Mongodb – Users and Roles in MongoDB

mongodbpermissionsusers

Following users are created in MongoDB.

First user created with name "user" having read write role for "project" database use project.

db.createUser(
    {
      user: "user",
      pwd: "user123",
      roles: [
         { role: "readWrite", db: "project" },
         { role: "readAnyDatabase", db:"admin" }
      ]
    }
)

Second user created with name "stud" having read write role for "student" database use student.

db.createUser(
    {
      user: "stud",
      pwd: "stud123",
      roles: [
         { role: "readWrite", db: "stud" },
         { role: "readAnyDatabase", db:"admin" }
      ]
    }
)

When I connected to database having name project using "user" I am getting the project as well as the student database and I'm also able to create new collection in the student database. I haven't give any permission to "user" to access the student database.

Still it is possible to access the student database. How can I avoid this?

Best Answer

You've given 'user' the readAnyDatabase permission. This means it has read access for every database in the cluster. Change the permission to readOnly so user will have read permission on admin DB only.

Related Solutions

Postgresql – Postgres Access Roles

You don't need to GRANT only on a schema. You can get more specific and GRANT specifically to a table, like this:

GRANT ALL ON TABLE xyz.items TO admin_role;

but note that GRANT ALL and REVOKE ALL are very large sledgehammers for building very small spice racks.

Consider reviewing the excellent GRANT documentation which covers this in detail.

For your specific case, you could do something as simple as:

REVOKE CREATE ON SCHEMA public FROM admin_role;

which would remove the right to create new objects in the schema.

MongoDB: Privileges on objects created by me only

A database does not need to exist at the time you grant a user permissions on it.

So the solution to this is simply to pre-grant a superset of all permissions you expect might be needed in the future. Then they will just sit there unless and until needed.

In my case the list of permissions needed changes fairly frequently, but the prefix-style patterns are predictable. (Namely, the user's name matches the first part of its databases' names.) So I use a config file like this, to which I add entries before they are needed. The script runs regularly, and grants new permissions, which just sit there until they are actually used.

[ { 'replica_set' : 'cluster0',
    'members' : [ 'server0', 'server1', ... 'serverN' ],
    'permissions' : [ 'user' : 'lizard_user', 'db_patterns' : [ 'lizard_' ] },
    ...
  },
  { 'replica_set' : 'cluster1',
  ...
  }
]

_{I'm posting this workaround primarily to note the misconception I had about granting permissions on not-yet-existent objects, in case others share it. It would still be cool if there were a privilege like 'readWriteAllMyDatabases'.}

Best Answer

Related Solutions

Postgresql – Postgres Access Roles

MongoDB: Privileges on objects created by me only

Related Question