I'm using MongoDB Community version 7.0. The problem is, a user to whom I've only granted the 'read' permission can drop collections and perform write operations. I can't understand exactly where the problem is occurring. Has anyone encountered this?
Below are the steps I follow when creating a user.
use admin
db.createRole({
role: "findRole",
privileges: [
{ resource: { db: "example", collection: "" }, actions: ["find"] }
],
roles: []
})
db.createUser({user: 'emre', pwd: 'password123', roles: [{role: 'findRole', db: 'example'}]})
After defining the user, I log in with MongoDB Compass. When I run the 'db.test.drop()' command, it is able to drop the collection. I'm waiting for your assistance
I tried to create a read-only user in MongoDB, but the user I created can still perform write operations. I want to resolve this issue.
First of all, did you enable authentication? By default it is disabled.
To enable authentication you need three steps:
security.authorization: enabled
mongod
serviceroot
or userAdminAnyDatabase
Second, you executed use admin
, thus role findRole
is scoped to admin
database. You must grant
roles: [{role: 'findRole', db: 'admin'}]
Instead of creating user-defined role, you can also grant the built-in role:
roles: [{role: 'read', db: 'example'}]
Which is (more or less) the same.