Create a User Administrator
In a MongoDB deployment, users with either the userAdmin or userAdminAnyDatabase role are effective administrative "superusers". Users with either of these roles can create and modify any other users and can assign them any privileges. The user can also grant itself any privileges. In production deployments, this user should have no other roles and should only administer users and privileges.
This should be the first user created for a MongoDB deployment. This user can then create all other users in the system.
Important
The userAdminAnyDatabase user can grant itself and any other user full access to the entire MongoDB instance. The credentials used to log in as this user should be carefully controlled.
Users with the userAdmin and userAdminAnyDatabase privileges are not the same as the UNIX root superuser, in that these roles confer no additional access beyond user administration. These users cannot perform administrative operations or read or write data without first granting themselves additional privileges.
Note
The userAdmin role is a database-specific privilege and only grants a user the ability to administer users on a single database. However, for the admin database, userAdmin allows a user to gain userAdminAnyDatabase. Thus, for the admin database only, these roles are effectively the same.
Create a User Administrator
1. Connect to the mongod or mongos by either:
   - Authenticating as an existing user with the userAdmin or userAdminAnyDatabase role.
   - Authenticating using the localhost exception. When creating the first user in a deployment, you must authenticate using the localhost exception.
2. Switch to the admin database.
3. Add the user with either the userAdmin role or the userAdminAnyDatabase role, and only that role, by issuing a command similar to the following, where <username> is the username and <password> is the password:
To authenticate as this user, you must authenticate against the admin database.
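The following is an added example, not part of the MongoDB documentation: it builds the user document for the procedure above and checks that it carries exactly one of the two user-administration roles before handing it to the 2.4-era db.addUser() shell helper (MongoDB 2.6 and later use db.createUser() instead). The username and password are constructed placeholders; when run under node rather than the mongo shell, only the helper functions are defined so they can be tested offline.

```javascript
// Added example for the "Create a User Administrator" procedure. Written with
// var/indexOf so it also runs in the older mongo shell's JavaScript engine.
var USER_ADMIN_ROLES = ["userAdmin", "userAdminAnyDatabase"];

// Builds the document db.addUser() expects. scope "any" selects
// userAdminAnyDatabase; any other value selects the database-scoped userAdmin.
function userAdminDoc(username, password, scope) {
  return {
    user: username,
    pwd: password,
    roles: [scope === "any" ? "userAdminAnyDatabase" : "userAdmin"]
  };
}

// Enforces the rule from the text: the user administrator holds exactly one of
// the two user-administration roles and nothing else. Returns a list of
// problems; an empty list means the document is acceptable.
function checkUserAdminDoc(doc) {
  var problems = [];
  if (typeof doc.user !== "string" || doc.user.length === 0) {
    problems.push("missing user");
  }
  if (typeof doc.pwd !== "string" || doc.pwd.length === 0) {
    problems.push("missing pwd");
  }
  var roles = Array.isArray(doc.roles) ? doc.roles : [];
  if (roles.length !== 1) {
    problems.push("expected exactly one role, got " + roles.length);
  }
  for (var i = 0; i < roles.length; i++) {
    if (USER_ADMIN_ROLES.indexOf(roles[i]) === -1) {
      problems.push("unexpected role: " + roles[i]);
    }
  }
  return problems;
}

// This part only runs inside the mongo shell, where `db` is defined.
if (typeof db !== "undefined") {
  // Constructed placeholder credentials; replace before use.
  var doc = userAdminDoc("siteUserAdmin", "replace-this-password", "any");
  var problems = checkUserAdminDoc(doc);
  if (problems.length > 0) {
    throw new Error("refusing to create user: " + problems.join("; "));
  }
  // Step 2 and 3 of the procedure: create the user on the admin database.
  db.getSiblingDB("admin").addUser(doc);
}
```

Once this first user exists, the localhost exception is no longer needed for bootstrapping; the later section on this page describes turning the bypass off with the enableLocalhostAuthBypass parameter.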
Authenticate with Full Administrative Access via Localhost
If there are no users for the admin database, you can connect with full administrative access via the localhost interface. This bypass exists to support bootstrapping new deployments. This approach is useful, for example, if you want to run mongod or mongos with authentication before creating your first user.
To authenticate via localhost, connect to the mongod or mongos from a client running on the same system. Your connection will have full administrative access.
To disable the localhost bypass, set the enableLocalhostAuthBypass parameter using setParameter during startup:
Note
For versions of MongoDB 2.2 prior to 2.2.4, if mongos is running with keyFile, then all users connecting over the localhost interface must authenticate, even if there aren't any users in the admin database. Connections on localhost are not correctly granted full access on sharded systems that run those versions. MongoDB 2.2.4 resolves this issue.
Note
In version 2.2, you cannot add the first user to a sharded cluster using the localhost connection. If you are running a 2.2 sharded cluster and want to enable authentication, you must deploy the cluster and add the first user to the admin database before restarting the cluster to run with keyFile.