Create user and add role in MongoDB

In MongoDB, we are allowed to create new users for the database. Every MongoDB user only accesses the data that is required for their role. A role in MongoDB grants privileges to perform some set of operations on a given resource. In MongoDB, users are created using createUser() method. This method creates a new user for the database, if the specified user is already present in the database then this method will return an error.

Syntax:

 db.createUser(user, writeConcern)

Parameters: 

1. user: It contains authentication and access information about the user to create. It is a document.

• user: Name of the user
• pwd: User password. This field is not required if you use this method on $external database to create a user whose credentials are stored externally. The value of this field can be of string type or passwordPrompt().
• customData: User Associative Information. It is an optional field.
• roles: Access Level or Privilege of a user. You can also create a user without roles by passing an empty array[]. In this field, you use built-in roles or you can create you own role using db.createRole(role, writeConcern) method. To specify the roles you can use any of the following syntax:

Simply specify the role name:

 “read”

Or you can specify a document that contains the role and db fields. It is generally used when the role is specified in a different database.

{role:<role>, db: <database>}

• authenticationRestrictions: Authentication permission of the user. It is an optional field.
• mechanisms: It is used to specify the SCRM mechanisms or mechanisms for creating SCRM user credentials. It is an optional field.
• passwordDigestor: It is used to check whether the server or client digest the password. It is an optional field.

2. writeConcern: It is an optional parameter. It manages the level of Write Concern for the creation operation. It takes the same field as the getLastError Command takes. 

Notes:

• In MongoDB, the first created user in the database must be the admin user. The admin user has the privileges to maintain all the users. Also, you are not allowed to create users in the local database.
• db.createUser() Sends Password And All Other Data to The MongoDB Instance Without Any Encryption. To Encrypt the Password During Transmission, Use TLS/SSL In order To Encrypt It.

How to create an administrative user?

In MongoDB, you can create an administrative user using the createUser() method. In this method, we can create the name, password, and roles of an administrative user. Let us discuss this concept with the help of an example:

Example:

In this example, we are going to create an administrative user in the admin database and gives the user readWrite access to the config database which lets the user change certain settings for sharded clusters.

db.createUser(
{ 
 user: "hello_admin",
 pwd:  "hello123",
 roles:
 [
 { role:"readWrite",db:"config"},
 "clusterAdmin"
 ] } );

So to create an administrative user first we use the admin database. In this database, we create an admin user using the createUser() method. In this method, we set the user name is “hello_admin”, password is “hello123” and the roles of the admin user are readWrite, config, clusterAdmin. 

How to create a normal user without any roles?

In MongoDB, we can create a user without any roles by specifying an empty array[] in the role field in createUser() method.

Syntax:

db.createUser({ user:”User_Name”, pwd:”Your_Password”, roles:[]});

Let us discuss this concept with the help of an example:

Example:

In the following example, we are going to create a user without roles.

db.createUser({user:"geeks", pwd: "computer", roles:[]});

Here, we are working on the “example” database and created a user named “geeks” without roles.

How to create a user with some specifying roles?

In MongoDB, we can create a user with some specified roles using the createUser() method. In this method, we can specify the roles that the user will do after creating. Let us discuss this concept with the help of an example:

Example:

In this example, we are going to create a user with some specified roles.

db.createUser(
...{
...user: "new_one_role",
...pwd: with_roles",
...roles:["readWrite", "dbAdmin"]
...}
...);

Here, we create a user whose name is “new_one_role”, password is “with_roles” and the specified roles are:

• readWrite Role: This role provides all the privileges of the read role plus the ability to modify data on all non-system collections.
• dbAdmin Role: This role gives the ability to the user to perform administrative tasks such as schema-related tasks, indexing. It does not grant privileges for the User and Role Management.

How to create a user for a single database?

In MongoDB, we can also create a user for single database using createUser() method. Let us discuss this concept with the help of an example:

Example:

db.createUser(
{
user: "robert",
pwd:  "hellojose",
roles:[{role: "userAdmin" , db:"example"}]})

Here, we create a user whose user name is “Robert”, password is “hellojose”, and we assign a role for the user which in this case needs to be a database administrator so it is assigned to the “userAdmin” role. This role will allow the user to have administrative privileges only to the database specified in the db option, i.e., “example”.

How to create a user with authentication restrictions?

In MongoDB, authentication is a process which checks whether the user/client who is trying to access the database is known or unknown. If the user is known then it allows them to connect with server. We can also create a user with authentication restrictions using createUser() method by setting the value of authenticationRestrictions field. This field provides authentication permission of the user and contains the following fields:

• clientSource: If the value of this field is present, so when a user is authenticating the server verifies the client IP by checking the IP address in the given list or CIDR range in the list. If the client IP present in the list then the server authenticate the client or if not then server will not authenticate the user.
• serverAddress: It is a list of IP addresses or CIDR ranges to which the client can connect. If the value of this field is present in the list, then the server verify the client connection and if the connection was established via unrecognized IP address, then the server does not authenticate the user.

Let us discuss this concept with the help of an example:

Example:

In this example, we are going to create a user with authentication restrictions:

use admin
db.createUser(
   {
     user: "restrict",
     pwd: passwordPrompt(),      
     roles: [ { role: "readWrite", db: "example" } ],
     authenticationRestrictions: [ {
        clientSource: ["192.168.65.10"],
        serverAddress: ["198.157.56.0"]
     } ]
   }
)

Here we create a user named “restrict” in the admin database. So this user may only authenticate if connecting from IP address 192.168.65.10 to this server address IP address 198.157.56.0.

How to drop a User?

In Mongodb, we can also drop a user using dropUser() method. This method returns true when the user is deleted otherwise return false.

Syntax:

db.dropUser(“Username”)

Example:

In this example, we will drop a user whose name is Robert.

db.dropUser("robert")