I am creating user in mongo db who can perform following operation on database :-
createCollection
createIndex
find
insert
update
But user can't remove or delete record from database/collection .
I am using following code :-
db.addUser({
user:"rwUser", pwd:"password",
roles:["readWrite"]
})
But this user can delete record too . how can i restrict user to delete record from database.
You could create a custom role with the wanted privileges: http://docs.mongodb.org/manual/tutorial/define-roles/
Connect to your mongo and db.createRole with the wanted privileges. You can find the privileges listed here: http://docs.mongodb.org/manual/reference/privilege-actions/. Then just grant the user this role or create a user with this role.
The privileges you want here are:
createCollection
createIndex
find
insert
update
So for example:
db.createRole(
{
role: "foobarRole",
privileges: [
{ resource: { db: "exampleDb", collection: "bar" }, actions: [ "createCollection", "createIndex", "find", "insert", "update" ] }
],
roles: []
}
)
And grant this to an existing user:
db.grantRolesToUser(
"foobarUser",
[
{ role: "foobarRole", db: "exampleDb" }
]
)
Related
In MongoDB, I want to create a role with read/write access to all collections in a database, how would I do that? I'm using
db.createRole({
role: "rolenamehere",
privileges: [
{
resource: {
role: 'readWrite',
db: 'dbnamehere'
}, actions: ["find"]
}
],
roles: []
})
to create a role, but it gives me the error
MongoServerError: resource must set both db and collection or neither, but not exactly one.
Am I able to specify all collections, or do I have to add each collection to it manually?
Specify resource document with both db and collection. If you want to apply the privilege to all collections, the give empty string as - { db: "test", collection: "" }
Refer - Specify a database as resource
I have enabled collection level access on my MongoDB database. I want my users to access their own collection(and not others) in the Database while connecting from Robo3T. But, after connecting to the database, Robo 3T won't allow to browse the collections list and pop the below error:
Error:
ListCollections failed: { ok: 0.0, errmsg: "not authorized on
DssScheduler to execute command { listCollections: 1, filter: {},
cursor: {}, $readPreference: { mode: "secondaryPreferred" }, $db:
...", code: 13, codeName: "Unauthorized" }
So, I tried to set the database privileges as below:
db.createRole({ role: "collAReadWrite",
privileges: [
{ resource:
{ db: "MyDB", collection: "collA"
},
actions: ["find","insert","update","remove"]
},
{ resource:
{ db: "MyDB", collection: "collB"
},
actions: ["find"]
},
{ resource:
{ db: "MyDB", collection: "collC"
},
actions: ["find"]
}
],
roles: []
})
I expected this to work as I gave read access to the user for all the collections but write access to only collectionA. After this I assigned the user the above role using the command below:
db.createUser(
{
user: "collAUser",
pwd: "collAUserPassxxxxxxx",
roles: [ { role: "collAReadWrite", db: "MyDB" } ]
}
)
Still Robo 3T pops the same error up.
Would appreciate any help on this !
Due to a change in MongoDB 4.0, Studio 3T or Robo 3T users running a server instance of MongoDB 4.0+ who experience incomplete collection listings are kindly asked to review the privileges of the corresponding MongoDB database user account.
Please make sure that sufficient privileges - which allow a user to list the collections of a database - have been assigned. One possible fix is to update a user's roles to include the privilege to run the operation/action "listCollections" on a database.
Add the following to privileges[].
{ resource:
{ db: "MyDB", collection: "" },
actions: ["listCollections"] }
}
Listing collections will show all collections in the db, not just those the user has access to.
I'm trying to create an extended role that allows
- read/write on any database
- allow collMod on any database
- allow createCollection on any database
- readonly on admin database
I tried the following
use admin
db.runCommand({ createRole: "_ReadWriteAnyDatabase",
privileges: [
{ resource: { db: "", collection: "" }, actions: [ "collMod", "createCollection" ] }
],
roles: [
"readWriteAnyDatabase",
{ role: "read", db : "admin" }
]
})
then I created the user on the admin database, because I wasn't able to create the user on an alternative database
but i found out that I can create and delete collections on the admin database
mongo admin -u user1 -p user1
db.createCollection('mycollection')
{ ok : 1 }
db.mycollection.drop()
{ ok : 1 }
If you give user "readWriteAnyDatabase" role, you cannot exclude admin DB. So, solution is give use "readWrite" role to all other databases, but then that users cannot create new databases.
You can create script (loop; forEach()) what lists all databases (excluding admin, local, config) and grant "readWrite" right to user.
I have database traffic and in that two collections readMe and readWriteMe.
I want to create a user in mongoDB that can do the following -
read the readMe collection.
read and write to the readWriteMe collection.
can create new collection and have readWrite authorization to that collection.
I have role say myRole - I tried giving following privileges to this role
privileges: [
{ resource: { db: "traffic", collection: "" }, actions: [ "find", "insert", "remove" ] },
{ resource: { db: "traffic", collection: "readMe"}, actions: ["find"]},
]
but it allows to insert in readMe collection too!
This raises the question - what happens in the case of conflicting privileges. Which is given more priority etc.
I think it's because you are not specifying the collection name on the first permission. Try:
privileges: [
{ resource: { db: "traffic", collection: "readWriteMe" }, actions: [ "find", "insert", "remove" ] },
{ resource: { db: "traffic", collection: "readMe"}, actions: ["find"]}
]
If you want the same user to create collections and be able to readWrite them, I think it's impossible to not grant enough privileges without him being able to somehow read and write your readMe collection. You could try applying the createCollection along with grantRole but this would allow the user to self assign the readWrite role to itself for the readMe collection too
First I tried db.eval() for my local mogodb server.It is working fine.I used this example
Then I tried the same thing with MongoLab.But I got this error message.
The error say not authorized to execute command.Can you explain why this error message.thanks
Eval is a powerfull, dangerous and deprecated action that mLab don't give.
In a local mongo db you should create a role:
use admin
db.createRole(
{
role: "dangerEval",
privileges : [
{ resource: {anyResource: true }, actions : ["anyAction"] },
// or this for grant anyAction only on a single db:
{ resource: {db: "myDb", collection: "" }, actions: [ "anyAction" ] }
],
roles: []
}
)
Then you can assign this role to a user:
db.createUser({
user: "temporaneyEvalUser",
pwd: "psw",
roles: [ { role: "dangerEval", db: "myDb" } ]
});
So you have to choose another way to archive your target or change mongo installation.