Access Control
MongoDB provides support for authentication and authorization on a per-database level. Users exist in the context of a single logical database.
Authentication
MongoDB provisions authentication, or verification of the user identity, on a per-database level. Authentication disables anonymous access to the database. For basic authentication, MongoDB stores the user credentials in a database's system.users collection.
Authentication is disabled by default. To enable authentication for a given mongod or mongos instance, use the auth and keyFile configuration settings. For details, see Enable Authentication.
For MongoDB Enterprise installations, authentication using a Kerberos service is available. See Deploy MongoDB with Kerberos Authentication.
Important
You can authenticate as only one user for a given database. If you authenticate to a database as one user and later authenticate on the same database as a different user, the second authentication invalidates the first. You can, however, log into a different database as a different user and not invalidate your authentication on other databases, though this is not a recommended approach.
Each client connection should authenticate as exactly one user.
Authorization
MongoDB provisions authorization, or access to databases and operations, on a per-database level. MongoDB uses a role-based approach to authorization, storing each user's roles in a privilege document in a database's system.users collection. For more information on privilege documents and available user roles, see system.users Privilege Documents and User Privilege Roles in MongoDB.
Important
The admin database provides roles that are unavailable in other databases, including a role that effectively makes a user a MongoDB system superuser. See Database Administration Roles and Administrative Roles.
To assign roles to users, you must be a user with an administrative role in the database. As such, you must first create an administrative user. For details, see Create a User Administrator and Add a User to a Database.
system.users Collection
A database's system.users collection stores information for authentication and authorization to that database. Specifically, the collection stores user credentials for authentication and user privilege information for authorization.
MongoDB requires authorization to access the system.users collection in order to prevent privilege escalation attacks. To access the collection, you must have either the userAdmin or the userAdminAnyDatabase role.
Changed in version 2.4: The schema of system.users changed to accommodate a more sophisticated authorization model based on user privileges, as defined in privilege documents.
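The two points above, that admin-only roles must not appear in other databases' privilege documents and that the userAdmin and userAdminAnyDatabase roles are the ones able to reach system.users, can be checked over an exported copy of each database's system.users collection. The following audit script is an added example in plain JavaScript (it does not come from the MongoDB documentation or the mongo shell); it treats userAdminAnyDatabase as the effective-superuser role mentioned above, and every user name, hash placeholder and role assignment in its sample dump is constructed.

```javascript
// Added example, not part of the MongoDB docs: audit exported system.users
// privilege documents (2.4 schema: { user, pwd | userSource, roles }). All user
// names, hashes and role assignments below are constructed sample data.
// Roles the admin database alone provides (MongoDB 2.4 role names).
const ADMIN_ONLY_ROLES = new Set([
  "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase",
  "dbAdminAnyDatabase", "clusterAdmin",
]);
// Roles that may access system.users, and so can grant further privileges.
const USER_ADMIN_ROLES = new Set(["userAdmin", "userAdminAnyDatabase"]);
// Returns one finding per (user, issue) for the documents of one database.
function auditPrivilegeDocs(dbName, docs) {
  const findings = [];
  for (const doc of docs) {
    const roles = Array.isArray(doc.roles) ? doc.roles : [];
    const adminOnly = roles.filter((r) => ADMIN_ONLY_ROLES.has(r));
    const userAdmin = roles.filter((r) => USER_ADMIN_ROLES.has(r));
    if (dbName !== "admin" && adminOnly.length > 0) {
      findings.push({ user: doc.user, issue: "admin-only role outside admin", roles: adminOnly });
    }
    if (userAdmin.length > 0) {
      findings.push({ user: doc.user, issue: "can modify system.users", roles: userAdmin });
    }
    // userAdminAnyDatabase in admin can grant itself any role: an effective superuser.
    if (dbName === "admin" && roles.includes("userAdminAnyDatabase")) {
      findings.push({ user: doc.user, issue: "effective superuser", roles: ["userAdminAnyDatabase"] });
    }
  }
  return findings;
}
// Audit a dump keyed by database name; returns { dbName: [findings] }.
function auditAll(dump) {
  const report = {};
  for (const [name, docs] of Object.entries(dump)) report[name] = auditPrivilegeDocs(name, docs);
  return report;
}
// Constructed sample dump of admin.system.users and app.system.users.
const SAMPLE_DUMP = {
  admin: [
    { user: "siteUserAdmin", pwd: "<md5 hash>", roles: ["userAdminAnyDatabase"] },
    { user: "opsMonitor", pwd: "<md5 hash>", roles: ["clusterAdmin"] },
  ],
  app: [
    { user: "appUser", pwd: "<md5 hash>", roles: ["readWrite"] },
    { user: "appOwner", userSource: "admin", roles: ["readWrite", "userAdmin"] },
    { user: "stray", pwd: "<md5 hash>", roles: ["readWriteAnyDatabase"] },
  ],
};
for (const [name, findings] of Object.entries(auditAll(SAMPLE_DUMP)))
  for (const f of findings) console.log(`${name}.system.users ${f.user}: ${f.issue} [${f.roles.join(", ")}]`);
```

Against the sample dump it reports the admin user administrator as both a system.users modifier and an effective superuser, the app-database userAdmin as a system.users modifier, and the stray readWriteAnyDatabase grant as an admin-only role outside admin, while clusterAdmin in admin and plain readWrite in app pass.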