Posts

How to create new users in MongoDB with MongoChef

Creating and managing users in MongoDB from the command line can be a very cumbersome and unwieldy task. Luckily, MongoChef makes it super-easy to manage your users and their roles for your MongoDB instance.

In this tutorial, I will assume that you have already set up a user administrator for your database. If not, please first read our tutorial on how to bootstrap user authentication in MongoDB.

1. Select the MongoDB database for which you want to create a new user

In MongoDB, users are defined for a particular database. Although it is possible to grant a user from a database A access to another database B, users are typically defined in the database that they will access primarily.

So, start by connecting to your MongoDB instance with your user administrator or with any other user that has sufficient privileges to create new users (usually via roles dbAdmin or dbAdminAnyDatabase). Next, right-click the database for which you want to create a new user and select “Manage Users” from the context menu. This will open the user management tab for your database. Here, you can see all users that have already been created for this database. You can also expand users to immediately see all the roles they have been granted. To create a new user, simply click the “Add…” button.

Manage MongoDB Users

2. Enter the new user

This will bring up the Add User dialog where you can enter the name of the new user (in our case “sarah”) and their password. Next, we need to grant the new user a role so that they’ll actually be able to do something. For that, click the “Grant Roles…” button.

Assign MongoDB Role

3. Grant roles to the user

In this dialog, you will be presented with all roles that are currently defined for your database. Built-in roles will be marked by a yellow icon, custom roles by a green icon. You can also click the combo-box at the top to choose from roles in other databases of your MongoDB instance in case you want your new user to access other databases as well. For our example, we will simply make our new user an administrator of their database and also grant them read-write access to it by selecting the roles dbAdmin and readWrite. When done, click the “Grant” button.

Manage MongoDB Roles and Users

4. Create the new user

You return to the previous dialog where you can now see the roles that will be granted to your new user. To create the new user, click the “Add User” button. After that, you will be taken back to the user management tab.

Manage MongoDB Roles and Users

Manage MongoDB Roles and Users

MongoDB 3.0: Setting up user authentication with MongoChef

Needless to say: you need to secure your MongoDB instances. Leaving aside complementary network-level security such as VPNs or SSH, MongoDB 3.0 itself provides robust built-in user authentication that governs and restricts what users can and cannot see and do inside your MongoDB instances. At the very least, you should run your MongoDB server(s) with user authentication enabled. Always.

Luckily, MongoChef makes user management – a task that can sometimes seem somewhat daunting – incredibly easy. In this post, we’ll see how MongoChef gets you up and running with MongoDB user authentication in no time.

Of Chickens and Eggs

Some background first. There is of course a bit of a chicken-egg situation when you start with user authentication. If you start your mongod / mongos server(s) with user authentication enabled right away, you will of course need to have a user to authenticate with when you try to connect to your server. If, on the other hand, you run your mongod / mongos server(s) without user authentication, you can define as many users as you like, they will simply remain inactive. Therefore, there are two general approaches to bootstrapping user authentication in MongoDB:

1. Enable Authentication after Creating the User Administrator

This straight-forward approach involves the following 3 sequential steps:

  1. Start your MongoDB server without authentication.
  2. Create the system user administrator.
  3. Restart your MongoDB, this time with authentication enabled. You can now connect to your server as that user administrator.

2. Enable Authentication Right Away and Use the Localhost Exception

This approach lets you run your MongoDB server with authentication right from the beginning. However, you need to have localhost access to your server:

  1. Start your MongoDB server with authentication enabled straight away.
  2. Now connect to your MongoDB server from localhost. This localhost exception grants you full access (i.e. without any authentication required) to your instance via the localhost interface. Note that the localhost exception is only active as long as no users have been created in your MongoDB instance. Btw, you can always disable the local host exception by passing —setParameter enableLocalhostAuthBypass=0 to your server.
  3. Proceed to create your system user administration – which must be the first user you create this way.

Bootstrapping User Administration

Since it won’t always be possible to connect to your MongoDB server via your localhost interface, we will use the first approach in this post and create the user administrator before we restart our MongoDB server with authentication.

1. Start your MongoDB server without authentication

From your command line (on your server), start your MongoDB server. For the sake of simplicity, we’ll just start a single mongod instance using the new WiredTiger storage engine:

mongod —dbpath ./data/3.0.0 —storageEngine wiredTiger —port 27017

Note that your data path, your port and other options may differ from this simple example.
The main thing is that you start the server without authentication (i.e. you do not pass —auth to it).

2. Create the system user administrator

Now, let’s quickly connect to our MongoDB server. In MongoChef, click the “Connect” icon in the toolbar and then choose “Quick Connect” in the Connection Manager. Here, simply enter the name or the IP address of your server, and then just click “Connect”.

QuickConnect to a MongoDB with MongoChef GUI

In MongoDB, system-wide users (i.e. users that can have access to all other databases on the server) need to be created in a special database “admin”. If you have only just started your server for the first time, you probably won’t have an “admin” database yet. So, let’s quickly create one (if you already have an “admin” database, just skip this step).
To add the “admin” database to your MongoDB instance, simply right-click your connection, choose “Add Database…” and name your new database admin:

MongoDB Add Admin Database

Now, we can add our system-wide user administrator. A system-wide user administrator is simply an (arbitrarily named) user defined in your “admin” database that has – at least – been granted privileges to create other users. To start, select your “admin” database, right-click, and choose “Manage Users”. This will open a user management tab for the “admin” database. Of course, since we are only just getting started, there aren’t any users defined yet. Click the “Add…” button to add a new user.

