerequisites to create a new user or you
do not have access to them, you must restart mongod with the --noauth option.
67
Procedure
Step 1: Connect to MongoDB with the appropriate privileges. Connect to the mongod or mongos as a user
with the privileges required in the Prerequisites (page 67) section.
The following example operation connects to MongoDB as an authenticated user named manager:
mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
Step 2: Verify your privileges. Use the usersInfo command with the showPrivileges option.
The following example operation checks privileges for a user connected as manager:
db.runCommand(
{
usersInfo:"manager",
showPrivileges:true
}
)
The resulting users document displays the privileges granted to manager.
Step 3: Create the system user administrator. Add the user with the userAdminAnyDatabase (page 92) role,
and only that role.
The following example creates the user siteUserAdmin user on the admin database:
use admin
db.createUser(
{
user: "siteUserAdmin",
pwd: "password",
roles:
[
{
role: "userAdminAnyDatabase",
db: "admin"
}
]
}
)
Step 4: Create a user administrator for a single database. Optionally, you may want to create user administrators
that only have access to administer users in a specic database by way of the userAdmin (page 88) role.
The following example creates the user recordsUserAdmin on the records database:
use products
db.createUser(
{
user: "recordsUserAdmin",
pwd: "password",
roles:
[
{
role: "userAdmin",
db: "records"
68
}
]
}
)
Related Documents
Authentication (page 6)
Security Introduction (page 4)
Enable Client Access Control (page 41)
Access Control Tutorials (page 40)
Add a User to a Database
Changed in version 2.6.
Overview
Each application and user of a MongoDB system should map to a distinct application or administrator. This access
isolation facilitates access revocation and ongoing user maintenance. At the same time users should have only the
minimal set of privileges required to ensure a system of least privilege.
To create a user, you must dene the users credentials and assign that user roles (page 10). Credentials verify the
users identity to a database, and roles determine the users access to database resources and operations.
For an overview of credentials and roles in MongoDB see Security Introduction (page 4).
Considerations
For users that authenticate using external mechanisms,
52
you do not need to provide credentials when creating users.
For all users, select the roles that have the exact required privileges (page 10). If the correct roles do not exist, create
roles (page 72).
You can create a user without assigning roles, choosing instead to assign the roles later. To do so, create the user with
an empty roles (page 96) array.
When adding a user to multiple databases, use unique username-and-password combinations for each database, see
Password Hashing Insecurity (page 109) for more information.
Prerequisites
To create a user on a system that uses authentication (page 6), you must authenticate as a user administrator. If you
have not yet created a user administrator, do so as described in Create a User Administrator (page 67).
52
Congure MongoDB with Kerberos Authentication on Linux (page 56), Authenticate Using SASL and LDAP with OpenLDAP (page 53),
Authenticate Using SASL and LDAP with ActiveDirectory (page 50), and x.509 certicates provide external authentication mechanisms.
69
Required Access You must have the createUser (page 100) action (page 99) on a database to create a new user
on that database.
You must have the grantRole (page 100) action (page 99) on a roles database to grant the role to another user.
If you have the userAdmin (page 88) or userAdminAnyDatabase (page 92) role, you have those actions.
First User Restrictions If your MongoDB deployment has no users, you must connect to mongod using the local-
host exception (page 9) or use the --noauth option when starting mongod to gain full access the system. Once you
have access, you can skip to Creating the system user administrator in this procedure.
If users exist in the MongoDB database, but none of them has the appropriate prerequisites to create a new user or you
do not have access to them, you must restart mongod with the --noauth option.
Procedures
Step 1: Connect to MongoDB with the appropriate privileges. Connect to the mongod or mongos with the
privileges required in the Prerequisites (page 69) section.
The following example operation connects to MongoDB as an authenticated user named manager:
mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
Step 2: Verify your privileges. Use the usersInfo command with the showPrivileges option.
The following example operation checks privileges for a user connected as manager:
db.runCommand(
{
usersInfo:"manager",
showPrivileges:true
}
)
The resulting users document displays the privileges granted to manager.
Step 3: Create the new user. Create the user in the database to which the user will belong. Pass a well formed user
document to the db.createUser() method.
The following operation creates a user in the reporting database with the specied name, password, and roles.
use reporting
db.createUser(
{
user: "reportsUser",
pwd: "12345678",
roles: [
{ role: "read", db: "reporting" },
{ role: "read", db: "products" },
{ role: "read", db: "sales" }
]
}
)
To authenticate the reportsUser, you must authenticate the user in the reporting database.
70
Create an Administrative User with Unrestricted Access
Overview
Most users should have only the minimal set of privileges required for their operations, in keeping with the policy of
least privilege. However, some authorization architectures may require a user with unrestricted access. To support
these super users, you can create users with access to all database resources (page 97) and actions (page 99).
For many deployments, you may be able to avoid having any users with unrestricted access by having an administrative
user with the createUser (page 100) and grantRole (page 100) actions granted as needed to support operations.
If users truly need unrestricted access to a MongoDB deployment, MongoDB provides a built-in role (page 86) named
root (page 93) that grants the combined privileges of all built-in roles. This document describes how to create an
administrative user with the root (page 93) role.
For descriptions of the access each built-in role provides, see the section on built-in roles (page 86).
Prerequisites
Required Access You must have the createUser (page 100) action (page 99) on a database to create a new user
on that database.
You must have the grantRole (page 100) action (page 99) on a roles database to grant the role to another user.
If you have the userAdmin (page 88) or userAdminAnyDatabase (page 92) role, you have those actions.
First User Restrictions If your MongoDB deployment has no users, you must connect to mongod using the local-
host exception (page 9) or use the --noauth option when starting mongod to gain full access the system. Once you
have access, you can skip to Creating the system user administrator in this procedure.
If users exist in the MongoDB database, but none of them has the appropriate prerequisites to create a new user or you
do not have access to them, you must restart mongod with the --noauth option.
Procedure
Step 1: Connect to MongoDB with the appropriate privileges. Connect to the mongod or mongos as a user
with the privileges required in the Prerequisites (page 71) section.
The following example operation connects to MongoDB as an authenticated user named manager:
mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
Step 2: Verify your privileges. Use the usersInfo command with the showPrivileges option.
The following example operation checks privileges for a user connected as manager:
db.runCommand(
{
usersInfo:"manager",
showPrivileges:true
}
)
The resulting users document displays the privileges granted to manager.
71
Step 3: Create the administrative user. In the admin database, create a new user using the db.createUser()
method. Give the user the built-in root (page 93) role.
For example:
use admin
db.createUser(
{
user: "superuser",
pwd: "12345678",
roles: [ "root" ]
}
)
Authenticate against the admin database to test the new user account. Use db.auth() while using the admin
database or use the mongo shell with the --authenticationDatabase option.
Create a Role
Overview
Roles grant users access to MongoDB resources. By default, MongoDB provides a number of built-in roles (page 86)
that administrators may use to control access to a MongoDB system. However, if these roles cannot describe the
desired privilege set of a particular user type in a deployment, you can dene a new, customized role.
A roles privileges apply to the database where the role is created. The role can inherit privileges from other roles in
its database. A role created on the admin database can include privileges that apply to all databases or to the cluster
(page 98) and can inherit privileges from roles in other databases.
The combination of the database name and the role name uniquely denes a role in MongoDB.
Prerequisites
You must have the createRole (page 100) action (page 99) on a database to create a role on that database.
You must have the grantRole (page 100) action (page 99) on the database that a privilege targets in order to grant
that privilege to a role. If the privilege targets multiple databases or the cluster resource , you must have the
grantRole (page 100) action on the admin database.
You must have the grantRole (page 100) action (page 99) on a roles database to grant the role to another role.
To view a roles information, you must be explicitly granted the role or must have the viewRole (page 100) action
(page 99) on the roles database.
Procedure
Step 1: Connect to MongoDB with the appropriate privileges. Connect to the mongod or mongos with the
privileges required in the Prerequisites (page 72) section.
The following example operation connects to MongoDB as an authenticated user named manager:
mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
72
Step 2: Verify your privileges. Use the usersInfo command with the showPrivileges option.
The following example operation checks privileges for a user connected as manager:
db.runCommand(
{
usersInfo:"manager",
showPrivileges:true
}
)
The resulting users document displays the privileges granted to manager.
Step 3: Dene the privileges to grant to the role. Decide which resources (page 97) to grant access to and which
actions (page 99) to grant on each resource.
