Tags: database, mongodb, roles, privileges, unauthorized

Getting Unauthorized error when executing createRole on MongoDB


Below are the privileges for my account (user svc-mydbuser):

{
   privileges: [
      {
         actions: ["dropRole", "createRole", "grantRole", "find", "viewRole"],
         resource: { db: "admin", collection: "" }
      },
      {
         actions: [
            "changeStream", "collStats", "createIndex", "dbHash",
            "dbStats", "dropIndex", "find", "killCursors", "listCollections",
            "listIndexes", "planCacheRead", "insert", "update", "remove"
         ],
         resource: { db: "admin", collection: "system.roles" }
      },
      {
         actions: ["dropDatabase", "createDatabase"],
         resource: { db: "core-POC", collection: "" }
      }],
   roles: [
      { role: "readWrite", db: "core-POC" },
      { role: "userAdmin", db: "admin" }
   ]
}

I'm getting the below error after logging in to the mongo database and trying the createRole command:

MongoDB Enterprise REP062:PRIMARY> use admin;

MongoDB Enterprise REP062:PRIMARY> db.adminCommand(
   {
      createRole: "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
      privileges: [],
      roles: [
         { role: "read", db: "core-POC" }
      ]
   }
);

{
        "operationTime" : Timestamp(1691051515, 106),
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { createRole: \"CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com\", privileges: [], roles: [ { role: \"read\", db: \"core-POC\" } ], lsid: { id: UUID(\"0174cbc1-0595-40f2-9609-bd43927c06f4\") }, $clusterTime: { clusterTime: Timestamp(1691048964, 1), signature: { hash: BinData(0, 2B98A040357462EBE5CB97642C569DC3A6958C81), keyId: 7216972790308536321 } }, $db: \"admin\" }",
        "code" : 13,
        "codeName" : "Unauthorized",
        "$clusterTime" : {
                "clusterTime" : Timestamp(1691051515, 106),
                "signature" : {
                        "hash" : BinData(0,"ygtzgwKkaNXmNzIXYCzbk9yprbk="),
                        "keyId" : NumberLong("7216972790308536321")
                }
        }
}

Can you suggest what privileges should be provided to my account, without providing admin rights, so that I can successfully execute the createRole and dropRole commands?


Solution

  • The problem is not the createRole command, it is the role you would like to grant. You can create the role; this command works fine:

    db.adminCommand(
       {
          createRole: "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
          privileges: [],
          roles: []
       }
    );
    

    The error appears at this command:

    db.getSiblingDB('admin').grantRolesToRole(
       "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
       [{ role: "read", db: "core-POC" }]
    )
    MongoServerError: not authorized on admin to execute command { grantRolesToRole: "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com", roles: [ { role: "read", db: "core-POC" } ], lsid: { id: UUID("a7b88755-3bbc-4695-8dcf-64799f9fa2cc") }, $db: "admin" }
    

    You could grant the role { role: "userAdminAnyDatabase", db: "admin" }.

    However, the userAdminAnyDatabase role does not restrict the privileges that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration.

    So it is better to create a custom role and grant it to the user:

    db.adminCommand(
       {
          createRole: "svc-role",
          privileges: [{
             resource: { db: "core-POC", collection: "" },
             actions: ["createRole", "dropRole", "find", "grantRole", "viewRole"]
          }],
          roles: [],
       }
    )
    
    db.getSiblingDB('admin').grantRolesToUser(
       'svc-mydbuser',
       [{ role: "svc-role", db: "admin" }]
    )
    
    db.getSiblingDB('admin').grantRolesToRole(
       "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
       [{ role: "read", db: "core-POC" }]
    )
    { ok: 1 }
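The point the answer makes is that the authorization check for the grant is made against the database the granted role belongs to (core-POC), not the database the new role is created in (admin). The following is an added example, not code from the question, the answer or MongoDB itself: a small offline model of that check in plain JavaScript, useful for preflighting a least-privilege role request before running it against a server. The three rules it encodes (createRole on the target database; grantRole on the target database when the new role carries its own privileges; grantRole on the database of every role being granted) are stated here as assumptions about MongoDB's behaviour, consistent with what the answer observed, and the helper names are invented. Built-in roles the user holds (readWrite, userAdmin) are not expanded; only the explicit privilege documents are consulted.

```javascript
// Added example: model of the privilege check applied to a createRole request
// that also grants roles. Assumptions are labelled in the lead-in; this is not
// MongoDB's own implementation.

// Does the privilege list grant `action` at database level on `db`?
// A database-level resource is { db: <name>, collection: "" }.
// { db: "", collection: "" } is treated as "every database" (assumption).
function hasAction(privileges, db, action) {
  return privileges.some(p =>
    (p.resource.db === db || p.resource.db === "") &&
    p.resource.collection === "" &&
    p.actions.includes(action));
}

// Returns the { db, action } pairs the user lacks for `request`, which has the
// shape of the createRole command document ({ createRole, privileges, roles }).
function missingForCreateRole(privileges, targetDb, request) {
  const needed = [{ db: targetDb, action: "createRole" }];
  if (request.privileges.length > 0) {
    needed.push({ db: targetDb, action: "grantRole" });
  }
  for (const r of request.roles) {
    // Granting a role needs grantRole on the database that role lives in.
    needed.push({ db: r.db, action: "grantRole" });
  }
  return needed.filter(n => !hasAction(privileges, n.db, n.action));
}

// Constructed sample input: the database-level privilege documents from the
// question, condensed (the system.roles collection entry is omitted because it
// is collection-scoped and does not satisfy a database-level check here).
const svcUserPrivileges = [
  { resource: { db: "admin", collection: "" },
    actions: ["dropRole", "createRole", "grantRole", "find", "viewRole"] },
  { resource: { db: "core-POC", collection: "" },
    actions: ["dropDatabase", "createDatabase"] },
];

// The request from the question: a new role in admin that is granted read on core-POC.
const request = {
  createRole: "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
  privileges: [],
  roles: [{ role: "read", db: "core-POC" }],
};

// The answer's custom role, expressed as the privilege it adds to the user.
const svcRolePrivilege = {
  resource: { db: "core-POC", collection: "" },
  actions: ["createRole", "dropRole", "find", "grantRole", "viewRole"],
};

function missingBeforeFix() {
  return missingForCreateRole(svcUserPrivileges, "admin", request);
}

function missingAfterFix() {
  return missingForCreateRole([...svcUserPrivileges, svcRolePrivilege], "admin", request);
}

console.log("missing before fix:", missingBeforeFix()); // [{ db: "core-POC", action: "grantRole" }]
console.log("missing after fix:", missingAfterFix());   // []
```

Run with node. Before the fix the only gap reported is grantRole on core-POC, which is exactly the action the answer's svc-role supplies; the createRole action on admin was never the problem. A narrower custom role containing just grantRole on core-POC would also clear the check in this model, which is worth considering if the service account does not otherwise need to create or drop roles in that database.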