I'm trying to update the roles of a user.
So I tried the following command with the admin-user (which has the dbOwner and userAdmin priv. and is created directly on the UnitTestDb)
db.runCommand({ "updateUser" : "unittestuser1", "roles" : [{ "role" : "Testentity_readwrite", "db" : "UnitTestDb" }, { "role" : "Testentity_read", "db" : "UnitTestDb" }] }
I'm running this command directly on the "UnitTestDb" and the role "Testentity_read" is also directly created in this database.
I'm getting the following error:
{
"ok" : 0,
"errmsg" : "not authorized on UnitTestDb to execute command { updateUser: \"unittestuser1\", roles: [ { role: \"Testentity_readwrite\", db: \"UnitTestDb\" }, { role: \"Testentity_read\", db: \
"UnitTestDb\" } ] }",
"code" : 13
}
I am able to update the customData for the user but not the role...
Can someone tell me which privilege or role my admin user needs to execute this update?
dbOwner should have full access to database he was created on ( from mongodb.org: The database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.)
Tobias
I believe the issue is that updateUser requires additional rights on all databases. From the documentation:
Required Access
You must have access that includes the revokeRole action on all
databases in order to update a user’s roles array.
You must have the grantRole action on a role’s database to add a role
to a user.
Note the requirement for revokeRole on all databases, not just on the database involved.
I'd try using the db.grantRolesToUsers() command instead, as it does not require the same level of rights.
http://docs.mongodb.org/manual/reference/method/db.grantRolesToUser/
Required Access
You must have the grantRole action on a database to grant a role on
that database.
Alternatively you can make certain that user running the updateUser command has the revokeRole right on all databases.
Related
I want to enable free monitoring on my MongoDB standalone instance running on AWS. I had performed before enabling access control. After enabling, when I tried
db.enableFreeMonitoring()
it returns following error.
uncaught exception: Error: command failed: {
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { setFreeMonitoring: 1.0, action: "enable", lsid: { id: UUID("0483e6c8-4d96-4eae-9967-608838f07f42") }, $db: "admin" }",
"code" : 13,
"codeName" : "Unauthorized"
} :
As per the documentation, I have granted the admin clusterMonitor role. Still same error. Is there any other way?
I enabled monitoring by giving the user the role root
use admin;
db.grantRolesToUser('admin', [{ role: 'root', db: 'admin' }]);
You may want to think this through before assigning the user with 'root' privileges.
I believe dbOwner and adminUser roles could also accomplish the same task, although I have not tried them.
Here's the link to the documentation Role-Aased Access Control
I'm new in MongoDB and I just can not understand how the database works to the end. For a start, I'll explain what I want to do. It is necessary to make a form on the site through which new users will be added for the client program on WPF.NET in which the connection to the server will occur.
It is not clear to me where the user should be in the database in admin or in my database, what is it local, config dbs?
I watched the video and read for the authentification. Okay, I created the user, but it connects to the whole database, and so can read the data of another user. I mean that if someone wants to go to the server and hack into or overwrite the data of another client. Is it possible to give the client access to only a specific document?
Example:
Users: ClientUser1, ClientUser2, ClientUser3
Collection ClientCollection: Document1ForUser1Only, Document2ForUser2Only, Document3ForUser3Only
C# WPF .NET Client I Call
new MongoClient("mongodb://127.0.0.1:27017/?db=custom&user=ClientUser1&password=1234"
Access only for Document1ForUser1Only, because is it correct user account data.
Update1
It seems to me that all this can be done through roles. I did my part and pointed it to the user. But when I do a search for my collections, it shows me a mistake. And in the program Studio 3T I do not see any collection.
db.createRole({ role: "User",
privileges: [
{ resource: { db: "testdb", collection: "UserCollection" }, actions: [ "find", "update", "insert", "remove" ]}
],
roles: []
})
> show collections
2018-05-13T20:38:09.463+0300 E QUERY [thread1] Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on testdb to execute command {
listCollections: 1.0, filter: {}, $db: \"testdb\" }",
"code" : 13,
"codeName" : "Unauthorized"
} :
_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand#src/mongo/shell/db.js:941:1
DB.prototype.getCollectionInfos#src/mongo/shell/db.js:953:19
DB.prototype.getCollectionNames#src/mongo/shell/db.js:964:16
shellHelper.show#src/mongo/shell/utils.js:813:9
shellHelper#src/mongo/shell/utils.js:710:15
#(shellhelp2):1:1
I created a user and password for a database called student.:
db.createUser({user:'Catalin',pwd:'Catalin',roles:[{role:'userAdmin',db:'student'}]});
So I restarted MongoDB Server with this command:
mongod --auth --dbpath C:\data\db
in another terminal, I connected to the sever with:
mongo
then queried the server with :
> db.getUsers()
[
{
"_id" : "student.Catalin",
"user" : "Catalin",
"db" : "student",
"roles" : [
{
"role" : "userAdmin",
"db" : "student"
}
]
}
]
went to the student database:
> use student
switched to db student
Entered my username and password succesfully via this command:
> db.auth('Catalin','Catalin');
1
and when I want to view my collections I get an error, WHY?:
> show collections
2016-03-07T15:54:41.166+0300 E QUERY [thread1] Error: listCollections failed:
{
"ok" : 0,
**"errmsg" : "not authorized on student to execute command { listCollectio
ns: 1.0, filter: {} }",**
"code" : 13
} :
_getErrorWithCode#src/mongo/shell/utils.js:23:13
DB.prototype._getCollectionInfosCommand#src/mongo/shell/db.js:746:1
DB.prototype.getCollectionInfos#src/mongo/shell/db.js:758:15
DB.prototype.getCollectionNames#src/mongo/shell/db.js:769:12
shellHelper.show#src/mongo/shell/utils.js:695:9
shellHelper#src/mongo/shell/utils.js:594:15
#(shellhelp2):1:1
"errmsg" : "not authorized on student to execute command { listCollectio
ns: 1.0, filter: {} }",
P.S. : I'm using mongoDB 3.2
The userAdmin built-in role only provides the ability to create and modify roles and users on a database. If you need access to the database, you would need to either assign database roles, or other roles that has database access such as dbOwner.