When creating the role, you will enter the resource-action pairings as documents in the privileges array, as in the
following example:
{ db: "products", collection: "electronics" }
Step 4: Check whether an existing role provides the privileges. If an existing role contains the exact set of
privileges (page 10), the new role can inherit (page 10) those privileges.
To view the privileges provided by existing roles, use the rolesInfo command, as in the following:
db.runCommand( { rolesInfo: 1, showPrivileges: 1 } )
Step 5: Create the role. To create the role, use the createRole command. Specify privileges in the
privileges array and inherited roles in the roles array.
The following example creates the myClusterwideAdmin role in the admin database:
use admin
db.createRole(
{
role: "myClusterwideAdmin",
privileges:
[
{ resource: { cluster: true }, actions: [ "addShard" ] },
{ resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert" ] },
{ resource: { db: "users", collection: "usersCollection" }, actions: [ "update" ] },
{ resource: { db: "", collection: "" }, actions: [ "find" ] }
],
roles:
[
{ role: "read", db: "admin" }
],
writeConcern: { w: "majority" , wtimeout: 5000 }
}
)
The operation denes myClusterwideAdmin roles privileges in the privileges array. In the roles array,
myClusterwideAdmin inherits privileges from the admin databases read role.
73
Assign a User a Role
Changed in version 2.6.
Overview
A role provides a user privileges to perform a set of actions (page 99) on a resource (page 97). A user can have
multiple roles.
In MongoDB systems with authorization enforced, you must grant a user a role for the user to access a database
resource. To assign a role, rst determine the privileges the user needs and then determine the role that grants those
privileges.
For an overview of roles and privileges, see Authorization (page 9). For descriptions of the access each built-in role
provides, see the section on built-in roles (page 86).
Prerequisites
You must have the grantRole (page 100) action (page 99) on a database to grant a role on that database.
To view a roles information, you must be explicitly granted the role or must have the viewRole (page 100) action
(page 99) on the roles database.
Procedure
Step 1: Connect with the privilege to grant roles. Connect to the mongod or mongos either through the localhost
exception (page 9) or as a user with the privileges required in the Prerequisites (page 74) section.
The following example operation connects to the MongoDB instance as a user named roleManager:
mongo --port 27017 -u roleManager -p 12345678 --authenticationDatabase admin
Step 2: Verify your privileges. Use the usersInfo command with the showPrivileges option.
The following example operation checks privileges for a user connected as manager:
db.runCommand(
{
usersInfo:"manager",
showPrivileges:true
}
)
The resulting users document displays the privileges granted to manager.
Step 3: Identify the users roles and privileges. To display the roles and privileges of the user to be modied, use
the db.getUser() and db.getRole() methods, as described in Verify User Privileges (page 75).
To display the privileges granted by siteRole01 on the current database, issue:
db.getRole( "siteRole01", { showPrivileges: true } )
74
Step 4: Identify the privileges to grant or revoke. Determine which role contains the privileges and only those
privileges. If such a role does not exist, then to grant the privileges will require creating a new role (page 72) with the
specic set of privileges. To revoke a subset of privileges provided by an existing role: revoke the original role, create
a new role (page 72) that contains the privileges to keep, and then grant that role to the user.
Step 5: Grant a role to a user. Grant the user the role using the db.grantRolesToUser() method.
For example:
use admin
db.grantRolesToUser(
"accountAdmin01",
[
{
role: "readWrite", db: "products"
},
{
role: "readAnyDatabase", db:"admin"
}
]
)
Verify User Privileges
Overview
A users privileges determine the access the user has to MongoDB resources (page 97) and the actions (page 99) that
user can perform. Users receive privileges through role assignments. A user can have multiple roles, and each role can
have multiple privileges.
For an overview of roles and privileges, see Authorization (page 9).
Prerequisites
To view a roles information, you must be explicitly granted the role or must have the viewRole (page 100) action
(page 99) on the roles database.
Procedure
Step 1: Identify the users roles. Use the usersInfo command or db.getUser() method to display user
information. The roles (page 96) array species the users roles.
For example, to view roles for accountUser01 on the accounts database, issue the following:
use accounts
db.getUser("accountUser01")
The roles (page 96) array displays all roles for accountUser01:
"roles" : [
{
"role" : "readWrite",
"db" : "accounts"
},
75
{
"role" : "siteRole01",
"db" : "records"
}
]
Step 2: Identify the privileges granted by the roles. For a given role, use the rolesInfo command or
db.getRole() method, and include the showPrivileges parameter. The resulting role document displays
both privileges granted directly and roles from which this role inherits privileges.
For example, to view the privileges granted by siteRole01 on the records database, use the following operation,
which returns a document with a privileges (page 94) array:
use records
db.getRole( "siteRole01", { showPrivileges: true } )
The returned document includes the roles (page 94) and privileges (page 94) arrays:
"roles" : [
{
"role" : "read",
"db" : "corporate"
}
],
"privileges" : [
{
"resource" : {
"db" : "records",
"collection" : ""
},
"actions" : [
"find",
"insert",
"update"
]
}
]
To view the privileges granted by the read (page 86) role, use db.getRole() again with the appropriate parame-
ters.
Modify a Users Access
Overview
When a users responsibilities change, modify the users access to include only those roles the user requires. This
follows the policy of least privilege.
To change a users access, rst determine the privileges the user needs and then determine the roles that grants those
privileges. Grant and revoke roles using the method:db.grantRolesToUser() and db.revokeRolesFromUser
methods.
For an overview of roles and privileges, see Authorization (page 9). For descriptions of the access each built-in role
provides, see the section on built-in roles (page 86).
76
Prerequisites
You must have the grantRole (page 100) action (page 99) on a database to grant a role on that database.
You must have the revokeRole (page 100) action (page 99) on a database to revoke a role on that database.
To view a roles information, you must be explicitly granted the role or must have the viewRole (page 100) action
(page 99) on the roles database.
Procedure
Step 1: Connect to MongoDBwith the appropriate privileges. Connect to the mongod or mongos either through
the localhost exception (page 9) or as a user with the privileges required in the Prerequisites (page 77) section.
The following example operation connects to MongoDB as an authenticated user named manager:
mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
Step 2: Verify your privileges. Use the usersInfo command with the showPrivileges option.
The following example operation checks privileges for a user connected as manager:
db.runCommand(
{
usersInfo:"manager",
showPrivileges:true
}
)
The resulting users document displays the privileges granted to manager.
Step 3: Identify the users roles and privileges. To display the roles and privileges of the user to be modied, use
the db.getUser() and db.getRole() methods, as described in Verify User Privileges (page 75).
To display the privileges granted by siteRole01 on the current database, issue:
db.getRole( "siteRole01", { showPrivileges: true } )
Step 4: Identify the privileges to grant or revoke. Determine which role contains the privileges and only those
privileges. If such a role does not exist, then to grant the privileges will require creating a new role (page 72) with the
specic set of privileges. To revoke a subset of privileges provided by an existing role: revoke the original role, create
a new role (page 72) that contains the privileges to keep, and then grant that role to the user.
Step 5: Modify the users access.
Revoke a Role Revoke a role with the db.revokeRolesFromUser() method. Access revocations apply as
soon as the user tries to run a command. On a mongos revocations are instant on the mongos on which the command
ran, but there is up to a 10-minute delay before the user cache is updated on the other mongos instances in the
cluster. The following example operation removes the readWrite (page 86) role on the accounts database from
the accountUser01 users existing roles:
77
use accounts
db.revokeRolesFromUser(
"accountUser01",
[
{ role: "readWrite", db: "accounts" }
]
)
Grant a Role Grant a role using the db.grantRolesToUser() method. For example, the following operation
grants the accountUser01 user the read (page 86) role on the records database:
use accounts
db.grantRolesToUser(
"accountUser01",
[
{ role: "read", db: "records" }
]
)
View Roles
Overview
A role (page 10) grants privileges to the users who are assigned the role. Each role is scoped to a particular database,
but MongoDB stores all role information in the admin.system.roles collection in the admin database.
Prerequisites
To view a roles information, you must be explicitly granted the role or must have the viewRole (page 100) action
(page 99) on the roles database.
Procedures
The following procedures use the rolesInfo command. You also can use the methods db.getRole() (singular)
and db.getRoles().
View a Role in the Current Database If the role is in the current database, you can refer to the role by name, as for
the role dataEntry on the current database:
db.runCommand({ rolesInfo: "dataEntry" })
View a Role in a Different Database If the role is in a different database, specify the role as a document. Use the
following form:
{ role: "<role name>", db: "<role db>" }
To view the custom appWriter role in the orders database, issue the following command from the mongo shell:
db.runCommand({ rolesInfo: { role: "appWriter", db: "orders" } })
78
View Multiple Roles To view information for multiple roles, specify each role as a document or string in an array.
