I created a user with full privileges in its own database (dbOwner) and read-only access to administrative commands (clusterMonitor):
use customerdb
(mongod-3.4.7) customerdb> db.createUser( { user: "customer",
...   pwd: "customerpw",
...   roles: [ { role: "clusterMonitor", db: "admin" },
...            { role: "dbOwner", db: "customerdb" } ] },
...   { w: "majority", wtimeout: 5000 } )
Successfully added user: {
  "user": "customer",
  "roles": [
    {
      "role": "clusterMonitor",
      "db": "admin"
    },
    {
      "role": "dbOwner",
      "db": "customerdb"
    }
  ]
}
Enabled auth and logged in with the new user. It's a Homebrew-installed single MongoDB instance running the latest release.
$ mongo -u customer -p customerpw localhost --authenticationDatabase=customerdb
Why does getRoles() show me the enableSharding role? I didn't find an explanation in the docs.
> db.getRoles(
...   {
...     rolesInfo: 1,
...     showPrivileges: false,
...     showBuiltinRoles: true
...   }
... )
[
  {
    "role": "dbAdmin",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "dbOwner",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "enableSharding",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "read",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "readWrite",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "userAdmin",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  }
]
The privileges for the enableSharding role:
{
  "role": "enableSharding",
  "db": "customerdb",
  "isBuiltin": true,
  "roles": [ ],
  "inheritedRoles": [ ],
  "privileges": [
    {
      "resource": {
        "db": "",
        "collection": ""
      },
      "actions": [
        "enableSharding"
      ]
    }
  ],
  "inheritedPrivileges": [
    {
      "resource": {
        "db": "",
        "collection": ""
      },
      "actions": [
        "enableSharding"
      ]
    }
  ]
}
I tested this in a sharded cluster on mongos with version:
MongoDB Enterprise mongos> db.version()
3.2.11
and also on a MacBook with a single mongod, version 3.4.7.
I guess I am doing something wrong in how I create users and grant roles?
Best Answer
You get that "role" : "enableSharding" for customerdb because of "role" : "dbAdmin". So, that user can shard customerdb, but nothing else.
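A way to check what a user's role set actually grants on a given resource, as an added example that is not part of the question or the answer: it walks role documents of the shape `db.getRole(name, {showPrivileges: true})` returns and applies MongoDB's documented resource-document matching rules (an empty db or collection field is a wildcard, and a wildcard collection excludes system collections; the local and config special cases are not modelled). The role graph is constructed sample data, with only the enableSharding entry copied from the output above, and the `sharder` user is hypothetical.

```javascript
// Added example: resolve a user's effective privileges from role documents in the
// shape of db.getRole(name, {showPrivileges: true}) output. ROLES is constructed
// sample data; only the enableSharding entry copies the question's output, the
// other built-in roles are trimmed to a couple of representative actions each.
const ROLES = {
  "enableSharding@customerdb": { roles: [], privileges: [
    { resource: { db: "", collection: "" }, actions: ["enableSharding"] }] },
  "readWrite@customerdb": { roles: [], privileges: [
    { resource: { db: "customerdb", collection: "" }, actions: ["find", "insert"] }] },
  "dbAdmin@customerdb": { roles: [], privileges: [
    { resource: { db: "customerdb", collection: "" }, actions: ["collMod", "dbStats"] }] },
  "userAdmin@customerdb": { roles: [], privileges: [
    { resource: { db: "customerdb", collection: "" }, actions: ["createUser", "grantRole"] }] },
  "dbOwner@customerdb": { privileges: [], roles: [  // dbOwner = readWrite + dbAdmin + userAdmin
    { role: "readWrite", db: "customerdb" }, { role: "dbAdmin", db: "customerdb" },
    { role: "userAdmin", db: "customerdb" }] },
};

// Resource-document semantics: an empty db or collection field is a wildcard,
// and a wildcard collection never matches system.* collections.
function resourceMatches(pattern, target) {
  if (pattern.anyResource) return true;
  if (pattern.cluster || target.cluster) return Boolean(pattern.cluster && target.cluster);
  const dbOk = pattern.db === "" || pattern.db === target.db;
  const collOk = pattern.collection === ""
    ? !target.collection.startsWith("system.")
    : pattern.collection === target.collection;
  return dbOk && collOk;
}

// Walk the role graph from the user's directly granted roles (cycle-safe) and
// collect every privilege tagged with the role document that contributed it.
function effectivePrivileges(userRoles, graph = ROLES) {
  const seen = new Set(), out = [], stack = [...userRoles];
  while (stack.length) {
    const r = stack.pop(), key = `${r.role}@${r.db}`;
    if (seen.has(key) || !graph[key]) continue;
    seen.add(key);
    for (const p of graph[key].privileges) out.push({ ...p, via: key });
    stack.push(...graph[key].roles);
  }
  return out;
}

// Roles (direct or inherited) granting `action` on `target`; an empty list means denied.
function rolesGranting(userRoles, action, target, graph = ROLES) {
  return effectivePrivileges(userRoles, graph)
    .filter(p => p.actions.includes(action) && resourceMatches(p.resource, target))
    .map(p => p.via);
}

// Hypothetical user holding the enableSharding role shown in the question: its
// resource {db: "", collection: ""} also matches a database other than customerdb.
const sharder = [{ role: "enableSharding", db: "customerdb" }];
console.log(rolesGranting(sharder, "enableSharding", { db: "otherdb", collection: "orders" }));
```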