
Security and Authentication Setup

Now that you've mastered MongoDB administration, let's secure your database. In this lesson, you'll learn to implement robust security measures including authentication, authorization, and network security to protect your MongoDB deployments.

By the end of this lesson, you'll be able to:

  • Enable and configure MongoDB authentication
  • Create and manage user accounts with appropriate roles
  • Implement network security and encryption
  • Secure MongoDB Atlas deployments
  • Apply security best practices

Understanding MongoDB Security Architecture

MongoDB security operates on three main layers:

  • Authentication - verifying who a user or service is
  • Authorization - controlling which resources and actions an authenticated identity may use
  • Encryption - protecting data in transit (TLS) and at rest

Tip: Always implement the principle of least privilege: grant users only the permissions they absolutely need to perform their tasks.

Enabling Authentication

To enable authentication, you must first create an admin user, then restart MongoDB with access control enabled. This lesson gives that first user the root role; MongoDB's documented bootstrap instead creates a user administrator with userAdminAnyDatabase, which can create and modify users but cannot read or write application data, so prefer that unless you really need a superuser. If even a brief window without access control is unacceptable, MongoDB's localhost exception lets you create the first user over a local connection after starting with authorization already enabled.

Creating the First Admin User

Connect to MongoDB without authentication first (mongod started without --auth), then switch to the admin database and create the user:

```shell
mongosh
```

```javascript
// In mongosh: switch to the admin database and create the first user
use admin
db.createUser({
  user: "admin",
  pwd: passwordPrompt(),   // prompted at the terminal, so the password never lands in shell history
  roles: ["root"]          // superuser on every database; userAdminAnyDatabase is the narrower documented choice
})
```

Starting MongoDB with Authentication

Stop your MongoDB service and restart it with access control enabled, either with the --auth flag or, for a service-managed installation, by setting security.authorization in mongod.conf (note that authorization is nested under security). From this point every connection must authenticate, so log in as the admin user you just created, naming admin as the authentication database.

```shell
# On Linux/macOS: restart with access control enabled
mongod --auth --port 27017 --dbpath /path/to/your/db
```

```yaml
# Or make it permanent in mongod.conf
security:
  authorization: enabled
```

User Management and Roles

Creating Application Users

Create dedicated users for specific applications with limited privileges. The user is created in the database it will work with (here myapp), which is also the database the application must name as its authentication database when it connects:

```javascript
use myapp
db.createUser({
  user: "appUser",
  pwd: passwordPrompt(),   // or inject the secret from deployment tooling; never a literal in a checked-in script
  roles: [
    { role: "readWrite", db: "myapp" }   // read and write in myapp only; no user or cluster administration
  ]
})
```

Connecting with Authentication

Now connect as the application user. Pass -u and --authenticationDatabase but leave the password off the command line; mongosh prompts for it, which keeps the secret out of shell history and out of the process list, where a -p value is visible to every user on the host:

```shell
mongosh -u "appUser" --authenticationDatabase "myapp"
```

Built-in Roles and Custom Roles

Common Built-in Roles

rolesInfo: 1 on its own lists only user-defined roles in the current database, which on a fresh admin database is nothing; add showBuiltinRoles: true to see the built-in ones (read, readWrite, dbAdmin, userAdmin, clusterAdmin, backup, restore, root and the rest):

```javascript
use admin
db.runCommand({ rolesInfo: 1, showBuiltinRoles: true })
```

A user may hold several roles, each scoped to a database. backup and restore are defined in the admin database and apply cluster-wide, so they are granted there; read is scoped to the single database it names:

```javascript
use admin
db.createUser({
  user: "backupAdmin",
  pwd: passwordPrompt(),
  roles: [
    { role: "backup",  db: "admin" },   // minimal privileges for taking backups (e.g. mongodump)
    { role: "restore", db: "admin" },   // privileges for restoring data (e.g. mongorestore)
    { role: "read",    db: "reports" }  // read-only on one database
  ]
})
```

Creating Custom Roles

A custom role lists explicit privileges, each a resource (a database, a collection, or both) plus the actions allowed on it, and may inherit other roles. aggregate is not a privilege action: read-only aggregation pipelines are authorized by find, and createRole rejects a role that lists an unknown action. Create the role in the admin database when it must carry privileges on other databases; a role created anywhere else can only hold privileges on its own database.

```javascript
use admin
db.createRole({
  role: "reportReader",
  privileges: [
    {
      resource: { db: "sales", collection: "transactions" },
      actions: ["find"]   // covers find() and read-only aggregate(); $out/$merge would also need write actions on the target
    },
    {
      resource: { db: "sales", collection: "products" },
      actions: ["find"]
    }
  ],
  roles: []   // inherits nothing; add e.g. { role: "read", db: "sales" } to widen it
})
```
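The two role styles above (built-in roles granted per database, and custom roles assembled from resource/action privileges) follow one resolution rule, and it is worth having that rule in code when you review a permission design. The following is an added example, not code from the lesson or from MongoDB: it models the rule for a handful of built-in roles (a reduced subset of the real definitions, an assumption of this demo), validates privilege actions the way createRole does, and answers "may this user perform this action on this collection?" for the lesson's appUser and reportReader. The users, roles and collection names are constructed for the demo, and system collections and cluster-level resources are ignored.

```javascript
// Added example (not from the lesson or from MongoDB): a simplified model of how a user's
// effective privileges come from built-in roles, custom roles and role inheritance.
// Assumptions: the built-in role definitions are a reduced subset of the real ones; system
// collections and cluster-level resources are ignored; users, roles and names are constructed.

// Privilege actions this demo recognises (a subset of the server's list). "aggregate" is
// deliberately absent: read-only aggregation is authorised by "find".
const KNOWN_ACTIONS = new Set([
  'find', 'insert', 'update', 'remove', 'listCollections', 'listIndexes',
  'createCollection', 'createIndex', 'dropCollection',
]);

// Built-in roles are granted on a database and scoped to it; readWrite inherits read.
const BUILTIN_ROLES = {
  read: (db) => ({
    privileges: [{ resource: { db, collection: '' }, actions: ['find', 'listCollections', 'listIndexes'] }],
    roles: [],
  }),
  readWrite: (db) => ({
    privileges: [{ resource: { db, collection: '' },
      actions: ['insert', 'update', 'remove', 'createCollection', 'createIndex', 'dropCollection'] }],
    roles: [{ role: 'read', db }],
  }),
};

// Reject unknown actions up front, as the server does when createRole runs.
function validateRole(def) {
  for (const priv of def.privileges) {
    for (const action of priv.actions) {
      if (!KNOWN_ACTIONS.has(action)) throw new Error(`unrecognised privilege action: ${action}`);
    }
  }
  return def;
}

// Collect every privilege a role carries, walking inherited roles (custom roles take
// precedence over built-ins of the same name; a visited set guards against inheritance cycles).
function resolvePrivileges(roleRef, customRoles, seen = new Set()) {
  const key = `${roleRef.db}.${roleRef.role}`;
  if (seen.has(key)) return [];
  seen.add(key);
  const def = customRoles[key] ?? BUILTIN_ROLES[roleRef.role]?.(roleRef.db);
  if (!def) throw new Error(`unknown role ${key}`);
  const privs = [...def.privileges];
  for (const parent of def.roles) privs.push(...resolvePrivileges(parent, customRoles, seen));
  return privs;
}

// In a privilege resource an empty db or collection means "any".
function resourceMatches(res, db, collection) {
  return (res.db === '' || res.db === db) && (res.collection === '' || res.collection === collection);
}

// Is `action` on db.collection allowed for a user holding these roles?
function isAllowed(userRoles, customRoles, action, db, collection) {
  return userRoles
    .flatMap((r) => resolvePrivileges(r, customRoles))
    .some((p) => p.actions.includes(action) && resourceMatches(p.resource, db, collection));
}

// Constructed demo data: the custom reportReader role created in admin, plus two users' roles.
const customRoles = {
  'admin.reportReader': validateRole({
    privileges: [
      { resource: { db: 'sales', collection: 'transactions' }, actions: ['find'] },
      { resource: { db: 'sales', collection: 'products' }, actions: ['find'] },
    ],
    roles: [],
  }),
};
const appUserRoles = [{ role: 'readWrite', db: 'myapp' }];
const reportUserRoles = [{ role: 'reportReader', db: 'admin' }];

function demoRoles() {
  return {
    appReadsOwnDb: isAllowed(appUserRoles, customRoles, 'find', 'myapp', 'orders'),             // true
    appWritesOwnDb: isAllowed(appUserRoles, customRoles, 'insert', 'myapp', 'orders'),          // true
    appReadsSales: isAllowed(appUserRoles, customRoles, 'find', 'sales', 'transactions'),       // false
    reportReadsTx: isAllowed(reportUserRoles, customRoles, 'find', 'sales', 'transactions'),    // true
    reportWritesTx: isAllowed(reportUserRoles, customRoles, 'insert', 'sales', 'transactions'), // false
    reportReadsOther: isAllowed(reportUserRoles, customRoles, 'find', 'sales', 'customers'),    // false
  };
}

console.log(demoRoles());
```

Run it with node. Swap in your own role definitions to confirm that an application user cannot reach data outside its database, and that a typo in an action list is caught, before you grant the role for real.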

Network Security and Encryption

Binding to Specific Interfaces

bindIp lists the local interfaces mongod listens on (loopback plus this host's own address on a private network here); it is not a client allowlist, so pair it with host or cloud firewall rules that restrict which sources may reach port 27017. The ssl options were deprecated in MongoDB 4.2 in favour of the tls spellings:

```yaml
net:
  port: 27017
  bindIp: 127.0.0.1,192.168.1.100   # loopback plus this host's private-network address; never 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/mongodb.pem   # server certificate and private key in one PEM file
```

Enabling TLS/SSL

The equivalent command-line form (the older --sslMode and --sslPEMKeyFile spellings still work but are deprecated). With requireTLS the server rejects any connection that does not negotiate TLS, so clients must connect with --tls and trust the issuing CA (for mongosh, --tls with --tlsCAFile):

```shell
mongod --tlsMode requireTLS --tlsCertificateKeyFile /path/to/mongodb.pem
```
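A mongod.conf that enables authorization, binds to the right interfaces and requires TLS is easy to get wrong by hand: mis-indented keys under security:, a stray 0.0.0.0, the old ssl spelling. The following is an added example, not from the lesson or from MongoDB's tooling: it parses the indentation-nested key: value subset of YAML that mongod.conf uses (an assumption of the demo; lists, anchors and quoted values are not handled) and flags the weaknesses covered in the Starting MongoDB with Authentication section and in this one. Both configurations in it are constructed for the demo.

```javascript
// Added example (not from the lesson or MongoDB): audit a mongod.conf for the settings this
// lesson warns about before restarting the server.
// Assumption: the parser covers only the indentation-nested "key: value" YAML subset used by
// mongod.conf (no lists, anchors or quoted strings containing "#"). Both configs are constructed.

function parseMongodConf(text) {
  const root = {};
  const stack = [{ indent: -1, node: root }];
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/#.*$/, '').trimEnd();              // drop comments
    if (line.trim() === '') continue;
    const indent = line.length - line.trimStart().length;
    const m = line.trim().match(/^([^:]+):\s*(.*)$/);
    if (!m) throw new Error(`cannot parse line: ${rawLine}`);
    const [, key, value] = m;
    while (stack[stack.length - 1].indent >= indent) stack.pop();    // climb out of deeper sections
    const parent = stack[stack.length - 1].node;
    if (value === '') {                                              // a nested section
      parent[key] = {};
      stack.push({ indent, node: parent[key] });
    } else {
      parent[key] = value;                                           // scalars are kept as strings
    }
  }
  return root;
}

// Dotted lookup, e.g. get(conf, 'net.tls.mode'); undefined when any step is missing.
const get = (obj, path) =>
  path.split('.').reduce((o, k) => (o && typeof o === 'object' ? o[k] : undefined), obj);

function auditMongodConf(conf) {
  const findings = [];
  if (get(conf, 'security.authorization') !== 'enabled') {
    findings.push('security.authorization is not "enabled": anyone who can reach the port has full access');
  }
  const bindIps = String(get(conf, 'net.bindIp') ?? '').split(',').map((s) => s.trim());
  if (get(conf, 'net.bindIpAll') === 'true' || bindIps.includes('0.0.0.0') || bindIps.includes('::')) {
    findings.push('net.bindIp listens on every interface: bind to loopback plus only the addresses that need it');
  }
  const tlsMode = get(conf, 'net.tls.mode');
  if (tlsMode !== 'requireTLS') {
    findings.push(`net.tls.mode is ${tlsMode ?? 'unset'}: clients may connect without TLS, exposing credentials and data`);
  }
  if (get(conf, 'net.ssl') !== undefined) {
    findings.push('net.ssl.* is the deprecated spelling (since 4.2): use net.tls.*');
  }
  return findings;
}

// Constructed: a config as it often ends up when copied without thought.
const WEAK_CONF = `
net:
  port: 27017
  bindIp: 0.0.0.0           # reachable from every interface
  ssl:
    mode: requireSSL
    PEMKeyFile: /path/to/mongodb.pem
`;

// Constructed: the hardened equivalent.
const HARDENED_CONF = `
security:
  authorization: enabled
net:
  port: 27017
  bindIp: 127.0.0.1,192.168.1.100
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/mongodb.pem
`;

console.log(auditMongodConf(parseMongodConf(WEAK_CONF)));      // four findings
console.log(auditMongodConf(parseMongodConf(HARDENED_CONF)));  // []
```

To check a real file, read it with fs.readFileSync and pass the text to parseMongodConf; a non-empty findings list is a reason not to restart yet.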

MongoDB Atlas Security Features

MongoDB Atlas provides built-in security features:

Connections to Atlas use mongodb+srv, which turns on TLS by default, and the role model is the same as for a self-managed server; what changes is where the credentials live. Keep the connection string out of source code and read it from the environment (or a secrets manager) at startup:

```javascript
// Atlas connection string, supplied by the environment rather than committed to the repository.
// Shape: mongodb+srv://username:password@cluster.mongodb.net/mydb?retryWrites=true&w=majority&tls=true
const uri = process.env.MONGODB_URI;
if (!uri) throw new Error("MONGODB_URI is not set");

// Additional Atlas security features:
// - IP access list (only listed addresses and CIDR blocks may connect)
// - Database auditing
// - Encryption at rest
// - VPC peering
```

Common Pitfalls

  • Default no-auth deployments: Always enable authentication in production
  • Weak passwords: Use strong, complex passwords for all users
  • Over-privileged users: Avoid using root roles for applications
  • Exposed network interfaces: Bind to specific IPs, not 0.0.0.0
  • Missing encryption: Always use TLS/SSL for network communication
  • Hardcoded credentials: Use environment variables for connection strings
Warning: Never run MongoDB in production without authentication enabled. A default installation has no authentication, so anyone who can reach the port can read and modify every database.
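The hardcoded-credentials pitfall above and the Atlas connection string earlier meet in one place: how the URI is assembled. The following is an added example, not code from the lesson or from the MongoDB driver. It builds an Atlas URI from environment variables (the variable names, the host cluster0.example.mongodb.net and the sample password are placeholders assumed for the demo), percent-encodes the user name and password so characters such as : / ? # @ cannot corrupt the URI, redacts the password for logging, and shows the driver-side decode as a round trip.

```javascript
// Added example (not from the lesson or the MongoDB driver): assemble an Atlas URI from the
// environment, percent-encode the credentials, and redact the password before logging.
// Assumptions: the environment variable names, cluster host and sample password are placeholders.

function buildAtlasUri({ user, password, host, db, options = 'retryWrites=true&w=majority' }) {
  if (!user || !password || !host) throw new Error('user, password and host are required');
  // mongodb+srv:// implies TLS; reserved characters in user and password must be encoded,
  // otherwise a password like "p@ss:w/rd" is split as if it contained a host or a path.
  return `mongodb+srv://${encodeURIComponent(user)}:${encodeURIComponent(password)}@${host}/${db}?${options}`;
}

// Read the pieces from the environment and fail closed: no fallback to a baked-in secret.
function uriFromEnv(env = process.env) {
  const missing = ['MONGODB_USER', 'MONGODB_PASSWORD', 'MONGODB_HOST'].filter((k) => !env[k]);
  if (missing.length) throw new Error(`missing environment variables: ${missing.join(', ')}`);
  return buildAtlasUri({
    user: env.MONGODB_USER,
    password: env.MONGODB_PASSWORD,
    host: env.MONGODB_HOST,
    db: env.MONGODB_DB || 'myapp',
  });
}

// Replace the password component so the URI can appear in logs and error messages.
function redactUri(uri) {
  return uri.replace(/^([a-z+]+:\/\/[^:\/@]+:)[^@]*@/i, '$1***@');
}

// Recover the credentials the way a driver would, to show the encoding round-trips.
function credentialsFromUri(uri) {
  const u = new URL(uri);
  return { user: decodeURIComponent(u.username), password: decodeURIComponent(u.password) };
}

// Constructed environment for the demo; a real process gets these from its secret store.
const demoEnv = {
  MONGODB_USER: 'appUser',
  MONGODB_PASSWORD: 'p@ss:w/rd?#1',           // every reserved character a password might contain
  MONGODB_HOST: 'cluster0.example.mongodb.net',
  MONGODB_DB: 'myapp',
};

function demoUri() {
  const uri = uriFromEnv(demoEnv);
  return { uri, redacted: redactUri(uri), roundTrip: credentialsFromUri(uri) };
}

console.log(demoUri().redacted);   // mongodb+srv://appUser:***@cluster0.example.mongodb.net/myapp?retryWrites=true&w=majority
```

Log only the redacted form; the full URI should exist in memory and in the driver's options, nowhere else.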

Summary

In this lesson, you learned to secure MongoDB deployments through authentication, user management with appropriate roles, network security configurations, and encryption. Remember to enable authentication before deploying to production, create dedicated users with minimal required privileges, implement network restrictions, and use encryption for data protection.

Quiz
  1. What is the first step to enable authentication in MongoDB?

    • A) Restart MongoDB with --auth flag
    • B) Create an admin user
    • C) Update mongod.conf file
    • D) Install SSL certificates
  2. Which role provides the highest level of privileges?

    • A) dbAdmin
    • B) userAdmin
    • C) root
    • D) readWrite
  3. What does the principle of least privilege mean in MongoDB security?

    • A) Use the simplest password possible
    • B) Grant users only the permissions they need
    • C) Run MongoDB on the default port
    • D) Disable all network access
  4. Why should you bind MongoDB to specific IP addresses?

    • A) To improve performance
    • B) To limit network access to trusted sources
    • C) To enable replication
    • D) To reduce memory usage
  5. What is the purpose of the authenticationDatabase parameter?

    • A) Specifies where user credentials are stored
    • B) Determines the default database for queries
    • C) Sets the encryption method
    • D) Configures backup schedules

Answers:

  1. B - You must first create an admin user before enabling authentication
  2. C - The root role provides superuser privileges across all databases
  3. B - Grant users only the permissions absolutely necessary for their tasks
  4. B - Binding to specific IPs limits network access to trusted sources only
  5. A - authenticationDatabase specifies which database stores the user's credentials