To view the custom appWriter and clientWriter roles in the orders database, as well as the dataEntry
role on the current database, use the following command from the mongo shell:
db.runCommand( { rolesInfo: [ { role: "appWriter", db: "orders" },
{ role: "clientWriter", db: "orders" },
"dataEntry" ]
} )
View All Custom Roles To view the all custom roles, query admin.system.roles (page 93) collection directly, for
example:
db = db.getSiblingDB('admin')
db.system.roles.find()
Change a Users Password
Changed in version 2.6.
Overview
Strong passwords help prevent unauthorized access, and all users should have strong passwords. You can use the
openssl program to generate unique strings for use in passwords, as in the following command:
openssl rand -base64 48
Prerequisites
You must have the changeAnyPassword action (page 99) on a database to modify the password of any user on
that database.
You must have the changeOwnPassword (page 99) action (page 99) on your database to change your own pass-
word.
Procedure
Step 1: Connect to MongoDB with the appropriate privileges. Connect to the mongod or mongos with the
privileges required in the Prerequisites (page 79) section.
The following example operation connects to MongoDB as an authenticated user named manager:
mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
Step 2: Verify your privileges. Use the usersInfo command with the showPrivileges option.
The following example operation checks privileges for a user connected as manager:
db.runCommand(
{
usersInfo:"manager",
showPrivileges:true
79
}
)
The resulting users document displays the privileges granted to manager.
Step 3: Change the password. Pass the users username and the new password to the
db.changeUserPassword() method.
The following operation changes the reporting users password to SOh3TbYhxuLiW8ypJPxmt1oOfL:
db.changeUserPassword("reporting", "SOh3TbYhxuLiW8ypJPxmt1oOfL")
Change Your Password and Custom Data
Changed in version 2.6.
Overview
Users with appropriate privileges can change their own passwords and custom data. Custom data (page 97) stores
optional user information.
Considerations
To generate a strong password for use in this procedure, you can use the openssl utilitys rand command. For
example, issue openssl rand with the following options to create a base64-encoded string of 48 pseudo-random
bytes:
openssl rand -base64 48
Prerequisites
To modify your own password or custom data, you must have the changeOwnPassword (page 99) and
changeOwnCustomData (page 99) actions (page 99) respectively on the cluster resource.
Procedure
Step 1: Connect with the appropriate privileges. Connect to the mongod or mongos with your username and
current password.
For example, the following operation connects to MongoDB as an authenticated user named manager.
mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
Step 2: Verify your privileges. To check that you have the privileges specied in the Prerequisites (page 80) section,
use the usersInfo command with the showPrivileges option.
The following example operation checks privileges for a user connected as manager:
80
db.runCommand(
{
usersInfo:"manager",
showPrivileges:true
}
)
The resulting users document displays the privileges granted to manager.
Step 2: View your custom data. Connect to the mongod or mongos with your username and current password.
For example, the following operation returns information for the manager user:
db.runCommand( { usersInfo: "manager" } )
Step 3: Change your password and custom data. Pass your username, new password, and new custom data to the
updateUser command.
For example, the following operation changes a users password to KNlZmiaNUp0B and custom data to { title:
"Senior Manager" }:
db.runCommand(
{ updateUser: "manager",
pwd: "KNlZmiaNUp0B",
customData: { title: "Senior Manager" }
}
)
3.6 Congure System Events Auditing
New in version 2.6.
MongoDB Enterprise supports auditing (page 15) of various operations. A complete auditing solution must involve
all mongod server and mongos router processes.
The audit facility can write audit events to the console, the syslog (option is unavailable on Windows), a JSON le,
or a BSON le. For details on the audited operations and the audit log messages, see System Event Audit Messages
(page 104).
Enable and Congure Audit Output
Use the --auditDestination option to enable auditing and specify where to output the audit events.
Output to Syslog
To enable auditing and print audit events to the syslog (option is unavailable on Windows) in JSON format, specify
syslog for the --auditDestination setting. For example:
mongod --dbpath data/db --auditDestination syslog
Warning: The syslog message limit can result in the truncation of the audit messages. The auditing system will
neither detect the truncation nor error upon its occurrence.
81
You may also specify these options in the configuration file:
dbpath=data/db
auditDestination=syslog
Output to Console
To enable auditing and print the audit events to standard output (i.e. stdout), specify console for the
--auditDestination setting. For example:
mongod --dbpath data/db --auditDestination console
You may also specify these options in the configuration file:
dbpath=data/db
auditDestination=console
Output to JSON File
To enable auditing and print audit events to a le in JSON format, specify file for the --auditDestination set-
ting, JSON for the --auditFormat setting, and the output lename for the --auditPath. The --auditPath
option accepts either full path name or relative path name. For example, the following enables auditing and records
audit events to a le with the relative path name of data/db/auditLog.json:
mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
The audit le rotates at the same time as the server log le.
You may also specify these options in the configuration file:
dbpath=data/db
auditDestination=file
auditFormat=JSON
auditPath=data/db/auditLog.json
Note: Printing audit events to a le in JSON format degrades server performance more than printing to a le in BSON
format.
Output to BSON File
To enable auditing and print audit events to a le in BSON binary format, specify file for the
--auditDestination setting, BSON for the --auditFormat setting, and the output lename for the
--auditPath. The --auditPath option accepts either full path name or relative path name. For ex-
ample, the following enables auditing and records audit events to a BSON le with the relative path name of
data/db/auditLog.bson:
mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson
The audit le rotates at the same time as the server log le.
You may also specify these options in the configuration file:
82
dbpath=data/db
auditDestination=file
auditFormat=BSON
auditPath=data/db/auditLog.bson
To view the contents of the le, pass the le to the MongoDB utility bsondump. For example, the following converts
the audit log into a human-readable form and output to the terminal:
bsondump data/db/auditLog.bson
Filter Events
By default, the audit facility records all auditable operations (page 105). The audit feature has an --auditFilter
option to determine which events to record. The --auditFilter option takes a document of the form:
{ atype: <expression> }
The <expression> is a query condition expression to match on various actions (page 105) .
Filter for a Single Operation Type
For example, to audit only the createCollection (page 100) action, use the lter { atype:
"createCollection" }:
Tip
To specify the lter as a command-line option, enclose the lter document in single quotes to pass the document as a
string.
mongod --dbpath data/db --auditDestination file --auditFilter '{ atype: "createCollection" }' --auditFormat JSON --auditPath data/db/auditLog.json
Filter for Multiple Operation Types
To match on multiple operations, use the $in operator in the <expression> as in the following:
Tip
To specify the lter as a command-line option, enclose the lter document in single quotes to pass the document as a
string.
mongod --dbpath data/db --auditDestination file --auditFilter '{ atype: { $in: [ "createCollection", "dropCollection" ] } }' --auditFormat JSON --auditPath data/db/auditLog.json
Filter on Authentication Operations on a Single Database
For authentication operations, you can also specify a specic database with the param.db eld:
{ atype: <expression>, "param.db": <database> }
For example, to audit only authenticate operations that occur against the test database, use the lter {
atype: "authenticate", "param.db": "test" }:
Tip
83
To specify the lter as a command-line option, enclose the lter document in single quotes to pass the document as a
string.
mongod --dbpath data/db --auth --auditDestination file --auditFilter '{ atype: "authenticate", "param.db": "test" }' --auditFormat JSON --auditPath data/db/auditLog.json
To lter on all authenticate operations across databases, use the lter { atype: "authenticate" }.
3.7 Create a Vulnerability Report
If you believe you have discovered a vulnerability in MongoDB or have experienced a security incident related to
MongoDB, please report the issue to aid in its resolution.
To report an issue, we strongly suggest ling a ticket in the SECURITY
53
project in JIRA. MongoDB, Inc responds to
vulnerability notications within 48 hours.
Create the Report in JIRA
Submit a ticket in the Security
54
project at: <http://jira.mongodb.org/browse>. The ticket number will become the
reference identication for the issue for its lifetime. You can use this identier for tracking purposes.
Information to Provide
All vulnerability reports should contain as much information as possible so MongoDBs developers can move quickly
to resolve the issue. In particular, please include the following:
The name of the product.
Common Vulnerability information, if applicable, including:
CVSS (Common Vulnerability Scoring System) Score.