MongoDB Add Admin User

Enter a name (anything goes) for your new user and a password. In order to make this new user a system-wide user administrator, we now need to assign it an appropriate role. For this, click the “Grant Roles…” button.

MongoDB Create Admin User

Now, choose from the list of all built-in roles defined for database “admin” the role “userAdminAnyDatabase”. This role will grant the user the privileges required to create (additional) users in any database on your server. Click “Grant” to close the roles selection dialog.
Your Add User dialog will now show that role for your new user:

MongoDB Grant User Admin Role

Click “Add User” to create your new system-wide user administrator.

3. Restart your MongoDB instance with authentication enabled

OK, now that we have a user administrator, we need to restart our MongoDB instance – this time with authentication enabled – as part of the process to bootstrap MongoDB user authentication.

Before restarting your server, disconnect MongoChef from it first. Simply right-click your connection and choose “Disconnect” from the context menu. Next, let’s restart our MongoDB instance with authentication enabled, again from your command line (on your server):

mongod —dbpath ./data/3.0.0 —storageEngine wiredTiger —auth —port 27017

That’s it! You have successfully set up user authentication on your MongoDB server!

Connect to your MongoDB instance with your system-wide user administrator

You can now connect to your MongoDB instance with your system-wide user administrator and create additional users. As before, open your Connection Manager. Since adding new users will probably not be a one-off task, we recommend that this time you create a new connection (rather than just quick-connect to your server).

The IP and port of your server will be the same as before, but this time we need to specify the user we want to connect with in the “Authentication” tab. Enter the name and the password of your system-wide user administrator here and make sure that you specify the database “admin” as that is where the user was defined. Note that MongoChef will automatically use the new challenge-response SCRAM-SHA-1 user authentication mechanism introduced in MongoDB 3.0.

MongoChef for MongoDB: Authenticate User Admin

After you have connected, you can then go on and define additional users for any database on your server. See this tutorial video for more details.

How to find all users that have been granted a specific role in MongoDB with MongoChef

In this tutorial, we will see how to easily find all users that have been granted a specific role in MongoDB with MongoChef.

In MongoDB, users are defined for specific databases. Each user is then assigned a number of roles that in turn define the user’s privileges.

While MongoDB’s API makes it trivial to list all roles that a particular user has been granted, there is unfortunately no easy way for the reverse case where you want to find all users that have been granted a particular role, i.e. the role’s grantees.

Luckily, MongoChef makes it very easy to find those users.

List MongoDB Roles

First off, connected to your MongoDB server as a user that has sufficient privileges to manage users and roles.

Then, simply select the database that contains the role for which you want to find all grantees, and click the “Roles” icon in the toolbar.

MongoDB GUI for Role Management

Inspect Selected MongoDB Role

This will open the roles management tab for this database. Here, you can see all the built-in and user-defined roles created for the database.

Now, simply select the role for which you want to see all the users that have been granted that role. In our case, that is the user-defined role “rwAdmin”.

Then click the “Edit” button.

MongoDB GUI Manage MongoDB Roles

This opens the edit dialog for the select role.

By default, In the “Granted To” tab, you can see all grantees from the same database that the role is defined in.

In our case, that is natalie, paul, peter, and richard.

If you want to see all users from all databases that have been granted role “rwAdmin”, click the “Refresh for all DBs” button.

Show MongoDB Users with a MongoDB Role

That’s it! You can now see all users from all databases that have been granted the role “rwAdmin” on our database “test”.

Modify MongoDB Role

In this view, you can now even conceptually add new users to this role. For this, click the “Add” button.

Grant MongoDB Role

In the new dialog, you can choose users from any database that you want to add to the role. Of course, users in MongoDB are not really added to a role. Rather, under the hood, the selected users will be granted the role instead. Click “Add” to add the selected users.

Assign MongoDB Role to Multiple MongoDB Users

How to grant roles to multiple users at once in MongoDB with MongoChef

In MongoDB, users are defined for specific databases. Each user is then assigned a list of roles that in turn define the user’s privileges.

Not surprisingly, MongoDB’s API therefore makes it easy to assign a user a list of roles via the grantRolesToUser method:

db.grantRolesToUser( "<username>", [ <roles> ], { <writeConcern> } )

However, MongoDB’s role API (http://docs.mongodb.org/v2.6/reference/method/js-role-management/) doesn’t directly cover another common use case where you want to assign a (maybe newly created) role or multiple roles to a list of users in one go.

Luckily, MongoChef makes it very easy to assign roles to multiple users at once. Let’s consider the following example. Say you have just created a new role “rwAdmin” on database “test” that makes users dbAdmins on that database and also let’s them read from and write to it. You now want to assign this new role and the existing role “userAdmin” to a group of users.

1) Connect to your MongoDB server as a user that has sufficient privileges to grant roles to users, select the database where your users are defined, and click the “Users” icon in the toolbar to open the user management tab for that database.

MongoDB GUI Manage MongoDB Users

2) You will now see a list of all your users in the selected database. Simply select all users that you want to grant those roles to and click the “Grant Roles…” button.

Grant Roles to MongoDB Users

3) Now, select from the list of available roles those that you want to grant to your list of selected users, and click “Grant”.

Manage MongoDB Roles with a GUI

4) That’s it! You can verify that those two roles were indeed granted to the group of selected users. Voilà :-)

View MongoDB Users and Roles with a GUI