Authentication

FerretDB provides authentication via the backend’s authentication mechanisms and the experimental authentication mode.

For the backend’s authentication mechanism, the default username and password can be specified in FerretDB’s connection string, but the client could use a different user by providing a username and password in MongoDB URI.

For example, if the server was started with postgres://user1:pass1@postgres:5432/ferretdb, anonymous clients will be authenticated as user1, but clients that use mongodb://user2:pass2@ferretdb:27018/ferretdb?tls=true&authMechanism=PLAIN MongoDB URI will be authenticated as user2. Since usernames and passwords are transferred in plain text, the use of TLS is highly recommended.

The FerretDB experimental authentication mode allows you to create user credentials for authenticated connections. See experimental authentication mode for more.

PostgreSQL backend with default username and password

In following examples, default username and password are specified in FerretDB’s connection string user1:pass1. Ensure user1 is a PostgreSQL user with necessary privileges. See more about creating PostgreSQL user and PostgreSQL authentication methods.

Using ferretdb package

Start ferretdb by specifying --postgresql-url with default username and password.

  1. ferretdb --postgresql-url=postgres://user1:pass1@localhost:5432/ferretdb

An anonymous client is authenticated with default user1 from --postgresql-url.

  1. mongosh 'mongodb://127.0.0.1/ferretdb'

A client that specify username and password in MongoDB URI as below is authenticated as user2.

  1. mongosh 'mongodb://user2:pass2@127.0.0.1/ferretdb?authMechanism=PLAIN'

Using Docker

For Docker, specify FERRETDB_POSTGRESQL_URL with default username and password.

  1. services:
  2.   postgres:
  3.     image: postgres
  4.     restart: on-failure
  5.     environment:
  6.       - POSTGRES_USER=username
  7.       - POSTGRES_PASSWORD=password
  8.       - POSTGRES_DB=ferretdb
  9.     volumes:
  10.       - ./data:/var/lib/postgresql/data
  12.   ferretdb:
  13.     image: ghcr.io/ferretdb/ferretdb
  14.     restart: on-failure
  15.     ports:
  16.       - 27017:27017
  17.     environment:
  18.       - FERRETDB_POSTGRESQL_URL=postgres://user1:pass1@postgres:5432/ferretdb
  20. networks:
  21.   default:
  22.     name: ferretdb

To start ferretdb, use docker compose.

  1. docker compose up

An anonymous client is authenticated with user1 from FERRETDB_POSTGRESQL_URL. Use following command to run mongosh inside the temporary MongoDB container, attached to the same Docker network.

  1. docker run --rm -it --network=ferretdb --entrypoint=mongosh \
  2.   mongo 'mongodb://ferretdb/ferretdb'

A client that specify username and password in MongoDB URI as below is authenticated as user2.

  1. docker run --rm -it --network=ferretdb --entrypoint=mongosh \
  2.   mongo 'mongodb://user2:pass2@ferretdb/ferretdb?authMechanism=PLAIN'

Authentication Handshake

Authentication - 图1note

Some drivers may still use the legacy hello command to complete a handshake.

If you encounter any issues while authenticating with FerretDB, try setting the Stable API version to V1 on the client as this may prevent legacy commands from being used. Please refer to your specific driver documentation on how to set this field.

If this does not resolve your issue please file a bug report here.

Experimental authentication mode

FerretDB provides a new experimental authentication mode that supports the SCRAM-SHA-1 and SCRAM-SHA-256 authentication mechanisms. This mode enables FerretDB to manage users by itself and also provide support for more user management commands.

You can enable this mode by setting the FERRETDB_TEST_ENABLE_NEW_AUTH flag or --test-enable-new-auth to true. See flags for more information.

For example:

  1. ferretdb --test-enable-new-auth=true

With this new authentication mode, you can create user credentials for authenticated connections using the createUser command and also access other user management commands such as dropAllUsersFromDatabase, dropUser, updateUser, and usersInfo.

This mode also enables you to set up initial authentication credentials for your instance.

Initial authentication setup

You can secure your connections right from scratch by setting up an initial authentication credential using the following dedicated flags or environment variables

  • --setup-username/FERRETDB_SETUP_USERNAME: Specifies the username to be created.
  • --setup-password/FERRETDB_SETUP_PASSWORD: Specifies the password for the user (can be empty).
  • --setup-database/FERRETDB_SETUP_DATABASE: Specifies the initial database that will be created.

Authentication - 图2note

--test-enable-new-auth/FERRETDB_TEST_ENABLE_NEW_AUTH must be set to true to enable the authentication setup.

Once the flags/environment variables are passed, FerretDB will create the specified user with the given password and the given database.

Initial authentication setup with Postgres backend

A typical setup for a local Postgres database with an initial user setup would look like this:

  1. services:
  2.   postgres:
  3.     image: postgres
  4.     environment:
  5.       - POSTGRES_USER=username
  6.       - POSTGRES_PASSWORD=password
  7.       - POSTGRES_DB=ferretdb
  8.     volumes:
  9.       - ./data:/var/lib/postgresql/data
  11.   ferretdb:
  12.     image: ghcr.io/ferretdb/ferretdb
  13.     restart: on-failure
  14.     ports:
  15.       - 27017:27017
  16.     environment:
  17.       - FERRETDB_POSTGRESQL_URL=postgres://username:password@postgres:5432/ferretdb
  18.       - FERRETDB_TEST_ENABLE_NEW_AUTH=true
  19.       - FERRETDB_SETUP_USERNAME=user
  20.       - FERRETDB_SETUP_PASSWORD=pass
  21.       - FERRETDB_SETUP_DATABASE=ferretdb
  23. networks:
  24.   default:
  25.     name: ferretdb

You can then start the services with docker compose up -d. Once the services are up and running, you can connect to the FerretDB instance using the authencation credentials created during the setup.

  1. mongosh "mongodb://user:pass@ferretdb/ferretdb"

Initial authentication setup with SQLite backend

You can configure your instance to be created with an initial user for authentication.

A typical setup would look like this:

  1. services:
  2.   ferretdb:
  3.     image: ghcr.io/ferretdb/ferretdb
  4.     restart: on-failure
  5.     ports:
  6.       - 27017:27017
  7.     environment:
  8.       - FERRETDB_HANDLER=sqlite
  9.       - FERRETDB_TEST_ENABLE_NEW_AUTH=true
  10.       - FERRETDB_SETUP_USERNAME=user
  11.       - FERRETDB_SETUP_PASSWORD=pass
  12.       - FERRETDB_SETUP_DATABASE=ferretdb
  13.     volumes:
  14.       - ./state:/state
  16. networks:
  17.   default:
  18.     name: ferretdb

You can start the services and connect to the instance as shown in the Postgres example above.