CVE (Common Vulnerability and Exposures) Identier.
Contact information, including an email address and/or phone number, if applicable.
Send the Report via Email
While JIRA is the preferred reporting method, you may also report vulnerabilities via email to secu-
[email protected]
55
.
You may encrypt email using MongoDBs public key at http://docs.mongodb.org/10gen-security-gpg-key.asc.
MongoDB, Inc. responds to vulnerability reports sent via email with a response email that contains a reference number
for a JIRA ticket posted to the SECURITY
56
project.
Evaluation of a Vulnerability Report
MongoDB, Inc. validates all submitted vulnerabilities and uses Jira to track all communications regarding a vulner-
ability, including requests for clarication or additional information. If needed, MongoDB representatives set up a
conference call to exchange information regarding the vulnerability.
53
https://jira.mongodb.org/browse/SECURITY
54
https://jira.mongodb.org/browse/SECURITY
55
[email protected]
56
https://jira.mongodb.org/browse/SECURITY
84
Disclosure
MongoDB, Inc. requests that you do not publicly disclose any information regarding the vulnerability or exploit the
issue until it has had the opportunity to analyze the vulnerability, to respond to the notication, and to notify key users,
customers, and partners.
The amount of time required to validate a reported vulnerability depends on the complexity and severity of the issue.
MongoDB, Inc. takes all required vulnerabilities very seriously and will always ensure that there is a clear and open
channel of communication with the reporter.
After validating an issue, MongoDB, Inc. coordinates public disclosure of the issue with the reporter in a mutually
agreed timeframe and format. If required or requested, the reporter of a vulnerability will receive credit in the published
security bulletin.
4 Security Reference
4.1 Security Methods in the mongo Shell
Name Description
db.auth() Authenticates a user to a database.
User Management Methods
Name Description
db.addUser() Deprecated. Adds a user to a database, and allows administrators to congure the
users privileges.
db.changeUserPassword() Changes an existing users password.
db.createUser() Creates a new user.
db.dropAllUsers() Deletes all users associated with a database.
db.dropUser() Removes a single user.
db.getUser() Returns information about the specied user.
db.getUsers() Returns information about all users associated with a database.
db.grantRolesToUser() Grants a role and its privileges to a user.
db.removeUser() Deprecated. Removes a user from a database.
db.revokeRolesFromUser() Removes a role from a user.
db.updateUser() Updates user data.
Role Management Methods
Name Description
db.createRole() Creates a role and species its privileges.
db.dropAllRoles() Deletes all user-dened roles associated with a database.
db.dropRole() Deletes a user-dened role.
db.getRole() Returns information for the specied role.
db.getRoles() Returns information for all the user-dened roles in a database.
db.grantPrivilegesToRole() Assigns privileges to a user-dened role.
db.grantRolesToRole() Species roles from which a user-dened role inherits privileges.
db.revokePrivilegesFromRole() Removes the specied privileges from a user-dened role.
db.revokeRolesFromRole() Removes a role from a user.
db.updateRole() Updates a user-dened role.
85
4.2 Security Reference Documentation
Built-In Roles (page 86) Reference on MongoDB provided roles and corresponding access.
system.roles Collection (page 93) Describes the content of the collection that stores user-dened roles.
system.users Collection (page 96) Describes the content of the collection that stores users credentials and role as-
signments.
Resource Document (page 97) Describes the resource document for roles.
Privilege Actions (page 99) List of the actions available for privileges.
Default MongoDB Port (page 104) List of default ports used by MongoDB.
System Event Audit Messages (page 104) Reference on system event audit messages.
Built-In Roles
MongoDB grants access to data and commands through role-based authorization (page 10) and provides built-in
roles that provide the different levels of access commonly needed in a database system. You can additionally create
user-dened roles (page 10).
A role grants privileges to perform sets of actions (page 99) on dened resources (page 97). A given role applies to
the database on which it is dened and can grant access down to a collection level of granularity.
Each of MongoDBs built-in roles denes access at the database level for all non-system collections in the roles
database and at the collection level for all system collections.
MongoDB provides the built-in database user (page 86) and database administration (page 87) roles on every
database. MongoDB provides all other built-in roles only on the admin database.
This section describes the privileges for each built-in role. You can also view the privileges for a built-in role at any
time by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles elds both set
to true.
Database User Roles
Every database includes the following client roles:
read
Provides the ability to read data on all non-system collections and on the following system collections:
system.indexes, system.js, and system.namespaces collections. The role provides read access
by granting the following actions (page 99):
collStats (page 103)
dbHash (page 103)
dbStats (page 103)
find (page 99)
killCursors (page 100)
readWrite
Provides all the privileges of the read (page 86) role plus ability to modify data on all non-system collections
and the system.js collection. The role provides the following actions on those collections:
collStats (page 103)
convertToCapped (page 102)
86
createCollection (page 100)
dbHash (page 103)
dbStats (page 103)
dropCollection (page 100)
createIndex (page 100)
dropIndex (page 102)
emptycapped (page 100)
find (page 99)
insert (page 99)
killCursors (page 100)
remove (page 99)
renameCollectionSameDB (page 102)
update (page 99)
Database Administration Roles
Every database includes the following database administration roles:
dbAdmin
Provides the following actions (page 99) on the databases system.indexes, system.namespaces, and
system.profile collections:
collStats (page 103)
dbHash (page 103)
dbStats (page 103)
find (page 99)
killCursors (page 100)
dropCollection (page 100) on system.profile only
Provides the following actions on all non-system collections. This role does not include full read access on
non-system collections:
collMod (page 102)
collStats (page 103)
compact (page 102)
convertToCapped (page 102)
createCollection (page 100)
createIndex (page 100)
dbStats (page 103)
dropCollection (page 100)
dropDatabase (page 102)
dropIndex (page 102)
87
enableProfiler (page 100)
indexStats (page 103)
reIndex (page 102)
renameCollectionSameDB (page 102)
repairDatabase (page 103)
storageDetails (page 101)
validate (page 103)
dbOwner
The database owner can perform any administrative action on the database. This role combines the privileges
granted by the readWrite (page 86), dbAdmin (page 87) and userAdmin (page 88) roles.
userAdmin
Provides the ability to create and modify roles and users on the current database. This role also indirectly
provides superuser (page 93) access to either the database or, if scoped to the admin database, the cluster. The
userAdmin (page 88) role allows users to grant any user any privilege, including themselves.
The userAdmin (page 88) role explicitly provides the following actions:
changeCustomData (page 99)
changePassword (page 99)
createRole (page 100)
createUser (page 100)
dropRole (page 100)
dropUser (page 100)
grantRole (page 100)
revokeRole (page 100)
viewRole (page 100)
viewUser (page 100)
Cluster Administration Roles
The admin database includes the following roles for administering the whole system rather than just a single database.
These roles include but are not limited to replica set and sharded cluster administrative functions.
clusterAdmin
Provides the greatest cluster-management access. This role combines the privileges granted by the
clusterManager (page 88), clusterMonitor (page 89), and hostManager (page 90) roles. Addi-
tionally, the role provides the dropDatabase (page 102) action.
clusterManager
Provides management and monitoring actions on the cluster. A user with this role can access the config and
local databases, which are used in sharding and replication, respectively.
Provides the following actions on the cluster as a whole:
addShard (page 101)
applicationMessage (page 102)
88
cleanupOrphaned (page 100)
flushRouterConfig (page 101)
listShards (page 102)
removeShard (page 102)
replSetConfigure (page 101)
replSetGetStatus (page 101)
replSetStateChange (page 101)
resync (page 101)
Provides the following actions on all databases in the cluster:
enableSharding (page 101)
moveChunk (page 102)
splitChunk (page 102)
splitVector (page 102)
On the config database, provides the following actions on the settings collection:
insert (page 99)
remove (page 99)
update (page 99)
On the config database, provides the following actions on all conguration collections and on the
system.indexes, system.js, and system.namespaces collections:
collStats (page 103)
dbHash (page 103)
dbStats (page 103)
find (page 99)
killCursors (page 100)
On the local database, provides the following actions on the replset collection:
collStats (page 103)
dbHash (page 103)
dbStats (page 103)
find (page 99)
killCursors (page 100)
clusterMonitor
Provides read-only access to monitoring tools, such as the MongoDBManagement Service (MMS)
57
monitoring
agent.
