This version of the documentation is archived and no longer supported.

Enable Authentication in a Sharded Cluster

New in version 2.0: Support for authentication with sharded clusters.


When authentication is enabled on a sharded cluster every client that accesses the cluster must provide credentials. This includes MongoDB instances that access each other within the cluster.

To enable authentication on a sharded cluster, you must enable authentication individually on each component of the cluster. This means enabling authentication on each mongos and each mongod, including each config server, and all members of a shard’s replica set.

Authentication requires an authentication mechanism and, in most cases, a keyfile. The content of the key file must be the same on all cluster members.


It is not possible to convert an existing sharded cluster that does not enforce access control to require authentication without taking all components of the cluster offline for a short period of time.



Create a key file.

Create the key file your deployment will use to authenticate servers to each other.

To generate pseudo-random data to use for a keyfile, issue the following openssl command:

openssl rand -base64 741 > mongodb-keyfile
chmod 600 mongodb-keyfile

You may generate a key file using any method you choose. Always ensure that the password stored in the key file is both long and contains a high amount of entropy. Using openssl in this manner helps generate such a key.


Enable authentication on each component in the cluster.

On each mongos and mongod in the cluster, including all config servers and shards, specify the key file using one of the following approaches:

Specify the key file in the configuration file.

In the configuration file, set the keyFile option to the key file’s path and then start the component, as in the following example:

  keyFile: /srv/mongodb/keyfile

Specify the key file at runtime.

When starting the component, set the --keyFile option, which is an option for both mongos instances and mongod instances. Set the --keyFile to the key file’s path. The keyFile setting implies the authorization setting, which means in most cases you do not need to set authorization explicitly.


Add users.

While connected to a mongos, add the first administrative user and then add subsequent users. See Create a User Administrator.