How to disallow a mongoDB user to update dataset? - mongodb

I've created an user xyz with "read" permissions an a given Databases:
{
"_id" : "admin.xyz",
"userId" : UUID("12345trntr4-3465465465771-4d6nre9-96rnc51-96rntrndfb33affebe"),
"user" : "user01",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "08154711",
"storedKey" : "raunuqfiagnuiraed132c4=",
"serverKey" : "LH89uhiearnuiae323cj3k="
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "nuqfgiaeh98hepQFGHdmnudtrianefqX1Ag==",
"storedKey" : "nDuqfgiaeh98hepQFGHdmnudtrianefqmaM=",
"serverKey" : "zNuqfgiaeh98hepQFGHdmnudtrianefqDI="
}
},
"roles" : [
{
"role" : "read",
"db" : "myDatabase01"
},
{
"role" : "read",
"db" : "myDatabase02"
}
]
}
And in fact, if I connect with a DB-Client, and try to enter new Dataset it is denied.
BUT, it is still possible to EDIT an existing entry.
Question
How to I archive to have a user, who has read-only permission, but is not allowed to update (or change anything at all) in the Database?

Can you check whether user1 has some edit role(s) in the DB itself (not in admin DB)?
e.g. by running
use myDatabase01;
db.getUser("user1");
use myDatabase02;
db.getUser("user1");
A possible readWrite role defined on the specific DB (not in admin DB) might explain the weird situation that you are experiencing.

Related

Adding column in meanjs database

the below code is the default structure of a meanjs.org database. How can I add a new column like Balance in the mongodb?
{
"_id" : ObjectId("597695d922fa1025a453ed39"),
"salt" : "aGHDfk3+7Bg1lR8YI2JTAg==",
"displayName" : "sample samples",
"provider" : "local",
"username" : "admins",
"created" : ISODate("2017-07-25T00:50:33.800Z"),
"roles" : [
"user"
],
"profileImageURL" : "modules/users/client/img/profile/default.png",
"password" : "McRqjKUIzslHzCrg8VLyXXQZEZS/GqQyBewvI8xgutppYGvsexcbqf/ua9foennx6xy0unRiHrVAB7T1jF2v1Q==",
"email" : "admin#admin.com",
"lastName" : "samples",
"firstName" : "sample",
"__v" : 0 }enter code here
The code you showed is an example of a user saved in your MongoDB database inside User collection.
To edit the User schema in MEAN.JS you can do so by editing the file located in /modules/users/server/models/user.server.model.js and add the properties you need.

mongodb: how to set correctly roles and privileges?

I added an 'admin' user in the admin db, with roles on admin db and another db :
[admin] user: yves>db.auth("isabelle", "abc123")
1
[admin] user: isabelle>db.getUser("isabelle")
{
"_id" : "admin.isabelle",
"user" : "isabelle",
"db" : "admin",
"roles" : [
{
"role" : "userAdmin",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "cockpit"
}
]
}
I am testing that this user cannot admin the 'test' database ( updating a tester user email )
[admin] user: isabelle>use test
switched to db test
[test] user: isabelle>db.updateUser(
... "myTester",
... {
... customData: {email: "mytester#example.com"}
... }
... )
As 'isabelle' has no roles on 'test' db , she should not be allowed to update any user on this db ... (?)
but it is ...
[test] user: isabelle>db.getUser("myTester")
{
"_id" : "test.myTester",
"user" : "myTester",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "reporting"
}
],
"customData" : {
"email" : "mytester#example.com"
}
}
what am I missing ?
do the isabelle' role 'userAdmin' on 'admin' db allow it ?
I tried to remove it, but it deosn(t change anything ...
I also tried to move isabelle in the cockpit database, with dbOwner role, it doesn't change anything... isabelle is still able to update myTester user in the test database...
how can I restrict isabelle to admin only the 'cockpit' db ( managing users and roles for this db ..?
thanks for enlightment ...
Add to your mongod.conf
security:
authorization: enabled
Also check this mongodb link.

How to update user-defined roles in MongoDB 3.0 in a sharding environment?

I'm using MMS to manage my a typical sharding cluster with just one shard (at the moment): 3 mongod for shard000 (2 servers + 1 arbiter) + 1 config server + 2 mongos instances.
Auth is enabled and it's working well. I've added a user-defined role in the MMS admin console, and I can see it in mongo shell.
db.system.roles.findOne()
{
"_id" : "admin.myrole",
"role" : "myrole",
"db" : "admin",
"privileges" : [
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"changeCustomData",
"changePassword",
...
I want to change it to AnyAction on AnyResource (as doEval action requires). So, I'm trying to execute this:
db.runCommand({ "updateRole": "myrole", "privileges": [ { resource: { anyResource: true}, actions: [ "anyAction" ] } ] }); db.system.roles.findOne()`
and for one second, I get the result I want:
{
"_id" : "admin.myrole",
"role" : "myrole",
"db" : "admin",
"privileges" : [
{
"resource" : {
"anyResource" : true
},
"actions" : [
"anyAction"
]
}
],
"roles" : [ ]
}
But, about two seconds later:
the role got restored:
configsvr> db.system.roles.findOne()
{
"_id" : "admin.myrole",
"role" : "myrole",
"db" : "admin",
"privileges" : [
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"changeCustomData",
"changePassword",
...
and I don't know "who" is restoring it.
I've tried the above commands from the PRIMARY and from CONFIG server in admin database.
How can I get the role stored?
P.S: I know that "eval" is deprecated in 3.0, but what I'm asking is the reason I can't update the role.

Mongodb add superuser

I tried adding a 'root' superuser in admin but he can't do anything.
> show users
{
"_id" : "admin.superuser",
"user" : "superuser",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
I would like to create admins, users databases, remove, add, edit etc. everything. I know this is not recommended but I'm prototyping, this is not production.

db.dropUser("user") returning false when logged in as root

I am logged in with the following:
{
"_id" : "admin.root",
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
The following happens:
> use mydb
switched to db mydb
> db.dropUser("mydbReadWrite")
false
I suspect I do not have the roles, I am root?
It was correct, the user was somehow dropped before without notifying me(hmm...). So it returned false as the user did not exist.
may be you need switch to the db that you create the uesr "mydbReadWrite"