I am going to have my collections named as 'a', 'a.b', 'a.b.c'... in the format of a package names.
I want to create roles in mongodb like below,
db.createRole(
{
role: "regexAccess",
privileges: [
{ resource: { db: "scriptrepo", collection: "a.*" }, actions: [ "find","update","insert","remove" ] }
],
roles: []
}
)
Is it possible to do such a thing in MongoDB?
It is not possible to use regex in the name of the collections while creating roles. The exact name of the collection's are to be used.
Related
In MongoDB, I want to create a role with read/write access to all collections in a database, how would I do that? I'm using
db.createRole({
role: "rolenamehere",
privileges: [
{
resource: {
role: 'readWrite',
db: 'dbnamehere'
}, actions: ["find"]
}
],
roles: []
})
to create a role, but it gives me the error
MongoServerError: resource must set both db and collection or neither, but not exactly one.
Am I able to specify all collections, or do I have to add each collection to it manually?
Specify resource document with both db and collection. If you want to apply the privilege to all collections, the give empty string as - { db: "test", collection: "" }
Refer - Specify a database as resource
I am have created some of views that JSON i want to provide to frontend developers. i want front-end developer to access this views only. not the entire collection or database. this views contains cross-collection "$lookup" aggregations.
how could we create user with roles that have only access to "views" of the "db" only not even "collections"?
Permissions in MongoDB are based on roles. Would be like this:
const admin = db.getSiblingDB("admin")
admin.createRole({ role: "read_views", privileges: [], roles: [] })
admin.grantPrivilegesToRole("read_views", [
{
resource: { db: "<database name>", collection: "<view name>" },
actions: ["find"]
}
])
I'm wondering id there is a way to create a new user for a database who can only manage his the documents he has created.
I've read almost everything regarding roles and custom roles in the MongoDB documentation but couldn't find what I'm looking for.
What I need is to create a user who can only create documents (not collections), reads others' documents, edit delete his own documents, and not to be able to edit nor delete documents were created by other users.
Is this possible?
If not, is there a workaround I can implement?
At the point of creating the document, you can pass the user's id as one of the attributes so when you want to update or delete that document, you perform a check if the user that is trying to update that document is the person that initially created it.
Something has attributes moviename, dataAdded, userid
userId=12;
const data = Something.findOne({someDocument});
if(userId==data.userid){
//perform update/delete
}else{
//return error
}
There is nothing built-in but you can use custom roles like this:
db.getSiblingDB("admin").createRole({
role: "myDefaultRole",
privileges: [
{
resource: { db: "myDB", collection: "myCollection" },
actions: ["update", "insert", "remove", "find"]
}
]
})
db.getSiblingDB("admin").createRole({
role: "mySuperRole",
privileges: [ {<maybe some additional privileges>} ],
roles: [{ role: "myDefaultRole", db: "admin" }, {<maybe some additional roles>}]
})
db.getSiblingDB("admin").createUser({
user: "user1",
pwd: passwordPrompt(),
roles: [{ role: "mySuperRole", db: "admin" }]
})
db.getSiblingDB("admin").createUser({
user: "user2",
pwd: passwordPrompt(),
roles: [{ role: "myDefaultRole", db: "admin" }]
})
function hasRole(v_user, v_role) {
return v_user != null && db.getSiblingDB(v_user.db).getUser(v_user.user, { filter: { roles: v_role } }) != null;
}
And then use it like this:
const currentUser = db.runCommand({ connectionStatus: 1 }).authInfo.authenticatedUsers.shift();
use myDB
db.myCollection.insertOne({ user: currentUser });
var data = db.myCollection.findOne({ someDocument });
if (data.user == currentUser || hasRole(currentUser, { role: "mySuperRole", db: "admin" })) {
//perform update/delete
} else {
//return error
}
Note, users and roles can be defined in several databases. Thus you should check both, the database and user names. I prefer to create them commonly in the admin database.
Instead of custom roles you may also use field customData, but I think custom roles are more flexible.
I have database traffic and in that two collections readMe and readWriteMe.
I want to create a user in mongoDB that can do the following -
read the readMe collection.
read and write to the readWriteMe collection.
can create new collection and have readWrite authorization to that collection.
I have role say myRole - I tried giving following privileges to this role
privileges: [
{ resource: { db: "traffic", collection: "" }, actions: [ "find", "insert", "remove" ] },
{ resource: { db: "traffic", collection: "readMe"}, actions: ["find"]},
]
but it allows to insert in readMe collection too!
This raises the question - what happens in the case of conflicting privileges. Which is given more priority etc.
I think it's because you are not specifying the collection name on the first permission. Try:
privileges: [
{ resource: { db: "traffic", collection: "readWriteMe" }, actions: [ "find", "insert", "remove" ] },
{ resource: { db: "traffic", collection: "readMe"}, actions: ["find"]}
]
If you want the same user to create collections and be able to readWrite them, I think it's impossible to not grant enough privileges without him being able to somehow read and write your readMe collection. You could try applying the createCollection along with grantRole but this would allow the user to self assign the readWrite role to itself for the readMe collection too
I want each MongoDB [sub] database to have access to a specific database (central); as well as access to query anything within their own database/namespace.
How do I set this up? - I am using mongoengine BTW.
You can use collection level authentication as outlined here: http://docs.mongodb.org/manual/core/authentication/
Specifically this section of the authentication manual:
http://docs.mongodb.org/manual/reference/system-roles-collection/#a-user-defined-role-specifies-privileges
You can set permissions with documents:
{
_id: "myApp.appUser",
role: "appUser",
db: "myApp",
privileges: [
{ resource: { db: "myApp", collection: "data" },
actions: [ "insert", "update", "remove", "compact" ] },
{ resource: { db: "myApp", collection: "system.indexes" },
actions: [ "find" ] }
]
}