Provides the following actions on the cluster as a whole:
connPoolStats (page 103)
cursorInfo (page 103)
57
http://mms.mongodb.com/help/
89
getCmdLineOpts (page 103)
getLog (page 103)
getParameter (page 102)
getShardMap (page 101)
hostInfo (page 102)
inprog (page 101)
listDatabases (page 103)
listShards (page 102)
netstat (page 103)
replSetGetStatus (page 101)
serverStatus (page 103)
shardingState (page 102)
top (page 104)
Provides the following actions on all databases in the cluster:
collStats (page 103)
dbStats (page 103)
getShardVersion (page 101)
Provides the find (page 99) action on all system.profile collections in the cluster.
Provides the following actions on the config databases conguration collections and system.indexes,
system.js, and system.namespaces collections:
collStats (page 103)
dbHash (page 103)
dbStats (page 103)
find (page 99)
killCursors (page 100)
hostManager
Provides the ability to monitor and manage servers.
Provides the following actions on the cluster as a whole:
applicationMessage (page 102)
closeAllDatabases (page 102)
connPoolSync (page 102)
cpuProfiler (page 100)
diagLogging (page 103)
flushRouterConfig (page 101)
fsync (page 102)
invalidateUserCache (page 101)
killop (page 101)
90
logRotate (page 102)
resync (page 101)
setParameter (page 103)
shutdown (page 103)
touch (page 103)
unlock (page 100)
Provides the following actions on all databases in the cluster:
killCursors (page 100)
repairDatabase (page 103)
Backup and Restoration Roles
The admin database includes the following roles for backing up and restoring data:
backup
Provides minimal privileges needed for backing up data. This role provides sufcient privileges to use the
MongoDB Management Service (MMS)
58
backup agent, or to use mongodump to back up an entire mongod
instance.
Provides the following actions (page 99) on the mms.backup collection in the admin database:
insert (page 99)
update (page 99)
Provides the listDatabases (page 103) action on the cluster as a whole.
Provides the find (page 99) action on the following:
all non-system collections in the cluster
all the following system collections in the cluster: system.indexes, system.namespaces, and
system.js
the admin.system.users and admin.system.roles collections
legacy system.users collections from versions of MongoDB prior to 2.6
restore
Provides minimal privileges needed for restoring data from backups. This role provides sufcient privileges to
use the mongorestore tool to restore an entire mongod instance.
Provides the following actions on all non-system collections and system.js collections in the cluster; on the
admin.system.users and admin.system.roles collections in the admin database; and on legacy
system.users collections from versions of MongoDB prior to 2.6:
collMod (page 102)
createCollection (page 100)
createIndex (page 100)
dropCollection (page 100)
insert (page 99)
58
http://mms.mongodb.com/help/
91
Provides the following additional actions on admin.system.users and legacy system.users collec-
tions:
find (page 99)
remove (page 99)
update (page 99)
Provides the find (page 99) action on all the system.namespaces collections in the cluster.
Although, restore (page 91) includes the ability to modify the documents in the admin.system.users
collection using normal modication operations, only modify these data using the user management methods.
All-Database Roles
The admin database provides the following roles that apply to all databases in a mongod instance and are roughly
equivalent to their single-database equivalents:
readAnyDatabase
Provides the same read-only permissions as read (page 86), except it applies to all databases in the cluster.
The role also provides the listDatabases (page 103) action on the cluster as a whole.
readWriteAnyDatabase
Provides the same read and write permissions as readWrite (page 86), except it applies to all databases in
the cluster. The role also provides the listDatabases (page 103) action on the cluster as a whole.
userAdminAnyDatabase
Provides the same access to user administration operations as userAdmin (page 88), except it applies to all
databases in the cluster. The role also provides the following actions on the cluster as a whole:
authSchemaUpgrade (page 100)
invalidateUserCache (page 101)
listDatabases (page 103)
The role also provides the following actions on the admin.system.users and admin.system.roles
collections on the admin database, and on legacy system.users collections from versions of MongoDB
prior to 2.6:
collStats (page 103)
dbHash (page 103)
dbStats (page 103)
find (page 99)
killCursors (page 100)
planCacheRead (page 101)
The userAdminAnyDatabase (page 92) role does not restrict the permissions that a user can grant. As
a result, userAdminAnyDatabase (page 92) users can grant themselves privileges in excess of their cur-
rent privileges and even can grant themselves all privileges, even though the role does not explicitly authorize
privileges beyond user administration. This role is effectively a MongoDB system superuser (page 93).
dbAdminAnyDatabase
Provides the same access to database administration operations as dbAdmin (page 87), except it applies to all
databases in the cluster. The role also provides the listDatabases (page 103) action on the cluster as a
whole.
92
Superuser Roles
Several roles provide either indirect or direct system-wide superuser access.
The following roles provide the ability to assign any user any privilege on any database, which means that users with
one of these roles can assign themselves any privilege on any database:
dbOwner (page 88) role, when scoped to the admin database
userAdmin (page 88) role, when scoped to the admin database
userAdminAnyDatabase (page 92) role
The following role provides full privileges on all resources:
root
Provides access to the operations and all the resources of the readWriteAnyDatabase (page 92),
dbAdminAnyDatabase (page 92), userAdminAnyDatabase (page 92) and clusterAdmin (page 88)
roles combined.
root (page 93) does not include the ability to insert data directly into the system.users and
system.roles collections in the admin database. Therefore, root (page 93) is not suitable for restoring
data that have these collections with mongorestore. To perform these kinds of restore operations, provision
users with the restore (page 91) role.
Internal Role
__system
MongoDB assigns this role to user objects that represent cluster members, such as replica set members and
mongos instances. The role entitles its holder to take any action against any object in the database.
Do not assign this role to user objects representing applications or human administrators, other than in excep-
tional circumstances.
If you need access to all actions on all resources, for example to run the eval or applyOps commands, do
not assign this role. Instead, create a user-dened role that grants anyAction (page 104) on anyResource
(page 99) and ensure that only the users who needs access to these operations has this access.
system.roles Collection
New in version 2.6.
The system.roles collection in the admin database stores the user-dened roles. To create and manage these
user-dened roles, MongoDB provides role management commands.
system.roles Schema
The documents in the system.roles collection have the following schema:
{
_id: <system-defined id>,
role: "<role name>",
db: "<database>",
privileges:
[
{
resource: { <resource> },
93
actions: [ "<action>", ... ]
},
...
],
roles:
[
{ role: "<role name>", db: "<database>" },
...
]
}
A system.roles document has the following elds:
admin.system.roles.role
The role (page 94) eld is a string that species the name of the role.
admin.system.roles.db
The db (page 94) eld is a string that species the database to which the role belongs. MongoDB uniquely
identies each role by the pairing of its name (i.e. role (page 94)) and its database.
admin.system.roles.privileges
The privileges (page 94) array contains the privilege documents that dene the privileges (page 10) for the
role.
A privilege document has the following syntax:
{
resource: { <resource> },
actions: [ "<action>", ... ]
}
Each privilege document has the following elds:
admin.system.roles.privileges[n].resource
A document that species the resources upon which the privilege actions (page 94) apply. The docu-
ment has one of the following form:
{ db: <database>, collection: <collection> }
or
{ cluster : true }
See Resource Document (page 97) for more details.
admin.system.roles.privileges[n].actions
An array of actions permitted on the resource. For a list of actions, see Privilege Actions (page 99).
admin.system.roles.roles
The roles (page 94) array contains role documents that specify the roles fromwhich this role inherits (page 10)
privileges.
A role document has the following syntax:
{ role: "<role name>", db: "<database>" }
A role document has the following elds:
admin.system.roles.roles[n].role
The name of the role. A role can be a built-in role (page 86) provided by MongoDB or a user-dened role
(page 10).
94
admin.system.roles.roles[n].db
The name of the database where the role is dened.
Examples
Consider the following sample documents found in system.roles collection of the admin database.
A User-Dened Role Species Privileges The following is a sample document for a user-dened role appUser
dened for the myApp database:
{
_id: "myApp.appUser",
role: "appUser",
db: "myApp",
privileges: [
{ resource: { db: "myApp" , collection: "" },
actions: [ "find", "createCollection", "dbStats", "collStats" ] },
{ resource: { db: "myApp", collection: "logs" },
actions: [ "insert" ] },
{ resource: { db: "myApp", collection: "data" },
actions: [ "insert", "update", "remove", "compact" ] },
{ resource: { db: "myApp", collection: "system.indexes" },
actions: [ "find" ] },
{ resource: { db: "myApp", collection: "system.namespaces" },
actions: [ "find" ] },
],
roles: []
}
The privileges array lists the ve privileges that the appUser role species:
The rst privilege permits its actions ( "find", "createCollection", "dbStats", "collStats") on
all the collections in the myApp database excluding its system collections. See Specify a Database as Resource
(page 98).
