I am struggling with the MongoDB authorization system. I have an application with must execute some very precise defined db.eval() statements. As we all know, this function requires special privileges.
I tried
use admin
db.createRole({ role: "dbEval", privileges: [{ resource: {anyResource: true}, actions: ["anyAction"]}], roles:[ { role: "readWrite", db: "test" }]})
use test
db.createUser({ user: "default", pwd: "default", roles: [ { role: "dbEval", db: "test" }] })
But I get the error message
Error: couldn't add user: No role named dbEval#test
How can I create a user in "admin" and let him allow "dbEval" role to be used in "test"?
Thanks!
Related
What would be the configuration/command for creating a role which can be applied to a user in MongoDB so that the user is unable to drop a collection?
Check the mongoDB documentation for creating user roles and privileges.
http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
In general, for a non-admin role, only providing read access will prevent a user from dropping a collection. The code below is taken from the mongo docs and demonstrates access modifications for various collections.
use reporting
db.createUser(
{
user: "reportsUser",
pwd: "12345678",
roles: [
{ role: "read", db: "reporting" },
{ role: "read", db: "products" },
{ role: "read", db: "sales" },
{ role: "readWrite", db: "accounts" }
]
}
)
I have 22 databases on a single MongoDB instance. I came across root role of MongoDB authentication. I want to create a single user which can do anything to existing database as well as create new database and manage them fully. I ran the following command but it doesn't allow me to access any database except admin.
use admin
db.createUser(
{
user: "iamroot",
pwd: "<pa$$w0rd>",
roles: [ "root" ]
})
It only stores root role for admin database only. How can I apply root role to all existing database as well as on new database if added? Is there only one way to supply all the DB name in roles array like this to achieve what I want?
use admin
db.createUser(
{
user: "iamroot",
pwd: "<pa$$w0rd>",
roles: [
{ role: "root", db: "db_1" },
{ role: "root", db: "db_2" },
{ role: "root", db: "db_n" },
]
})
You would need to assign root for admin db explicitly I guess.
For me the following worked (am on version: 3.4.23):
use admin
db.createUser(
{
user: "iamroot",
pwd: "<pa$$w0rd>",
roles: [
{ role: "root", db: "admin" }
]
})
What would be the configuration/command for creating a role which can be applied to a user in MongoDB so that the user is unable to drop a collection?
Check the mongoDB documentation for creating user roles and privileges.
http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
In general, for a non-admin role, only providing read access will prevent a user from dropping a collection. The code below is taken from the mongo docs and demonstrates access modifications for various collections.
use reporting
db.createUser(
{
user: "reportsUser",
pwd: "12345678",
roles: [
{ role: "read", db: "reporting" },
{ role: "read", db: "products" },
{ role: "read", db: "sales" },
{ role: "readWrite", db: "accounts" }
]
}
)
First I tried db.eval() for my local mogodb server.It is working fine.I used this example
Then I tried the same thing with MongoLab.But I got this error message.
The error say not authorized to execute command.Can you explain why this error message.thanks
Eval is a powerfull, dangerous and deprecated action that mLab don't give.
In a local mongo db you should create a role:
use admin
db.createRole(
{
role: "dangerEval",
privileges : [
{ resource: {anyResource: true }, actions : ["anyAction"] },
// or this for grant anyAction only on a single db:
{ resource: {db: "myDb", collection: "" }, actions: [ "anyAction" ] }
],
roles: []
}
)
Then you can assign this role to a user:
db.createUser({
user: "temporaneyEvalUser",
pwd: "psw",
roles: [ { role: "dangerEval", db: "myDb" } ]
});
So you have to choose another way to archive your target or change mongo installation.
Following users are created in mongodb
first user created with name "user" having read write role for "project" database
use project
db.createUser(
{
user: "user",
pwd: "user123",
roles: [
{ role: "readWrite", db: "project" },
{ role: "readAnyDatabase", db:"admin" }
]
}
)
second user created with name "stud" having read write role for "student" database
use student
db.createUser(
{
user: "stud",
pwd: "stud123",
roles: [
{ role: "readWrite", db: "stud" },
{ role: "readAnyDatabase", db:"admin" }
]
}
)
When I connected to database having name project using "user" I am getting project as well as student database. Also to able to add collection in student database. I havent give any permission to "user" to access student database. Still it is possible to access student database. How to avoid it?