Enable Authentication after Creating the User Administrator

Overview

Enabling authentication on a MongoDB instance restricts access to the instance by requiring that users identify themselves when connecting. In this procedure, you will create the instance’s first user, which must be a user administrator, and then enable authentication. Then, you can authenticate as the user administrator to create additional users and grant additional access to the instance.

This procedure outlines how to enable authentication after creating the user administrator. The approach requires a restart. To enable authentication without restarting, see Enable Client Access Control.

Considerations

This document outlines a procedure for enabling authentication on a MongoDB instance in which you create the first user on an existing MongoDB system that does not require authentication, then restart the instance with authentication required. Alternatively, you can use the localhost exception to gain access to a system with no users and authentication enabled. See Enable Client Access Control for the description of that procedure.

Procedure

1

Start the MongoDB instance without authentication.

Start the mongod or mongos instance without the authorization or keyFile setting. For example:

mongod --port 27017 --dbpath /data/db1

For details on starting a mongod or mongos, see Manage mongod Processes or Deploy a Sharded Cluster.

2

Create the system user administrator.

Add the user with the userAdminAnyDatabase role, and only that role.

The following example creates the user siteUserAdmin on the admin database:

use admin
db.createUser(
  {
    user: "siteUserAdmin",
    pwd: "password",
    roles:
    [
      {
        role: "userAdminAnyDatabase",
        db: "admin"
      }
    ]
  }
)

3

Restart the MongoDB instance with authentication enabled.

Restart the mongod or mongos instance with the authorization or keyFile setting. Use authorization on a standalone instance. Use keyFile on an instance in a replica set or sharded cluster.

The following example enables authentication on a standalone mongod using the --auth command-line option, the command-line form of the authorization setting:

mongod --auth --config /etc/mongodb/mongodb.conf

4

Create additional users.

Log in with the user administrator’s credentials and create additional users. See Add a User to a Database.

Next Steps

If you need to disable authentication for any reason, restart the process without the authorization or keyFile option.
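
Whether the instance requires authentication depends entirely on the authorization or keyFile setting being present at startup (steps 1 and 3, and the restart described under Next Steps), so it is worth checking an invocation and its config file after any restart. The script below is an added example, not part of the MongoDB documentation; the function names and sample config files are constructed, and it assumes block-style YAML or the older key = value config format.

```shell
#!/bin/sh
# Added example (not from the MongoDB docs): does this mongod/mongos
# invocation enforce access control? Config parsing assumes block-style YAML.

# True if a config file sets authorization or keyFile. Covers the YAML form
# (security: / authorization: enabled, keyFile: <path>) and the older
# key = value form (auth = true, keyFile = <path>).
config_enables_auth() {
  awk '
    /^[ \t]*#/ { next }                              # commented-out settings do not count
    /^[^ \t]/  { in_sec = ($0 ~ /^security:/) }      # top-level key: track the section
    in_sec && /^[ \t]+authorization:[ \t]*"?enabled/ { found = 1 }
    in_sec && /^[ \t]+keyFile:[ \t]*[^ \t#]/         { found = 1 }
    /^auth[ \t]*=[ \t]*true/                         { found = 1 }
    /^keyFile[ \t]*=[ \t]*[^ \t#]/                   { found = 1 }
    END { exit !found }
  ' "$1"
}

# Print enabled, disabled, or unknown (config file missing or unreadable).
auth_state() {
  state=disabled
  while [ $# -gt 0 ]; do
    cfg=
    case "$1" in
      --auth|--keyFile|--keyFile=*) state=enabled ;;
      --config=*) cfg=${1#--config=} ;;
      --config|-f) if [ $# -ge 2 ]; then cfg=$2; shift; fi ;;
    esac
    if [ -n "$cfg" ]; then
      [ -r "$cfg" ] || { echo unknown; return 2; }
      if config_enables_auth "$cfg"; then state=enabled; fi
    fi
    shift
  done
  echo "$state"
}

# Constructed sample configs (not from the page), then the cases from the procedure.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf 'security:\n  authorization: enabled\n' > "$d/yaml.conf"
printf 'port = 27017\nauth = true\n' > "$d/ini.conf"
printf 'storage:\n  dbPath: /data/db1\n' > "$d/open.conf"
auth_state mongod --port 27017 --dbpath /data/db1   # step 1: disabled
auth_state mongod --auth --config "$d/open.conf"    # step 3: enabled
auth_state mongod --config "$d/yaml.conf"           # enabled via config file
auth_state mongod -f "$d/open.conf"                 # disabled: no setting anywhere
```

A result of disabled on a production instance means any client that can reach the port connects without credentials; unknown means the config file could not be read and the check should be repeated with sufficient privileges.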