The next two privileges permits additional actions on specic collections, logs and data, in the myApp
database. See Specify a Collection of a Database as Resource (page 97).
The last two privileges permits actions on two system collections in the myApp database. While the
rst privilege gives database-wide permission for the find action, the action does not apply to myApps system
collections. To give access to a systemcollection, a privilege must explicitly specify the collection. See Resource
Document (page 97).
As indicated by the empty roles array, appUser inherits no additional privileges from other roles.
User-Dened Role Inherits from Other Roles The following is a sample document for a user-dened role
appAdmin dened for the myApp database: The document shows that the appAdmin role species privileges
as well as inherits privileges from other roles:
{
_id: "myApp.appAdmin",
role: "appAdmin",
db: "myApp",
privileges: [
{
resource: { db: "myApp", collection: "" },
actions: [ "insert", "dbStats", "collStats", "compact", "repairDatabase" ]
95
}
],
roles: [
{ role: "appUser", db: "myApp" }
]
}
The privileges array lists the privileges that the appAdmin role species. This role has a single privilege that
permits its actions ( "insert", "dbStats", "collStats", "compact", "repairDatabase") on all the
collections in the myApp database excluding its system collections. See Specify a Database as Resource (page 98).
The roles array lists the roles, identied by the role names and databases, from which the role appAdmin inherits
privileges.
system.users Collection
Changed in version 2.6.
The system.users collection in the admin database stores user authentication (page 6) and authorization (page 9)
information. To manage data in this collection, MongoDB provides user management commands.
system.users Schema
The documents in the system.users collection have the following schema:
{
_id: <system defined id>,
user: "<name>",
db: "<database>",
credentials: { <authentication credentials> },
roles: [
{ role: "<role name>", db: "<database>" },
...
],
customData: <custom information>
}
Each system.users document has the following elds:
admin.system.users.user
The user (page 96) eld is a string that identies the user. A user exists in the context of a single logical
database but can have access to other databases through roles specied in the roles (page 96) array.
admin.system.users.db
The db (page 96) eld species the database associated with the user. The users privileges are not necessarily
limited to this database. The user can have privileges in additional databases through the roles (page 96)
array.
admin.system.users.credentials
The credentials (page 96) eld contains the users authentication information. For users with externally
stored authentication credentials, such as users that use Kerberos (page 56) or x.509 certicates for authentica-
tion, the system.users document for that user does not contain the credentials (page 96) eld.
admin.system.users.roles
The roles (page 96) array contains role documents that specify the roles granted to the user. The array contains
both built-in roles (page 86) and user-dened role (page 10).
A role document has the following syntax:
96
{ role: "<role name>", db: "<database>" }
A role document has the following elds:
admin.system.users.roles[n].role
The name of a role. A role can be a built-in role (page 86) provided by MongoDB or a custom user-dened
role (page 10).
admin.system.users.roles[n].db
The name of the database where role is dened.
When specifying a role using the role management or user management commands, you can specify the role
name alone (e.g. "readWrite") if the role that exists on the database on which the command is run.
admin.system.users.customData
The customData (page 97) eld contains optional custom information about the user.
Example
Consider the following document in the system.users collection:
{
_id: "home.Kari",
user: "Kari",
db: "home",
credentials: { "MONGODB-CR" :"<hashed password>" },
roles : [
{ role: "read", db: "home" },
{ role: "readWrite", db: "test" },
{ role: "appUser", db: "myApp" }
],
customData: { zipCode: "64157" }
}
The document shows that a user Kari is associated with the home database. Kari has the read (page 86) role
in the home database, the readWrite (page 86) role in the test database, and the appUser role in the myApp
database.
Resource Document
The resource document species the resources upon which a privilege permits actions.
Database and/or Collection Resource
To specify databases and/or collections, use the following syntax:
{ db: <database>, collection: <collection> }
Specify a Collection of a Database as Resource If the resource document species both the db an collection
elds as non-empty strings, the resource is the specied collection in the specied database. For example, the following
document species a resource of the inventory collection in the products database:
{ db: "products", collection: "inventory" }
97
For a user-dened role scoped for a non-admin database, the resource specication for its privileges must specify the
same database as the role. User-dened roles scoped for the admin database can specify other databases.
Specify a Database as Resource If only the collection eld is an empty string (""), the resource is the speci-
ed database, excluding the system collections. For example, the following resource document species the
resource of the test database, excluding the system collections:
{ db: "test", collection: "" }
For a user-dened role scoped for a non-admin database, the resource specication for its privileges must specify the
same database as the role. User-dened roles scoped for the admin database can specify other databases.
Note: When you specify a database as the resource, the system collections are excluded, unless you name them
explicitly, as in the following:
{ db: "test", collection: "system.namespaces" }
System collections include but are not limited to the following:
<database>.system.profile
<database>.system.namespaces
<database>.system.indexes
<database>.system.js
local.system.replset
system.users Collection (page 96) in the admin database
system.roles Collection (page 93) in the admin database
Specify Collections Across Databases as Resource If only the db eld is an empty string (""), the resource is all
collections with the specied name across all databases. For example, the following document species the resource
of all the accounts collections across all the databases:
{ db: "", collection: "accounts" }
For user-dened roles, only roles scoped for the admin database can have this resource specication for their privi-
leges.
Specify All Non-System Collections in All Databases If both the db and collection elds are empty strings
(""), the resource is all collections, excluding the system collections, in all the databases:
{ db: "", collection: "" }
For user-dened roles, only roles scoped for the admin database can have this resource specication for their privi-
leges.
Cluster Resource
To specify the cluster as the resource, use the following syntax:
{ cluster : true }
98
Use the cluster resource for actions that affect the state of the system rather than act on specic set of databases
or collections. Examples of such actions are shutdown, replSetReconfig, and addShard. For example, the
following document grants the action shutdown on the cluster.
{ resource: { cluster : true }, actions: [ "shutdown" ] }
For user-dened roles, only roles scoped for the admin database can have this resource specication for their privi-
leges.
anyResource
The internal resource anyResource gives access to every resource in the system and is intended for internal use.
Do not use this resource, other than in exceptional circumstances. The syntax for this resource is { anyResource:
true }.
Privilege Actions
New in version 2.6.
Privilege actions dene the operations a user can perform on a resource (page 97). A MongoDB privilege (page 10)
comprises a resource (page 97) and the permitted actions. This page lists available actions grouped by common
purpose.
MongoDB provides built-in roles with pre-dened pairings of resources and permitted actions. For lists of the actions
granted, see Built-In Roles (page 86). To dene custom roles, see Create a Role (page 72).
Query and Write Actions
find
User can perform the db.collection.find() method. Apply this action to database or collection re-
sources.
insert
User can perform the insert command. Apply this action to database or collection resources.
remove
User can perform the db.collection.remove() method. Apply this action to database or collection
resources.
update
User can perform the update command. Apply this action to database or collection resources.
Database Management Actions
changeCustomData
User can change the custom information of any user in the given database. Apply this action to database
resources.
changeOwnCustomData
Users can change their own custom information. Apply this action to database resources.
changeOwnPassword
Users can change their own passwords. Apply this action to database resources.
99
changePassword
User can change the password of any user in the given database. Apply this action to database resources.
createCollection
User can perform the db.createCollection() method. Apply this action to database or collection re-
sources.
createIndex
Provides access to the db.collection.createIndex() method and the createIndexes command.
Apply this action to database or collection resources.
createRole
User can create new roles in the given database. Apply this action to database resources.
createUser
User can create new users in the given database. Apply this action to database resources.
dropCollection
User can perform the db.collection.drop() method. Apply this action to database or collection re-
sources.
dropRole
User can delete any role from the given database. Apply this action to database resources.
dropUser
User can remove any user from the given database. Apply this action to database resources.
emptycapped
User can perform the emptycapped command. Apply this action to database or collection resources.
enableProfiler
User can perform the db.setProfilingLevel() method. Apply this action to database resources.
grantRole
User can grant any role in the database to any user from any database in the system. Apply this action to database
resources.
killCursors
User can kill cursors on the target collection.
revokeRole
User can remove any role fromany user fromany database in the system. Apply this action to database resources.
unlock
User can perform the db.fsyncUnlock() method. Apply this action to the cluster resource.
viewRole
User can view information about any role in the given database. Apply this action to database resources.
viewUser
User can view the information of any user in the given database. Apply this action to database resources.
