forbid dbStats/collStats commands for a user


Yann D'Isanto

Jul 31, 2015, 9:47:56 PM
to mongodb-user
Hi guys,

I'd like to create a user that can't run the "collStats" and "dbStats" commands.
I tried to create a user with a custom role having only the "find" action privilege (see user/role documents below), but the user can still perform the dbStats/collStats commands.
So my question is: how should I configure the user to forbid running those commands?


user document

{
  _id: "mydb.myuser",
  user: "myuser",
  db: "mydb",
  credentials: {...},
  roles: [
    { role: "mydbFind", db: "mydb" }
  ]
}


role document

{
  _id: "mydb.mydbFind",
  role: "mydbFind",
  db: "mydb",
  privileges: [
    {
      resource: { db: "mydb", collection: "" },
      actions: [ "find" ]
    }
  ],
  roles: [ ]
}

Thanks in advance for your help.

Regards,
Yann

Asya Kamsky

Aug 3, 2015, 2:24:11 AM
to mongodb-user
Can you explain exactly why you want to prevent the stats command?

If they can run "find" then they can get pretty much most of the
information that stats gives them - would take a bit longer.

Asya

Yann D'Isanto

Aug 3, 2015, 3:57:39 AM
to mongodb-user
Hi Asya,

I'm working on the Netbeans plugin to access mongodb and I need to recreate the conditions of an issue that a user opened so I can test and validate my fix.
So I don't have any requirement but to forbid those commands.

Regards,
Yann

Ankit Kakkar

Aug 12, 2015, 2:32:03 AM
to mongodb-user
Hi Yann,

You are on the right track in terms of creating a custom role having limited privileges. The following are example steps that I used to satisfy your access requirement:

1) Create a custom role and a user:

db.runCommand({
  createRole: "appUserRole",
  privileges: [
    { resource: { db: "myApp", collection: "" },
      actions: [ "find", "createCollection" ] },
    { resource: { db: "myApp", collection: "logs" },
      actions: [ "insert", "find" ] },
    { resource: { db: "myApp", collection: "data" },
      actions: [ "insert", "update", "remove", "compact" ] },
    { resource: { db: "myApp", collection: "js" },
      actions: [ "find" ] },
  ],
  roles: [],
})

db.createUser({
  user: "appUser",
  pwd: "appUser",
  roles: [
    { role: "appUserRole", db: "admin" }
  ]
})


2) Restart mongod with the --auth or --keyFile option. For example:

mongod --dbpath "/data/db1" --auth


3) Connect the mongo shell to the database:

mongo -u appUser -p appUser --authenticationDatabase admin

Next, I ran the following shell commands and, as expected, I was disallowed from using the stats command.


> use myApp
switched to db myApp
> db.logs.insert({})
WriteResult({ "nInserted" : 1 })

> db.logs.find()
{ "_id" : ObjectId("55cae15895aaaf3153e6515f") }

> db.logs.stats()
{
  "ok" : 0,
  "errmsg" : "not authorized on myApp to execute command { collStats: \"logs\", scale: undefined }",
  "code" : 13
}

The behaviour that you noticed indicates that perhaps the server was not running in "Authentication" mode. Can you please try the above steps and see if this resolves your issue?

Regards,
ankit
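
As an added example (not code from this thread or from MongoDB itself), here is a small offline model of the privilege check that the steps above exercise: it applies the resource-matching rule of the role documents in simplified form and shows that, with authorization disabled, every command passes, which is the behaviour seen before restarting with --auth. The command-to-action table, the helper functions and the role values are assumptions constructed for illustration.

```javascript
// Added example, not the thread's or MongoDB's code: a simplified offline model of
// how mongod matches a privilege's resource/actions against a command. Assumptions:
// only { db, collection } ("" = any) and anyResource resources are modelled; system
// collections and inherited roles are ignored; the action table is a constructed subset.

// Action each command requires on its target namespace (constructed subset).
const REQUIRED_ACTION = {
  find: "find",
  insert: "insert",
  collStats: "collStats", // what db.<coll>.stats() runs
  dbStats: "dbStats",     // what db.stats() runs; target collection is ""
};

// True when a privilege's resource covers the namespace db.collection.
function resourceMatches(resource, db, collection) {
  if (resource.anyResource) return true;
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") return false;
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === "" || resource.collection === collection;
  return dbOk && collOk;
}

// True when the role grants the action the command needs. With authEnabled
// false nothing is checked, which is what the original poster observed before
// restarting mongod with --auth.
function isAuthorized(role, command, db, collection, authEnabled = true) {
  if (!authEnabled) return true;
  const action = REQUIRED_ACTION[command];
  if (action === undefined) throw new Error(`unknown command: ${command}`);
  return role.privileges.some(
    (p) => resourceMatches(p.resource, db, collection) && p.actions.includes(action)
  );
}

// Lists which of the modelled commands the role allows on db.collection.
function audit(role, db, collection, authEnabled = true) {
  return Object.keys(REQUIRED_ACTION).filter(
    (c) => isAuthorized(role, c, db, collection, authEnabled)
  );
}

// The role from the question: "find" on every collection in mydb.
const mydbFind = {
  role: "mydbFind",
  db: "mydb",
  privileges: [{ resource: { db: "mydb", collection: "" }, actions: ["find"] }],
  roles: [],
};
```

Calling audit(mydbFind, "mydb", "logs") returns only "find", while audit(mydbFind, "mydb", "logs", false) returns every command, mirroring a mongod started without --auth.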

Yann D'Isanto

Aug 14, 2015, 3:12:24 PM
to mongodb-user
Hi Ankit,

Thanks for your answer, it worked as I wanted. The missing "authentication" mode was indeed a point I was not aware of.
Just a few details for people having the same problem:
 * before creating the role and user, don't forget to switch to the targeted database: use myApp
 * there is a small typo in the createRole document: the comma before the last curly bracket must be removed

Thanks again Ankit :-)

Best regards,
Yann