For instance, if I have this user:
> db.system.users.find()
{ "user" : "testAdmin", "pwd" : "[some hash]", "roles" : [ "clusterAdmin" ], "otherDBRoles" : { "TestDB" : [ "readWrite" ] } }
And I want to give that user the dbAdmin permissions on the TestDB database, I can remove the user record then add it back with the new permissions:
> db.system.users.remove({"user":"testAdmin"})
> db.addUser( { user: "testAdmin",
pwd: "[whatever]",
roles: [ "clusterAdmin" ],
otherDBRoles: { TestDB: [ "readWrite", "dbAdmin" ] } } )
But that seems hacky and error-prone.
And I can update the table record itself:
> db.system.users.update({"user":"testAdmin"}, {$set:{ otherDBRoles: { TestDB: [ "readWrite", "dbAdmin" ] }}})
But I'm not sure if that really creates the correct permissions - it looks fine but it may be subtly wrong.
Is there a better way to do this?
If you want to just update Role of User. You can do in the following way
db.updateUser( "userName",
{
roles : [
{ role : "dbAdmin", db : "dbName" },
{ role : "readWrite", db : "dbName" }
]
}
)
Note:- This will override only roles for that user.
See array update operators.
> db.users.findOne()
{
"_id" : ObjectId("51e3e2e16a847147f7ccdf7d"),
"user" : "testAdmin",
"pwd" : "[some hash]",
"roles" : [
"clusterAdmin"
],
"otherDBRoles" : {
"TestDB" : [
"readWrite"
]
}
}
> db.users.update({"user" : "testAdmin"}, {$addToSet: {'otherDBRoles.TestDB': 'dbAdmin'}}, false, false)
> db.users.findOne()
{
"_id" : ObjectId("51e3e2e16a847147f7ccdf7d"),
"user" : "testAdmin"
"pwd" : "[some hash]",
"roles" : [
"clusterAdmin"
],
"otherDBRoles" : {
"TestDB" : [
"readWrite",
"dbAdmin"
]
},
}
Update:
MongoDB checks permission on every access. If you see operator db.changeUserPassword:
> db.changeUserPassword
function (username, password) {
var hashedPassword = _hashPassword(username, password);
db.system.users.update({user : username, userSource : null}, {$set : {pwd : hashedPassword}});
var err = db.getLastError();
if (err) {
throw "Changing password failed: " + err;
}
}
You will see — operator changes user's document.
See also system.users Privilege Documents and Delegated Credentials for MongoDB Authentication
Related
is that possible to create a user in MongoDB that is only able to view a specific collection with reading permission only, no other privileges are granted?
Yes it is possible, You'll need to create a customized role. Then assign it to a new User in the DB.
Custom Role Command:
use testdb
db.createRole(
{
createRole: "readTestColOnly",
privileges: [
{ resource: { db: "testdb", collection: "testcollection" },
actions: [ "find" ] }
],
roles: []
})
New User Command:
use testdb
db.runCommand({
"createUser" : "testuser",
"customData" : {
},
"roles" : [
{
"role" : "readTestColOnly",
"db" : "testdb"
}
]
});
Hope This helps.
How can I fix the situation where I can not add a password?
db.createUser({user:'root',pwd:'hello!0.', roles:[{role:'userAdminAnyDatabase', db:'admin'}]})
Successfully added user: {
"user" : "root",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}`
Mongodb defaults without permission access so you need to open access access auth = ture
I added an 'admin' user in the admin db, with roles on admin db and another db :
[admin] user: yves>db.auth("isabelle", "abc123")
1
[admin] user: isabelle>db.getUser("isabelle")
{
"_id" : "admin.isabelle",
"user" : "isabelle",
"db" : "admin",
"roles" : [
{
"role" : "userAdmin",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "cockpit"
}
]
}
I am testing that this user cannot admin the 'test' database ( updating a tester user email )
[admin] user: isabelle>use test
switched to db test
[test] user: isabelle>db.updateUser(
... "myTester",
... {
... customData: {email: "mytester#example.com"}
... }
... )
As 'isabelle' has no roles on 'test' db , she should not be allowed to update any user on this db ... (?)
but it is ...
[test] user: isabelle>db.getUser("myTester")
{
"_id" : "test.myTester",
"user" : "myTester",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "reporting"
}
],
"customData" : {
"email" : "mytester#example.com"
}
}
what am I missing ?
do the isabelle' role 'userAdmin' on 'admin' db allow it ?
I tried to remove it, but it deosn(t change anything ...
I also tried to move isabelle in the cockpit database, with dbOwner role, it doesn't change anything... isabelle is still able to update myTester user in the test database...
how can I restrict isabelle to admin only the 'cockpit' db ( managing users and roles for this db ..?
thanks for enlightment ...
Add to your mongod.conf
security:
authorization: enabled
Also check this mongodb link.
> use failsafereports;
> db.createUser({ user : 'readonly', pwd: 'readonly', roles : ['read']})
Successfully added user: { "user" : "readonly", "roles" : [ "read" ] }
> show users;
{
"_id" : "failsafereports.readonly",
"user" : "readonly",
"db" : "failsafereports",
"roles" : [
{
"role" : "read",
"db" : "failsafereports"
}
]
}
> db.auth('readonly','readonly')
Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
0
I am creating a new user.
It shows when I use show users
But when I try to auth, it fails.
any ideas?
I've read around the internet about this problem occurring from the command line, but couldn't find one that happens from mongo shell.
I'm using MMS to manage my a typical sharding cluster with just one shard (at the moment): 3 mongod for shard000 (2 servers + 1 arbiter) + 1 config server + 2 mongos instances.
Auth is enabled and it's working well. I've added a user-defined role in the MMS admin console, and I can see it in mongo shell.
db.system.roles.findOne()
{
"_id" : "admin.myrole",
"role" : "myrole",
"db" : "admin",
"privileges" : [
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"changeCustomData",
"changePassword",
...
I want to change it to AnyAction on AnyResource (as doEval action requires). So, I'm trying to execute this:
db.runCommand({ "updateRole": "myrole", "privileges": [ { resource: { anyResource: true}, actions: [ "anyAction" ] } ] }); db.system.roles.findOne()`
and for one second, I get the result I want:
{
"_id" : "admin.myrole",
"role" : "myrole",
"db" : "admin",
"privileges" : [
{
"resource" : {
"anyResource" : true
},
"actions" : [
"anyAction"
]
}
],
"roles" : [ ]
}
But, about two seconds later:
the role got restored:
configsvr> db.system.roles.findOne()
{
"_id" : "admin.myrole",
"role" : "myrole",
"db" : "admin",
"privileges" : [
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"changeCustomData",
"changePassword",
...
and I don't know "who" is restoring it.
I've tried the above commands from the PRIMARY and from CONFIG server in admin database.
How can I get the role stored?
P.S: I know that "eval" is deprecated in 3.0, but what I'm asking is the reason I can't update the role.