1

I'm trying to create an authenticated database in MongoDB 2.6 using the Java driver v2.12. In particular, I need to create a user with access to the admin collection. Any suggestions? Thanks.

2 Answers

1

Here is my solution:

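    import java.util.Arrays;
    import com.mongodb.BasicDBObject;
    import com.mongodb.DB;
    import com.mongodb.MongoClient;
    import com.mongodb.MongoCredential;
    import com.mongodb.WriteConcern;

    // Connect as an administrative user that authenticates against the "admin" database.
    MongoClient mcAdmin = new MongoClient(
            configuration.getServerAddresses(),
            Arrays.asList(MongoCredential.createMongoCRCredential(
                    MONGODB_ADMIN_USERNAME, "admin",
                    MONGODB_ADMIN_PASSWORD.toCharArray())));
    try {
        mcAdmin.setWriteConcern(WriteConcern.JOURNALED);
        DB db = mcAdmin.getDB(userDbName);
        String[] roles = { "readWrite" };
        // The createUser command takes the user name as the value of the
        // "createUser" key, with "pwd" and "roles" as sibling fields.
        BasicDBObject command = new BasicDBObject("createUser", userUsername)
                .append("pwd", userPassword)
                .append("roles", roles);
        // db.command() does not throw when the server rejects the command,
        // so surface the failure explicitly.
        db.command(command).throwOnError();
    } finally {
        mcAdmin.close();
    }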

0

Doing this in Java code is not the best way to do it, and except for very rare use cases (writing an admin application for MongoDB), it is even one I would strongly advise against.

Security risk

First of all, your application would need extremely high privileges, namely userAdminAnyDatabase or userAdmin on the admin database, which more or less grants the same rights: creating a superuser at will. To put it in other words: this code would be a high security risk.

Granting roles and rights on a database is an administrative task and for good reasons should be decoupled from an application accessible by arbitrary users.

Technical problems

Activating authentication from a client simply is impossible. The mongod instance in question has to be started with authentication enabled. Furthermore, you would have to create a user with the mentioned roles before you could have your app administer users. The problem: you would have to store the password for that user somewhere. Unless you encrypt it, you basically store the most powerful password for your MongoDB databases and cluster in cleartext. And if you encrypt it, you have to pass the key for decryption to your application at some point in a secure manner. And all this to break best practices ("Separation of concerns")?

2 Comments

The code I gave is exactly part of an administration interface, in particular a Java webapp. Access to the administration interface is secured by the HTTPS protocol with SSL client-side authentication enabled (login is by smartcard). The MongoDB admin user and password are not stored anywhere; they are requested from the user when they activate the DB creation procedure. Do you still discourage this solution? Do you perhaps have a better solution to suggest (assuming that the user who creates the database cannot have direct access to MongoDB via the command line)?

MMS, new version. User admin included. Less work, already up and running, on premise available.
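
For an administration webapp like the one discussed in this thread, one way to limit the risk raised in the second answer is to validate every request before the createUser command is built. The following is an added example, not code from either answer; the class name `CreateUserGuard`, the role allow-list and the reserved database list are assumptions, and it builds the command as a plain map so it runs without the driver.

```java
import java.util.*;

public class CreateUserGuard {
    // Assumption: this deployment only ever hands out these two built-in roles.
    private static final Set<String> ALLOWED_ROLES =
            new HashSet<>(Arrays.asList("read", "readWrite"));
    // Assumption: application users are never created in the system databases.
    private static final Set<String> RESERVED_DBS =
            new HashSet<>(Arrays.asList("admin", "local", "config"));

    /** Builds the createUser command document, or throws if the request is outside policy. */
    static Map<String, Object> buildCreateUser(String db, String user, String pwd,
                                               List<String> roles) {
        if (db == null || db.isEmpty() || RESERVED_DBS.contains(db))
            throw new IllegalArgumentException("refusing to create users in database: " + db);
        if (user == null || user.isEmpty() || pwd == null || pwd.isEmpty())
            throw new IllegalArgumentException("user name and password are required");
        if (roles == null || roles.isEmpty())
            throw new IllegalArgumentException("at least one role is required");
        // Only plain role names are accepted, so a request cannot smuggle in a
        // {role, db} document that grants rights on another database.
        for (String role : roles)
            if (!ALLOWED_ROLES.contains(role))
                throw new IllegalArgumentException("role not permitted: " + role);
        Map<String, Object> cmd = new LinkedHashMap<>(); // command name must be the first key
        cmd.put("createUser", user);
        cmd.put("pwd", pwd);
        cmd.put("roles", new ArrayList<>(roles));
        return cmd;
    }

    public static void main(String[] args) {
        // Constructed sample requests: {database, user, role}.
        String[][] requests = {
            {"orders", "orders_app", "readWrite"},
            {"orders", "orders_app", "userAdmin"},
            {"admin", "helper", "userAdminAnyDatabase"},
        };
        for (String[] r : requests) {
            try {
                Map<String, Object> cmd = buildCreateUser(
                        r[0], r[1], "constructed-password", Arrays.asList(r[2]));
                System.out.println("ACCEPT " + r[0] + ": roles=" + cmd.get("roles"));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + r[0] + ": " + e.getMessage());
            }
        }
    }
}
```

Only the first constructed request is accepted; the other two are rejected before any command would reach the server.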
