psurikov

Reputation: 3458

How to create a database admin that will manage its database users

I'm using MongoDB version 2.6.2 and want to create a database admin that will be able to manage its users (add and remove them). I have two databases, admin and books. The user admin_books is supposed to be a dbOwner and be able to create and remove users from the books database:

/* creating admin db */
> use admin;
switched to db admin
> db.createUser( { "user" : "admin_root", "pwd": "pass", "roles" : ["root"] } )
Successfully added user: { "user" : "admin_root", "roles" : [ "root" ] }

/* creating books db */
> use books;
switched to db books
> db.createUser( { "user" : "admin_books", "pwd": "pass", "roles" : ["dbOwner"] } )
Successfully added user: { "user" : "admin_books", "roles" : [ "dbOwner" ] }
> db.createUser( { "user" : "logger", "pwd": "pass", "roles" : ["readWrite"] } )
Successfully added user: { "user" : "logger", "roles" : [ "readWrite" ] }

I found that all users are actually stored in the admin db starting from version 2.6. When I try to query db users while logged in to the books db as admin_books, I'm getting the following error:

> use books
switched to db books
> db.auth("admin_books", "pass")
1
> db.system.users.find()
error: { "$err" : "not authorized for query on books.system.users", "code" : 13 }

Are there any roles or privileges I need to add to admin_books to allow it to manage users? Or what would be the correct way of doing this?

I know there was a similar question, but the answer suggests adding the 'userAdminAnyDatabase' privilege to the user even though the admin has to manage only a single db.

Upvotes: 2

Views: 16129

Answers (2)

Ahmed Haque

Reputation: 7514

Not sure if this was answered straightforwardly enough, but here's how you do it:

db.createUser({user: "USERNAME", pwd: "PASSWORD", roles: [{role: "dbOwner", db: "DATABASE"}]});

Where USERNAME, PASSWORD, and DATABASE are to be filled in with your fields.

http://docs.mongodb.org/manual/reference/method/db.createUser/

Upvotes: 11

John Petrone

Reputation: 27487

The db.system.users collection is no longer used for user management - it was deprecated in version 2.6 of MongoDB:

system.users Privilege Documents

Deprecated since version 2.6: MongoDB 2.6 introduced a new model for user credentials and privileges and no longer uses privilege documents.

http://docs.mongodb.org/manual/reference/privilege-documents/

As of version 2.6 all the user access information is stored in the admin.system.users collection:

system.users Collection

Changed in version 2.6.

The system.users collection in the admin database stores user authentication and authorization information.

So the way to test if a user has the privilege to add other users is not to query the system.users collection in that database. Instead, you should log in as that user and run one of the user or role management commands:

User Management Commands

  • createUser Creates a new user.

  • updateUser Updates a user’s data.

  • dropUser Removes a single user.

  • dropAllUsersFromDatabase Deletes all users associated with a database.

  • grantRolesToUser Grants a role and its privileges to a user.

  • revokeRolesFromUser Removes a role from a user.

  • usersInfo Returns information about the specified users.

Role Management Commands

  • createRole Creates a role and specifies its privileges.

  • updateRole Updates a user-defined role.

  • dropRole Deletes the user-defined role.

  • dropAllRolesFromDatabase Deletes all user-defined roles from a database.

  • grantPrivilegesToRole Assigns privileges to a user-defined role.

  • revokePrivilegesFromRole Removes the specified privileges from a user-defined role.

  • grantRolesToRole Specifies roles from which a user-defined role inherits privileges.

  • revokeRolesFromRole Removes specified inherited roles from a user-defined role.

  • rolesInfo Returns information for the specified role or roles.

  • invalidateUserCache Flushes the in-memory cache of user information, including credentials and roles.

http://docs.mongodb.org/manual/reference/command/#user-management-commands

Upvotes: 3
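The following is an added example and is not code from the question or from either answer. It is a small offline JavaScript model of the MongoDB 2.6 built-in roles involved in both answers above, so the question "which of these users may run createUser, dropUser or usersInfo on which database?" can be worked through without a running mongod: the first answer's point that a role should be scoped explicitly to a database, and the second answer's point that the right check is a user-management command rather than a query on system.users. The role definitions follow the documented built-in roles (dbOwner is the union of readWrite, dbAdmin and userAdmin on its database; the AnyDatabase roles live in admin but apply everywhere); the sample users are the three from the question. The function names, and the reduction of each role's action list to the relevant subset, are assumptions made for illustration.

```javascript
// Added example, not code from the question or either answer: an offline model
// of the MongoDB 2.6 built-in roles relevant to managing users per database.
// Role definitions follow the documented built-in roles; the action lists are
// trimmed to the user-management actions plus a few representative data actions
// (an assumption for illustration). Sample users come from the question.

const USER_MGMT_ACTIONS = ["createUser", "dropUser", "grantRole", "revokeRole", "viewUser"];

// Actions a built-in role grants on the database it is assigned in.
const BUILTIN_ROLES = {
  read:      { actions: ["find"], inherits: [] },
  readWrite: { actions: ["insert", "update", "remove"], inherits: ["read"] },
  dbAdmin:   { actions: ["collMod", "dropCollection", "validate"], inherits: [] },
  userAdmin: { actions: USER_MGMT_ACTIONS, inherits: [] },
  // dbOwner is exactly readWrite + dbAdmin + userAdmin on that one database.
  dbOwner:   { actions: [], inherits: ["readWrite", "dbAdmin", "userAdmin"] },
};

// Roles that must be assigned in the admin database but apply to every database.
const ANY_DATABASE_ROLES = {
  readAnyDatabase: "read",
  readWriteAnyDatabase: "readWrite",
  userAdminAnyDatabase: "userAdmin",
  dbAdminAnyDatabase: "dbAdmin",
};

// Flatten a built-in role into the set of actions it grants, following inheritance.
function expandRole(role, acc = new Set()) {
  const def = BUILTIN_ROLES[role];
  if (!def) throw new Error(`unknown built-in role: ${role}`);
  def.actions.forEach((a) => acc.add(a));
  def.inherits.forEach((r) => expandRole(r, acc));
  return acc;
}

// The shell accepts a role as a bare string, which it scopes to the database the
// user is created in (the "use books" in the question). Normalise both the string
// and the { role, db } forms so the scope is always explicit.
function normaliseRoles(createdInDb, roles) {
  return roles.map((r) => (typeof r === "string" ? { role: r, db: createdInDb } : { ...r }));
}

// The three users from the question, as the server would record them.
function sampleUsers() {
  return {
    admin_root:  { user: "admin_root",  db: "admin", roles: normaliseRoles("admin", ["root"]) },
    admin_books: { user: "admin_books", db: "books", roles: normaliseRoles("books", ["dbOwner"]) },
    logger:      { user: "logger",      db: "books", roles: normaliseRoles("books", ["readWrite"]) },
  };
}

// Set of actions the user may perform on dbName; "*" stands for root.
function actionsOn(user, dbName) {
  const acts = new Set();
  for (const { role, db } of user.roles) {
    if (role === "root" && db === "admin") { acts.add("*"); continue; }
    if (db === "admin" && ANY_DATABASE_ROLES[role]) {
      expandRole(ANY_DATABASE_ROLES[role]).forEach((a) => acts.add(a));
      continue;
    }
    if (db === dbName && BUILTIN_ROLES[role]) expandRole(role).forEach((a) => acts.add(a));
  }
  return acts;
}

function hasAction(user, dbName, action) {
  const acts = actionsOn(user, dbName);
  return acts.has("*") || acts.has(action);
}

// May this user run createUser / dropUser / grantRolesToUser / usersInfo on dbName?
// This is the check the second answer recommends, instead of reading system.users.
function canManageUsers(user, dbName) {
  return USER_MGMT_ACTIONS.every((a) => hasAction(user, dbName, a));
}

// The caveat worth checking before handing out userAdmin: grantRole on the admin
// database lets a user grant any admin-database role, root included, to anyone
// (themselves included). userAdmin or dbOwner scoped to "books" does not.
function canGrantAdminRoles(user) {
  return hasAction(user, "admin", "grantRole");
}

// The mongo-shell command for creating a user with explicitly scoped roles, in
// the form the first answer shows, runnable from any current database.
function createUserShellCommand(dbName, user, pwd, roles) {
  const doc = { user, pwd, roles: normaliseRoles(dbName, roles) };
  return `db.getSiblingDB(${JSON.stringify(dbName)}).createUser(${JSON.stringify(doc)})`;
}

function main() {
  const u = sampleUsers();
  console.log("admin_books manages books users:  ", canManageUsers(u.admin_books, "books"));
  console.log("admin_books manages admin users:  ", canManageUsers(u.admin_books, "admin"));
  console.log("logger manages books users:       ", canManageUsers(u.logger, "books"));
  console.log("admin_books can grant admin roles:", canGrantAdminRoles(u.admin_books));
  console.log(createUserShellCommand("books", "reporter", "pass", ["read"]));
}
main();
```

Run with node. The model reproduces the situation in the question: admin_books, holding dbOwner on books, already has createUser, dropUser and viewUser on books and needs no extra role, so `db.getSiblingDB("books").runCommand({ usersInfo: 1 })` succeeds for it while `find` on system.users does not; the same user has nothing on admin, which is the least-privilege outcome the question was after and what userAdminAnyDatabase would have given away.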
