mongodbnosqlmongodb-compassmongodb-replica-set

In MongoDB version 7.0, a role created with only the 'find' permission can perform drop and write operations. How can I prevent this?


I'm using MongoDB Community version 7.0. The problem is, a user to whom I've only granted the 'read' permission can drop collections and perform write operations. I can't understand exactly where the problem is occurring. Has anyone encountered this?

Below are the steps I follow when creating a user.

use admin
db.createRole({
   role: "findRole",
   privileges: [
     { resource: { db: "example", collection: "" }, actions: ["find"] }
   ],
   roles: []
})

db.createUser({user: 'emre', pwd: 'password123', roles: [{role: 'findRole', db: 'example'}]})

After defining the user, I log in with MongoDB Compass. When I run the 'db.test.drop()' command, it is able to drop the collection. I'm waiting for your assistance

I tried to create a read-only user in MongoDB, but the user I created can still perform write operations. I want to resolve this issue.


Solution

  • First of all, did you enable authentication? By default it is disabled.

    To enable authentication you need three steps:

    1. Set parameter security.authorization: enabled
    2. Restart the mongod service
    3. Create an admin user, i.e. a user with role root or userAdminAnyDatabase

    Second, you executed use admin, thus role findRole is scoped to admin database. You must grant

    roles: [{role: 'findRole', db: 'admin'}] 
    

    Instead of creating user-defined role, you can also grant the built-in role:

    roles: [{role: 'read', db: 'example'}] 
    

    Which is (more or less) the same.