How to set up a user who doesn't have `admin` database access but uses it as the authentication database?

dba.stackexchange https://dba.stackexchange.com/questions/185518

Question

I want to set up a user in MongoDB. This user will not have admin database access, but it uses admin as the authentication database. It will fail to connect to MongoDB with this command: mongo --host localhost admin. Instead, it can use this command to connect to the test database: mongo --host localhost --authenticationDatabase admin test. How can I restrict the permissions in this case?

I tried the command below to create a user:

db.createUser({user: 'testUser', pwd: '123456', roles: [{role:'readWrite', db: 'SampleCollections'}]})

When I use that user account to log in to the mongo shell, I am able to list the collections under the admin database. How can I restrict the user to the SampleCollections database only, not admin?


Solution

No need. You just grant the user the needed rights on the wanted non-admin database. The user can use the admin database as the authentication database even if the user doesn't have read/write access to the admin database.

use products
db.grantRolesToUser("productsUser",[ "readWrite" ])

grantRolesToUser documentation.

UPDATE

Let's create a mongodb instance with --auth. Log in as admin, create a user that can readWrite ONLY the test db, authenticate with that user, check whether it can list the admin database's collections and what this user can do with the test database.

#> mlaunch init --single --auth
launching: mongod on port 27017
Username "user", password "password"
#> mongo -u user -p password admin
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/admin
MongoDB server version: 3.4.6
Mongo> db.createUser({user:"test", pwd:"testpwd", roles:[{role:"readWrite", db:"test"}]})
Successfully added user: {
    "user" : "test",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "test"
        }
    ]
}
Mongo> db.auth("test","testpwd")
1
Mongo> db
admin
Mongo> show collections
2017-09-11T19:06:22.001+0300 E QUERY    [thread1] Error: listCollections failed: {
    "ok" : 0,
    "errmsg" : "not authorized on admin to execute command { listCollections: 1.0, filter: {} }",
    "code" : 13,
    "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:807:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:819:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:830:16
shellHelper.show@src/mongo/shell/utils.js:762:9
shellHelper@src/mongo/shell/utils.js:659:15
@(shellhelp2):1:1
Mongo> use test
switched to db test
Mongo> db.coll.insert({})
WriteResult({ "nInserted" : 1 })
Mongo> show collections
coll
Mongo>  

And the same from outside:

#> mongo -u test -p testpwd --authenticationDatabase test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.6
2017-09-11T19:17:48.614+0300 E QUERY    [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
@(auth):6:1
@(auth):1:2
exception: login failed
#> mongo -u test -p testpwd --authenticationDatabase admin test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/test
MongoDB server version: 3.4.6
Mongo> 

OTHER TIPS

@Zhao Yi, what are you looking for? I hope that you will find your solution Here

For example, I am attaching one example, as shown below:

[image: db.createUser call creating the user Employeeadmin with the userAdmin role on the Employee database]

The explanation of the code is:

  1. The first step is to specify the username and password which needs to be created.
  2. The second step is to assign a role to the user which, in this case, since it needs to be a database administrator, is the userAdmin role. This role gives the user administrative privileges only on the database specified in the db option.
  3. The db parameter specifies the database on which the user should have administrative privileges.

Note: The output shows that a user called Employeeadmin was created and that this user has privileges only on the Employee database.
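Both answers above make the same point: the user document lives in admin (so admin is the authentication database), but its roles are scoped to another database (test in the accepted answer, Employee in the second one), so the user gets nothing on admin. The following is an added example, not code from either answer or from MongoDB itself. It builds the createUser command and the equivalent connection URI, and then audits the server's own view of the user, the `usersInfo` output with `showPrivileges: true`, so that any role or inherited privilege reaching outside the intended database(s) is flagged. The `usersInfo` shape (a `users` array with `roles`, `inheritedRoles` and `inheritedPrivileges`) is the documented one; the two sample documents are constructed by hand, and the abbreviated action lists in them are illustrative. The optional `audit_live` function assumes pymongo is installed and a server is reachable; everything else runs offline.

```python
"""Check that a MongoDB user authenticated against ``admin`` holds rights only on
the databases it is meant to reach.

Added example, not code from the original answers. It assumes the documented
shape of the ``usersInfo`` command output with ``showPrivileges: true``; the
sample documents below are constructed by hand (action lists abbreviated).
"""
from urllib.parse import quote_plus


def scoped_user_command(user, pwd, db, role="readWrite"):
    """createUser command document: a single role scoped to ``db``. Run it
    against ``admin`` and the user is stored there (authSource=admin) while
    holding no role on admin itself, exactly as in the answers above."""
    return {"createUser": user, "pwd": pwd, "roles": [{"role": role, "db": db}]}


def connection_uri(user, pwd, host, target_db, auth_db="admin"):
    """URI form of ``mongo -u user -p pwd --authenticationDatabase admin target_db``."""
    return (f"mongodb://{quote_plus(user)}:{quote_plus(pwd)}@{host}/{target_db}"
            f"?authSource={auth_db}")


def out_of_scope(users_info, allowed_dbs):
    """Return one finding per inherited role or privilege that reaches outside
    ``allowed_dbs``. A privilege resource with ``db: ""`` (all databases),
    ``cluster: true`` or ``anyResource: true`` is always flagged."""
    allowed = set(allowed_dbs)
    findings = []
    for u in users_info.get("users", []):
        name = u["user"]
        for r in u.get("inheritedRoles") or u.get("roles", []):
            if r["db"] not in allowed:
                findings.append(f"{name}: role {r['role']}@{r['db']}")
        for p in u.get("inheritedPrivileges", []):
            res = p.get("resource", {})
            actions = ",".join(sorted(p.get("actions", [])))
            if res.get("cluster") or res.get("anyResource"):
                findings.append(f"{name}: cluster-wide actions {actions}")
            elif res.get("db", "") not in allowed:
                scope = res.get("db") or "<all databases>"
                findings.append(f"{name}: actions {actions} on {scope}")
    return findings


def audit_live(admin_uri, user, allowed_dbs):
    """Fetch the real usersInfo document as an administrator and audit it.
    Needs pymongo and a reachable server, so it is kept apart from the
    offline checks above (assumption: pymongo is installed)."""
    from pymongo import MongoClient  # optional dependency, imported lazily
    client = MongoClient(admin_uri)
    info = client.admin.command({"usersInfo": {"user": user, "db": "admin"},
                                 "showPrivileges": True})
    return out_of_scope(info, allowed_dbs)


# Constructed usersInfo output for the user created in the accepted answer:
# stored in admin, readWrite on test, nothing on admin.
SCOPED_USER = {
    "users": [{
        "_id": "admin.test", "user": "test", "db": "admin",
        "roles": [{"role": "readWrite", "db": "test"}],
        "inheritedRoles": [{"role": "readWrite", "db": "test"}],
        "inheritedPrivileges": [{
            "resource": {"db": "test", "collection": ""},
            "actions": ["find", "insert", "remove", "update", "createCollection",
                        "createIndex", "dropCollection", "listCollections", "listIndexes"],
        }],
    }],
    "ok": 1,
}

# Constructed counter-example: a role on admin itself plus an AnyDatabase role,
# which is what the question wants to rule out.
OVERBROAD_USER = {
    "users": [{
        "_id": "admin.ops", "user": "ops", "db": "admin",
        "roles": [{"role": "read", "db": "admin"},
                  {"role": "readWriteAnyDatabase", "db": "admin"}],
        "inheritedRoles": [{"role": "read", "db": "admin"},
                           {"role": "readWriteAnyDatabase", "db": "admin"}],
        "inheritedPrivileges": [
            {"resource": {"db": "admin", "collection": ""}, "actions": ["find", "listCollections"]},
            {"resource": {"db": "", "collection": ""}, "actions": ["find", "insert", "remove", "update"]},
            {"resource": {"cluster": True}, "actions": ["listDatabases"]},
        ],
    }],
    "ok": 1,
}

if __name__ == "__main__":
    print(connection_uri("test", "testpwd", "127.0.0.1:27017", "test"))
    for finding in out_of_scope(OVERBROAD_USER, ["test"]):
        print(finding)
```

Run `out_of_scope` against the document returned for your own user (via `audit_live` or a `usersInfo` call in the shell) with the list of databases the user is supposed to touch; an empty result means the user authenticates against admin without holding any right there, which is the situation the accepted answer demonstrates with the failing `show collections` on admin.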

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange