The Complete DevOps Guide to MongoDB Installation on Ubuntu with User Roles and Security

Introduction

Installing MongoDB on Ubuntu sounds easy until you actually move into a production environment. Most beginner tutorials simply show sudo apt install mongodb, create a database, and stop there. But in real-world DevOps work, that approach creates security risks, permission issues, and maintenance problems later.

I have seen many developers deploy applications using MongoDB without proper authentication enabled, leaving databases exposed publicly on the internet. Unfortunately, attackers actively scan servers for unsecured MongoDB instances. A small configuration mistake can expose sensitive customer information within minutes.

If you want to deploy a professional backend application using MongoDB on Ubuntu Linux, you should know how to install MongoDB properly, create dedicated users, assign roles, restrict permissions, and secure the server before production deployment.

In this guide, we will walk through the complete MongoDB installation process on Ubuntu, create admin and application users, assign database-specific permissions, enable authentication, configure remote access securely, and cover practical DevOps troubleshooting commands that engineers actually use.

Step 1: Update Ubuntu Server
Step 2: Install MongoDB on Ubuntu
Step 3: Verify MongoDB Service
Step 4: Create MongoDB Admin User
Step 5: Create a Specific Database User
Step 6: Add Roles and Permissions
Step 7: Enable Authentication
Step 8: Configure Remote Access Securely
Step 9: DevOps MongoDB Commands
Common MongoDB Deployment Mistakes
Frequently Asked Questions (FAQ)
Conclusion

Step 1: Update Ubuntu Server

Before installing any database server, always update your Ubuntu packages. This is one of the first things DevOps engineers do because outdated packages often create dependency conflicts.

Run the following command:

sudo apt update
sudo apt upgrade -y

This ensures your system packages are updated before MongoDB installation starts.

If you are using a cloud VPS or production server, reboot once after major package upgrades:

sudo reboot

Step 2: Install MongoDB on Ubuntu

Instead of using Ubuntu’s default repository, always install MongoDB from the official MongoDB repository. Why? Because Ubuntu repositories sometimes contain outdated MongoDB versions.

First, install required packages:

sudo apt install gnupg curl -y

Now import the MongoDB GPG key:

curl -fsSL https://pgp.mongodb.com/server-8.0.asc | \
sudo gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg \
--dearmor

Add the MongoDB repository:

echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-8.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/8.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-8.0.list

Update package information:

sudo apt update

Now install MongoDB:

sudo apt install mongodb-org -y

Once installation completes, start MongoDB service:

sudo systemctl start mongod
sudo systemctl enable mongod

The enable command ensures MongoDB automatically starts after server reboot.

Step 3: Verify MongoDB Service

Before creating databases or users, always confirm the service is running correctly.

Check MongoDB status:

sudo systemctl status mongod

You should see:

Active: active (running)

If MongoDB is not running, restart it:

sudo systemctl restart mongod

Also check logs if something fails:

sudo journalctl -u mongod

This log command is extremely useful in DevOps environments when debugging service startup issues.

Step 4: Create MongoDB Admin User

One mistake beginners make is using MongoDB without authentication. Never do that in production.

First, access MongoDB shell:

mongosh

Switch to the admin database:

use admin

Now create an admin user:

db.createUser({
  user: "mongoAdmin",
  pwd: "StrongPassword@123",
  roles: [
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "dbAdminAnyDatabase", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" }
  ]
})

What does this do?

userAdminAnyDatabase → Manage users
dbAdminAnyDatabase → Database administration
readWriteAnyDatabase → Read/write access

Think of this account as your master database administrator.

Step 5: Create a Specific Database User

For security reasons, your backend applications (like FastAPI, .NET, or Express) should never connect using the admin credentials. Instead, create a dedicated user that only has access to a specific database.

While still in the mongosh shell, switch to your application's target database (it will be created automatically if it doesn't exist):

use my_app_production

Create a dedicated user for this database:

db.createUser({
  user: "appUser",
  pwd: "AppSecurePassword!2026",
  roles: [{ role: "readWrite", db: "my_app_production" }]
})

Now, your backend application has isolated access limited strictly to my_app_production.

