How to set up a user who doesn't have `admin` database access but use it as authentication database?
-
09-10-2020 - |
Question
I want to setup a user in MongoDB. This user will not have admin database access. But it uses admin as authentication database. It will fail to connect the mongoDB by this command mongo --host localhost admin
. Instead, it can use this command to connect to test
database: mongo --host localhost --authenticationDatabases admin test
. How can I restrict the permission in this case?
I tried below command to create an user:
db.createUser({user: 'testUser', pwd: '123456', roles: [{role:'readWrite', db: 'SampleCollections'}]})
when I use that user account to login mongo shell, I am able to list the collections under admin
database. How can I restrict the user only on SampleCollections
database not admin
?
Solution
Not need. You just give user needed rights to the wanted non-admin database. User can use admin database as authentication database even user doesn't have read/write access to admin database.
use products
db.grantRolesToUser("productsUser",[ "readWrite" ])
grantRolesToUser documentation.
UPDATE
Let's create mongodb instance with --auth. Login as admin, create user what can readWrite ONLY test -db, authenticate with that user, check can use list admin database collections and what this user can do with test database.
#> mlaunch init --single --auth
launching: mongod on port 27017
Username "user", password "password"
#> mongo -u user -p password admin
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/admin
MongoDB server version: 3.4.6
Mongo> db.createUser({user:"test", pwd:"testpwd", roles:[{role:"readWrite", db:"test"}]})
Successfully added user: {
"user" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
}
]
}
Mongo> db.auth("test","testpwd")
1
Mongo> db
admin
Mongo> show collections
2017-09-11T19:06:22.001+0300 E QUERY [thread1] Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listCollections: 1.0, filter: {} }",
"code" : 13,
"codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:807:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:819:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:830:16
shellHelper.show@src/mongo/shell/utils.js:762:9
shellHelper@src/mongo/shell/utils.js:659:15
@(shellhelp2):1:1
Mongo> use test
switched to db test
Mongo> db.coll.insert({})
WriteResult({ "nInserted" : 1 })
Mongo> show collections
coll
Mongo>
And same from outside:
#> mongo -u test -p testpwd --authenticationDatabase test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.6
2017-09-11T19:17:48.614+0300 E QUERY [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
@(auth):6:1
@(auth):1:2
exception: login failed
#> mongo -u test -p testpwd --authenticationDatabase admin test
MongoDB shell version v3.4.6
connecting to: mongodb://127.0.0.1:27017/test
MongoDB server version: 3.4.6
Mongo>
OTHER TIPS
@Zhao Yi,what you are looking ? I hope so that you shall find out your solution Here
For example i am attaching a one example as shown below
The Explanation of the code is :
- The first step is to specify the
username
andpassword
which needs to be created. - The second step is to assign a role for the user which in this case
since it needs to be a database administrator is assigned to the
userAdmin
role. This role allows the user to have administrative privileges only to the database specified in the db option. - The db parameter specifies the database to which the user should have administrative privileges on.
Note: The output shows that a user called Employeeadmin was created and that user has privileges only on the Employee database.