How to create a user with collection specific access in MongoDB
Today I will show you how to create a user with access to only one collection in a specific database in MongoDB.
Step 1. Create a new role.
db.createRole(
  {
    role: "specialcollectionReadOnly",   // name of the new role
    privileges: [
      {
        // The resource document only takes db and collection. What the user
        // may do on that resource is set by the actions array, not by a role
        // name inside resource (MongoDB ignores or rejects unknown keys there).
        resource: {
          db: 'sandbox',
          collection: 'specialcollection'
        },
        actions: ["find"]   // the only operation this role allows
      }
    ],
    roles: []   // no other roles are inherited
  }
)
- role: name of the new role
- privileges:
  - resource
    - role: this is the MongoDB database user role; the two most common are read or readWrite (note that MongoDB's resource document itself only defines db and collection, so what the user can actually do is decided by the actions array, not by this value)
    - db: the name of your database
    - collection: the name of your collection
  - actions: the operations allowed on that resource (here only find)
- roles: any other roles you want inherited
If you want more collections or databases, just create more of the same objects inside privileges, since it's an array of objects.
The above will create a new role named specialcollectionReadOnly with limited access to specifically the sandbox database and specifically the specialcollection collection, where a user with that role can only execute find operations.
MongoDB Response — the shell just repeats the role object back to you
{
  "role" : "specialcollectionReadOnly",
  "privileges" : [
    {
      "resource" : {
        "db" : "sandbox",
        "collection" : "specialcollection"
      },
      "actions" : [
        "find"
      ]
    }
  ],
  "roles" : []
}
Step 2. Attach this role to a user
// switch to the database the role was created in
use sandbox
// the role name must match the one created in Step 1
db.createUser({
  user: 'test-specialcollection',
  pwd: 's0m3*s3cur3&p@ssw0rd',
  roles: [
    { role: 'specialcollectionReadOnly', db: 'sandbox' }
  ]
})
MongoDB Response — will say successfully added user
Successfully added user: {
  "user" : "test-specialcollection",
  "roles" : [
    {
      "role" : "specialcollectionReadOnly",
      "db" : "sandbox"
    }
  ]
}
Step 3. Don’t skip this step and verify that the login works and that you can’t do anything else!
Test Case 1. Make sure you can access specialcollection inside the sandbox database.
sandbox-mongo:PRIMARY> db.specialcollection.find()
{... your data ...}
Type "it" for more
Test Case 2. Make sure that you can’t access any other collection
sandbox-mongo:PRIMARY> db.secure.find()
Error: error: {
  "ok" : 0,
  "errmsg" : "not authorized on sandbox to execute command { find: \"threads\", filter: {} }",
  "code" : 13,
  "codeName" : "Unauthorized"
}
Test Case 3. Make sure that other db admin functions are disabled
sandbox-mongo:PRIMARY> show collections
2019-10-02T19:12:34.306-0400 E QUERY [thread1] Error: listCollections failed: {
  "ok" : 0,
  "errmsg" : "not authorized on sandbox to execute command { listCollections: 1.0, filter: {} }",
  "code" : 13,
  "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:807:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:819:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:830:16
shellHelper.show@src/mongo/shell/utils.js:775:9
shellHelper@src/mongo/shell/utils.js:672:15
@(shellhelp2):1:1