I tried adding a 'root' superuser in admin but he can't do anything.
> show users
{
"_id" : "admin.superuser",
"user" : "superuser",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
I would like to create admins, users databases, remove, add, edit etc. everything. I know this is not recommended but I'm prototyping, this is not production.
Related
I've created an user xyz with "read" permissions an a given Databases:
{
"_id" : "admin.xyz",
"userId" : UUID("12345trntr4-3465465465771-4d6nre9-96rnc51-96rntrndfb33affebe"),
"user" : "user01",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "08154711",
"storedKey" : "raunuqfiagnuiraed132c4=",
"serverKey" : "LH89uhiearnuiae323cj3k="
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "nuqfgiaeh98hepQFGHdmnudtrianefqX1Ag==",
"storedKey" : "nDuqfgiaeh98hepQFGHdmnudtrianefqmaM=",
"serverKey" : "zNuqfgiaeh98hepQFGHdmnudtrianefqDI="
}
},
"roles" : [
{
"role" : "read",
"db" : "myDatabase01"
},
{
"role" : "read",
"db" : "myDatabase02"
}
]
}
And in fact, if I connect with a DB-Client, and try to enter new Dataset it is denied.
BUT, it is still possible to EDIT an existing entry.
Question
How to I archive to have a user, who has read-only permission, but is not allowed to update (or change anything at all) in the Database?
Can you check whether user1 has some edit role(s) in the DB itself (not in admin DB)?
e.g. by running
use myDatabase01;
db.getUser("user1");
use myDatabase02;
db.getUser("user1");
A possible readWrite role defined on the specific DB (not in admin DB) might explain the weird situation that you are experiencing.
How can I fix the situation where I can not add a password?
db.createUser({user:'root',pwd:'hello!0.', roles:[{role:'userAdminAnyDatabase', db:'admin'}]})
Successfully added user: {
"user" : "root",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}`
Mongodb defaults without permission access so you need to open access access auth = ture
I added an 'admin' user in the admin db, with roles on admin db and another db :
[admin] user: yves>db.auth("isabelle", "abc123")
1
[admin] user: isabelle>db.getUser("isabelle")
{
"_id" : "admin.isabelle",
"user" : "isabelle",
"db" : "admin",
"roles" : [
{
"role" : "userAdmin",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "cockpit"
}
]
}
I am testing that this user cannot admin the 'test' database ( updating a tester user email )
[admin] user: isabelle>use test
switched to db test
[test] user: isabelle>db.updateUser(
... "myTester",
... {
... customData: {email: "mytester#example.com"}
... }
... )
As 'isabelle' has no roles on 'test' db , she should not be allowed to update any user on this db ... (?)
but it is ...
[test] user: isabelle>db.getUser("myTester")
{
"_id" : "test.myTester",
"user" : "myTester",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "reporting"
}
],
"customData" : {
"email" : "mytester#example.com"
}
}
what am I missing ?
do the isabelle' role 'userAdmin' on 'admin' db allow it ?
I tried to remove it, but it deosn(t change anything ...
I also tried to move isabelle in the cockpit database, with dbOwner role, it doesn't change anything... isabelle is still able to update myTester user in the test database...
how can I restrict isabelle to admin only the 'cockpit' db ( managing users and roles for this db ..?
thanks for enlightment ...
Add to your mongod.conf
security:
authorization: enabled
Also check this mongodb link.
I am logged in with the following:
{
"_id" : "admin.root",
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
The following happens:
> use mydb
switched to db mydb
> db.dropUser("mydbReadWrite")
false
I suspect I do not have the roles, I am root?
It was correct, the user was somehow dropped before without notifying me(hmm...). So it returned false as the user did not exist.
may be you need switch to the db that you create the uesr "mydbReadWrite"
I just upgraded to 2.6. I run the authSchemaUpgrade. But after that, I managed to remove all users from the database (Its a private small database, so that is nothing too bad). Now I have created a new user admin:
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
After I have db.auth("admin","..") on the admin database I should be able to query any other databases too, but after I do:
user otherDatabase
show collections
I get:
2014-06-09T09:33:36.853+0000 error: {
"$err" : "not authorized for query on otherDatabase.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
What am I missing?
You need to give your admin user the role readWriteAnyDatabase in order to allow that user to query other databases.
You may want to also consider giving your admin user dbAdminAnyDatabase and clusterAdmin roles.