thecowster

Reputation: 61

MongoDB - User privileges

This is probably a stupid newbie question. I scoured the Google-scape for answers and found a few things on stackoverflow, but nothing really works yet.

I am trying to create a database, and a user who can insert entries to the db.

So far I managed to create the following users & associated privileges:

$ ./mongo localhost:29525/admin -username admin -password "somesecret"
MongoDB shell version: 2.4.9
connecting to: localhost:29525/admin
> db.system.users.find()
  { "_id" : ObjectId("533dc34753178fa1d0707308"), "user" : "admin", "pwd" : "145efb041abb3f9dd2531b26c90f2a4c", "roles" : [  "userAdminAnyDatabase" ] }
  { "_id" : ObjectId("533dc9c03eb5b535e9691f21"), "user" : "node", "pwd" : "a2cbb645cec16dedd4a4f9ee53a332a7", "roles" : [  "readWrite",  "dbAdmin" ] }
  { "_id" : ObjectId("533dd1c52d0f16b6fae61188"), "user" : "node2", "pwd" : "488fba587da677d48825b425ebf7031e", "roles" : [       "userAdminAnyDatabase",         "userAdmin",    "clusterAdmin",         "dbAdminAnyDatabase" ] }

I ideally wanted to give the "admin" user full privileges, but unfortunately admin's 'userAdminAnyDatabase' privilege is not enough to enable this:

> db.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}}, false, false)
not authorized for update on admin.users

I wondered if maybe I just wasn't actually executing the command as "admin", so I re-authenticated as user admin. Still no joy:

> db.auth("admin", "somesecret")
1
> db.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}}, false, false)
not authorized for update on admin.users

So I tried the "node2" user - I had created that with more privileges (dbAdminAnyDatabase, clusterAdmin, ..), so maybe that would work? But alas it also fails:

> db.auth("node2", "anothersecret")
1
> db.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}}, false, false)
not authorized for update on admin.users

That aside, I tried to create a database 'mynewdb', and add a collection 'users'. As the user with most privileges is "node2", I switched to that user first. But that user cannot insert records into the new database's new collection:

> db.auth("node2", "anothersecret")
1
> use mynewdb
switched to db mynewdb
> db.users.save( {username: "philipp"})
not authorized for insert on testapp.users    

Nor for that matter can "admin".

Sorry for my ignorance, I have spent some hours Googling here and am still struggling to piece together jigsaw pieces presented by the many disparate bits of info on the MongoDB docs.

Thanks for any help!

Upvotes: 3

Views: 7067

Answers (1)

daveh

Reputation: 3696

This answer ONLY pertains to MongoDB 2.4.X and lower. The methods for doing this are significantly different under MongoDB 2.6.

You are correctly querying the "system.users" collection in your examples:

db.system.users.find()

But your updates are to the "users" collection, which the admin user cannot access as it only has "userAdminAnyDatabase". Can you try running your update against "system.users" instead? i.e.

// select the document on its "user" field; $each adds the roles one by one
db.system.users.update({"user" : "admin"}, {$addToSet: {'roles': {$each: [ 'dbAdminAnyDatabase', 'clusterAdmin']}}})

Upvotes: 5
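
Added example (not part of the original question or answer, and not MongoDB's own code): a small JavaScript model of how an update on a 2.4-style system.users collection behaves with the selector and $addToSet form used in this thread, compared with selecting on the "user" field and using $each. The helper names and the sample documents are constructed for illustration; only equality selectors and $addToSet are modelled.

```javascript
// Constructed sample: 2.4-style admin.system.users documents (hashes replaced by placeholders).
const systemUsers = [
  { user: "admin", pwd: "<redacted>", roles: ["userAdminAnyDatabase"] },
  { user: "node", pwd: "<redacted>", roles: ["readWrite", "dbAdmin"] },
];

// Equality-only selector match: every selector field must equal the document's field.
function matches(doc, selector) {
  return Object.keys(selector).every((k) => doc[k] === selector[k]);
}

// $addToSet semantics: a bare array is added as ONE element;
// {$each: [...]} adds every member that is not already present.
function addToSet(target, value) {
  const items = value && Array.isArray(value.$each) ? value.$each : [value];
  for (const item of items) {
    const present = target.some((x) => JSON.stringify(x) === JSON.stringify(item));
    if (!present) target.push(item);
  }
}

// Hypothetical helper modelling update(selector, {$addToSet: ...}) on the first match only.
function simulateUpdate(docs, selector, update) {
  const copy = JSON.parse(JSON.stringify(docs)); // leave the sample untouched
  const doc = copy.find((d) => matches(d, selector));
  if (!doc) return { matched: 0, docs: copy };
  for (const [field, value] of Object.entries(update.$addToSet)) {
    if (!Array.isArray(doc[field])) doc[field] = [];
    addToSet(doc[field], value);
  }
  return { matched: 1, docs: copy };
}

const extraRoles = ["dbAdminAnyDatabase", "clusterAdmin"];

// Selector from the thread: no document has a field named "admin", so nothing is updated.
const asPosted = simulateUpdate(systemUsers, { admin: "somesecret" }, { $addToSet: { roles: extraRoles } });
// Right document, but the bare array is stored as a single nested element.
const bareArray = simulateUpdate(systemUsers, { user: "admin" }, { $addToSet: { roles: extraRoles } });
// Right document, roles added individually.
const withEach = simulateUpdate(systemUsers, { user: "admin" }, { $addToSet: { roles: { $each: extraRoles } } });

console.log("matched with {admin: ...}:", asPosted.matched);
console.log("bare array:", JSON.stringify(bareArray.docs[0].roles));
console.log("with $each:", JSON.stringify(withEach.docs[0].roles));
```

After any role change, re-reading the user document and checking that every entry in "roles" is a plain string confirms what was actually stored.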
