We Keep Coding

How to create custom rule for a mongodb user

How to create a mongodb user who can read write but not delete a document.
As mistakes can happen so some people may want to disable delete option for users. which can be achieved using the below tutorial.
It took me few minutes to find so sharing so it may reduce some peoples time in searching.

In order to do that we have to create a role.
Go to admin db
use admin
then execute the below command
db.createRole(
{
role: "customROle",
privileges: [
{ resource: { cluster: true }, actions: [ "addShard" ] },
{ resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert"] },
{ resource: { db: "", collection: "" }, actions: [ "update", "insert", "find" ] }
],
roles: [
{ role: "readWrite", db: "admin" }
]
},
{ w: "majority" , wtimeout: 5000 }
)
Note: You can give a specific db access too and give only read access or something like that.
Then we can add the role to a user by using the below command.
db.createUser(
{ user: "gokul",
pwd: "gokul123",
roles:[{role: "customROle" , db:"admin"}]})

Can't execute listCollections in collection level role based access in MongoDB using Robot 3T

I have enabled collection level access on my MongoDB database. I want my users to access their own collection(and not others) in the Database while connecting from Robo3T. But, after connecting to the database, Robo 3T won't allow to browse the collections list and pop the below error:
Error:
ListCollections failed: { ok: 0.0, errmsg: "not authorized on
DssScheduler to execute command { listCollections: 1, filter: {},
cursor: {}, $readPreference: { mode: "secondaryPreferred" }, $db:
...", code: 13, codeName: "Unauthorized" }
So, I tried to set the database privileges as below:
db.createRole({ role: "collAReadWrite",
privileges: [
{ resource:
{ db: "MyDB", collection: "collA"
},
actions: ["find","insert","update","remove"]
},
{ resource:
{ db: "MyDB", collection: "collB"
},
actions: ["find"]
},
{ resource:
{ db: "MyDB", collection: "collC"
},
actions: ["find"]
}
],
roles: []
})
I expected this to work as I gave read access to the user for all the collections but write access to only collectionA. After this I assigned the user the above role using the command below:
db.createUser(
{
user: "collAUser",
pwd: "collAUserPassxxxxxxx",
roles: [ { role: "collAReadWrite", db: "MyDB" } ]
}
)
Still Robo 3T pops the same error up.
Would appreciate any help on this !

Due to a change in MongoDB 4.0, Studio 3T or Robo 3T users running a server instance of MongoDB 4.0+ who experience incomplete collection listings are kindly asked to review the privileges of the corresponding MongoDB database user account.
Please make sure that sufficient privileges - which allow a user to list the collections of a database - have been assigned. One possible fix is to update a user's roles to include the privilege to run the operation/action "listCollections" on a database.

Add the following to privileges[].
{ resource:
{ db: "MyDB", collection: "" },
actions: ["listCollections"] }
}
Listing collections will show all collections in the db, not just those the user has access to.

How to remove dropCollection access right from users in MongoDB?

Created a MongoDB user with readWrite access to a collection. But I don't want to give dropCollection access right to that user. How can I implement that.
Thanks.

You can define your custom role for your purpose.
You can also extend existing roles, by inheriting with the admin.system.roles.roles field of your custom role.
Here is an example custom role
{
role: "YourRole",
db: "YourDatabase",
privileges:
[
{
resource: {db: "YourDatabase", collection: "OneOfCollections"},
actions: ["find", "insert", "update", "remove", "createIndex" ...]
},
{
resource: {db: "YourDatabase", collection: "AnotherCollection"},
actions: ["find", "insert", "update", "remove", "createIndex" ...]
},
.
.
.
],
roles:
[
{ role: "RoleYouWantToInherit", db: "TheDatabaseRoleIsDefinedFor" },
...
]
}

#n9code.
Running following query on admin collection gives an error.
db.runCommand({
createRole:"mynew",
priviliges : [..],
roles: [
{ role: "read", db: "admin" }
],
writeConcern: { w: "majority" , wtimeout: 5000 }
})
showing "error msg:no such cmd creareRole"

MongoLab not authorized for db.eval

First I tried db.eval() for my local mogodb server.It is working fine.I used this example
Then I tried the same thing with MongoLab.But I got this error message.
The error say not authorized to execute command.Can you explain why this error message.thanks

Eval is a powerfull, dangerous and deprecated action that mLab don't give.
In a local mongo db you should create a role:
use admin
db.createRole(
{
role: "dangerEval",
privileges : [
{ resource: {anyResource: true }, actions : ["anyAction"] },
// or this for grant anyAction only on a single db:
{ resource: {db: "myDb", collection: "" }, actions: [ "anyAction" ] }
],
roles: []
}
)
Then you can assign this role to a user:
db.createUser({
user: "temporaneyEvalUser",
pwd: "psw",
roles: [ { role: "dangerEval", db: "myDb" } ]
});
So you have to choose another way to archive your target or change mongo installation.

Limit query to only access objects within namespace?

I want each MongoDB [sub] database to have access to a specific database (central); as well as access to query anything within their own database/namespace.
How do I set this up? - I am using mongoengine BTW.

You can use collection level authentication as outlined here: http://docs.mongodb.org/manual/core/authentication/
Specifically this section of the authentication manual:
http://docs.mongodb.org/manual/reference/system-roles-collection/#a-user-defined-role-specifies-privileges
You can set permissions with documents:
{
_id: "myApp.appUser",
role: "appUser",
db: "myApp",
privileges: [
{ resource: { db: "myApp", collection: "data" },
actions: [ "insert", "update", "remove", "compact" ] },
{ resource: { db: "myApp", collection: "system.indexes" },
actions: [ "find" ] }
]
}