password protect mongo database

Mick

Oct 31, 2012, 12:06:11 PM
to mongod...@googlegroups.com
I added a user with a password to the database, and when I run my C++ application it authenticates properly - i.e. if I provide the wrong credentials, it tells me that it can't connect.
But when I go in the shell to connect manually to the database with no credentials, it connects no problem...  Same thing when I'm connecting via MongoVUE, it does not prompt for credentials...
What's the proper way to password protect a database? 

Dwight Merriman

Oct 31, 2012, 2:04:27 PM
to mongod...@googlegroups.com
It allows you to connect from the localhost interface without credentials.

Mick

Nov 1, 2012, 10:54:45 AM
to mongod...@googlegroups.com
Thank you for your response. 
Actually, I noticed that even in the C++ code I can create a ScopedDbConnection and if I don't provide any credentials it still connects...  It only fails if I give the wrong credentials.  Is that how it's supposed to work?

Thomas Rueckstiess

Nov 1, 2012, 8:13:45 PM
to mongod...@googlegroups.com
Are you running the mongod process with the --auth flag?
And do you have "localhost" in the connection string in your C++ application or the IP address / proper hostname?

Thomas

Mick

Nov 2, 2012, 11:51:26 AM
to mongod...@googlegroups.com
Ahh, I didn't have the mongod running with the --auth, thank you.
 
I noticed that when I run it with the flag it creates the "admin" database.  To have proper authentication do I have to add my users/passwords to the admin database, or to my actual database?  Or both?

Thomas Rueckstiess

Nov 4, 2012, 11:06:25 PM
to mongod...@googlegroups.com
The admin database is a special database that gives its users more rights, for example: A user with read/write access to the admin database has read/write access to ALL databases.

Users that should only be able to access a certain database should NOT be added to the admin database. Only add administrator users to the admin db.

Additionally, users from the admin database can run certain commands, like listDatabases. See here for more details: http://docs.mongodb.org/manual/administration/security/#authentication

Regards,
Thomas
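
An added example, not part of the original thread: a Python check for the misconfiguration discussed above, where users exist but mongod was started without --auth, so connections without credentials still succeed. It goes beyond the thread by also recognising the config-file equivalents (`auth = true`, `security.authorization: enabled`) and `keyFile`, which also turns on access control; the function names, paths and sample command lines are constructed for illustration.

```python
import re
import shlex

# Settings that turn on access control, in either config-file syntax.
LEGACY_INI = re.compile(r"^\s*(auth\s*=\s*true|keyFile\s*=\s*\S+)")
YAML_KEYS = re.compile(r"^\s+(authorization\s*:\s*[\"']?enabled|keyFile\s*:\s*\S+)")


def auth_sources(cmdline, config_text=""):
    """Return every place where this mongod has access control switched on.

    An empty list is the situation from the thread: users may have been
    added, but nothing makes the server check credentials.
    """
    sources = []
    for arg in shlex.split(cmdline)[1:]:
        # Exact match, so client options such as --authenticationDatabase are ignored.
        if arg in ("--auth", "--keyFile") or arg.startswith("--keyFile="):
            sources.append("command line: " + arg.split("=")[0])
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments, including commented-out settings
        if LEGACY_INI.match(line) or YAML_KEYS.match(line):
            sources.append("config: " + line.strip())
    return sources


# Constructed samples: (mongod command line, text of the config file it loads).
SAMPLES = {
    "flag": ("mongod --dbpath /data/db --auth", ""),
    "no_flag": ("mongod --dbpath /data/db", ""),
    "ini": ("mongod -f /etc/mongodb.conf", "dbpath = /data/db\nauth = true\n"),
    "ini_commented": ("mongod -f /etc/mongodb.conf", "dbpath = /data/db\n#auth = true\n"),
    "yaml": ("mongod --config /etc/mongod.conf", "security:\n  authorization: enabled\n"),
}


def unprotected(samples):
    """Names of the instances that accept connections without credentials."""
    return sorted(n for n, (cmd, conf) in samples.items() if not auth_sources(cmd, conf))


if __name__ == "__main__":
    for name, (cmd, conf) in SAMPLES.items():
        print(name, "->", auth_sources(cmd, conf) or "NO AUTH ENFORCED")
```

On a real host, pass in the command line of each running mongod process and the contents of the file named by its -f/--config option.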