I want each MongoDB [sub] database to have access to a specific database (central); as well as access to query anything within their own database/namespace.
How do I set this up? - I am using mongoengine BTW.
You can use collection level authentication as outlined here: http://docs.mongodb.org/manual/core/authentication/
Specifically this section of the authentication manual:
http://docs.mongodb.org/manual/reference/system-roles-collection/#a-user-defined-role-specifies-privileges
You can set permissions with documents:
{
_id: "myApp.appUser",
role: "appUser",
db: "myApp",
privileges: [
{ resource: { db: "myApp", collection: "data" },
actions: [ "insert", "update", "remove", "compact" ] },
{ resource: { db: "myApp", collection: "system.indexes" },
actions: [ "find" ] }
]
}
Related
How to create a mongodb user who can read write but not delete a document.
As mistakes can happen so some people may want to disable delete option for users. which can be achieved using the below tutorial.
It took me few minutes to find so sharing so it may reduce some peoples time in searching.
In order to do that we have to create a role.
Go to admin db
use admin
then execute the below command
db.createRole(
{
role: "customROle",
privileges: [
{ resource: { cluster: true }, actions: [ "addShard" ] },
{ resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert"] },
{ resource: { db: "", collection: "" }, actions: [ "update", "insert", "find" ] }
],
roles: [
{ role: "readWrite", db: "admin" }
]
},
{ w: "majority" , wtimeout: 5000 }
)
Note: You can give a specific db access too and give only read access or something like that.
Then we can add the role to a user by using the below command.
db.createUser(
{ user: "gokul",
pwd: "gokul123",
roles:[{role: "customROle" , db:"admin"}]})
I am trying to create a new role in mongodb but It is giving me error:
> use Admin
switched to db Admin
> db.createRole( { role: "executeFunctions", privileges: [ { resource: { anyResource: true }, actions: [ "anyAction" ] } ], roles: [] } );
2018-03-13T19:59:25.114+0500 E QUERY [thread1] Error: Roles on the 'Admin' database cannot be granted privileges that target other databases or the cluster :
_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype.createRole#src/mongo/shell/db.js:1541:1
#(shell):1:1
Some time mongo work with the wrong spell and create the problem later.
So check:
use admin
switched to db admin
> db.createRole( { role: "executeFunctions", privileges: [ { resource: { anyResource: true }, actions: [ "anyAction" ] } ], roles: [] } );
I have database traffic and in that two collections readMe and readWriteMe.
I want to create a user in mongoDB that can do the following -
read the readMe collection.
read and write to the readWriteMe collection.
can create new collection and have readWrite authorization to that collection.
I have role say myRole - I tried giving following privileges to this role
privileges: [
{ resource: { db: "traffic", collection: "" }, actions: [ "find", "insert", "remove" ] },
{ resource: { db: "traffic", collection: "readMe"}, actions: ["find"]},
]
but it allows to insert in readMe collection too!
This raises the question - what happens in the case of conflicting privileges. Which is given more priority etc.
I think it's because you are not specifying the collection name on the first permission. Try:
privileges: [
{ resource: { db: "traffic", collection: "readWriteMe" }, actions: [ "find", "insert", "remove" ] },
{ resource: { db: "traffic", collection: "readMe"}, actions: ["find"]}
]
If you want the same user to create collections and be able to readWrite them, I think it's impossible to not grant enough privileges without him being able to somehow read and write your readMe collection. You could try applying the createCollection along with grantRole but this would allow the user to self assign the readWrite role to itself for the readMe collection too
Created a MongoDB user with readWrite access to a collection. But I don't want to give dropCollection access right to that user. How can I implement that.
Thanks.
You can define your custom role for your purpose.
You can also extend existing roles, by inheriting with the admin.system.roles.roles field of your custom role.
Here is an example custom role
{
role: "YourRole",
db: "YourDatabase",
privileges:
[
{
resource: {db: "YourDatabase", collection: "OneOfCollections"},
actions: ["find", "insert", "update", "remove", "createIndex" ...]
},
{
resource: {db: "YourDatabase", collection: "AnotherCollection"},
actions: ["find", "insert", "update", "remove", "createIndex" ...]
},
.
.
.
],
roles:
[
{ role: "RoleYouWantToInherit", db: "TheDatabaseRoleIsDefinedFor" },
...
]
}
#n9code.
Running following query on admin collection gives an error.
db.runCommand({
createRole:"mynew",
priviliges : [..],
roles: [
{ role: "read", db: "admin" }
],
writeConcern: { w: "majority" , wtimeout: 5000 }
})
showing "error msg:no such cmd creareRole"
First I tried db.eval() for my local mogodb server.It is working fine.I used this example
Then I tried the same thing with MongoLab.But I got this error message.
The error say not authorized to execute command.Can you explain why this error message.thanks
Eval is a powerfull, dangerous and deprecated action that mLab don't give.
In a local mongo db you should create a role:
use admin
db.createRole(
{
role: "dangerEval",
privileges : [
{ resource: {anyResource: true }, actions : ["anyAction"] },
// or this for grant anyAction only on a single db:
{ resource: {db: "myDb", collection: "" }, actions: [ "anyAction" ] }
],
roles: []
}
)
Then you can assign this role to a user:
db.createUser({
user: "temporaneyEvalUser",
pwd: "psw",
roles: [ { role: "dangerEval", db: "myDb" } ]
});
So you have to choose another way to archive your target or change mongo installation.