How to create a dbOwner user for all databases in MongoDB?


Deepjyoti Saha

Sep 15, 2015, 3:11:59 PM
to mongodb-user
Hi guys

Can I create a dbOwner user for all the databases? As the database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles. I want to create a dbOwner user for all the databases. Please help me with that.

Serhat Şevki Dinçer

Sep 15, 2015, 6:00:50 PM
to mongodb-user
dbOwner role, when scoped to the admin database

Jalil AA

Sep 15, 2015, 6:15:51 PM
to mongodb-user
Hi Saha,

Try this:

> use admin
db.createUser(
    {
      user: "dba",
      pwd: "12345",
      roles: [ "root" ]
    }
)


Please note, you can log in to mongo and list all [roles] and then use the one you want in the query above. But the [root] role above gives you pretty much the keys to the kingdom.

List roles
> show roles

Hope this helps.
@AJ

Deepjyoti Saha

Sep 16, 2015, 1:07:02 AM
to mongodb-user
Hi Jalil

Thanks for your effort. You are right that the "root" role gives the highest privileges to a user, but I want to restrict the user from performing cluster administration activities. That is the reason I want to create a dbOwner user for all the databases which will restrict the user to perform the database related activities only.

Regards
Deepjyoti Saha

Deepjyoti Saha

Sep 16, 2015, 1:09:32 AM
to mongodb-user
Hi Serhat

Yes. I understand the dbOwner role is scoped to the admin database, but I want to know: can we create a dbOwner role which is scoped to all the databases (e.g., dbOwnerAllDatabase)?

Jalil AA

Sep 16, 2015, 12:32:19 PM
to mongodb-user
OK, I see what you want to do. But my understanding is that each database has its own roles; I really don't see how you can create one global Role that applies to all database instances.

Let's say we have 2 Mongo DBs: HR & AP. I would need to switch between the DBs to grant roles accordingly:

> use HR
> show roles

> use AP
> show roles

The [ show roles ] command above will show you Roles for each DB. Not sure if there is a way to create a global Role to maintain HR & AP at the same time.

Wan Bachtiar

Sep 30, 2015, 2:07:20 AM
to mongodb-user

Hi Deepjyoti,

There is no built-in role for dbOwner that applies to all databases.

The dbOwner role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles. If the userAdmin role is granted to all databases (including the admin database) this indirectly provides superuser access to any databases and the cluster.

If there are no built-in roles that are suitable for your requirements, there is a way to create new custom roles. See Create a User-Defined Role for more details.

For example, to create a new role called customRoleAnyDatabase which combines the role of readWrite and dbAdmin on database foo and bar:


use admin

db.runCommand({ 
    createRole: "customRoleAnyDatabase",
    privileges: [],
    roles: [
        { role: "readWrite", db: "foo" },
        { role: "readWrite", db: "bar" },
        { role: "dbAdmin", db: "foo"},
        { role: "dbAdmin", db: "bar"}
    ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
})

In addition to roles, you can also specify privileges for granularity.

A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the admin database.

For more information and examples please see Manage users and roles.


Kind Regards,

Wan.
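
A generalization of the customRoleAnyDatabase command in the reply above, as an added example that is not part of the original thread or MongoDB's own code: it builds the same readWrite + dbAdmin grants for every user database and checks the result for grants that would bring back indirect superuser access. The function names and the audited role list are assumptions made for this illustration.

```javascript
// Added example, not from the thread. Helper names are hypothetical.
// Databases that must never receive blanket grants from this role.
const SYSTEM_DBS = new Set(["admin", "local", "config"]);
// Grants that let the holder give itself more privileges (assumption: this
// short list is what we audit for; extend it to match local policy).
const ESCALATING_ON_ADMIN = new Set(["userAdmin", "dbOwner"]);
const ESCALATING_ANYWHERE = new Set(["root", "userAdminAnyDatabase", "__system"]);

// Build a createRole command granting readWrite + dbAdmin on each user database.
function buildAnyDbRole(dbNames, roleName) {
  const roles = [];
  for (const name of dbNames) {
    if (SYSTEM_DBS.has(name)) continue; // skip admin/local/config
    roles.push({ role: "readWrite", db: name });
    roles.push({ role: "dbAdmin", db: name });
  }
  return {
    createRole: roleName,
    privileges: [],
    roles: roles,
    writeConcern: { w: "majority", wtimeout: 5000 }
  };
}

// Return the grants in a role list that amount to indirect superuser access.
function findEscalatingGrants(roles) {
  return roles.filter(r =>
    ESCALATING_ANYWHERE.has(r.role) ||
    (r.db === "admin" && ESCALATING_ON_ADMIN.has(r.role)));
}

// Only runs inside the mongo shell, where the global `db` exists.
if (typeof db !== "undefined") {
  const names = db.adminCommand({ listDatabases: 1 }).databases.map(d => d.name);
  const cmd = buildAnyDbRole(names, "customRoleAnyDatabase");
  if (findEscalatingGrants(cmd.roles).length === 0) {
    printjson(db.getSiblingDB("admin").runCommand(cmd));
  }
}
```

The role is a snapshot of the databases that exist when the script runs, so a database created later is not covered until the role is rebuilt.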

Nimesh Ganatra

Dec 22, 2016, 3:32:00 PM
to mongodb-user
Thanks a lot. This one helped me too.