OPTIONS

Create a User Administrator

In a MongoDB deployment, users with either the userAdmin or userAdminAnyDatabase roles are effective administrative “superusers”. Users with either of these roles can create and modify any other users and can assign them any privileges. The user also can grant itself any privileges. In production deployments, this user should have no other roles and should only administer users and privileges.

This should be the first user created for a MongoDB deployment. This user can then create all other users in the system.

Important

The userAdminAnyDatabase user can grant itself and any other user full access to the entire MongoDB instance. The credentials to log in as this user should be carefully controlled.

Users with the userAdmin and userAdminAnyDatabase privileges are not the same as the UNIX root superuser in that this role confers no additional access beyond user administration. These users cannot perform administrative operations or read or write data without first conferring themselves with additional permissions.

Note

The userAdmin role is a database-specific privilege, and only grants a user the ability to administer users on a single database. However, for the admin database, userAdmin allows a user the ability to gain userAdminAnyDatabase. Thus, for the admin database only, these roles are effectively the same.

Create a User Administrator

  1. Connect to the mongod or mongos by either:

  2. Switch to the admin database:

    use admin
    
  3. Add the user with either the userAdmin role or userAdminAnyDatabase role, and only that role, by issuing a command similar to the following, where <username> is the username and <password> is the password:

    db.addUser( { user: "<username>",
                  pwd: "<password>",
                  roles: [ "userAdminAnyDatabase" ] } )
    

To authenticate as this user, you must authenticate against the admin database.

Authenticate with Full Administrative Access via Localhost

If there are no users for the admin database, you can connect with full administrative access via the localhost interface. This bypass exists to support bootstrapping new deployments. This approach is useful, for example, if you want to run mongod or mongos with authentication before creating your first user.

To authenticate via localhost, connect to the mongod or mongos from a client running on the same system. Your connection will have full administrative access.

To disable the localhost bypass, set the enableLocalhostAuthBypass parameter using setParameter during startup:

mongod --setParameter enableLocalhostAuthBypass=0

Note

For versions of MongoDB 2.2 prior to 2.2.4, if mongos is running with keyFile, then all users connecting over the localhost interface must authenticate, even if there aren’t any users in the admin database. Connections on localhost are not correctly granted full access on sharded systems that run those versions.

MongoDB 2.2.4 resolves this issue.

Note

In version 2.2, you cannot add the first user to a sharded cluster using the localhost connection. If you are running a 2.2 sharded cluster and want to enable authentication, you must deploy the cluster and add the first user to the admin database before restarting the cluster to run with keyFile.