How to create a user with collection specific access in MongoDB

John Jung
Oct 2 · 2 min read

Today I will show you how to create a user with access to only one collection in a specific database in MongoDB. Connect first as a user that is allowed to create roles and users in that database (one holding userAdmin on it, or userAdminAnyDatabase). Keep in mind that a role is scoped to the database it is created in, so both the role and the user below are created in the sandbox database.

Step 1. Create a new role. Run this after switching to the target database (use sandbox), because the role lives in the database it is created in and the user in Step 2 refers to it by that database.

db.createRole(
{
role: "specialcollectionReadOnly",
privileges: [
{
// the resource names only the database and collection;
// what the role may do there comes from the actions array
resource: {
db: 'sandbox',
collection: 'specialcollection'
}, actions: ["find"]
}
],
roles: []
}
)

role: name of the new role

privileges: an array of objects, each pairing a resource with the actions allowed on it

— resource

— — db: the name of your database

— — collection: the name of your collection. Do not leave either of these as an empty string: an empty string means every database or every collection, which would widen the grant far beyond one collection.

— actions: the operations the role may perform on that resource. For read-only access use just "find"; for writes add "insert", "update" and "remove". (There is no role field inside resource; a resource document carries only db and collection, and the server rejects other fields.)

— roles: any other roles this role inherits from (leave the array empty for a role this narrow)

If you want to cover more collections or databases, add more of the same { resource, actions } objects to the privileges array.

The above creates a role named specialcollectionReadOnly whose only privilege is the find action on the specialcollection collection in the sandbox database, so a user holding that role can run queries there and nothing else.

MongoDB Response: the shell just prints the role document back to you

{
"role" : "specialcollectionReadOnly",
"privileges" : [
{
"resource" : {
"db" : "sandbox",
"collection" : "specialcollection"
},
"actions" : [
"find"
]
}
],
"roles" : []
}

Step 2. Attach this role to a user

// create the user in the same database the role lives in
use sandbox
db.createUser({
user: 'test-specialcollection',
pwd: 's0m3*s3cur3&p@ssw0rd', // use a generated password in practice
roles: [
{ role: 'specialcollectionReadOnly', db: 'sandbox' }
]
})

MongoDB Response — will say successfully added user

Successfully added user: {
"user" : "test-specialcollection",
"roles" : [
{
"role" : "specialcollectionReadOnly",
"db" : "sandbox"
}
]
}

Step 3. Don't skip this step: log in as the new user (for example mongo -u test-specialcollection -p --authenticationDatabase sandbox, since the user was created in sandbox) and verify both that the login works and that the user can't do anything else!

Test Case 1. Make sure you can access specialcollection inside the sandbox database.

sandbox-mongo:PRIMARY> db.specialcollection.find()
{ ... your data ... }
Type "it" for more

Test Case 2. Make sure that you can't access any other collection

sandbox-mongo:PRIMARY> db.secure.find()
Error: error: {
"ok" : 0,
"errmsg" : "not authorized on sandbox to execute command { find: \"secure\", filter: {} }",
"code" : 13,
"codeName" : "Unauthorized"
}

Test Case 3. Make sure that other db admin functions are disabled

sandbox-mongo:PRIMARY> show collections
2019-10-02T19:12:34.306-0400 E QUERY    [thread1] Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on sandbox to execute command { listCollections: 1.0, filter: {} }",
"code" : 13,
"codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:807:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:819:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:830:16
shellHelper.show@src/mongo/shell/utils.js:775:9
shellHelper@src/mongo/shell/utils.js:672:15
@(shellhelp2):1:1
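The three steps as one mongo shell script, added here as an example and not code from the original post. It builds the role and user documents, provisions them in the target database, and, when loaded again as the new user, runs the post's three checks plus a fourth that the post does not cover: an insert into the permitted collection, which a find-only role must also reject. The database, collection, role and user names are the ones used above; the password is a placeholder, and the file name and the admin account in the usage lines are assumptions.

```javascript
// Added example, not code from the original post: the three steps as one
// mongosh/mongo shell script plus the verification checks. Names are the
// article's; the password is a placeholder to replace with a generated one.
// Load it twice: once as an administrator (it provisions), then reconnected
// as the new user (it verifies). File name and admin account are assumptions:
//   mongosh -u admin -p --authenticationDatabase admin --file collection_role.js
//   mongosh -u test-specialcollection -p --authenticationDatabase sandbox --file collection_role.js

const TARGET_DB = "sandbox";
const TARGET_COLLECTION = "specialcollection";
const ROLE_NAME = "specialcollectionReadOnly";
const USER_NAME = "test-specialcollection";

// Document for db.createRole(): the resource names ONLY db and collection;
// what the role may do comes from the actions array ("find" = read only).
function buildReadOnlyRole(dbName, collectionName, roleName) {
  if (!dbName || !collectionName) {
    // An empty db or collection string means "all of them", which would
    // silently widen the grant, so refuse to build such a role.
    throw new Error("db and collection must be non-empty for a collection-scoped role");
  }
  return {
    role: roleName,
    privileges: [
      { resource: { db: dbName, collection: collectionName }, actions: ["find"] },
    ],
    roles: [],
  };
}

// Document for db.createUser(): the role reference must name the database
// the role was created in.
function buildUser(userName, password, roleName, dbName) {
  return { user: userName, pwd: password, roles: [{ role: roleName, db: dbName }] };
}

// Run an operation that must be rejected; only server error code 13
// (Unauthorized) counts as a pass, anything else is a finding.
function expectUnauthorized(label, operation) {
  try {
    operation();
    return { label, ok: false, detail: "succeeded but should have been denied" };
  } catch (e) {
    const unauthorized = e.code === 13 || e.codeName === "Unauthorized";
    return { label, ok: unauthorized, detail: String(e.message) };
  }
}

// Steps 1 and 2, run in the target database so the role is scoped to it.
function provision(shellDb, password) {
  const target = shellDb.getSiblingDB(TARGET_DB);
  target.createRole(buildReadOnlyRole(TARGET_DB, TARGET_COLLECTION, ROLE_NAME));
  target.createUser(buildUser(USER_NAME, password, ROLE_NAME, TARGET_DB));
}

// Step 3, run as the new user: the post's three checks plus a write attempt
// on the permitted collection, which a find-only role must also reject.
function verifyLeastPrivilege(shellDb) {
  const target = shellDb.getSiblingDB(TARGET_DB);
  const results = [];
  target.getCollection(TARGET_COLLECTION).findOne(); // Test Case 1: throws if denied
  results.push({ label: "find on " + TARGET_COLLECTION, ok: true, detail: "allowed" });
  results.push(expectUnauthorized("find on another collection",
    () => target.getCollection("secure").findOne()));           // Test Case 2
  results.push(expectUnauthorized("listCollections",
    () => target.getCollectionNames()));                        // Test Case 3
  results.push(expectUnauthorized("insert into " + TARGET_COLLECTION,
    () => target.getCollection(TARGET_COLLECTION).insertOne({ probe: 1 })));
  return results;
}

// Only inside the mongo shell (where `db` exists): provision when connected
// as someone else, verify when connected as the test user.
if (typeof db !== "undefined") {
  const users = db.runCommand({ connectionStatus: 1 }).authInfo.authenticatedUsers;
  if (users.some((u) => u.user === USER_NAME)) {
    printjson(verifyLeastPrivilege(db));
  } else {
    provision(db, "REPLACE-WITH-A-GENERATED-PASSWORD");
  }
}
```

Every entry printed by the verification run should have ok: true; an entry with ok: false and detail "succeeded but should have been denied" means the grant is wider than one read-only collection (typically an empty db or collection string, or extra actions) and the role should be fixed before the credentials are handed out.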

johnjjung

John Jung — CTO of June.ai
