ArangoDB v3.4 reached End of Life (EOL) and is no longer supported.

This documentation is outdated. Please see the most recent version here: Latest Docs

Using authentication

Problem

I want to use authentication in ArangoDB.

Solution

In order to make authentication work properly, you will need to create user accounts first.

Then adjust ArangoDB’s configuration and turn on authentication (if it’s off).

Set up or adjust user accounts

ArangoDB user accounts are valid throughout a server instance and users can be granted access to one or more databases. They are managed through the database named _system.

To manage user accounts, connect with the ArangoShell to the ArangoDB host and the _system database:

$ arangosh --server.endpoint tcp://127.0.0.1:8529 --server.database "_system"

By default, arangosh will connect with a username root and an empty password. This will work if authentication is turned off.

When connected, you can create a new user account with the following command:

arangosh> require("org/arangodb/users").save("myuser", "mypasswd");

myuser will be the username and mypasswd will be the user’s password. Note that running the command like this may store the password literally in ArangoShell’s history.

To avoid that, use a dynamically created password, e.g.:

arangosh> passwd = require("internal").genRandomAlphaNumbers(20);
arangosh> require("org/arangodb/users").save("myuser", passwd);

The above will print the password on screen (so you can memorize it) but won’t store it in the command history.

While there, you probably want to change the password of the default root user too. Otherwise one will be able to connect with the default root user and its empty password. The following commands change the root user’s password:

arangosh> passwd = require("internal").genRandomAlphaNumbers(20);
arangosh> require("org/arangodb/users").update("root", passwd);

Turn on authentication

Authentication is turned on by default in ArangoDB. You should make sure that it was not turned off manually however. Check the configuration file (normally named /etc/arangodb.conf) and make sure it contains the following line in the server section:

authentication = true

This will make ArangoDB require authentication for every request (including requests to Foxx apps).

If you want to run Foxx apps without HTTP authentcation, but activate HTTP authentication for the built-in server APIs, you can add the following line in the server section of the configuration:

authentication-system-only = true

The above will bypass authentication for requests to Foxx apps.

When finished making changes, you need to restart ArangoDB:

service arangodb restart

Check accessibility

To confirm authentication is in effect, try connecting to ArangoDB with the ArangoShell:

$ arangosh --server.endpoint tcp://127.0.0.1:8529 --server.database "_system"

The above will implicity use a username root and an empty password when connecting. If you changed the password of the root account as described above, this should not work anymore.

You should also validate that you can connect with a valid user:

$ arangosh --server.endpoint tcp://127.0.0.1:8529 --server.database "_system" --server.username myuser

You can also use curl to check that you are actually getting HTTP 401 (Unauthorized) server responses for requests that require authentication:

$ curl --dump - http://127.0.0.1:8529/_api/version

Author: Jan Steemann

Tags: #authentication #security