Please see Built-in Roles for more detailed information.
You may also find these useful:
Manage users and roles.
Enable client access control.
If you are using version 5 or befor DataBase MongoDB, pay attention to this point. You should not write anything in the mongod.conf file in the /etc/mongod.conf path. Use the following two commands to update the dependencies.
install dependencies :
sudo apt install libgconf-2-4
sudo add-apt-repository universe
In MongoDB 2.6.1 I've setup a user with dbAdmin rights:
{
"_id" : "mydbname.myusername",
"user" : "myusername",
"db" : "mydbname",
"credentials" : {
"MONGODB-CR" : "<some credentials>"
},
"roles" : [
{
"role" : "dbAdmin",
"db" : "mydbname"
}
]
}
When I use the mongo shell to connect to the database (using -u and -p on command line) and run a query like this:
db.mycollectionname.find()
I get this error:
error: { "$err" : "not authorized for query on mydbname.request", "code" : 13 }
Any ideas what can be happening?
So far I've tried adding every role I can find to the user but that hasn't helped.
You need to assign the read role to the user in question.
The dbAdmin role does not include read access on non-system collections.
For anybody running into this problem against Mongo 3.0.6, I fixed by adding
?authMode=scram-sha1
at the end of my mongodb uri.
Here are some docs explaining the purpose of scram-sha1
In addition to #Sebastian's answer, that means explicitely:
Grant a Role
Grant a role using the db.grantRolesToUser() method. For example, the
following operation grants the reportsUser user the read role on the
accounts database:
db.grantRolesToUser(
"your_user",
[
{ role: "read", db: "your_db" }
]
)
I’m posting this because I had trouble finding this solution online. The problem is embarrassing but the error message and scenario make it somewhat difficult to figure out so I'm hoping to save someone some pain.
My application was able to establish a database connection, start and serve static pages but every time it tried to execute a query I got this error.
MongoError: not authorized on mydb to execute command { count: "urls", query: {} }
This error was caused by a userid and password with the wrong separator
mongodb://myuserid/mypassword#ds112345.mlab.com:12345/mydb [wrong]
mongodb://myuserid:mypassword#ds112345.mlab.com:12345/mydb [right]
While the node application was able to successfully connect to MongoDB, the incorrectly formatted URI caused the driver to skip authentication prior to issuing database commands.
Thanks and a hat tip to the people at mLab support.
In my case helped to add ?authSource=admin to uri.
So the uri looked like this:
spring.data.mongodb.uri=mongodb://user:password#host:port/database?authSource=admin
I was getting error like
err { MongoError: not authorized on XXXX to execute command { $eval: function(){ return db.tbl_user.find( {
For me role executeFunctions worked. Once you give role your user should look like following...
{
"_id" : "XXXXX",
"user" : "USERXXX",
"db" : "DBXXXX",
"roles" : [
{
"role" : "executeFunctions",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "fryendsapp"
}
]
}
I had the same problem, after a lot of trial and error I solved it by adding the role "read" to my user but indicating the database as well:
db.grantRolesToUser("myUserName",
[{ role: "read", db: "myDataBaseName"}] );
Greetings
I was having the same problem until I realized I made a mistake. I was inheriting a mongo client pointing to a different database from a parent Perl class without realizing it. Maybe something you can check.
So, I have a user for mongo db with the following roles:
% mongo --username userw --password password --authenticationDatabase admin --host host
...
> use admin
switched to db admin
> show users
{
"_id" : ObjectId("525d880dcd6e5e57f9431e16"),
"user" : "userw",
"pwd" : "****************",
"roles" : [
"readWriteAnyDatabase",
"listDatabases"
]
}
The user can read and write successfully to any database, but if I do:
> show dbs
Thu Oct 17 08:46:27.523 listDatabases failed:{ "ok" : 0, "errmsg" : "unauthorized" } at src/mongo/shell/mongo.js:46
I seem to be missing a role that lets me list databases. Which role do I need? (clusterAdmin fixes this, but seems overkill).
According to the documentation, the user must be granted the clusterAdmin role for the listDatabases privilege