Manage Users and Roles

Overview

This tutorial provides examples for user and role management under the MongoDB’s authorization model. Add Users describes how to add a new user to MongoDB.

Prerequisites

Important

If you have enabled access control for your deployment, you must authenticate as a user with the required privileges specified in each section. A user administrator with the userAdminAnyDatabase role, or userAdmin role in the specific databases, provides the required privileges to perform the operations listed in this tutorial. See Enable Auth for details on adding user administrator as the first user.

Create a User-Defined Role

Roles grant users access to MongoDB resources. MongoDB provides a number of built-in roles that administrators can use to control access to a MongoDB system. However, if these roles cannot describe the desired set of privileges, you can create new roles in a particular database.

Except for roles created in the admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.

A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the admin database.

To create a new role, use the db.createRole() method, specifying the privileges in the privileges array and the inherited roles in the roles array.

MongoDB uses the combination of the database name and the role name to uniquely define a role. Each role is scoped to the database in which you create the role, but MongoDB stores all role information in the admin.system.roles collection in the admin database.

Prerequisites

To create a role in a database, you must have:

Built-in roles userAdmin and userAdminAnyDatabase provide createRole and grantRole actions on their respective resources.

To create a role with authenticationRestrictions specified, you must have the setAuthenticationRestriction action on the database resource which the role is created.

Create a Role to Manage Current Operations

The following example creates a role named manageOpRole which provides only the privileges to run both db.currentOp() and db.killOp(). [1]

Note

Changed in version 3.2.9: On mongod instances, users do not need any specific privileges to view or kill their own operations. See db.currentOp() and db.killOp() for details.

1

Connect to MongoDB with the appropriate privileges.

Connect to mongod or mongos with the privileges specified in the Prerequisites section.

The following procedure uses the myUserAdmin created in Enable Auth.

mongo --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'

The myUserAdmin has privileges to create roles in the admin as well as other databases.

2

Create a new role to manage current operations.

manageOpRole has privileges that act on multiple databases as well as the cluster resource. As such, you must create the role in the admin database.

use admin
db.createRole(
   {
     role: "manageOpRole",
     privileges: [
       { resource: { cluster: true }, actions: [ "killop", "inprog" ] },
       { resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
     ],
     roles: []
   }
)

The new role grants permissions to kill any operations.

Warning

Terminate running operations with extreme caution. Only use the db.killOp() method or killOp command to terminate operations initiated by clients and do not terminate internal database operations.

[1] The built-in role clusterMonitor also provides the privilege to run db.currentOp() along with other privileges, and the built-in role hostManager provides the privilege to run db.killOp() along with other privileges.

Create a Role to Run mongostat

The following example creates a role named mongostatRole that provides only the privileges to run mongostat. [2]

1

Connect to MongoDB with the appropriate privileges.

Connect to mongod or mongos with the privileges specified in the Prerequisites section.

The following procedure uses the myUserAdmin created in Enable Auth.

mongo --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'

The myUserAdmin has privileges to create roles in the admin as well as other databases.

2

Create a new role to manage current operations.

mongostatRole has privileges that act on the cluster resource. As such, you must create the role in the admin database.

use admin
db.createRole(
   {
     role: "mongostatRole",
     privileges: [
       { resource: { cluster: true }, actions: [ "serverStatus" ] }
     ],
     roles: []
   }
)
[2] The built-in role clusterMonitor also provides the privilege to run mongostat along with other privileges.

Create a Role to Drop system.views Collection across Databases

The following example creates a role named dropSystemViewsAnyDatabase that provides the privileges to drop the system.views collection in any database.

1

Connect to MongoDB with the appropriate privileges.

Connect to mongod or mongos with the privileges specified in the Prerequisites section.

The following procedure uses the myUserAdmin created in Enable Auth.

mongo --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'

The myUserAdmin has privileges to create roles in the admin as well as other databases.

2

Create a new role to drop the