Role Based Authorization In MongoDB

Posted By :Ankit Kumar |25th April 2019

Roles give users access to MongoDB resources.MongoDB provides a number of built-in roles that DBadmins can use to control access to a MongoDB system. However, if these roles do not match the desired set of permissions, we can create new roles in a particular database.

MongoDB uses the combination of the DB name and the role name to uniquely define a role. Each role is scoped to the database in which you create the role, but MongoDB stores all role information in the admin.system.roles collection in the admin DB. The first user created in the DB should be a user admin who has the privileges to manage other users. We can assign roles to users during user creation. We can also update existing users to grant or revoke roles.

A user assigned a role receives all the privileges of that assigned role. A user can have multiple roles assigned to it. By assigning to the user roles in different databases, a user created in one database can have permissions to act on the other databases.

#View All The User Defined and Built-In Roles for a Database

 

db.runCommand(
    {
      rolesInfo: 1,
      showBuiltinRoles: true
    }
)

 

#Now Lets create a user for nycdb database and assign it a built in role:

username: "nycdevd" 
database: "nycdb" 
Rolename: "readWrite"

// ensure the new user is created under nycdb database

>use nycdb

//add some entry to nycdb

>db.movie.insert({"name":"hacker_man"})

// create new user and assign a role to it:

db.createUser({ 
    user:"nycdevd", 
    pwd:"pass321",
    roles:[{ role: "readWrite", db: "nycdb"  }]  
})

Creating a user-defined role:
.............................................
To create a role you must be inside the database for  which the role will be created.

>use nycdb
db.createRole(
   {
     role: "myxrole",
     privileges: [
       { resorce: { db: "nycdb", collection: "" }, actions: [ "find", "update", "insert", "remove" ] }
     ],
     roles: [     ]
   }
)

verifying roles:
~~~~~~~~~~~~~~~~~~
//navigate inside the db to get all roles associated to that db 

>db.getRoles()

# see the role with all assigned privileges

>db.getRoles(
     {
       rolesInfo: 1,
       showPrivileges:true,
       showBuiltinRoles: true
     }
 )

GRANT A ROLE
`~~~~~~~~~~~~
Assigning the newly created role to nycdevd user. Note: we can assign multiple roles to a user.

 

>use nycdb

//See available users:

>db.getUsers()

#Grant a role using the db.grantRolesToUser() method. For example, the following operation grants the "nycdevd" user the "myxrole" role on the database "nycdb":

>db.grantRolesToUser(
     "nycdevd",
     [
       { role: "myxrole", db: "nycdb" }
     ]
 )

now verify the user and its assigned role.

>db.getUsers()

#View All User-Created Roles for a Database:The following operation returns all user-defined roles for "nyc database"

 

>use nycdb
>db.runCommand(
     {
       rolesInfo: 1,
       showPrivileges: true
     }
 )

#Revoke a Role:
Revoke a role with the db.revokeRolesFromUser() method. The following example operation removes the "myxrole" role on the "nycdb" database from the user "nycdevd":

>use nycdb
>db.revokeRolesFromUser(
     "nycdevd",
     [
       { role: "myxrole", db: "nycdb" }
     ]
 )

#Now verify the user and its assigned role again:

 

>db.getUsers()
 

 


About Author

Ankit Kumar

RedHat certified in System Administration as well as Ansible Automation. A self-motivated professional with excellent research skill, enthusiasm to learn new things and always try to do his best

Request For Proposal

Sending message..

Ready to innovate ? Let's get in touch

Chat With Us