MongoDB Security & Administration
Master MongoDB security and operational practices.
Quick Start
Enable Authentication
Create admin user before enabling auth
mongod --dbpath /data --logpath /var/log/mongod.log
mongo
use admin db.createUser({ user: 'admin', pwd: 'securepassword', roles: ['root'] })
Restart with auth enabled
mongod --auth --dbpath /data
Authentication
// Connect with credentials const client = new MongoClient( 'mongodb://admin:password@localhost:27017/?authSource=admin' );
// Create application user db.createUser({ user: 'appuser', pwd: 'apppassword', roles: ['readWrite'] })
Authorization (RBAC)
// Built-in roles /* Admin Roles:
- root: Full access
- dbAdmin: Database administration
- userAdmin: User management
Database Roles:
- read: Read-only access
- readWrite: Read and write
Cluster Roles:
- clusterAdmin: Full cluster access
- clusterManager: Cluster monitoring
- clusterMonitor: Read-only monitoring */
// Create user with specific role db.createUser({ user: 'analyst', pwd: 'password', roles: [{ role: 'read', db: 'analytics' }] })
// Grant multiple roles db.grantRolesToUser('analyst', [ { role: 'read', db: 'db1' }, { role: 'readWrite', db: 'db2' } ])
Custom Roles
// Create custom role db.createRole({ role: 'reportViewer', privileges: [ { resource: { db: 'analytics', collection: 'reports' }, actions: ['find'] } ], roles: [] })
// Assign custom role db.grantRolesToUser('analyst', [ { role: 'reportViewer', db: 'admin' } ])
Encryption
TLS/SSL Setup
Generate self-signed certificate
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes
-out server.crt -keyout server.key
cat server.crt server.key > server.pem
Start MongoDB with TLS
mongod --tlsMode requireTLS
--tlsCertificateKeyFile /path/to/server.pem
--dbpath /data
Connect with TLS
mongo --tls --tlsCertificateKeyFile /path/to/client.pem
mongodb://localhost:27017
Encryption at Rest
Enable encryption with WiredTiger
mongod --encryptionCipherMode AES256-CBC
--encryptionKeyFile /path/to/keyfile.key
--dbpath /data
Backup & Recovery
Backup Methods
Backup with mongodump
mongodump --out /backup/date +%Y%m%d
Backup specific database
mongodump --db myapp --out /backup/myapp
Backup with compression
mongodump --archive=backup.archive --gzip
Restore
mongorestore /backup/ mongorestore --archive=backup.archive --gzip
Point-in-Time Recovery with Snapshots
Snapshot strategy
1. Create filesystem snapshot on replica secondary
2. Stop mongod
3. Copy snapshot to backup
4. Restart mongod
5. Use oplog for point-in-time recovery
Restore from snapshot
1. Restore filesystem snapshot
2. Start mongod (automatic recovery)
3. Verify data integrity
Audit Logging
// Enable audit logging
// mongod --auditLog.destination file
// --auditLog.format BSON
// --auditLog.path /var/log/mongodb/audit.log
// View audit log db.adminCommand({ getParameter: 1, auditLog: 1 })
// Configure audit filters // --auditLog.filter '{ atype: "authenticate" }'
User Management
// List users db.getUsers()
// Modify user password db.changeUserPassword('username', 'newpassword')
// Remove user db.removeUser('username')
// Check current user db.runCommand({ connectionStatus: 1 })
Python Examples
from pymongo import MongoClient from pymongo.auth_mechanisms import MECHANISMS
Connect with authentication
client = MongoClient( 'mongodb://user:password@localhost:27017/?authSource=admin' )
Create user
db = client['admin'] db.command('createUser', 'newuser', pwd='password', roles=['readWrite'] )
Check permissions
db.command('usersInfo', 'newuser')
Security Checklist
✅ Enable authentication in production ✅ Use strong, unique passwords ✅ Implement role-based access control ✅ Enable TLS/SSL for connections ✅ Enable encryption at rest ✅ Implement audit logging ✅ Regular backup testing ✅ Network isolation (firewall) ✅ IP whitelisting ✅ Principle of least privilege ✅ Monitor access logs ✅ Keep MongoDB updated