We Keep Coding

How to disallow a mongoDB user to update dataset?

I've created an user xyz with "read" permissions an a given Databases:
{
"_id" : "admin.xyz",
"userId" : UUID("12345trntr4-3465465465771-4d6nre9-96rnc51-96rntrndfb33affebe"),
"user" : "user01",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "08154711",
"storedKey" : "raunuqfiagnuiraed132c4=",
"serverKey" : "LH89uhiearnuiae323cj3k="
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "nuqfgiaeh98hepQFGHdmnudtrianefqX1Ag==",
"storedKey" : "nDuqfgiaeh98hepQFGHdmnudtrianefqmaM=",
"serverKey" : "zNuqfgiaeh98hepQFGHdmnudtrianefqDI="
}
},
"roles" : [
{
"role" : "read",
"db" : "myDatabase01"
},
{
"role" : "read",
"db" : "myDatabase02"
}
]
}
And in fact, if I connect with a DB-Client, and try to enter new Dataset it is denied.
BUT, it is still possible to EDIT an existing entry.
Question
How to I archive to have a user, who has read-only permission, but is not allowed to update (or change anything at all) in the Database?

Can you check whether user1 has some edit role(s) in the DB itself (not in admin DB)?
e.g. by running
use myDatabase01;
db.getUser("user1");
use myDatabase02;
db.getUser("user1");
A possible readWrite role defined on the specific DB (not in admin DB) might explain the weird situation that you are experiencing.

MongoDB Auth Error running Local on MACOS

I installed Locally on mac. Created user superuser with root privledges as per MongoDB Docs:https://docs.mongodb.com/guides/server/auth/#procedure
> db.createUser({user:"superuser",pwd:"strongPassword",roles:["root"]})
Successfully added user: { "user" : "superuser", "roles" : [ "root" ] }
> show users
{
"_id" : "admin.superuser",
"userId" : UUID("f873bafd-8d9b-4d2d-95a2-95d9e05db25d"),
"user" : "superuser",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
launch it with
resulting in running mongodb instance:
"ctx":"listener","msg":"Waiting for connections","attr":{"port":27017,"ssl":"off"}}
then I mongo --port 27017
use admin
response: switched to db admin
here's the kicker:
I input
db.auth("superuser","strongPassword")
and then
0```
This is the output in the running mongod client:
```{"t":{"$date":"2021-03-15T14:41:11.167-05:00"},"s":"I", "c":"ACCESS", "id":20251, "ctx":"conn1","msg":"Supported SASL mechanisms requested for unknown user","attr":{"user":"superuser#admin"}}
{"t":{"$date":"2021-03-15T14:41:11.168-05:00"},"s":"I", "c":"ACCESS", "id":20249, "ctx":"conn1","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"superuser","authenticationDatabase":"admin","client":"127.0.0.1:51532","result":"UserNotFound: Could not find user \"superuser\" for db \"admin\""}}
Please help me? Seems pretty straightforward what my problem is here. Followed the mongoDb docs exactly, and then just totally failing to see my user. What's the trick here?

mongodb user can login without any authentication

When you first install mongodb, there is no root user. You simply start mongo with (if on mac osx) "mongod --dbpath='/usr/local/var/mongodb'", and then run mongo in the shell and it will connect you without any authentication.
I create the admin user in the admin database:
> db
admin
> db.createUser({
"user" : "test1",
"pwd" : "test1",
"roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]
})
> db.getUsers()
[
{
"_id" : "admin.test1",
"user" : "test1",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]
Now I connect to mongo shell as admin user:
> db
admin
> db.runCommand({connectionStatus : 1})
{
"authInfo" : {
"authenticatedUsers" : [
{
"user" : "test1",
"db" : "admin"
}
],
"authenticatedUserRoles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
},
"ok" : 1
}
I start mongod with access control:
$ sudo mongod --auth --port 27017 --dbpath=.
Password:
2020-04-16T20:28:40.656-0400 I CONTROL [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
2020-04-16T20:28:40.672-0400 I CONTROL [initandlisten] MongoDB starting : pid=8441 port=27017 dbpath=. 64-bit
I even turned on security:
$ cd /usr/local/etc/
$ vim mongod.conf
security:
authorization: "enabled"
Yet I can simply login with just "mongo":
$ mongo admin
MongoDB shell version v4.0.4
connecting to: mongodb://127.0.0.1:27017/admin
Implicit session: session { "id" : UUID("95879725-00ed-4cee-bd43-8ba093df1e19") }
MongoDB server version: 4.0.4
> db.runCommand({connectionStatus : 1})
{
"authInfo" : {
"authenticatedUsers" : [ ],
"authenticatedUserRoles" : [ ]
},
"ok" : 1
}
This is wild. What else must I do? Unless there is some type of automatic login when logged into the ip the server is running on?

Some commands do not require authentication. Try reading or writing to a collection.
Authentication itself is performed via a sequence of commands (you can read about those here) therefore some of the commands must by necessity not require authentication.
Some commands return different responses based on whether a connection is authenticated. For example, try {ismaster:1} with and without authentication.

See / setup a user with MongoDB Compass?

With MongoDB Compass is it possible to see users for a database or create new ones?

Ive managed it on the command line with:
mongo
use (my database name)
db.createUser( { user: "myuser", pwd: "password", roles: ["readWrite"] })
However I would still much prefer a GUI to do this.

No, it isn't (at least until version 1.20.4 of Compass)

If you're trying to create a new DB with a user that "owns" that DB (i.e. has read/write and admin commands for that DB), here's how to do that using only MongoDB Compass:
Open up MongoDB Compass and connect with your admin user.
Create a new DB with the "+" button at bottom of the DB list.
Click the MONGOSH shelf/tab at the bottom of the screen and paste this:
use NAME_OF_NEW_DB
db.createUser(
{
user: "NAME_OF_NEW_USER",
pwd: "NEW_USER_PASSWORD",
roles: [ { role: "dbOwner", db: "NAME_OF_NEW_DB" } ]
}
)
Other roles are explained in the MongoDB docs.

If I run a command in CLI after made up a user. I can see that by using this command.
db.system.users.find().pretty()
{
"_id" : "admin.admin",
"userId" : UUID("****"),
"user" : "admin",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "***",
"storedKey" : "***",
"serverKey" : "***"
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "***",
"storedKey" : "***",
"serverKey" : "***"
}
},
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
But I can't see the 'system.users' collection in the Compass client.
I think, the Compass does not support this the listing and creating user features.
But, if you use other client (eg. TablePlus), You can see those hidden documents

Mongodb db.dropUser() ReferenceError: is not defined

> use mydb
switched to db mydb
> show users
{
"_id" : "mydb.mydbReadWrite",
"user" : "mydbReadWrite",
"db" : "mydb",
"roles" : [
{
"role" : "readWrite",
"db" : "mydb"
}
]
}
> db.dropUser(mydbReadWrite)
2015-03-29T03:55:52.276+0200 E QUERY ReferenceError: mydbReadWrite is not defined
at (shell):1:13
I don't understand? I am logged in with a root user.

db.dropUser(mydbReadWrite)
instead use:
db.dropUser("mydbReadWrite")