@aguytech
Last active July 20, 2022 20:21
[mongodb] #db #tips

client

list users

mongo
	use admin
	db.getUsers()
	exit

Create user

mongo
	use admin
	db.createUser({ user: 'admin', pwd: passwordPrompt(), roles: [{ role: 'userAdminAnyDatabase', db: 'admin' }, { role: 'readAnyDatabase', db: 'admin' }] })
	exit

Add Role

mongo
	use admin
	db.grantRolesToUser('admin', [{ role: 'userAdmin', db: 'admin' }, { role: 'readAnyDatabase', db: 'admin' }])
	exit

script

list users

db=admin

mongo 127.0.0.1:27017/$db <<<"printjson(db.getUsers());"

mongo 127.0.0.1:27017 <<<"use $db;
printjson(db.getUsers());"

Create user

user=admin
db=admin

# read the password without echoing it instead of writing it into the script
read -rsp "Password for $user: " pwd; echo

query="db.createUser({ user: '$user', pwd: '$pwd', roles: [{ role: 'userAdminAnyDatabase', db: '$db' }, { role: 'readAnyDatabase', db: '$db' }] })"
mongo 127.0.0.1:27017/$db <<<"$query"

# check the result (system.users lives in the admin database)
mongo 127.0.0.1:27017/$db <<<"db.system.users.find({ user: '$user' }).forEach(printjson);"

mongo 127.0.0.1:27017 <<<"use $db;
db.createUser({ user: '$user', pwd: '$pwd', roles: [{ role: 'userAdminAnyDatabase', db: '$db' }, { role: 'readAnyDatabase', db: '$db' }] });"

Add Role

user=admin
db=admin

query="db.grantRolesToUser('$user', [{ role: 'userAdmin', db: '$db' }, { role: 'readAnyDatabase', db: '$db' }])"
mongo 127.0.0.1:27017/$db <<<"$query"

# check the result
mongo 127.0.0.1:27017/$db <<<"printjson(db.getUser('$user'));"

mongo 127.0.0.1:27017 <<<"use $db;
db.grantRolesToUser('$user', [{ role: 'userAdmin', db: '$db' }, { role: 'readAnyDatabase', db: '$db' }]);"

User

Name Description
db.auth() Authenticates a user to a database
db.changeUserPassword() Changes an existing user's password
db.createUser() Creates a new user
db.dropUser() Removes a single user
db.dropAllUsers() Deletes all users associated with a database
db.getUser() Returns information about the specified user
db.getUsers() Returns information about all users associated with a database
db.grantRolesToUser() Grants a role and its privileges to a user
db.removeUser() Deprecated. Removes a user from a database
db.revokeRolesFromUser() Removes a role from a user
db.updateUser() Updates user data
passwordPrompt() Prompts for the password as an alternative to specifying passwords directly in various mongosh user authentication/management methods

Role

Name Description
db.createRole() Creates a role and specifies its privileges
db.dropRole() Deletes a user-defined role
db.dropAllRoles() Deletes all user-defined roles associated with a database
db.getRole() Returns information for the specified role
db.getRoles() Returns information for all the user-defined roles in a database
db.grantPrivilegesToRole() Assigns privileges to a user-defined role
db.revokePrivilegesFromRole() Removes the specified privileges from a user-defined role
db.grantRolesToRole() Specifies roles from which a user-defined role inherits privileges
db.revokeRolesFromRole() Removes inherited roles from a role
db.updateRole() Updates a user-defined role

Database User Roles

read

Provides users with the ability to read data from any collection within a specific logical database. This includes find() and the following database commands:

  • aggregate
  • checkShardingIndex
  • cloneCollectionAsCapped (applies only to the source collection)
  • collStats
  • count
  • dataSize
  • dbHash
  • dbStats
  • distinct
  • filemd5
  • geoNear
  • geoSearch
  • geoWalk
  • group
  • mapReduce (inline output only.)
  • text (beta feature.)

readWrite

Provides users with the ability to read from or write to any collection within a specific logical database. Users with readWrite have access to all of the operations available to read users, as well as the following basic write operations: insert(), remove(), and update().

Additionally, users with the readWrite role have access to the following database commands:

  • cloneCollection (as the target database.)
  • convertToCapped
  • create (and to create collections implicitly.)
  • drop()
  • dropIndexes
  • emptycapped
  • ensureIndex()
  • findAndModify
  • mapReduce (output to a collection.)
  • renameCollection (within the same database.)

Database Administration Roles

dbAdmin

Provides the ability to perform the following set of administrative operations within the scope of this logical database.

  • clean
  • collMod
  • collStats
  • compact
  • convertToCapped
  • create
  • db.createCollection()
  • dbStats
  • drop()
  • dropIndexes
  • ensureIndex()
  • indexStats
  • profile
  • reIndex
  • renameCollection (within a single database.)
  • validate

userAdmin

Allows users to read and write data in the system.users collection of the user’s database. Users with this role are able to modify permissions for existing users and create new users. userAdmin does not restrict the permissions that a user can grant, so a userAdmin user can grant privileges to themselves or to other users in excess of the userAdmin user’s own current privileges.

Any Database Roles

You must specify the following “any” database roles in the admin database. These roles apply to all databases in a mongod instance and are roughly equivalent to their single-database counterparts.

If you add any of these roles to a user privilege document outside of the admin database, the privilege will have no effect. Only the specification of the roles must occur in the admin database, however: with delegated authentication credentials, users can gain these privileges by authenticating to another database.

readAnyDatabase

readAnyDatabase provides users with the same read-only permissions as read, except it applies to all logical databases in the MongoDB environment.

readWriteAnyDatabase

readWriteAnyDatabase provides users with the same read and write permissions as readWrite, except it applies to all logical databases in the MongoDB environment.

userAdminAnyDatabase

userAdminAnyDatabase provides users with the same access to user administration operations as userAdmin, except it applies to all logical databases in the MongoDB environment.

Important: Because users with userAdminAnyDatabase and userAdmin have the ability to create and modify permissions in addition to their own level of access, this role is effectively the MongoDB system superuser. However, userAdminAnyDatabase and userAdmin do not explicitly authorize a user for any privileges beyond user administration.

dbAdminAnyDatabase

dbAdminAnyDatabase provides users with the same access to database administration operations as dbAdmin, except it applies to all logical databases in the MongoDB environment.
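An added audit script (not part of the gist) that checks the output of db.getUsers() for the two pitfalls described above: userAdmin/userAdminAnyDatabase grants, which let a user escalate its own privileges, and “any” database roles granted outside the admin database, which have no effect. The sample documents are constructed; they follow the shape printjson(db.getUsers()) emits.

```python
# Added example: audit db.getUsers() output for the role pitfalls noted above.
# Input is assumed to be the getUsers() result exported as JSON and loaded as a list of dicts.
import json

# Roles that only take effect when granted on the admin database.
ANY_DB_ROLES = {"readAnyDatabase", "readWriteAnyDatabase",
                "userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"}
# Roles whose holder can grant themselves privileges beyond their own (effectively superuser).
ESCALATING_ROLES = {"userAdmin", "userAdminAnyDatabase"}


def audit_user(user_doc):
    """Return a list of findings (strings) for a single getUsers() document."""
    findings = []
    principal = f"{user_doc.get('db', '?')}.{user_doc.get('user', '?')}"
    for role in user_doc.get("roles", []):
        name, db = role.get("role"), role.get("db")
        if name in ESCALATING_ROLES:
            findings.append(f"{principal}: {name}@{db} can grant itself any privilege on {db}")
        if name in ANY_DB_ROLES and db != "admin":
            findings.append(f"{principal}: {name}@{db} has no effect (must be granted on admin)")
    return findings


def audit_users(users):
    """Audit every document; returns {principal: [findings]} for users that have findings."""
    report = {}
    for u in users:
        findings = audit_user(u)
        if findings:
            report[f"{u['db']}.{u['user']}"] = findings
    return report


# Constructed sample in the shape of printjson(db.getUsers()).
SAMPLE = json.loads("""[
 {"_id": "admin.admin", "user": "admin", "db": "admin",
  "roles": [{"role": "userAdminAnyDatabase", "db": "admin"}, {"role": "readAnyDatabase", "db": "admin"}]},
 {"_id": "app.reporter", "user": "reporter", "db": "app",
  "roles": [{"role": "read", "db": "app"}, {"role": "readAnyDatabase", "db": "app"}]},
 {"_id": "app.svc", "user": "svc", "db": "app",
  "roles": [{"role": "readWrite", "db": "app"}]}
]""")

if __name__ == "__main__":
    for principal, findings in audit_users(SAMPLE).items():
        print(principal, *findings, sep="\n  ")
```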

Administrative Roles

clusterAdmin

clusterAdmin grants access to several administration operations that affect or present information about the whole system, rather than just a single database. These privileges include but are not limited to replica set and sharded cluster administrative functions.

clusterAdmin is only applicable on the admin database, and does not confer any access to the local or config databases.

Specifically, users with the clusterAdmin role have access to the following operations:

  • addShard
  • closeAllDatabases
  • connPoolStats
  • connPoolSync
  • _cpuProfilerStart
  • _cpuProfilerStop
  • cursorInfo
  • diagLogging
  • dropDatabase
  • enableSharding
  • flushRouterConfig
  • fsync
  • db.fsyncUnlock()
  • getCmdLineOpts
  • getLog
  • getParameter
  • getShardMap
  • getShardVersion
  • hostInfo
  • db.currentOp()
  • db.killOp()
  • listDatabases
  • listShards
  • logRotate
  • moveChunk
  • movePrimary
  • netstat
  • removeShard
  • repairDatabase
  • replSetFreeze
  • replSetGetStatus
  • replSetInitiate
  • replSetMaintenance
  • replSetReconfig
  • replSetStepDown
  • replSetSyncFrom
  • resync
  • serverStatus
  • setParameter
  • setShardVersion
  • shardCollection
  • shardingState
  • shutdown
  • splitChunk
  • splitVector
  • split
  • top
  • touch
  • unsetSharding