MongoDB employs Role-Based Access Control (RBAC) to govern access to a MongoDB system. A user is granted one or more roles that determine the user's access to database resources and operations. Outside of role assignments, the user has no access to the system.
Enable Access Control
MongoDB does not enable access control by default. You can enable authorization with the --auth command-line option or the security.authorization configuration setting. Enabling internal authentication also enables client authorization.
Once access control is enabled, users must authenticate themselves.
Roles
A role grants privileges to perform the specified actions on a resource. Each privilege is either specified explicitly in the role, inherited from another role, or both.
Privileges
A privilege consists of a specified resource and the actions permitted on the resource.
A resource is a database, collection, set of collections, or the cluster. If the resource is the cluster, the affiliated actions affect the state of the system rather than a specific database or collection.
An action specifies the operation allowed on the resource.
Inherited Privileges
A role can include one or more existing roles in its definition, in which case the role inherits all the privileges of the included roles.
A role can inherit privileges from other roles in its database. A role created on the admin database can inherit privileges from roles in any database.
View Role's Privileges
You can view the privileges for a role by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.
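The following is an added example, not MongoDB's own code: it resolves a role's effective privileges offline, the way rolesInfo with showPrivileges: true reports them, by walking the roles arrays a user-defined role inherits from. The catalog and role names are constructed sample data, keyed "<db>.<role>" because MongoDB identifies a role by database and name.

```javascript
// Constructed sample catalog of role definitions (not real MongoDB data).
const catalog = {
  "admin.clusterMonitorLite": {
    privileges: [{ resource: { cluster: true }, actions: ["inprog", "serverStatus"] }],
    roles: [],
  },
  "reporting.readReports": {
    privileges: [{ resource: { db: "reporting", collection: "" }, actions: ["find"] }],
    roles: [],
  },
  "admin.opsReporter": {
    privileges: [{ resource: { cluster: true }, actions: ["killop"] }],
    // A role in admin may inherit from roles in any database.
    roles: [{ role: "clusterMonitorLite", db: "admin" }, { role: "readReports", db: "reporting" }],
  },
};

// Stable key for a resource so privileges on the same resource can be merged.
function resourceKey(resource) {
  return JSON.stringify(resource, Object.keys(resource).sort());
}

// Returns { "<resourceKey>": Set(actions) } for a role, including everything it
// inherits transitively. `seen` guards against inheritance cycles and diamonds.
function effectivePrivileges(db, role, seen = new Set()) {
  const id = `${db}.${role}`;
  const merged = {};
  if (seen.has(id)) return merged;        // already visited: nothing new to add
  seen.add(id);
  const def = catalog[id];
  if (!def) throw new Error(`unknown role ${id}`);
  const add = (key, actions) => {
    merged[key] = merged[key] || new Set();
    for (const a of actions) merged[key].add(a);
  };
  for (const p of def.privileges) add(resourceKey(p.resource), p.actions);
  for (const r of def.roles) {
    const inherited = effectivePrivileges(r.db, r.role, seen);
    for (const [key, actions] of Object.entries(inherited)) add(key, actions);
  }
  return merged;
}

// Does the role, directly or through inheritance, permit `action` on `resource`?
function allows(db, role, resource, action) {
  const priv = effectivePrivileges(db, role)[resourceKey(resource)];
  return priv !== undefined && priv.has(action);
}
```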
Users and Roles
You can assign roles to users during the user creation. You can also update existing users to grant or revoke roles.
A user assigned a role receives all the privileges of that role. A user can have multiple roles. By assigning a user roles in various databases, a user created in one database can have permissions to act on other databases.
The first user created in the database should be a user administrator who has the privileges to manage other users.
Built-In Roles and User-Defined Roles
MongoDB provides built-in roles that supply sets of privileges commonly needed in a database system.
If these built-in roles cannot provide the desired set of privileges, MongoDB provides methods to create and modify user-defined roles.
User-Defined Roles
To add a role, MongoDB provides the db.createRole() method. MongoDB also provides methods to update existing user-defined roles.
Scope
When adding a role, you create the role in a specific database. MongoDB uses the combination of the database and the role name to uniquely define a role.
Except for roles created in the admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.
A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the admin database.
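As an added example (not MongoDB's own code), the check below applies the scope rules just described to a role definition before it is handed to db.createRole() in the target database: outside admin, a role may only carry privileges on its own database and may only inherit from roles in its own database, while an admin role may reference any database, the cluster resource, and roles from any database. The role definitions at the bottom are constructed, with manageOpRole mirroring the example used later on this page.

```javascript
// Returns a list of scope violations; an empty array means the definition is in scope.
function validateRoleScope(targetDb, roleDef) {
  const errors = [];
  const isAdmin = targetDb === "admin";
  for (const [i, p] of (roleDef.privileges || []).entries()) {
    const res = p.resource || {};
    if (!Array.isArray(p.actions) || p.actions.length === 0)
      errors.push(`privileges[${i}]: actions must be a non-empty array`);
    if (isAdmin) continue;               // admin roles may target any resource
    if (res.cluster === true)
      errors.push(`privileges[${i}]: the cluster resource requires the role to live in admin`);
    else if (res.db !== targetDb)
      // db "" means "any database", which a non-admin role may not claim either.
      errors.push(`privileges[${i}]: resource db "${res.db}" is not ${targetDb}`);
  }
  for (const [i, r] of (roleDef.roles || []).entries()) {
    // A bare string ("read") is shorthand for a role in the same database.
    const name = typeof r === "string" ? r : r.role;
    const fromDb = typeof r === "string" ? targetDb : r.db;
    if (!isAdmin && fromDb !== targetDb)
      errors.push(`roles[${i}]: cannot inherit ${name} from ${fromDb} outside admin`);
  }
  return errors;
}

// Constructed definitions for demonstration.
const manageOpRole = {
  role: "manageOpRole",
  privileges: [
    { resource: { cluster: true }, actions: ["killop", "inprog"] },
    { resource: { db: "", collection: "" }, actions: ["killCursors"] },
  ],
  roles: [],
};

const reportsReader = {
  role: "reportsReader",
  privileges: [{ resource: { db: "reporting", collection: "reports" }, actions: ["find"] }],
  roles: ["read"],                        // inherits from "read" in the same database
};
```

The same definition passes in admin and fails twice in any other database, one error per out-of-scope privilege.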
Centralized Role Data
MongoDB stores all role information in the system.roles collection in the admin database.
Do not access this collection directly but instead use the role management commands to view and edit custom roles.
Manage Users and Roles
If you have enabled access control for your deployment, you must authenticate as a user with the required privileges specified in each section. A user administrator with the userAdminAnyDatabase role, or the userAdmin role in the specific database, can perform almost all role management operations.
Create a User-Defined Role
Roles grant users access to MongoDB resources. MongoDB provides a number of built-in roles that administrators can use to control access to a MongoDB system. However, if these roles cannot describe the desired set of privileges, you can create new roles in a particular database.
Prerequisites
To create a role in a database, you must have:
the createRole action on that database resource.
the grantRole action on that database to specify privileges for the new role as well as to specify roles to inherit from.
Built-in roles userAdmin and userAdminAnyDatabase provide createRole and grantRole actions on their respective resources.
To create a role with authenticationRestrictions specified, you must have the setAuthenticationRestriction action on the database resource in which the role is created.
Create a Role to Manage Current Operations
The following example creates a role named manageOpRole that provides only the privileges needed to run both db.currentOp() and db.killOp().
Step 1: Login
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin user has privileges to create roles in the admin database as well as in other databases.
Step 2: Create a new role to manage current operations.
manageOpRole has privileges that act on multiple databases as well as the cluster resource. As such, you must create the role in the admin database.
use admin
db.createRole(
  {
    role: "manageOpRole",
    privileges: [
      { resource: { cluster: true }, actions: [ "killop", "inprog" ] },
      { resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
    ],
    roles: []
  }
)
Create a Role to Run mongostat
The following example creates a role named mongostatRole that provides only the privileges to run
Step 1: Connect to MongoDB with the appropriate privileges.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Step 2: Create a new role to drop the system.views collection in any database.
For the role, specify a privilege that consists of:
an actions array that contains the dropCollection action, and
a resource document that specifies an empty string ("") for the database and the string "system.views" for the collection. See Specify Collections Across Databases as Resource for more information.
use admin
db.createRole(
  {
    role: "dropSystemViewsAnyDatabase",
    privileges: [
      {
        actions: [ "dropCollection" ],
        resource: { db: "", collection: "system.views" }
      }
    ],
    roles: []
  }
)
references:
https://docs.mongodb.com/manual/core/authorization/