
How to set up a user who doesn't have `admin` database access but use it as authentication database?


Problem

I want to set up a user in MongoDB. This user will not have admin database access, but it uses admin as the authentication database. It will fail to connect to MongoDB with this command: mongo --host localhost admin. Instead, it can use this command to connect to the test database: mongo --host localhost --authenticationDatabase admin test. How can I restrict the permissions in this case?

I tried the command below to create a user:

db.createUser({user: 'testUser', pwd: '123456', roles: [{role:'readWrite', db: 'SampleCollections'}]})


When I use that user account to log in to the mongo shell, I am able to list the collections under the admin database. How can I restrict the user to only the SampleCollections database, not admin?

Solution

No need. You just give the user the needed rights on the wanted non-admin database. A user can use the admin database as the authentication database even if the user doesn't have read/write access to the admin database.

use products
db.grantRolesToUser("productsUser",[ "readWrite" ])


grantRolesToUser documentation.

UPDATE

Let's create a MongoDB instance with --auth. Log in as admin, create a user that can readWrite ONLY the test db, authenticate with that user, and check whether it can list admin database collections and what this user can do with the test database.

#> mlaunch init --single --auth
launching: mongod on port 27017
Username "user", password "password"
#> mongo -u user -p password admin
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/admin
MongoDB server version: 3.4.6
Mongo> db.createUser({user:"test", pwd:"testpwd", roles:[{role:"readWrite", db:"test"}]})
Successfully added user: {
    "user" : "test",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "test"
        }
    ]
}
Mongo> db.auth("test","testpwd")
1
Mongo> db
admin
Mongo> show collections
2017-09-11T19:06:22.001+0300 E QUERY    [thread1] Error: listCollections failed: {
    "ok" : 0,
    "errmsg" : "not authorized on admin to execute command { listCollections: 1.0, filter: {} }",
    "code" : 13,
    "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:807:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:819:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:830:16
shellHelper.show@src/mongo/shell/utils.js:762:9
shellHelper@src/mongo/shell/utils.js:659:15
@(shellhelp2):1:1
Mongo> use test
switched to db test
Mongo> db.coll.insert({})
WriteResult({ "nInserted" : 1 })
Mongo> show collections
coll
Mongo>


And the same from outside:

#> mongo -u test -p testpwd --authenticationDatabase test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.6
2017-09-11T19:17:48.614+0300 E QUERY    [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
@(auth):6:1
@(auth):1:2
exception: login failed
#> mongo -u test -p testpwd --authenticationDatabase admin test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/test
MongoDB server version: 3.4.6
Mongo>
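The session above shows the distinction the answer relies on: the authentication database is where the user document lives, while the roles decide which databases the user is authorized on. The following audit script is an added example (not from the original question or answer) that makes the same distinction visible for every user: it reports each user's authentication db, the dbs its roles authorize, and whether any role is scoped to admin. It assumes the user document layout returned by getUsers() (user, db, roles:[{role, db}]); the sample user documents are constructed.

```javascript
// Added example, not part of the original post. Audits which users actually
// hold authorization on the admin database. A user's authentication database
// (the `db` field of the user document, i.e. where it is stored) says nothing
// about which databases its roles authorize; only roles scoped to "admin"
// grant admin access. The built-in *AnyDatabase, cluster and root roles can
// only be granted with db: "admin", so checking for admin-scoped roles
// covers those as well.

function adminScopedRoles(userDoc) {
  return (userDoc.roles || []).filter((r) => r.db === "admin");
}

// One summary row per user document: authentication db, the databases its
// roles grant access to, and the roles scoped to admin (if any).
function auditUsers(userDocs) {
  return userDocs.map((u) => ({
    user: u.user,
    authDb: u.db,
    authorizedDbs: [...new Set((u.roles || []).map((r) => r.db))].sort(),
    adminRoles: adminScopedRoles(u).map((r) => r.role),
    hasAdminAccess: adminScopedRoles(u).length > 0,
  }));
}

// Constructed sample: the "test" user from the post (stored in admin, but
// authorized only on "test") next to a constructed administrative user.
const sampleUsers = [
  { _id: "admin.user", user: "user", db: "admin",
    roles: [{ role: "root", db: "admin" }] },
  { _id: "admin.test", user: "test", db: "admin",
    roles: [{ role: "readWrite", db: "test" }] },
];

// Under mongosh / the legacy mongo shell, read the real user documents from
// the admin database; under plain node (no global `db`) use the sample.
// Legacy mongo shell getUsers() returns an array, mongosh returns
// { users: [...], ok: 1 }, so both shapes are handled.
let users = sampleUsers;
if (typeof db !== "undefined") {
  const res = db.getSiblingDB("admin").getUsers();
  users = Array.isArray(res) ? res : res.users;
}

const out = typeof print === "function" ? print : console.log;
for (const row of auditUsers(users)) {
  out(JSON.stringify(row));
}
```

Run it with mongosh against a server started with --auth (as an admin user) to list every user, and treat any row with hasAdminAccess true that is not an intended administrator as a least-privilege finding.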


Context

StackExchange Database Administrators Q#185518, answer score: 3
