I have created users but access control is not being enforced

I’m running the service inside a container. I followed the instructions here to create a user and password and update the mongod.conf file. If I try to log in with authentication but I use the wrong password, I’m blocked. If I use the right password, it works. But if I use no authentication at all I can get in and make changes.

If you can login without credentials and make changes then authentication is not enabled.

This is quite a different scenario from topic(The poster explains a “Server Information Disclosure”). Please create a new topic, post your docker config(compose file/docker run), mongo.conf.

The output of mongosh --eval 'db.serverCmdLineOpts()' --quiet could be useful to see what is going on also.

1 Like

Welcome to the MongoDB Community @amb83 !

As @chris noted, your question is different than the older topic you replied on so I have moved this to a new topic focused on your question.

It sounds like you have created a user but have perhaps missed a step like restarting the mongod process after enabling access control in the mongod configuration file. Another possibility would be that you have started mongod manually (without using a service definition), in which case you would also have to explicitly specify a path to a configuration file (eg mongod --config /path/to/mongod.conf) or include the --auth option to enable access control.

Running db.serverCmdLineOpts() in the MongoDB shell will show command line options that were used, including either a configuration file or access control parameter.

For more information on available security measures please see the MongoDB Security Checklist.

Regards,
Stennie

1 Like