MongoDB Authentication (Docker)
This guide will demonstrate how to use the docker-compose.override.yml file to allows us to enable explicit authentication for MongoDB.
For more info about the override file, please consult: Docker Compose Override
Notes:
- The default configuration is secure by blocking external port access, but we can take it a step further with access credentials.
- As noted by the developers of MongoDB themselves, authentication in MongoDB is fairly complex. We will be taking a simple approach that will be good enough for most cases, especially for existing configurations of MyLinks. To learn more about how mongodb authentication works with docker, see here: https://hub.docker.com/_/mongo/
- This guide focuses exclusively on terminal-based setup procedures.
- While the steps outlined may also be applicable to Docker Desktop environments, or with non-Docker, local MongoDB, or other container setups, details specific to those scenarios are not provided.
There are 3 basic steps:
- Create an admin user within your mongodb container
- Enable authentication and create a “readWrite” user for “MyLinks”
- Configure the MONGO_URI with newly created user
TL;DR
These are all the necessary commands if you’d like to run through these quickly or for reference:
Example
Example docker-compose.override.yml file using the librechat.yaml config file, MongoDB Authentication, and mongo-express for managing your MongoDB database:
Step 1: Creating an Admin User
First, we must stop the default containers from running, and only run the mongodb container.
docker compose downdocker compose up -d mongodbNote: The
-dflag detaches the current terminal instance as the container runs in the background. If you would like to see the mongodb log outputs, omit it and continue in a separate terminal.
Once running, we will enter the container’s terminal and execute mongosh:
docker exec -it chat-mongodb mongoshYou should see the following output:
~/MyLinks$ docker exec -it chat-mongodb mongosh
Current Mongosh Log ID: 65bfed36f7d7e3c2b01bcc3d
Connecting to: mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
Using MongoDB: 7.0.4
Using Mongosh: 2.1.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
test> Optional: While we’re here, we can disable telemetry for mongodb if desired, which is anonymous usage data collected and sent to MongoDB periodically:
Execute the command below.
Notes:
- All subsequent commands should be run in the current terminal session, regardless of the environment (Docker, Linux,
mongosh, etc.)- I will represent the actual terminal view with # example input/output or simply showing the output in some cases
Command:
disableTelemetry()Example input/output:
test> disableTelemetry()
Telemetry is now disabled.Now, we must access the admin database, which mongodb creates by default to create our admin user:
use adminswitched to db admin
Replace the credentials as desired and keep in your secure records for the rest of the guide.
Run command to create the admin user:
db.createUser({ user: "adminUser", pwd: "securePassword", roles: ["userAdminAnyDatabase", "readWriteAnyDatabase"] })You should see an “ok” output.
You can also confirm the admin was created by running show users:
admin> show users
[
{
_id: 'admin.adminUser',
userId: UUID('86e90441-b5b7-4043-9662-305540dfa6cf'),
user: 'adminUser',
db: 'admin',
roles: [
{ role: 'userAdminAnyDatabase', db: 'admin' },
{ role: 'readWriteAnyDatabase', db: 'admin' }
],
mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
}
]:warning: Important: if you are using mongo-express to manage your database (guide here), you need the additional permissions for the mongo-express service to run correctly:
db.grantRolesToUser("adminUser", ["clusterAdmin", "readAnyDatabase"])Exit the Mongosh/Container Terminal by running exit:
admin> exitAnd shut down the running container:
docker compose downStep 2: Enabling Authentication and Creating a User with readWrite Access
We must now create/edit the docker-compose.override.yml file to enable authentication for our mongodb container. You can use this configuration to start or reference:
version: '3.4'
services:
api:
volumes:
- ./librechat.yaml:/app/librechat.yaml # Optional for using the librechat config file.
mongodb:
command: mongod --auth # <--- Add this to enable authenticationAfter configuring the override file as above, run the mongodb container again:
docker compose up -d mongodbAnd access mongosh as the admin user:
docker exec -it chat-mongodb mongosh -u adminUser -p securePassword --authenticationDatabase adminConfirm you are authenticated:
db.runCommand({ connectionStatus: 1 })test> db.runCommand({ connectionStatus: 1 })
{
authInfo: {
authenticatedUsers: [ { user: 'adminUser', db: 'admin' } ],
authenticatedUserRoles: [
{ role: 'readWriteAnyDatabase', db: 'admin' },
{ role: 'userAdminAnyDatabase', db: 'admin' }
]
},
ok: 1
}
test>Switch to the “MyLinks” database
Note: This the default database unless you changed it via the MONGO_URI; default URI:
MONGO_URI=mongodb://mongodb:27017/MyLinks
use MyLinksNow we’ll create the actual credentials to be used by our Mongo connection string, which will be limited to read/write access of the “MyLinks” database. As before, replace the example with your desired credentials:
db.createUser({ user: 'user', pwd: 'userpasswd', roles: [ { role: "readWrite", db: "MyLinks" } ] });
You should see an “ok” output again.
You can verify the user creation with the show users command.
Exit the Mongosh/Container Terminal again with exit, and bring the container down:
exitdocker compose downI had an issue where the newly created user would not persist after creating it. To solve this, I simply repeated the steps to ensure it was created. Here they are for your convenience:
docker compose downdocker compose up -d mongodbdocker exec -it chat-mongodb mongosh -u adminUser -p securePassword --authenticationDatabase adminuse MyLinksshow usersdb.createUser({ user: 'user', pwd: 'userpasswd', roles: [ { role: "readWrite", db: "MyLinks" } ] });If it’s still not persisting, you can try running the commands with all containers running, but note that the MyLinks container will be in an error/retrying state.
Step 3: Update the MONGO_URI to Use the New Credentials
Finally, we add the new connection string with our newly created credentials to our docker-compose.override.yml file under the api service:
environment:
- MONGO_URI=mongodb://user:userpasswd@mongodb:27017/MyLinksSo our override file looks like this now:
version: '3.4'
services:
api:
volumes:
- ./librechat.yaml:/app/librechat.yaml
environment:
- MONGO_URI=mongodb://user:userpasswd@mongodb:27017/MyLinks
mongodb:
command: mongod --authYou should now run docker compose up successfully authenticated with read/write access to the MyLinks database
Example successful connection:
MyLinks | 2024-02-04 20:59:43 info: Server listening on all interfaces at port 3080. Use http://localhost:3080 to access it
chat-mongodb | {"t":{"$date":"2024-02-04T20:59:53.880+00:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.160.4:58114","uuid":{"uuid":{"$uuid":"027bdc7b-a3f4-429a-80ee-36cd172058ec"}},"connectionId":17,"connectionCount":10}}If you’re having Authentication errors, run the last part of Step 2 again. I’m not sure why it’s finicky but it will work after a few tries.