Mongodb – Why is MongoDB user with the only privilege as “find” able to insert and update collection

I want my user to have only find action privilege on a specific collection. However, when I create the user with the privilege, restart the mongod server and run the mongo shell again with -u -p and --authenticationDatabase parameters and run insert command on the collection, it successfully inserts the document in collection. Similarly, update command also works seamlessly for this user and the corresponding collection.

Here's the code for creating the user-

use testauth
db.createUser({user: "user", pwd: "password", roles: [{role: "readWrite", db: "testauth", privileges: [{resource: {db: "testauth", collection: "readonlycol"}, actions: ["find"]}]}]})

Followed by this, I restart the mongod server with --auth and run the mongo shell with authentication parameters.
When I go ahead and try to insert a document in the collection, it works –

> use testauth
> db.readonlycol.insert({"key": "value"})
WriteResult({ "nInserted" : 1 })

update also seems to work. The only command which doesn't work is remove. What am I doing wrong?

Best Answer

according to https://docs.mongodb.com/manual/reference/built-in-roles/

the "readwrite" is to blame ...

readWrite

Provides all the privileges of the read role plus ability to modify data on all non-system collections and the system.js collection.

The role provides the following actions on those collections:

collStats
convertToCapped
createCollection
dbHash
dbStats
dropCollection
createIndex
dropIndex
find
insert
killCursors
listIndexes
listCollections
remove
renameCollectionSameDB
update

Although the list also contains the remove - right .

Best Answer

Related Solutions

Mongodb update conditional set operator ($set only when it is insert )

MongoDB duplicate “_id ” for an array “_id”

Related Question