How to give diagnostic actions listDatabases to a user in mongodb?

I'm trying to connect from a java application to a mongodb database in openshift and I'm having some trouble with roles and actions allowed.

I run the rhc port-forward command like so:

rhc port-forward -a test

it all goes great and I'm able to connect to the database using:

mongo admin -u admin -p '*******' --host 127.0.0.1 --port 44506

and I can execute commands like:

> use test
> show databases

But if I connect directly to my database using:

mongo test -u admin -p '*******' --host 127.0.0.1 --port 44506

I'm unable to run the show databases command:

listDatabases failed:{ "ok" : 0, "errmsg" : "unauthorized" } at src/mongo/shell/mongo.js:47

How can I give the listDatabases action to this user in this database?

I found this page in the MongoDB documentation, http://docs.mongodb.org/manual/reference/privilege-actions/#security-user-actions, which talks about Diagnostic Actions but does not mention how to give such an action to a user.

Thanks for the help.

JGS asked Dec 20 '22 07:12


2 Answers

As mentioned by wdberkeley, you have to have a user in the admin database with the ability to list databases.

To do this, you first have to create a very minimal "role" for this user allowing them to list databases, and then create a user with both this role and the role for reading and writing your other database:

use admin

db.runCommand({ createRole: "listDatabases",
    privileges: [
        { resource: { cluster : true }, actions: ["listDatabases"]}
    ],
    roles: []
})

db.createUser({
    user: "<userName>",
    pwd: "<passwd>",
    roles: [
        { role: "readWrite", db: "test" },
        { role: "listDatabases", db: "admin" }
    ]
})

The MongoDB documentation has references for both createRole and createUser, if you want to learn more about these commands.

i80and answered Dec 21 '22 20:12


You're logging in as two different users. Users are scoped by namespace, so user John who lives in test is not the same as user John who lives in admin, though both Johns may have rights in the test database. I think this much you may already understand, but I wanted to clarify it just in case.

I don't believe you can give a user scoped to a non-admin database the listDatabases action in a privilege because the listDatabases action must go with the cluster resource (listDatabases is a cluster-wide sort of operation), and a privilege with a cluster resource can only be scoped to a role on the admin database. Cutting out the jargon of MongoDB's authorization model, a non-admin database user can't use listDatabases because it's a cluster-wide operation and only admin database users should be able to do cluster-wide things.

wdberkeley answered Dec 21 '22 19:12
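As an added illustration of the two answers above (not code from either answerer), here is a small offline model of MongoDB's role resolution: it enforces the rule that a cluster-resource privilege may only live in a role defined on admin, and shows which actions the user from the accepted answer ends up with. The role name "listDatabases", the user name "appuser" and the "test" database are assumptions taken from the answers.

```javascript
// Added example, not code from the answers: a simplified model of MongoDB's
// role-based authorization for checking a planned role/user setup offline.
const BUILTIN_DB_ROLES = { readWrite: ["find", "insert", "update", "remove"] };

// Rule from MongoDB's model (wdberkeley's point): a privilege on the cluster
// resource may only be defined in a role that lives in the admin database.
function validateRole(dbName, roleCmd) {
  const errors = [];
  for (const p of roleCmd.privileges) {
    if (p.resource.cluster === true && dbName !== "admin") {
      errors.push(`${roleCmd.createRole}@${dbName}: cluster-resource privileges are only allowed in admin`);
    }
  }
  return errors;
}

// Expand a user's role grants into concrete { resource, actions } privileges.
// customRoles maps "<role>@<db>" to the createRole command that defined it;
// unknown roles grant nothing.
function effectivePrivileges(userCmd, customRoles) {
  const privs = [];
  for (const { role, db } of userCmd.roles) {
    if (BUILTIN_DB_ROLES[role]) {
      privs.push({ resource: { db }, actions: BUILTIN_DB_ROLES[role] });
    } else if (customRoles[`${role}@${db}`]) {
      privs.push(...customRoles[`${role}@${db}`].privileges);
    }
  }
  return privs;
}

// Does any privilege grant the action on the requested resource (cluster or db)?
function canRun(privs, action, resource) {
  return privs.some(p => p.actions.includes(action) &&
    ((resource.cluster === true && p.resource.cluster === true) ||
     (resource.db !== undefined && p.resource.db === resource.db)));
}

// Constructed setup mirroring the accepted answer (placeholders, not real creds).
const listDatabasesRole = {
  createRole: "listDatabases",
  privileges: [{ resource: { cluster: true }, actions: ["listDatabases"] }],
  roles: [],
};
const appUser = {
  createUser: "appuser", pwd: "<passwd>",
  roles: [{ role: "readWrite", db: "test" }, { role: "listDatabases", db: "admin" }],
};
const catalog = { "listDatabases@admin": listDatabasesRole };
```

With this setup `canRun(effectivePrivileges(appUser, catalog), "listDatabases", { cluster: true })` is true, while the same role definition fails `validateRole` when placed in "test", which is the situation the question ran into.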