MongoDB "root" user
Is there a super UNIX like "root" user for MongoDB? I've been looking at http://docs.mongodb.org/manual/reference/user-privileges/ and have tried many combinations, but they all seem to lack in an area or another. Surely there is a role that is above all the ones listed there.

Batchelor answered 21/11, 2013 at 9:32 Comment(0)
105

While, out of the box, MongoDB has no authentication, you can create the equivalent of a root/superuser by granting the "any" roles to a specific user in the admin database.

Something like this:

use admin
db.addUser( { user: "<username>",
              pwd: "<password>",
              roles: [ "userAdminAnyDatabase",
                       "dbAdminAnyDatabase",
                       "readWriteAnyDatabase" ] } )

Update for 2.6+

While there is a new root user in 2.6, you may find that it doesn't meet your needs, as it still has a few limitations:

Provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin roles combined.

root does not include any access to collections that begin with the system. prefix.

Update for 3.0+

Use db.createUser as db.addUser was removed.

Update for 3.0.7+

root no longer has the limitations stated above.

The root has the validate privilege action on system. collections. Previously, root does not include any access to collections that begin with the system. prefix other than system.indexes and system.namespaces.

Simon answered 21/11, 2013 at 12:9 Comment(4)
addUser is deprecated since 2.6; on 3.2.3 I used db.createUser. (Orlena)
From this link: "Changed in version 3.0.7: The root has validate action on system. collections. Previously, root does not include any access to collections that begin with the system. prefix other than system.indexes and system.namespaces." (Nett)
Some error: db.createUser({ user: "dev1", pwd: "pass", roles: [ { role: "userAdminAnyDatabase", db: "xxxxxxx" } ] }); 2018-02-26T16:59:28.688+0500 E QUERY [thread1] Error: couldn't add user: No role named userAdminAnyDatabase@xxxxxx : _getErrorWithCode@src/mongo/shell/utils.js:25:13 DB.prototype.createUser@src/mongo/shell/db.js:1267:15 @(shell):1:1 (Microsporophyll)
I'd prefer @Tillett's answer over this. (Yoke)
120

The best superuser role would be root. The syntax is:

use admin

db.createUser(
{
    user: "root",
    pwd: "password",
    roles: [ "root" ]
})

For more details look at built-in roles.

Tillett answered 17/3, 2015 at 3:50 Comment(4)
Thanks. The admin database is the connection database here. (Lecce)
I see some people use 'db' in the 'roles' property. So, what if we don't have 'db'? I created a user and assigned the role 'root' with db: 'admin', and now I cannot access other collections using mongoose. Can you show how to solve that, since I am fresh to this kind of technology? (Warring)
Also, if running the command from --eval, you have to use db.getSiblingDB("admin") before createUser; otherwise it will create the admin root user in the default test database, which is not what we usually would want. (Southeastwards)
You need to be in the admin database when using the createUser method to create a root user, so first type "use admin" into the mongo shell, then you can use the createUser method. If you don't, you might get this error: "uncaught exception: Error: couldn't add user: No role named root@something" (Whitleywhitlock)
31

Mongodb user management:

roles list:

read
readWrite
dbAdmin
userAdmin
clusterAdmin
readAnyDatabase
readWriteAnyDatabase
userAdminAnyDatabase
dbAdminAnyDatabase

create user:

db.createUser(user, writeConcern)

db.createUser({ user: "user",
  pwd: "pass",
  roles: [
    { role: "read", db: "database" } 
  ]
})

update user:

db.updateUser("user",{
  roles: [
    { role: "readWrite", db: "database" } 
  ]
})

drop user:

db.removeUser("user")

or

db.dropUser("user")

view users:

db.getUsers();

more information: https://docs.mongodb.com/manual/reference/security/#read

Epos answered 2/12, 2016 at 5:28 Comment(3)
db.createUser({ user: "dev1", pwd: "pass", roles: [ { role: "userAdminAnyDatabase", db: "xxxxxxx" } ] }); 2018-02-26T16:59:28.688+0500 E QUERY [thread1] Error: couldn't add user: No role named userAdminAnyDatabase@xxxxxx : _getErrorWithCode@src/mongo/shell/utils.js:25:13 DB.prototype.createUser@src/mongo/shell/db.js:1267:15 @(shell):1:1 (Microsporophyll)
Query: db.createUser({ user: "dev1", pwd: "pass", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] }); result: Successfully added user: { "user" : "user", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] } (Epos)
Have you created the userAdminAnyDatabase rule in your system, or was it already there? Why is it not in my system? I am using CentOS 7. (Microsporophyll)
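The "No role named userAdminAnyDatabase@xxxxxxx" error in the comments above (and "No role named root@something" under Tillett's answer) comes from one rule: root and the *AnyDatabase roles exist only in the admin database, and a bare string in roles means "that role in the database createUser was run in". The following is an added example, not code from this thread or from MongoDB; it is plain Node.js with no driver, models that rule for a createUser spec, and audits a db.getUsers() result for accounts that are superusers or can make themselves one (per the userAdmin description quoted on this page). The sample users and the list of admin-only roles are constructed from what this page names.

```javascript
// Added example, not code from this thread or from MongoDB. Plain Node.js, no
// driver needed: models the rule behind the "No role named X@db" error seen
// in the comments, and audits db.getUsers() output for accounts that are
// superusers or can grant themselves superuser rights.

const ADMIN_DB = "admin";

// Built-in roles that exist only in the admin database (the ones named on this
// page; other admin-only built-ins can be added to the set).
const ADMIN_ONLY_ROLES = new Set([
  "root",
  "clusterAdmin",
  "readAnyDatabase",
  "readWriteAnyDatabase",
  "userAdminAnyDatabase",
  "dbAdminAnyDatabase",
]);

// A bare string in `roles` means "this role in the current database", which is
// why `use admin` has to precede createUser when granting "root".
function normalizeRoles(roles, currentDb) {
  return roles.map((r) =>
    typeof r === "string" ? { role: r, db: currentDb } : { role: r.role, db: r.db }
  );
}

// Same check the shell performs: an admin-only role requested on another
// database does not exist there, so the user is not created.
function validateUserSpec(spec, currentDb) {
  if (!spec.user || !spec.pwd) throw new Error("user and pwd are required");
  const roles = normalizeRoles(spec.roles || [], currentDb);
  for (const { role, db } of roles) {
    if (ADMIN_ONLY_ROLES.has(role) && db !== ADMIN_DB) {
      throw new Error(`couldn't add user: No role named ${role}@${db}`);
    }
  }
  // The user document is stored under the database createUser ran in,
  // whatever databases its roles point at (hence _id "admin.administrator").
  return { _id: `${currentDb}.${spec.user}`, user: spec.user, db: currentDb, roles };
}

// Why an account counts as a superuser: root@admin outright, and, per the
// userAdmin description quoted on this page, a user admin on the admin
// database can grant itself any role.
function superuserReasons(user) {
  const has = (role, db) => user.roles.some((r) => r.role === role && r.db === db);
  const reasons = [];
  if (has("root", ADMIN_DB)) reasons.push("holds root@admin");
  if (has("userAdminAnyDatabase", ADMIN_DB)) reasons.push("userAdminAnyDatabase@admin can grant itself any role");
  if (has("userAdmin", ADMIN_DB)) reasons.push("userAdmin@admin can grant itself any role");
  return reasons;
}

// Run over db.getUsers() output; returns only the accounts worth reviewing.
function auditUsers(users) {
  return users
    .map((u) => ({ _id: u._id, reasons: superuserReasons(u) }))
    .filter((u) => u.reasons.length > 0);
}

// Constructed sample, shaped like the db.getUsers() output shown in the thread.
const SAMPLE_USERS = [
  { _id: "admin.administrator", user: "administrator", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { _id: "reporting.reader", user: "reader", db: "reporting", roles: [{ role: "read", db: "reporting" }] },
  { _id: "admin.ops", user: "ops", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditUsers(SAMPLE_USERS));
  try {
    validateUserSpec({ user: "dev1", pwd: "pass", roles: [{ role: "userAdminAnyDatabase", db: "xxxxxxx" }] }, ADMIN_DB);
  } catch (e) {
    console.log(e.message);
  }
}
```

Running it flags admin.administrator and admin.ops but not reporting.reader, and rejects the dev1 spec with the same message the comment shows. The audit is the part worth keeping: anyone with userAdmin on admin is a root-equivalent for review purposes even though the role name looks harmless.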
10

There is a superuser role, root, which is a built-in role and may meet your need.

Epithalamium answered 27/5, 2014 at 4:1 Comment(1)
Yes, and just for the record, the root role was introduced in MongoDB 2.6. (Vanderhoek)
4

I noticed a lot of these answers use this command:

use admin

which switches to the admin database. At least in Mongo v4.0.6, creating a user in the context of the admin database will create a user with "_id" : "admin.administrator":

> use admin
> db.getUsers()
[ ]
> db.createUser({ user: 'administrator', pwd: 'changeme', roles: [ { role: 'root', db: 'admin' }  ] })
> db.getUsers()
[
    {
        "_id" : "admin.administrator",
        "user" : "administrator",
        "db" : "admin",
        "roles" : [
            {
                "role" : "root",
                "db" : "admin"
            }
        ],
        "mechanisms" : [
            "SCRAM-SHA-1",
            "SCRAM-SHA-256"
        ]
    }
]

I emphasize "admin.administrator", for I have a Mongoid (MongoDB Ruby adapter) application with a different database than admin, and I use the URI to reference the database in my mongoid.yml configuration:

development:
  clients:
    default:
      uri: <%= ENV['MONGODB_URI'] %>
      options:
        connect_timeout: 15
        retry_writes: false

This references the following environment variable:

export MONGODB_URI='mongodb://administrator:[email protected]/mysite_development?retryWrites=true&w=majority'

Notice the database is mysite_development, not admin. When I try to run the application, I get an error "User administrator (mechanism: scram256) is not authorized to access mysite_development".

So I return to the Mongo shell, delete the user, switch to the specified database and recreate the user:

$ mongo
> db.dropUser('administrator')
> db.getUsers()
[]
> use mysite_development
> db.createUser({ user: 'administrator', pwd: 'changeme', roles: [ { role: 'root', db: 'admin' }  ] })
> db.getUsers()
[
    {
        "_id" : "mysite_development.administrator",
        "user" : "administrator",
        "db" : "mysite_development",
        "roles" : [
            {
                "role" : "root",
                "db" : "admin"
            }
        ],
        "mechanisms" : [
            "SCRAM-SHA-1",
            "SCRAM-SHA-256"
        ]
    }
]

Notice that the _id and db changed to reference the specific database my application depends on:

"_id" : "mysite_development.administrator",
"db" : "mysite_development",

After making this change, the error went away and I was able to connect to MongoDB fine inside my application.

Extra Notes:

In my example above, I deleted the user and recreated the user in the right database context. Had you already created the user in the right database context but given it the wrong roles, you could assign a mongodb built-in role to the user:

db.grantRolesToUser('administrator', [{ role: 'root', db: 'admin' }])

There is also a db.updateUser command, albeit typically used to update the user password.

Her answered 23/2, 2020 at 22:49 Comment(0)
0

It is common practice to have a single db that is used just for the authentication data for a whole system. In the connection URI, as well as specifying the db that you are connecting to, you can also specify the db to authenticate against.

"mongodb://userName:[email protected]:27017/enduserdb?authSource=myAuthdb"

That way you create all your user credentials AND roles in that single auth db. If you want a be-all and end-all superuser on a db, then you just give them the role of "root@thedbinquestion", for example...

use admin
db.runCommand({
    "updateUser" : "anAdminUser",
    "customData" : {},
    "roles" : [
        {
            "role" : "root",
            "db" : "thedbinquestion"
        } ] });
Territorialism answered 14/7, 2021 at 13:7 Comment(0)
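Two answers in this thread hit the same mechanism from opposite sides: the Mongoid answer above found that a user created under admin could not log in when the URI named mysite_development, and fixed it by recreating the user in that database; this answer keeps the users in one auth database and points the URI at it with authSource. The rule is that the driver authenticates against authSource if given, else the database in the URI path, else admin, and looks the user up in that database (the "<db>.<user>" _id that db.getUsers() shows). The following is an added example, not code from this thread or from any MongoDB driver: plain Node.js using the built-in URL class, with constructed host names and users, that resolves the auth database for a connection string and checks whether a login could succeed.

```javascript
// Added example, not code from this thread or from any MongoDB driver. Plain
// Node.js (global URL class): works out which database a connection string
// authenticates against and checks it against the users that exist. Host
// names, passwords and users below are constructed for the example.

const ADMIN_DB = "admin";

function pathDatabase(url) {
  // "/mysite_development" -> "mysite_development"; "" or "/" -> null
  const db = url.pathname.replace(/^\//, "");
  return db || null;
}

// Connection-string rule: an explicit authSource wins; otherwise the database
// in the path; otherwise "admin".
function resolveAuthSource(uri) {
  const url = new URL(uri);
  return url.searchParams.get("authSource") || pathDatabase(url) || ADMIN_DB;
}

function describeUri(uri) {
  const url = new URL(uri);
  return {
    user: decodeURIComponent(url.username),
    targetDb: pathDatabase(url),
    authSource: resolveAuthSource(uri),
  };
}

// The server looks the user up as "<authSource>.<name>", the _id format that
// db.getUsers() shows, so a user created with `use admin` is invisible when the
// URI makes the driver authenticate against the application database.
function findAuthUser(users, uri) {
  const { user, authSource } = describeUri(uri);
  return users.find((u) => u._id === `${authSource}.${user}`) || null;
}

function canAuthenticate(users, uri) {
  return findAuthUser(users, uri) !== null;
}

// Constructed sample: the administrator was created under admin, with a role
// that only exists there.
const SAMPLE_USERS = [
  { _id: "admin.administrator", user: "administrator", db: "admin", roles: [{ role: "root", db: "admin" }] },
];

// Same shape as the Mongoid URI earlier in the thread: app database in the
// path, no authSource (constructed host and password).
const APP_URI =
  "mongodb://administrator:changeme@db.example.test:27017/mysite_development?retryWrites=true&w=majority";
// The alternative to recreating the user: keep it in admin and say so.
const APP_URI_WITH_AUTHSOURCE = APP_URI + "&authSource=admin";

if (typeof require !== "undefined" && require.main === module) {
  for (const uri of [APP_URI, APP_URI_WITH_AUTHSOURCE]) {
    const d = describeUri(uri);
    console.log(`${d.user} -> db ${d.targetDb}, auth against ${d.authSource}: ` +
      (canAuthenticate(SAMPLE_USERS, uri) ? "user found" : "user not found"));
  }
}
```

With the first URI the lookup is for mysite_development.administrator, which does not exist, which is the "is not authorized to access mysite_development" situation; adding authSource=admin makes the lookup admin.administrator and succeeds without moving the user. Keeping accounts in one auth database and naming it in the URI is the cleaner fix, since it leaves db.getUsers() in admin as the single place to audit.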
0

Now you can change your built-in role to Atlas admin in the console; this fixed my issue.

(Screenshot: Atlas admin location)

Reinhart answered 23/10, 2022 at 19:7 Comment(0)
-1

"userAdmin is effectively the superuser role for a specific database. Users with userAdmin can grant themselves all privileges. However, userAdmin does not explicitly authorize a user for any privileges beyond user administration." from the link you posted

Hinkel answered 21/11, 2013 at 9:52 Comment(0)
