I have created application using mongodb+nodejs
I have added new user with following roles in mongodb
{
"_id" : "testdb.testdbuser",
"user" : "testdbuser",
"db" : "testdb",
"roles" : [
{
"role" : "read",
"db" : "testdb"
},
{
"role" : "readWrite",
"db" : "testdb"
}
]
}
Started server using --auth option.
And also started node application using mongodb user credentials.
But, I am not able to read data from user collection in testdb database.
Getting this error :
MongoError: not authorized for query on testdb.user
Please any suggestion? Anything I am missing?
You need to assign the read role to the user testdbuser.
testsdbuser role does not include read access on non-system collections.
You can give it like this, it seems,
db.grantRolesToUser(
"testdbuser",
[
{ role: "read", db: "testdb" }
]
)
Related
Does Cosmos DB return updated fields in its change feed similar to the way Mongo DB does in its Change Events
Below is a change stream response document from Mongo DB. The updateDescription includes the updateFields. Does Cosmos DB provide a similar feature or are you expected to roll out your own implementation by comparing the previous documents to find out what fields have changed.
{
_id : { <BSON Object> },
"operationType" : "<operation>",
"fullDocument" : { <document> },
"ns" : {
"db" : "<database>",
"coll" : "<collection>"
},
"to" : {
"db" : "<database>",
"coll" : "<collection>"
},
"documentKey" : { "_id" : <value> },
"updateDescription" : {
"updatedFields" : { <document> },
"removedFields" : [ "<field>", ... ],
"truncatedArrays" : [
{ "field" : <field>, "newSize" : <integer> },
...
]
},
"clusterTime" : <Timestamp>,
"txnNumber" : <NumberLong>,
"lsid" : {
"id" : <UUID>,
"uid" : <BinData>
}
}
Cosmos DB does support updates in the API for MongoDB change streams: Change streams in Azure Cosmos DB’s API for MongoDB | Microsoft Docs
Change streams in Azure Cosmos DB’s API for MongoDB
Learn how to use change streams n Azure Cosmos DB’s API for MongoDB to get the changes made to your data.
The insert, update, and replace operations types are currently supported. However, the delete operation or other events are not yet supported.
I am having a user root in admin DB, also have authentication enabled.
After authentication on admin DB as root user, if i enter show users
I can see the below the output
{
"_id" : "admin.root",
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "readWriteAnyDatabase",
"db" : "admin"
}
]
}
I have another database my_test_db
I was trying to create a new user in my_test_db using the below command
use my_test_db
db.createUser({
... user: 'tesuser',
... pwd: 'passwor123',
... roles: [{role: 'read', db: 'my_test_db'}]
... })
But i got unauthorised error.
If i am userAdminAnyDatabase should i have createUser access to all the DBs ?
Or i am doing something wrong ?
Please help....
Whatever you are doing is correct. To confirm I tried the same and its working fine for me.
Possible errors:
You may be not logged in as user root
What version of MongoDB you are using?
Other than this I don't see any other possibilities.
If possible please post your error as well.
I have upgraded my MongoDB to 3.0.2 from 2.4.10. I am having the database "abc" with user as "xt". I can able to do crud operation after authenticating using db.authenticate() but I am not able to run the eval command. It throws the error as
Unauthorized not authorized on abc to execute command { $eval: "deleteDetails()" }
When I check the admin database system.users collection for the database user is
{
"_id" : "abc.xt",
"user" : "xt",
"db" : "abc",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "mydgFCRFo05wh616qw6g1g==",
"storedKey" : "c8YfzCZZ1qqw2EM8MRDQugQFk4s=",
"serverKey" : "4JVLAIevhbJI6PtdDRRbelJa4pU="
}
},
"roles" : [
{
"role" : "dbOwner",
"db" : "abc"
}
]
}
Can anyone tell, what may be the problem and also I saw that eval is deprecated, if so what can be the alternative for using in both mongo shell and node js.
