Change default "admin:pass" in MongoExpress within Docker

Question

I'm running the MongoDB/MongoExpress stack via docker compose up as presented here:

# Use root/example as user/password credentials
version: '3.1'

services:

  mongo:
    image: mongo
    restart: always
    environment:
      MONGO_INITDB_ROOT_USERNAME: root
      MONGO_INITDB_ROOT_PASSWORD: example

  mongo-express:
    image: mongo-express
    restart: always
    ports:
      - 8081:8081
    environment:
      ME_CONFIG_MONGODB_ADMINUSERNAME: root
      ME_CONFIG_MONGODB_ADMINPASSWORD: example
      ME_CONFIG_MONGODB_URL: mongodb://root:example@mongo:27017/

Everything works, but from the output of MongoExpress I can read

mongotest-mongo-express-1  | Mongo Express server listening at http://0.0.0.0:8081
mongotest-mongo-express-1  | Server is open to allow connections from anyone (0.0.0.0)
mongotest-mongo-express-1  | basicAuth credentials are "admin:pass", it is recommended you change this in your config.js!

In fact, by connecting to localhost:8081 I have to provide admin and pass as access credentials.

I would like to change this behaviour directly from the Dockerfile by setting the default username and password

Following this documentation, I modified the mongo-express environment as follows:

    environment:
      ME_CONFIG_MONGODB_ENABLE_ADMIN: false
      ME_CONFIG_MONGODB_AUTH_DATABASE: custom_db_name
      ME_CONFIG_MONGODB_AUTH_USERNAME: custom_username
      ME_CONFIG_MONGODB_AUTH_PASSWORD: custom_password
      ME_CONFIG_MONGODB_ADMINUSERNAME: root
      ME_CONFIG_MONGODB_ADMINPASSWORD: example
      ME_CONFIG_MONGODB_URL: mongodb://root:example@mongo:27017/

but nothing has changed, except for Mongo, which has gone from having three databases (admin, config and local) to only one (test).

Thank you for any help you can give me.

Answer 1

I have the same problem and I found a solution that works for me. I've checked the default config file that is used by mongo-express.

Just set the ME_CONFIG_BASICAUTH variable to true.

The docker-compose.yml file may look like the following:

    environment:
      ME_CONFIG_MONGODB_URL: mongodb://${MONGO_ROOT_USERNAME}:${MONGO_ROOT_PASSWORD}@mongo:27017/

      ME_CONFIG_MONGODB_ADMINUSERNAME: $MONGO_ROOT_USERNAME
      ME_CONFIG_MONGODB_ADMINPASSWORD: $MONGO_ROOT_PASSWORD
      ME_CONFIG_MONGODB_SERVER: mongo
      ME_CONFIG_MONGODB_PORT: 27017

      ME_CONFIG_BASICAUTH: true
      ME_CONFIG_BASICAUTH_USERNAME: $ME_WEB_USERNAME
      ME_CONFIG_BASICAUTH_PASSWORD: $ME_WEB_PASSWORD

I recommend using ME_CONFIG_MONGODB_URL, this makes the connection much faster, but it works without this line.

Of course, you need to have a .env file with the following variables in the same directory as docker-compose.yml.

Sample .env file:

MONGO_ROOT_USERNAME=root
MONGO_ROOT_PASSWORD=changeme

ME_WEB_USERNAME=user
ME_WEB_PASSWORD=qwerty

Unfortunately, it doesn't fix the problem when you are setting ME_CONFIG_MONGODB_ENABLE_ADMIN to false, but I assume you can just use your own config.js and pass it to docker.

Answer 2

I have no clue about Docker, but let me try to explain the user management in MongoDB.

A user is scoped to a database, i.e. you can define the database where the user is created, for example:

use products
db.createUser( { 
   user: "custom_username",
   pwd: "secret"
   roles: [ 
      { role: "clusterAdmin", db: "admin" },
      "readWrite"
   ] 
})

or you can also write

db.getSiblingDB("products").createUser(...

However, usually users are created in admin database, honestly I don't know any reason why user should be created somewhere else.

The admin database is built-in database. Apart from user authentication and authorization data it also includes Roles for administering the whole system rather than just a single database. These roles are mainly related to replica set and sharded cluster administrative functions.

Roles which are created in other database than admin can only include privileges that apply to its database and can only inherit from other roles in its database.

A role created in the admin database can include privileges that apply to any database or to the cluster resource, and can inherit from roles in other databases as well as the admin database.

Try db.getUsers() to see where users are created and which roles thy got granted.