Authentication and Authorization in MongoDB


Abhi

Sep 16, 2014, 7:34:26 AM
to mongod...@googlegroups.com
Hi,
I am trying to set up authentication and authorization using MongoDB-CR methods in my mongodb instance and I have a couple of queries regarding that:

1. Where should I add all the users: in the admin database and provide appropriate rules, or in the individual databases which they access? Or would it be a combination of both? What are some best practices regarding these?

2. My understanding is that when I connect using mongodb drivers, I will always have to specify user, name, and password for complete authentication and a user is authenticated to only the database which it is part of? Is this correct?

3. Say I am using multiple DBs in my application: do I have to authenticate each time I access them, or is the authentication information cached in the MongoClient somewhere? How does this work?

Thanks for all the help,
Abhi


Abhi

Sep 17, 2014, 10:12:41 AM
to mongod...@googlegroups.com
Hi MongoExperts,

Did anyone get a chance to look at this?

Thanks,
Abhi

Will Berkeley

Sep 24, 2014, 11:45:32 AM
to mongod...@googlegroups.com
Apologies for the delay.

1. Add them in the database that they access. The admin database is special and lets you add privileges that apply to all databases. Best practice is to give the minimum possible privileges that a user needs to accomplish its job, including only creating the user in the database(s) that it needs to access. You can do this with role-based authorization and custom roles.

2. The user will be authenticated to the MongoDB instance, which will mean it only has access to the appropriate databases (but not just to the authenticating database). If you try to authenticate to a database that you don't have access to, it will fail. Once you are authenticated to one database you can switch to another database for which you are privileged.

3. I think 2 explains this in the case of one user having privileges to many databases. For multiple users you need to create multiple connections. The object/class/whatever that represents the connection in the driver will store the connection.

You can find a lot of this information in the security section of the manual. I linked you to the introduction from which you can branch out into the more detailed documentation.

-Will
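
One way to check existing accounts against the least-privilege advice in the reply above, as an added example that is not part of the original thread. It assumes user documents in the shape returned by `db.getUsers()` / the `usersInfo` command (`user`, `db`, `roles: [{ role, db }]`); the user and database names are constructed.

```javascript
// Added example: audit MongoDB user documents for least-privilege problems.
// Runs offline on plain objects; no server connection is made.

// Built-in roles that apply to every database or to the whole cluster.
const BROAD_ROLES = new Set([
  "root", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin",
]);

// Databases a user can reach after authenticating against u.db
// (the authenticating database is not the only one it may access).
function reachableDbs(u) {
  return [...new Set(u.roles.map((r) => r.db))].sort();
}

function auditUser(u) {
  const findings = [];
  const reachable = reachableDbs(u);
  for (const r of u.roles) {
    if (BROAD_ROLES.has(r.role)) findings.push(`broad role ${r.role} on ${r.db}`);
  }
  // A user stored in admin whose roles all target other databases
  // could instead be created in the database it actually uses.
  if (u.db === "admin" && reachable.length > 0 && !reachable.includes("admin")) {
    findings.push(`defined in admin but only needs: ${reachable.join(", ")}`);
  }
  return { user: `${u.db}.${u.user}`, reachable, findings };
}

// Return only the users that have at least one finding.
function auditUsers(users) {
  return users.map(auditUser).filter((r) => r.findings.length > 0);
}

// Constructed sample data (hypothetical users and databases).
const SAMPLE_USERS = [
  { user: "orders_app", db: "orders", roles: [
    { role: "readWrite", db: "orders" }, { role: "read", db: "catalog" }] },
  { user: "report", db: "admin", roles: [{ role: "read", db: "orders" }] },
  { user: "legacy", db: "admin", roles: [
    { role: "readWriteAnyDatabase", db: "admin" }] },
];

console.log(JSON.stringify(auditUsers(SAMPLE_USERS), null, 2));
```

`orders_app` passes: it is defined in the database it uses and holds only per-database roles, while still reaching `catalog` through its second role.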