Step 6: Add Roles and Permissions

MongoDB uses Role-Based Access Control (RBAC). In DevOps, following the "Principle of Least Privilege" is critical. Here are the most common roles you will assign depending on the requirement:

read: Good for analytical tools or reporting dashboards that only need to view data.
readWrite: The standard role for backend applications that need to query and update data.
dbOwner: Has full control over a specific database, allowing them to manage custom roles and users within it.

Step 7: Enable Authentication

Even though we created users, MongoDB does not enforce passwords by default. You must explicitly tell the server to require authentication.

Exit the MongoDB shell by typing exit, then open the main configuration file:

sudo nano /etc/mongod.conf

Scroll down to the security section, uncomment it, and enable authorization:

security:
  authorization: "enabled"

Save and close the file (Ctrl+O, Enter, Ctrl+X), then restart the MongoDB service to apply the new security rules:

sudo systemctl restart mongod

Step 8: Configure Remote Access Securely

By default, MongoDB only listens to 127.0.0.1 (localhost). If your backend API is on a different server, you need to configure remote access safely.

Open the configuration file again:

sudo nano /etc/mongod.conf

Find the net section and append your server's private network IP (VPC) to the bindIp directive, separated by a comma. Never use 0.0.0.0 in production.

net:
  port: 27017
  bindIp: 127.0.0.1,10.116.0.2

Restart the service:

sudo systemctl restart mongod

Next, configure your UFW firewall to only allow incoming connections from your specific application server's IP:

sudo ufw allow from 10.116.0.5 to any port 27017

Step 9: DevOps MongoDB Commands

Here are the daily commands you will use for database administration and debugging:

Check live connections:
db.serverStatus().connections (Inside mongosh)
Backup a database:
mongodump --uri="mongodb://appUser:pwd@localhost:27017/my_app_production" --out=/backups/
Restore a database:
mongorestore --uri="mongodb://appUser:pwd@localhost:27017/my_app_production" /backups/my_app_production/
View slow queries:
Enable profiling with db.setProfilingLevel(1, { slowms: 100 })

Common MongoDB Deployment Mistakes

Here are the most frequent pitfalls engineers encounter when moving MongoDB to a production environment:

Mistake	Impact	The DevOps Fix
Skipping Authentication	Exposes the database to automated internet scanners.	Enable `authorization: enabled` in `mongod.conf`.
Using Default Repositories	Installs an outdated, unsupported MongoDB version.	Always add the official MongoDB APT repository.
Over-Privileged Users	A compromised backend app grants attackers full DB control.	Create dedicated, scoped users for specific databases.
Global Bind IP (`0.0.0.0`)	Allows connection attempts from any IP address globally.	Bind only to localhost or a private VPC network IP.

Frequently Asked Questions (FAQ)

How do I connect a backend application securely?

When connecting a backend API, never use the mongoAdmin account you created in Step 4. Instead, create a dedicated user for that specific application's database with readWrite access, and use a connection string formatted like this: mongodb://appUser:password@localhost:27017/appName.

Why is my MongoDB service failing to start?

The most common cause is a formatting error (like incorrect spacing) in the /etc/mongod.conf file, especially after modifying the bind IP or enabling security. Always check the exact error by running sudo journalctl -u mongod to pinpoint where the startup process failed.

Do I need to restart MongoDB after creating a user?

No. User creation takes effect immediately within the database shell. However, if you are editing the mongod.conf file to turn on authentication (setting security.authorization: "enabled"), you must restart the service using sudo systemctl restart mongod for the new security rules to apply.

Conclusion

Deploying MongoDB securely on an Ubuntu server requires more than just a simple installation command. By taking the time to set up administrative credentials, assigning scoped database users, enforcing authentication, and locking down the network binding, you protect your infrastructure from the most common vulnerabilities.

Whether you are connecting a robust .NET enterprise backend or scaling a fast Python application, these core DevOps security practices will ensure your database layer remains stable, performant, and impenetrable.