Deployment Management Actions
authSchemaUpgrade
User can perform the authSchemaUpgrade command. Apply this action to the cluster resource.
cleanupOrphaned
User can perform the cleanupOrphaned command. Apply this action to the cluster resource.
cpuProfiler
User can enable and use the CPU proler. Apply this action to the cluster resource.
100
inprog
User can use the db.currentOp() method to return pending and active operations. Apply this action to the
cluster resource.
invalidateUserCache
Provides access to the invalidateUserCache command. Apply this action to the cluster resource.
killop
User can perform the db.killOp() method. Apply this action to the cluster resource.
planCacheRead
User can perform the planCacheListPlans and planCacheListQueryShapes commands and the
PlanCache.getPlansByQuery() and PlanCache.listQueryShapes() methods. Apply this ac-
tion to database or collection resources.
planCacheWrite
User can perform the planCacheClear command and the PlanCache.clear() and
PlanCache.clearPlansByQuery() methods. Apply this action to database or collection resources.
storageDetails
User can perform the storageDetails command. Apply this action to database or collection resources.
Replication Actions
appendOplogNote
User can append notes to the oplog. Apply this action to the cluster resource.
replSetConfigure
User can congure a replica set. Apply this action to the cluster resource.
replSetGetStatus
User can perform the replSetGetStatus command. Apply this action to the cluster resource.
replSetHeartbeat
User can perform the replSetHeartbeat command. Apply this action to the cluster resource.
replSetStateChange
User can change the state of a replica set through the replSetFreeze, replSetMaintenance,
replSetStepDown, and replSetSyncFrom commands. Apply this action to the cluster resource.
resync
User can perform the resync command. Apply this action to the cluster resource.
Sharding Actions
addShard
User can perform the addShard command. Apply this action to the cluster resource.
enableSharding
User can enable sharding on a database using the enableSharding command and can shard a collection
using the shardCollection command. Apply this action to database or collection resources.
flushRouterConfig
User can perform the flushRouterConfig command. Apply this action to the cluster resource.
getShardMap
User can perform the getShardMap command. Apply this action to the cluster resource.
101
getShardVersion
User can perform the getShardVersion command. Apply this action to database resources.
listShards
User can perform the listShards command. Apply this action to the cluster resource.
moveChunk
User can perform the moveChunk command. Apply this action to the cluster resource.
removeShard
User can perform the removeShard command. Apply this action to the cluster resource.
shardingState
User can perform the shardingState command. Apply this action to the cluster resource.
splitChunk
User can perform the splitChunk command. Apply this action to database or collection resources.
splitVector
User can perform the splitVector command. Apply this action to database or collection resources.
Server Administration Actions
applicationMessage
User can perform the logApplicationMessage command. Apply this action to the cluster resource.
closeAllDatabases
User can perform the closeAllDatabases command. Apply this action to the cluster resource.
collMod
User can perform the collMod command. Apply this action to database or collection resources.
compact
User can perform the compact command. Apply this action to database or collection resources.
connPoolSync
User can perform the connPoolSync command. Apply this action to the cluster resource.
convertToCapped
User can perform the convertToCapped command. Apply this action to database or collection resources.
dropDatabase
User can perform the dropDatabase command. Apply this action to database resources.
dropIndex
User can perform the dropIndexes command. Apply this action to database or collection resources.
fsync
User can perform the fsync command. Apply this action to the cluster resource.
getParameter
User can perform the getParameter command. Apply this action to the cluster resource.
hostInfo
Provides information about the server the MongoDB instance runs on. Apply this action to the cluster
resource.
logRotate
User can perform the logRotate command. Apply this action to the cluster resource.
reIndex
User can perform the reIndex command. Apply this action to database or collection resources.
102
renameCollectionSameDB
Allows the user to rename collections on the current database using the renameCollection command.
Apply this action to database resources.
Additionally, the user must either have find (page 99) on the source collection or not have find (page 99) on
the destination collection.
If a collection with the new name already exists, the user must also have the dropCollection (page 100)
action on the destination collection.
repairDatabase
User can perform the repairDatabase command. Apply this action to database resources.
setParameter
User can perform the setParameter command. Apply this action to the cluster resource.
shutdown
User can perform the shutdown command. Apply this action to the cluster resource.
touch
User can perform the touch command. Apply this action to the cluster resource.
Diagnostic Actions
collStats
User can perform the collStats command. Apply this action to database or collection resources.
connPoolStats
User can perform the connPoolStats and shardConnPoolStats commands. Apply this action to the
cluster resource.
cursorInfo
User can perform the cursorInfo command. Apply this action to the cluster resource.
dbHash
User can perform the dbHash command. Apply this action to database or collection resources.
dbStats
User can perform the dbStats command. Apply this action to database resources.
diagLogging
User can perform the diagLogging command. Apply this action to the cluster resource.
getCmdLineOpts
User can perform the getCmdLineOpts command. Apply this action to the cluster resource.
getLog
User can perform the getLog command. Apply this action to the cluster resource.
indexStats
User can perform the indexStats command. Apply this action to database or collection resources.
listDatabases
User can perform the listDatabases command. Apply this action to the cluster resource.
netstat
User can perform the netstat command. Apply this action to the cluster resource.
serverStatus
User can perform the serverStatus command. Apply this action to the cluster resource.
103
validate
User can perform the validate command. Apply this action to database or collection resources.
top
User can perform the top command. Apply this action to the cluster resource.
Internal Actions
anyAction
Allows any action on a resource. Do not assign this action except for exceptional circumstances.
internal
Allows internal actions. Do not assign this action except for exceptional circumstances.
Default MongoDB Port
The following table lists the default ports used by MongoDB:
Default
Port
Description
27017 The default port for mongod and mongos instances. You can change this port with port or
--port.
27018 The default port when running with --shardsvr runtime operation or the shardsvr value for the
clusterRole setting in a conguration le.
27019 The default port when running with --configsvr runtime operation or the configsvr value for
the clusterRole setting in a conguration le.
28017 The default port for the web status page. The web status page is always accessible at a port number
that is 1000 greater than the port determined by port.
System Event Audit Messages
Note: The audit system (page 15) is available only in MongoDB Enterprise
59
.
The event auditing feature (page 15) can record events in JSON format. The recorded JSON messages have the
following syntax:
{
atype: <String>,
ts : { "$date": <timestamp> },
local: { ip: <String>, port: <int> },
remote: { ip: <String>, port: <int> },
users : [ { user: <String>, db: String> }, ... ],
params: <document>,
result: <int>
}
eld String atype Action type. See Event Actions, Details, and Results (page 105).
eld document ts Document that contains the date and UTC time of the event, in ISO 8601 format.
eld document local Document that contains the local ip address and the port number of the running
instance.
59
http://www.mongodb.com/products/mongodb-enterprise
104
eld document remote Document that contains the remote ip address and the port number of the
incoming connection associated with the event.
eld array users Array of user identication documents. Because MongoDB allows a session to log in
with different user per database, this array can have more than one user. Each document contains a
user eld for the username and a db eld for the authentication database for that user.
eld document params Specic details for the event. See Event Actions, Details, and Results
(page 105).
eld integer result Error code. See Event Actions, Details, and Results (page 105).
Event Actions, Details, and Results
The following table lists for each atype or action type, the associated params details and the result values, if
any.
atype params result Notes
authenticate
{
user: <user name>,
db: <database>,
mechanism: <mechanism>
}
0 - Success
18 - Authentication Failed
authCheck
{
command: <name>,
ns: <database>.<collection>,
args: <command object>
}
0 - Success
13 - Unauthorized to per-
form the operation.
