I’m running the service inside a container. I followed the instructions here to create a user and password and update the mongod.conf file. If I try to log in with authentication but I use the wrong password, I’m blocked. If I use the right password, it works. But if I use no authentication at all I can get in and make changes.
If you can login without credentials and make changes then authentication is not enabled.
This is quite a different scenario from topic(The poster explains a “Server Information Disclosure”). Please create a new topic, post your docker config(compose file/docker run), mongo.conf.
The output of
mongosh --eval 'db.serverCmdLineOpts()' --quiet could be useful to see what is going on also.
Welcome to the MongoDB Community @amb83 !
As @chris noted, your question is different than the older topic you replied on so I have moved this to a new topic focused on your question.
It sounds like you have created a user but have perhaps missed a step like restarting the
mongod process after enabling access control in the
mongod configuration file. Another possibility would be that you have started
mongod manually (without using a
service definition), in which case you would also have to explicitly specify a path to a configuration file (eg
mongod --config /path/to/mongod.conf) or include the
--auth option to enable access control.
db.serverCmdLineOpts() in the MongoDB shell will show command line options that were used, including either a configuration file or access control parameter.
For more information on available security measures please see the MongoDB Security Checklist.