4

I want to setup a user in MongoDB. This user will not have admin database access. But it uses admin as authentication database. It will fail to connect the mongoDB by this command mongo --host localhost admin. Instead, it can use this command to connect to test database: mongo --host localhost --authenticationDatabases admin test. How can I restrict the permission in this case?

I tried below command to create an user:

db.createUser({user: 'testUser', pwd: '123456', roles: [{role:'readWrite', db: 'SampleCollections'}]})

when I use that user account to login mongo shell, I am able to list the collections under admin database. How can I restrict the user only on SampleCollections database not admin?

asked Sep 10, 2017 at 1:34

2 Answers 2

3

Not need. You just give user needed rights to the wanted non-admin database. User can use admin database as authentication database even user doesn't have read/write access to admin database.

use products
db.grantRolesToUser("productsUser",[ "readWrite" ])

grantRolesToUser documentation.

UPDATE

Let's create mongodb instance with --auth. Login as admin, create user what can readWrite ONLY test -db, authenticate with that user, check can use list admin database collections and what this user can do with test database.

#> mlaunch init --single --auth
launching: mongod on port 27017
Username "user", password "password"
#> mongo -u user -p password admin
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/admin
MongoDB server version: 3.4.6
Mongo> db.createUser({user:"test", pwd:"testpwd", roles:[{role:"readWrite", db:"test"}]})
Successfully added user: {
 "user" : "test",
 "roles" : [
 {
 "role" : "readWrite",
 "db" : "test"
 }
 ]
}
Mongo> db.auth("test","testpwd")
1
Mongo> db
admin
Mongo> show collections
2017年09月11日T19:06:22.001+0300 E QUERY [thread1] Error: listCollections failed: {
 "ok" : 0,
 "errmsg" : "not authorized on admin to execute command { listCollections: 1.0, filter: {} }",
 "code" : 13,
 "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:807:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:819:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:830:16
shellHelper.show@src/mongo/shell/utils.js:762:9
shellHelper@src/mongo/shell/utils.js:659:15
@(shellhelp2):1:1
Mongo> use test
switched to db test
Mongo> db.coll.insert({})
WriteResult({ "nInserted" : 1 })
Mongo> show collections
coll
Mongo>

And same from outside:

#> mongo -u test -p testpwd --authenticationDatabase test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.6
2017年09月11日T19:17:48.614+0300 E QUERY [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
@(auth):6:1
@(auth):1:2
exception: login failed
#> mongo -u test -p testpwd --authenticationDatabase admin test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/test
MongoDB server version: 3.4.6
Mongo>
answered Sep 10, 2017 at 11:23
4
  • I tried to create an user with this role but the user can view the admin database. Please see the command I used on my post. Commented Sep 10, 2017 at 12:28
  • Remember to change that DB first, with that use xxxx, because that command gives rights to currently selected DB. Commented Sep 10, 2017 at 17:12
  • I have tried that. In this case, I need to use the xxxx as the authentication database. But what I want is to use admin as the authentication database. Commented Sep 11, 2017 at 12:22
  • @ZhaoYi check my edits at my answer.. There is step by step example. It works! Commented Sep 11, 2017 at 16:13
1

@Zhao Yi,what you are looking ? I hope so that you shall find out your solution Here

For example i am attaching a one example as shown below

enter image description here

The Explanation of the code is :

  1. The first step is to specify the username and password which needs to be created.
  2. The second step is to assign a role for the user which in this case since it needs to be a database administrator is assigned to the userAdmin role. This role allows the user to have administrative privileges only to the database specified in the db option.
  3. The db parameter specifies the database to which the user should have administrative privileges on.

Note: The output shows that a user called Employeeadmin was created and that user has privileges only on the Employee database.

answered Sep 10, 2017 at 13:06
2
  • Thanks for your reply. I can create a user with the role based on your command. But that user has access to admin database. I am able to use admin and run show collections. What I need is to use admin as an authentication database but restrict users only on Employee database. So I want this command for user to login: mongo --username Employeeadmin --password 123456 --authenticationDatabase admin SampleCollections Commented Sep 10, 2017 at 23:27
  • @Zhao Yi, As per mongodb documentation docs.mongodb.com/manual/tutorial/manage-users-and-roles Except for roles created in the admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database. Commented Sep 11, 2017 at 12:54

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.