The auditing system logs
only authorization failures.
ns eld is optional.
args eld may be
redacted.
createCollection
(page 100) { ns: <database>.<collection> }
0 - Success
createDatabase
{ ns: <database> }
0 - Success
createIndex (page 100)
{
ns: <database>.<collection>,
indexName: <index name>,
indexSpec: <full index specification>
}
0 - Success
renameCollection
{
old: <database>.<collection>,
new: <database>.<collection>
}
0 - Success
dropCollection
(page 100) { ns: <database>.<collection> }
0 - Success
Continued on next page
105
Table 1 continued from previous page
atype params result Notes
dropDatabase
(page 102) { ns: <database> }
0 - Success
dropIndex (page 102)
{
ns: <database>.<collection>,
indexName: <index name>
}
0 - Success
createUser (page 100)
{
user: <user name>,
db: <database>,
customData: <document>,
roles: [ <role1>, ... ]
}
0 - Success customData eld is op-
tional.
dropUser (page 100)
{
user: <user name>,
db: <database>
}
0 - Success
dropAllUsersFromDatabase
{ db: <database> }
0 - Success
updateUser
{
user: <user name>,
db: <database>,
passwordChanged: <boolean>,
customData: <document>,
roles: [ <role1>, ... ]
}
0 - Success customData eld is op-
tional.
grantRolesToUser
{
user: <user name>,
db: <database>,
roles: [ <role1>, ... ]
}
0 - Success The roles array contains
role documents. See role
Document (page 108).
revokeRolesFromUser
{
user: <user name>,
db: <database>,
roles: [ <role1>, ... ]
}
0 - Success The roles array contains
role documents. See role
Document (page 108).
Continued on next page
106
Table 1 continued from previous page
atype params result Notes
createRole (page 100)
{
role: <role name>,
db: <database>,
roles: [ <role1>, ... ],
privileges: [ <privilege1>, ... ]
}
0 - Success Either roles or the
privileges eld can be
optional.
The roles array contains
role documents. See role
Document (page 108).
The privileges array
contains privilege doc-
uments. See privilege
Document (page 108).
updateRole
{
role: <role name>,
db: <database>,
roles: [ <role1>, ... ],
privileges: [ <privilege1>, ... ]
}
0 - Success Either roles or the
privileges eld can be
optional.
The roles array contains
role documents. See role
Document (page 108).
The privileges array
contains privilege doc-
uments. See privilege
Document (page 108).
dropRole (page 100)
{
role: <role name>,
db: <database>
}
0 - Success
dropAllRolesFromDatabase
{ db: <database> }
0 - Success
grantRolesToRole
{
role: <role name>,
db: <database>,
roles: [ <role1>, ... ]
}
0 - Success The roles array contains
role documents. See role
Document (page 108).
revokeRolesFromRole
{
role: <role name>,
db: <database>,
roles: [ <role1>, ... ]
}
0 - Success The roles array contains
role documents. See role
Document (page 108).
grantPrivilegesToRole
{
role: <role name>,
db: <database>,
privileges: [ <privilege1>, ... ]
}
0 - Success The privileges array
contains privilege doc-
uments. See privilege
Document (page 108).
Continued on next page
107
Table 1 continued from previous page
atype params result Notes
revokePrivilegesFromRole
{
role: <role name>,
db: <database name>,
privileges: [ <privilege1>, ... ]
}
0 - Success The privileges array
contains privilege doc-
uments. See privilege
Document (page 108).
replSetReconfig
{
old: <configuration>,
new: <configuration>
}
0 - Success
enableSharding
(page 101) { ns: <database> }
0 - Success
shardCollection
{
ns: <database>.<collection>,
key: <shard key pattern>,
options: { unique: <boolean> }
}
0 - Success
addShard (page 101)
{
shard: <shard name>,
connectionString: <hostname>:<port>,
maxSize: <maxSize>
}
0 - Success When a shard is
a replica set, the
connectionString
includes the replica set
name and can include other
members of the replica set.
removeShard (page 102)
{ shard: <shard name> }
0 - Success
shutdown (page 103)
{ }
0 - Success Indicates commencement
of database shutdown.
applicationMessage
(page 102) { msg: <custom message string> }
0 - Success See
logApplicationMessage.
Additional Information
role Document The <role> document in the roles array has the following form:
{
role: <role name>,
db: <database>
}
privilege Document The <privilege> document in the privilege array has the following form:
108
{
resource: <resource document> ,
actions: [ <action>, ... ]
}
See Resource Document (page 97) for details on the resource document. For a list of actions, see Privilege Actions
(page 99).
4.3 Security Release Notes Alerts
Security Release Notes (page 109) Security vulnerability for password.
Security Release Notes
Access to system.users Collection
Changed in version 2.4.
In 2.4, only users with the userAdmin role have access to the system.users collection.
In version 2.2 and earlier, the read-write users of a database all have access to the system.users collection, which
contains the user names and user password hashes.
60
Password Hashing Insecurity
If a user has the same password for multiple databases, the hash will be the same. A malicious user could exploit this
to gain access on a second database using a different users credentials.
As a result, always use unique username and password combinations for each database.
Thanks to Will Urbanski, from Dell SecureWorks, for identifying this issue.
60
Read-only users do not have access to the system.users collection.
109
Index
Symbols
__system (user role), 93
A
addShard (user action), 101
admin.system.roles.db (MongoDB reporting output), 94
admin.system.roles.privileges (MongoDB reporting out-
put), 94
admin.system.roles.privileges[n].actions (MongoDB re-
porting output), 94
admin.system.roles.privileges[n].resource (MongoDB re-
porting output), 94
admin.system.roles.role (MongoDB reporting output), 94
admin.system.roles.roles (MongoDB reporting output),
94
admin.system.roles.roles[n].db (MongoDB reporting out-
put), 94
admin.system.roles.roles[n].role (MongoDB reporting
output), 94
admin.system.users.credentials (MongoDB reporting out-
put), 96
admin.system.users.customData (MongoDB reporting
output), 97
admin.system.users.db (MongoDB reporting output), 96
admin.system.users.roles (MongoDB reporting output),
96
admin.system.users.roles[n].db (MongoDB reporting out-
put), 97
admin.system.users.roles[n].role (MongoDB reporting
output), 97
admin.system.users.user (MongoDB reporting output), 96
anyAction (user action), 104
appendOplogNote (user action), 101
applicationMessage (user action), 102
authSchemaUpgrade (user action), 100
B
backup (user role), 91
C
changeCustomData (user action), 99
changeOwnCustomData (user action), 99
changeOwnPassword (user action), 99
changePassword (user action), 99
cleanupOrphaned (user action), 100
closeAllDatabases (user action), 102
clusterAdmin (user role), 88
clusterManager (user role), 88
clusterMonitor (user role), 89
collMod (user action), 102
collStats (user action), 103
compact (user action), 102
connPoolStats (user action), 103
connPoolSync (user action), 102
convertToCapped (user action), 102
cpuProler (user action), 100
createCollection (user action), 100
createIndex (user action), 100
createRole (user action), 100
createUser (user action), 100
cursorInfo (user action), 103
D
dbAdmin (user role), 87
dbAdminAnyDatabase (user role), 92
dbHash (user action), 103
dbOwner (user role), 88
dbStats (user action), 103
diagLogging (user action), 103
dropCollection (user action), 100
dropDatabase (user action), 102
dropIndex (user action), 102
dropRole (user action), 100
dropUser (user action), 100
E
emptycapped (user action), 100
enableProler (user action), 100
enableSharding (user action), 101
F
nd (user action), 99
ushRouterCong (user action), 101
fsync (user action), 102
G
getCmdLineOpts (user action), 103
getLog (user action), 103
getParameter (user action), 102
getShardMap (user action), 101
getShardVersion (user action), 101
grantRole (user action), 100
H
hostInfo (user action), 102
hostManager (user role), 90
I
indexStats (user action), 103
inprog (user action), 101
110
insert (user action), 99
internal (user action), 104
invalidateUserCache (user action), 101
K
killCursors (user action), 100
killop (user action), 101
L
listDatabases (user action), 103
listShards (user action), 102
logRotate (user action), 102
M
moveChunk (user action), 102
N
netstat (user action), 103
P
planCacheRead (user action), 101
planCacheWrite (user action), 101
R
read (user role), 86
readAnyDatabase (user role), 92
readWrite (user role), 86
readWriteAnyDatabase (user role), 92
reIndex (user action), 102
remove (user action), 99
removeShard (user action), 102
renameCollectionSameDB (user action), 102
repairDatabase (user action), 103
replSetCongure (user action), 101
replSetGetStatus (user action), 101
replSetHeartbeat (user action), 101
replSetStateChange (user action), 101
restore (user role), 91
resync (user action), 101
revokeRole (user action), 100
root (user role), 93
S
serverStatus (user action), 103
setParameter (user action), 103
sharding
localhost, 8
shardingState (user action), 102
shutdown (user action), 103
splitChunk (user action), 102
splitVector (user action), 102
storageDetails (user action), 101
T
top (user action), 104
touch (user action), 103
U
unlock (user action), 100
update (user action), 99
userAdmin (user role), 88
userAdminAnyDatabase (user role), 92
V
validate (user action), 103
viewRole (user action), 100
viewUser (user action), 100
111