As of 2.6 they made the eval command require superuser access to the database so as a dbOwner you don't have enough access. I'm researching this myself and I believe the command/runCommand might work to replace eval since it is now deprecated.
This is a userAdmin vs. userAdminAnyDatabase question.
In the system.users I have the following users (password 1234 for both):
> db.system.users.find()
{ "_id" : ObjectId("52a976cb7851682aa44d6d4d"), "user" : "admin_one", "pwd" : "884f516cf308a4c6a75bbc5a0a00807b", "roles" : [ "userAdmin", "dbAdmin" ] }
{ "_id" : ObjectId("52a97c697851682aa44d6d4f"), "user" : "admin_two", "pwd" : "26e7bb644e5919461cd6ba7403dc6906", "roles" : [ "userAdminAnyDatabase", "dbAdminAnyDatabase" ] }
Connecting with a wrong user:
$ mongo mono -u admin -p 1234
connecting to: mono
Thu Dec 12 10:09:00.733 Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } at src/mongo/shell/db.js:228
which is OK.
Connecting with the db admin:
$ mongo mono -u admin_one -p 1234
connecting to: mono
> db.system.users.find()
{ "_id" : ObjectId("52a976cb7851682aa44d6d4d"), "user" : "admin_one", "pwd" : "884f516cf308a4c6a75bbc5a0a00807b", "roles" : [ "userAdmin", "dbAdmin" ] }
{ "_id" : ObjectId("52a97c697851682aa44d6d4f"), "user" : "admin_two", "pwd" : "26e7bb644e5919461cd6ba7403dc6906", "roles" : [ "userAdminAnyDatabase", "dbAdminAnyDatabase" ] }
which is also OK.
Now, connecting with the "AnyDatabase" admin I get an error:
$ mongo mono -u admin_two -p 1234
connecting to: mono
> db.system.users.find()
error: { "$err" : "not authorized for query on mono.system.users", "code" : 16550 }
Why?
It appears that you're attempting to allocate the userAdminAnyDatabase role on the mono database, not the admin database. The anyDatabase role is only available for users that authenticate to the admin database.
See the documentation of the anyDatabase Role for more information.
I ran to similar problems after creating the admin user in mongodb.
You may want to check:
The admin user has to be in the admin database in the system
Check the roles of you admin user the role that allows you to "see" all the databases would be "clusterAdmin" I would check the roles and add those that you need for the amdin role.
this
may help
Users roles explained: http://docs.mongodb.org/manual/reference/method/db.grantRolesToUser/#db.grantRolesToUser
userAdminAnyDatabase and userAdmin do not explicitly authorize a user for any privileges beyond user administration.
You will also have to add the "clusterAdmin" role for the list databases command: http://docs.mongodb.org/manual/reference/user-privileges/#clusterAdmin
If you want you user to read/write from the database and collections, you will need to add another role, the "readWrite"
Additionally, you may want to check your mongod terminal to see what errors are popping in the back.
Good luck,
i start a new mongodb instance and local connect use mongo shell,add a user with userAdminAnyDatabase role,but when i exit the shell,start another shell,i can not find
the record of db.system.user which i insert the first time,why?
# mongo --port 27017
> db.getSiblingDB('admin')
admin
> db.addUser({user:"sa",pwd:"sa",roles:["userAdminAnyDatabase"]})
{
"user" : "sa",
"pwd" : "75692b1d11c072c6c79332e248c4f699",
"roles" : [
"userAdminAnyDatabase"
],
"_id" : ObjectId("519ddd610b4ea57201ceb000")
}
> db.system.users.find()
{ "_id" : ObjectId("519ddd610b4ea57201ceb000"), "user" : "sa", "pwd" : "75692b1d11c072c6c79332e248c4f699", "roles" : [ "userAdminAnyDatabase" ] }
> exit
bye
# mongo --port 27017
> db.system.users.find()
> use admin
switched to db admin
> db.system.users.find()
This is a security feature as of MongoDB 2.4.x. You don't want other users to be able to see the hashed passwords.
A user would need to have the userAdmin role and be logged in to view the collection.