
A MongoDB "userAdminAnyDatabase" user cannot admin users in "any database". Why?

This is a userAdmin vs. userAdminAnyDatabase question.

In the system.users I have the following users (password 1234 for both):

> db.system.users.find()
{ "_id" : ObjectId("52a976cb7851682aa44d6d4d"), "user" : "admin_one", "pwd" : "884f516cf308a4c6a75bbc5a0a00807b", "roles" : [  "userAdmin",  "dbAdmin" ] }
{ "_id" : ObjectId("52a97c697851682aa44d6d4f"), "user" : "admin_two", "pwd" : "26e7bb644e5919461cd6ba7403dc6906", "roles" : [  "userAdminAnyDatabase",  "dbAdminAnyDatabase" ] }

Connecting with a wrong user:

$ mongo mono -u admin -p 1234
connecting to: mono
Thu Dec 12 10:09:00.733 Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } at src/mongo/shell/db.js:228

which is OK.

Connecting with the db admin:

$ mongo mono -u admin_one -p 1234
connecting to: mono
> db.system.users.find()
{ "_id" : ObjectId("52a976cb7851682aa44d6d4d"), "user" : "admin_one", "pwd" : "884f516cf308a4c6a75bbc5a0a00807b", "roles" : [  "userAdmin",  "dbAdmin" ] }
{ "_id" : ObjectId("52a97c697851682aa44d6d4f"), "user" : "admin_two", "pwd" : "26e7bb644e5919461cd6ba7403dc6906", "roles" : [  "userAdminAnyDatabase",  "dbAdminAnyDatabase" ] }

which is also OK.

Now, connecting with the "AnyDatabase" admin I get an error:

$ mongo mono -u admin_two -p 1234
connecting to: mono
> db.system.users.find()
error: { "$err" : "not authorized for query on mono.system.users", "code" : 16550 }

Why?

4 revs, 2 users 76%, asked Dec 12 '13 09:12

1 Answer

It appears that you're attempting to allocate the userAdminAnyDatabase role on the mono database, not the admin database. The anyDatabase role is only available for users that authenticate to the admin database.

See the documentation of the anyDatabase Role for more information.

tychoish, answered Sep 20 '22 19:09
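
As an added example (not part of the answer and not MongoDB's own code), the check below scans `system.users` documents in the format shown in the question for AnyDatabase roles granted outside the `admin` database, where the answer explains they are not honoured. The sample documents are constructed from the question's output; the function name, the finding fields and the `root_admin` user are assumptions.

```javascript
// Roles that take effect only for users defined in the "admin" database.
const ANY_DATABASE_ROLES = new Set([
  "readAnyDatabase",
  "readWriteAnyDatabase",
  "userAdminAnyDatabase",
  "dbAdminAnyDatabase",
]);

// usersByDb maps a database name to its system.users documents.
// Returns one finding per user holding AnyDatabase roles outside "admin".
function auditAnyDatabaseRoles(usersByDb) {
  const findings = [];
  for (const [dbName, users] of Object.entries(usersByDb)) {
    if (dbName === "admin") continue; // the roles are valid here
    for (const u of users) {
      const roles = Array.isArray(u.roles) ? u.roles : [];
      const ignored = roles.filter((r) => ANY_DATABASE_ROLES.has(r));
      if (ignored.length === 0) continue;
      const effective = roles.filter((r) => !ANY_DATABASE_ROLES.has(r));
      findings.push({
        db: dbName,
        user: u.user,
        ignoredRoles: ignored,
        effectiveRoles: effective,
        // No remaining role means every query fails as "not authorized".
        noUsableRole: effective.length === 0,
      });
    }
  }
  return findings;
}

// Constructed sample mirroring the question (password hashes omitted).
const sampleUsers = {
  mono: [
    { user: "admin_one", roles: ["userAdmin", "dbAdmin"] },
    { user: "admin_two", roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase"] },
  ],
  admin: [
    { user: "root_admin", roles: ["userAdminAnyDatabase"] }, // hypothetical user
  ],
};

const findings = auditAnyDatabaseRoles(sampleUsers);
for (const f of findings) {
  console.log(`${f.db}.${f.user}: ignored roles ${f.ignoredRoles.join(", ")}` +
    (f.noUsableRole ? " (no usable role left)" : ""));
}
```

For the setup in the question, the corresponding fix is to define `admin_two` in the `admin` database and connect with `mongo mono -u admin_two -p 1234 --authenticationDatabase admin`.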