MongoDB provides support for authentication and authorization on a per-database level. Users exist in the context of a single logical database.
MongoDB provisions authentication, or verification of the user identity, on a per-database level. Authentication disables anonymous access to the database. For basic authentication, MongoDB stores the user credentials in a database’s system.users collection.
For MongoDB Enterprise installations, authentication using a Kerberos service is available. See Deploy MongoDB with Kerberos Authentication.
You can authenticate as only one user for a given database. If you authenticate to a database as one user and later authenticate on the same database as a different user, the second authentication invalidates the first. You can, however, log in to a different database as a different user without invalidating your authentication on other databases, though this is not a recommended approach.
Each client connection should authenticate as exactly one user.
A database’s system.users collection stores information for authentication and authorization to that database. Specifically, the collection stores user credentials for authentication and user privilege information for authorization. MongoDB requires authorization to access the system.users collection in order to prevent privilege escalation attacks. To access the collection, you must have either the userAdmin or the userAdminAnyDatabase role.
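Because either role opens up the credential and privilege data in system.users, it is worth reviewing who holds them. The following audit is an added example, not code from the MongoDB documentation: it lists, per database, the users granted userAdmin or userAdminAnyDatabase. The function names, the sample users and the { user, roles } document shape are assumptions made for illustration.

```javascript
// Roles the page names as required to access system.users.
const USER_ADMIN_ROLES = ["userAdmin", "userAdminAnyDatabase"];

// Constructed sample: database name -> documents from that database's
// system.users collection. The { user, roles } shape is an assumption.
const sampleUsers = {
  admin: [
    { user: "root_ops", roles: ["userAdminAnyDatabase"] },
    { user: "backup", roles: ["read"] },
  ],
  billing: [
    { user: "billing_app", roles: ["readWrite"] },
    { user: "billing_owner", roles: ["dbAdmin", "userAdmin"] },
    { user: "legacy_job" }, // document without a roles field
  ],
};

// For every database, return the users holding a role that grants access
// to system.users, together with the matching role names.
function auditUserAdmins(usersByDb) {
  const report = {};
  for (const dbName of Object.keys(usersByDb).sort()) {
    const holders = [];
    for (const doc of usersByDb[dbName]) {
      // Treat a missing or malformed roles field as "no roles".
      const roles = Array.isArray(doc.roles) ? doc.roles : [];
      const granted = roles.filter((r) => USER_ADMIN_ROLES.includes(r));
      if (granted.length > 0) {
        holders.push({ user: doc.user, roles: granted });
      }
    }
    report[dbName] = holders;
  }
  return report;
}

// Render the report as one line per finding for review.
function formatReport(report) {
  const lines = [];
  for (const [dbName, holders] of Object.entries(report)) {
    for (const h of holders) {
      lines.push(`${dbName}.system.users readable by ${h.user} (${h.roles.join(", ")})`);
    }
  }
  return lines;
}

console.log(formatReport(auditUserAdmins(sampleUsers)).join("\n"));
```

In the mongo shell, the documents for the current database can be collected with db.system.users.find().toArray(), which itself requires one of the two roles.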