I had create an account on "admin" database with roles :
roles:["readWriteAnyDatabase","userAdminAnyDatabase","dbAdminAnyDatabase”,”root"]
Is it an highest privileges account ?
If not which roles have I missing ?
I want this "admin" account can manage all the action on database mongo includes replicate set , sharding ...
The privileges mentioned by you should manage all the actions on a single mongod instance. As you want to manage the replica set also, I would suggest you to add clusterAdmin privilege as well.
It potentially contains the clusterManager, clusterMonitor, and hostManager including dropping database action.
So, update the admin user with clusterAdmin role to get the absolute control on your mongod cluster.
ref: https://docs.mongodb.org/manual/reference/built-in-roles/
Related
I was practicing ont mongodb documentation : https://docs.mongodb.com/manual/tutorial/enable-authentication/
and I can't figure out if the "admin" database in the example is just a database created for the tutorial or if it is a built-in database made specifically for managing admin users.
Thanks in advance.
The main purpose of this admin database is to store system collections and user authentication and authorization data, which includes the administrator and user's usernames, passwords, and roles. Access is limited to only to administrators, who have the ability to create, update, and delete users and assign roles.
When you create a database in MongoDB you don’t have authentication enabled, the user has all the privileges and roles over that database, you even have access to the database remotely if the firewall doesn’t have port 27017 blocked.
There are two special databases admin and local, users of these databases can perform operations such as those mentioned in the document on other databases to which they have access. In a development environment it is convenient not to worry about users and passwords, however, when users interact with the database remotely on an application, it is essential to activate user authentication.
The admin database is built-in database. Apart from user authentication and authorization data it also includes Roles for administering the whole system rather than just a single database. These roles are mainly related to replica set and sharded cluster administrative functions.
Roles which are created in other database than admin can only include privileges that apply to its database and can only inherit from other roles in its database.
A role created in the admin database can include privileges that apply to any database or to the cluster resource, and can inherit from roles in other databases as well as the admin database.
I am writing a program that operates on one main mongoDb but may create new mongo databases.
I am trying to figure out what are the minimal rights that the mongoDbUser (used by my program) needs in order to be able to create new databases and have readWrite access to the databases it has created.
Your mongoDbUser user needs the role: readWriteAnyDatabase.
From the docs:
readWriteAnyDatabase
Provides the same read and write privileges as readWrite on all databases except local and config. readWriteAnyDatabase also provides the listDatabases privilege action on the cluster.
I have created MongoDB deployment (replica set) using MMS Portal. I have enabled authentication in MMS portal, so that DB can be only accessed by providing credentials.
In MMS portal I don't find any option to assign oplog permission to user.
So, how can I create User with OpLog permission?
Background
Before posting this question I have searched for for the same, and found following link.
How to access to oplog MongoDB (MMS replica set)
Solution in above link is to create roles. But am not sure about this approach because, in MMS portal I can see many build-in roles but in admin database there is no system.roles collection!
INFO MongoDB version is 3.0.3
Here is how I added user with oplog access for MongoDB Replication set deployed via MMS.
In MMS Portal
Click Deployment -> MongoDB Users menu.
Click ADD USERS button.
In the form type database as admin, type preferred username & password, in roles enter root#admin (You can choose other roles as well which has create users privilege)
Now we have to login via mongo console.
mongo <domain.name>:<port>/admin -u <just_created_user> -p
Once inside mongo console type following command to create user with access to oplog
db.createUser({user: "oplogUser", pwd: "PASSWORD", roles: [{role: "read", db: "local"}]})
Now we can access oplog using following URL
mongodb://oplogUser:PASSWORD#<domain.name>:<port>/local?authSource=admin
I've created two users, who I thought were userAdmins. Unfortunately, when I login with them, I get permission denied for everything. If I login locally without providing a username or password, I get permission denied for everything. What can I do?
The users were created using the following commands
use admin
db.createUser(
{
user: "Nikhil",
pwd: "wouldntyouliketoknow",
roles: ["userAdminAnyDatabase" ]
}
)
Does userAdminAnyDatabase not mean what I think it means?
I'm using that you've got authorization security enabled for this to be happening. Why don't you just set security.authorization to disabled and restart mongod?
http://docs.mongodb.org/manual/reference/configuration-options/
As far as the command you issued it looks to be incorrect, should be something like this:
use admin
db.createUser(
{
user: "Nikhil",
pwd: "wouldntyouliketoknow",
roles:
[
{
role: "userAdminAnyDatabase",
db: "admin"
}
]
}
)
Note that you have to pass in a document with both the role and the db into the call.
Best starting point is here: http://docs.mongodb.org/manual/tutorial/enable-authentication/
This user is limited to the userAdmin role on all databases. If you want to perform additional actions you'll need to either grant yourself additional roles or create a new user who has them:
userAdminAnyDatabase
Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster. The role also provides the following actions on the cluster as a whole:
authSchemaUpgrade
invalidateUserCache
listDatabases
The role also provides the following actions on the admin.system.users and admin.system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:
collStats
dbHash
dbStats
find
killCursors
planCacheRead
The userAdminAnyDatabase role does not restrict the permissions that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.
http://docs.mongodb.org/manual/reference/built-in-roles/#built-in-roles
You can simply restart your MongoD without the auth options and it should happily allow you to login and do any operations.
Alternatively you can also enable the bypass for localhost authentication and connect from the same host where you the MongoD is running. You can find more information about it at http://docs.mongodb.org/manual/core/authentication/#localhost-exception
The above mentioned steps may have different behaviour based on version of MongoDB you are using and I would suggest looking up version specific documentation at the mentioned website.
I would like to know how database access roles work in Mongo DB. The 10 gen page below gives ample details on what the rights of each role are but I don't how to implement them.
http://docs.mongodb.org/manual/reference/user-privileges/
Do I need to add each role to my database? or is it already added?
Edit
I understand adding roles to users. However I don't see how the roles can be added to specific databases. I see the following warnings after I have added the user with any of the "default" roles :
warning: No such role, "dbAdminAnyDatabase", in database db1. No privileges will be acquired from this role
User privilege roles in MongoDB are granted to users. Users may have multiple roles, and may have different roles on different logical database. As at MongoDB 2.4, authentication is disabled by default and you must explicitly Enable Authentication and add credentials for an administrative user.
If you want to grant a user access to broader roles that apply to any database (eg. dbAdminAnyDatabase) you need to grant these roles in the admin user database. In your example where you received an error, you were trying to grant the dbAdminAnyDatabase role via database db1 instead of the admin db.
The MongoDB manual includes a tutorial with examples of adding to specific databases as well as the admin database:
Add a User to a Database
It's worth noting that the available roles/privileges have significantly more granularity in MongoDB 2.4 than previous versions. The available user privilege roles are currently pre-defined, but future versions of MongoDB may allow user defined roles -- watch/upvote SERVER-8580 in the MongoDB issue tracker for this feature request.