MongoDB Security & Administration

Master MongoDB security and operational practices.

Quick Start

Enable Authentication

# Create admin user before enabling auth
mongod --dbpath /data --logpath /var/log/mongod.log

mongo
> use admin
> db.createUser({
    user: 'admin',
    pwd: 'securepassword',
    roles: ['root']
  })

# Restart with auth enabled
mongod --auth --dbpath /data

Authentication

// Connect with credentials
const client = new MongoClient(
  'mongodb://admin:password@localhost:27017/?authSource=admin'
);

// Create application user
db.createUser({
  user: 'appuser',
  pwd: 'apppassword',
  roles: ['readWrite']
})

Authorization (RBAC)

// Built-in roles
/*
Admin Roles:
  - root: Full access
  - dbAdmin: Database administration
  - userAdmin: User management

Database Roles:
  - read: Read-only access
  - readWrite: Read and write

Cluster Roles:
  - clusterAdmin: Full cluster access
  - clusterManager: Cluster monitoring
  - clusterMonitor: Read-only monitoring
*/

// Create user with specific role
db.createUser({
  user: 'analyst',
  pwd: 'password',
  roles: [{ role: 'read', db: 'analytics' }]
})

// Grant multiple roles
db.grantRolesToUser('analyst', [
  { role: 'read', db: 'db1' },
  { role: 'readWrite', db: 'db2' }
])

Custom Roles

// Create custom role
db.createRole({
  role: 'reportViewer',
  privileges: [
    {
      resource: { db: 'analytics', collection: 'reports' },
      actions: ['find']
    }
  ],
  roles: []
})

// Assign custom role
db.grantRolesToUser('analyst', [
  { role: 'reportViewer', db: 'admin' }
])

Encryption

TLS/SSL Setup

# Generate self-signed certificate
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes \
  -out server.crt -keyout server.key
cat server.crt server.key > server.pem

# Start MongoDB with TLS
mongod --tlsMode requireTLS \
  --tlsCertificateKeyFile /path/to/server.pem \
  --dbpath /data

# Connect with TLS
mongo --tls --tlsCertificateKeyFile /path/to/client.pem \
  mongodb://localhost:27017

Encryption at Rest

# Enable encryption with WiredTiger
mongod --encryptionCipherMode AES256-CBC \
  --encryptionKeyFile /path/to/keyfile.key \
  --dbpath /data

Backup & Recovery

Backup Methods

# Backup with mongodump
mongodump --out /backup/`date +%Y%m%d`

# Backup specific database
mongodump --db myapp --out /backup/myapp

# Backup with compression
mongodump --archive=backup.archive --gzip

# Restore
mongorestore /backup/
mongorestore --archive=backup.archive --gzip

Point-in-Time Recovery with Snapshots

# Snapshot strategy
# 1. Create filesystem snapshot on replica secondary
# 2. Stop mongod
# 3. Copy snapshot to backup
# 4. Restart mongod
# 5. Use oplog for point-in-time recovery

# Restore from snapshot
# 1. Restore filesystem snapshot
# 2. Start mongod (automatic recovery)
# 3. Verify data integrity

Audit Logging

// Enable audit logging
// mongod --auditLog.destination file \
//   --auditLog.format BSON \
//   --auditLog.path /var/log/mongodb/audit.log

// View audit log
db.adminCommand({
  getParameter: 1,
  auditLog: 1
})

// Configure audit filters
// --auditLog.filter '{ atype: "authenticate" }'

User Management

// List users
db.getUsers()

// Modify user password
db.changeUserPassword('username', 'newpassword')

// Remove user
db.removeUser('username')

// Check current user
db.runCommand({ connectionStatus: 1 })

Python Examples

from pymongo import MongoClient
from pymongo.auth_mechanisms import MECHANISMS

# Connect with authentication
client = MongoClient(
    'mongodb://user:password@localhost:27017/?authSource=admin'
)

# Create user
db = client['admin']
db.command('createUser', 'newuser',
    pwd='password',
    roles=['readWrite']
)

# Check permissions
db.command('usersInfo', 'newuser')

Security Checklist

✅ Enable authentication in production ✅ Use strong, unique passwords ✅ Implement role-based access control ✅ Enable TLS/SSL for connections ✅ Enable encryption at rest ✅ Implement audit logging ✅ Regular backup testing ✅ Network isolation (firewall) ✅ IP whitelisting ✅ Principle of least privilege ✅ Monitor access logs ✅ Keep MongoDB updated