Mongodb – created a user with clusterMonitor and dbOwner role, but db.getRoles() shows enableSharding role

Tags: mongodb, mongodb-3.4, permissions, role, users

I created a user with full privileges in its own database (dbOwner) and read-only access to administrative commands (clusterMonitor):

use customerdb           
(mongod-3.4.7) customerdb> db.createUser( { user: "customer",
...                  pwd: "customerpw",
...                  roles: [ { role: "clusterMonitor", db: "admin" },
...                           { role: "dbOwner", db: "customerdb" }] },
...                { w: "majority" , wtimeout: 5000 } )        
Successfully added user: {
  "user": "customer",
  "roles": [
    {
      "role": "clusterMonitor",
      "db": "admin"
    },
    {
      "role": "dbOwner",
      "db": "customerdb"
    }
  ]
}

Enabled auth and logged in with the new user. It's a Homebrew-installed MongoDB single instance with the latest release.

$ mongo -u customer -p customerpw localhost --authenticationDatabase=customerdb

Why does getRoles() show me the enableSharding role? I didn't find an explanation in the docs.

> db.getRoles(
...     {
...       rolesInfo: 1,
...       showPrivileges:false,
...       showBuiltinRoles: true
...     }
... )      
[
  {
    "role": "dbAdmin",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "dbOwner",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "enableSharding",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "read",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "readWrite",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  },
  {
    "role": "userAdmin",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ]
  }
]

The privileges for the enableSharding role:

  {
    "role": "enableSharding",
    "db": "customerdb",
    "isBuiltin": true,
    "roles": [ ],
    "inheritedRoles": [ ],
    "privileges": [
      {
        "resource": {
          "db": "",
          "collection": ""
        },
        "actions": [
          "enableSharding"
        ]
      }
    ],
    "inheritedPrivileges": [
      {
        "resource": {
          "db": "",
          "collection": ""
        },
        "actions": [
          "enableSharding"
        ]
      }
    ]
  }

I tested this in a sharded cluster on mongos with version:

MongoDB Enterprise mongos> db.version()
3.2.11

and also on MacBook with single mongod and version 3.4.7

I guess I am doing something wrong in how I create users and grant roles?

Best Answer

You get that "role" : "enableSharding" for customerdb because of "role" : "dbAdmin". So, that user can shard customerdb, but nothing else.
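As an added illustration (not part of the question or the answer), the check a practitioner would run to settle this is against the user's effective privileges rather than the database's role catalogue: `db.getRoles({showBuiltinRoles: true})` lists every role defined for the database, while `db.runCommand({usersInfo: "customer", showPrivileges: true})` returns what the user can actually do. The script below walks a response in that shape and reports the actions held on one database; the `usersInfoSample` document is a constructed sample, not real output from the poster's servers.

```javascript
// Added example (not from the question or answer): audit which actions a
// user actually holds on one database from the usersInfo command's output
// (db.runCommand({usersInfo: "customer", showPrivileges: true}) in the shell).
const usersInfoSample = {  // constructed sample in the usersInfo response shape
  users: [{
    user: "customer", db: "customerdb",
    roles: [{ role: "clusterMonitor", db: "admin" }, { role: "dbOwner", db: "customerdb" }],
    inheritedRoles: [
      { role: "dbAdmin", db: "customerdb" }, { role: "readWrite", db: "customerdb" },
      { role: "userAdmin", db: "customerdb" }, { role: "clusterMonitor", db: "admin" },
    ],
    inheritedPrivileges: [
      { resource: { db: "customerdb", collection: "" },
        actions: ["find", "insert", "update", "remove", "createIndex", "dropCollection"] },
      { resource: { db: "customerdb", collection: "" },
        actions: ["enableSharding", "createUser", "grantRole"] },
      { resource: { cluster: true }, actions: ["serverStatus", "listShards"] },
      { resource: { db: "", collection: "" }, actions: ["collStats", "dbStats", "listCollections"] },
    ],
  }],
  ok: 1,
};

// Resource document semantics: {db: "x", collection: ""} covers every collection
// in x; {db: "", collection: ""} covers every collection in every database;
// {cluster: true} is cluster-wide state, not a database; {anyResource: true} is everything.
function resourceCoversDb(resource, dbName) {
  if (resource.anyResource) return true;
  if (resource.cluster) return false;
  return resource.db === "" || resource.db === dbName;
}

// Sorted, de-duplicated actions the user holds on `dbName`, from all inherited privileges.
function actionsOnDb(usersInfo, dbName) {
  const actions = new Set();
  for (const p of usersInfo.users[0].inheritedPrivileges) {
    if (resourceCoversDb(p.resource, dbName)) p.actions.forEach(a => actions.add(a));
  }
  return [...actions].sort();
}

// Least-privilege check for the question's concern: can the user shard `dbName`?
function canEnableSharding(usersInfo, dbName) {
  return actionsOnDb(usersInfo, dbName).includes("enableSharding");
}

console.log(actionsOnDb(usersInfoSample, "customerdb"));
console.log("can shard customerdb:", canEnableSharding(usersInfoSample, "customerdb"));
console.log("can shard otherdb:", canEnableSharding(usersInfoSample, "otherdb"));
```

Run the same walk over the real `usersInfo` response for each application user to confirm the granted roles do not carry more actions than the application needs.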