
Mongodb user is able use databases without privileges

I have two databases (staging and production) and two users (staging_user and production_user). staging_user is only granted readWrite on staging, yet after logging in it can still switch to and read from the production database:

mongo --authenticationDatabase staging -u staging_user -p ***********

> use production
switched to db production

>db.getName()
production

> show collections
accounts

> db.runCommand({connectionStatus : 1})
{
    "authInfo" : {
        "authenticatedUsers" : [
            {
                "user" : "staging_user",
                "db" : "staging"
            }
        ],
        "authenticatedUserRoles" : [
            {
                "role" : "readWrite",
                "db" : "staging"
            }
        ]
    },
    "ok" : 1
}

The role definition reported for staging_user via getSiblingDB (getRole with showPrivileges) — note that every privilege listed is scoped to the staging database only; nothing grants access to production:

{
    "role" : "readWrite",
    "db" : "gepick_staging",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ],
    "privileges" : [
        {
            "resource" : {
                "db" : "staging",
                "collection" : ""
            },
            "actions" : [
                "changeStream",
                "collStats",
                "convertToCapped",
                "createCollection",
                "createIndex",
                "dbHash",
                "dbStats",
                "dropCollection",
                "dropIndex",
                "emptycapped",
                "find",
                "insert",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead",
                "remove",
                "renameCollectionSameDB",
                "update"
            ]
        },
        {
            "resource" : {
                "db" : "staging",
                "collection" : "system.indexes"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        },
        {
            "resource" : {
                "db" : "staging",
                "collection" : "system.js"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "convertToCapped",
                "createCollection",
                "createIndex",
                "dbHash",
                "dbStats",
                "dropCollection",
                "dropIndex",
                "emptycapped",
                "find",
                "insert",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead",
                "remove",
                "renameCollectionSameDB",
                "update"
            ]
        },
        {
            "resource" : {
                "db" : "staging",
                "collection" : "system.namespaces"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "staging",
                "collection" : ""
            },
            "actions" : [
                "changeStream",
                "collStats",
                "convertToCapped",
                "createCollection",
                "createIndex",
                "dbHash",
                "dbStats",
                "dropCollection",
                "dropIndex",
                "emptycapped",
                "find",
                "insert",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead",
                "remove",
                "renameCollectionSameDB",
                "update"
            ]
        },
        {
            "resource" : {
                "db" : "staging",
                "collection" : "system.indexes"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        },
        {
            "resource" : {
                "db" : "staging",
                "collection" : "system.js"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "convertToCapped",
                "createCollection",
                "createIndex",
                "dbHash",
                "dbStats",
                "dropCollection",
                "dropIndex",
                "emptycapped",
                "find",
                "insert",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead",
                "remove",
                "renameCollectionSameDB",
                "update"
            ]
        },
        {
            "resource" : {
                "db" : "staging",
                "collection" : "system.namespaces"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        }
    ]
}

How do I prevent staging_user from accessing the production database?


Answers (1)


Your connectionStatus output shows the session is authenticated as staging_user with readWrite on staging only, yet `show collections` on production succeeded — that means mongod is authenticating users but not enforcing authorization. Role-based access control in MongoDB is only enforced when authorization is enabled: set `security.authorization: enabled` in mongod.conf (or start mongod with `--auth`) and restart mongod. Once it is enforced, staging_user's `show collections` on production will fail with a "not authorized" error. Before restarting, confirm an administrative user (e.g. one with userAdminAnyDatabase in the admin database) already exists, otherwise you can lock yourself out of user management. Unrelated to the authorization problem: passing the password inline with `-p` leaves it in shell history and the process list; omit the value so the mongo shell prompts for it.

For more details, see the security.authorization configuration option: https://docs.mongodb.com/manual/reference/configuration-options/index.html#security.authorization

