Minimum permission for using mongodump (to dump a specific db)

Tags:

mongodb

We can't seem to find any conclusive document on what permissions (user roles) are required to run mongodump on a specific db.

Say I have a db named x and a user y on it with the following roles: roles: [ "readWrite", "dbAdmin" ], as well as 2 users a and b on the admin collection with roles: [ "userAdminAnyDatabase" ] and roles: [ "dbAdminAnyDatabase" ]. It seems none of them has the right permission to run mongodump:

mongodump --db x --username y --password --authenticationDatabase x
Tue Dec 10 17:04:23.901     x.system.users to dump/x/system.users.bson
assertion: 11010 count fails:{ ok: 0.0, errmsg: "unauthorized" }

mongodump --db x --username a --password --authenticationDatabase admin
Tue Dec 10 17:06:19.674 DATABASE: x  to     dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.indexes", code: 16550 }

mongodump --db x --username b --password --authenticationDatabase admin
Tue Dec 10 17:08:20.678 DATABASE: x  to     dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.namespaces", code: 16550 }

We must be missing something obvious, but what does mongodump look for when dumping a database and what permission does it need?

PS: as a bonus, we would like to figure out what user roles are needed to dump a specific collection, as well as all db(s).

asked by bitinn on Dec 10 '13


2 Answers

Fortunately mongodump 3.0 is accepting options to skip certain collections.

This solved my problem not having admin access to the database to tweak permissions. Please keep in mind that you will not create full backups anymore.

mongodump --excludeCollection=system.indexes

or

mongodump --excludeCollectionsWithPrefix=system

answered by iltempo on Sep 28 '22

TL;DR: For mongodb 2.4, you need at least a user with read role as well as userAdmin on the db. Or else you will run into the error we faced in the question when dumping system.users.bson on such db.


So we overlooked an important reference: man mongodump

However, you need to have mongodump 2.4.x to see the relevant section, so here is a reference via mongodb github docs:

Required User Privileges
------------------------

.. note:: User privileges changed in MongoDB 2.4.

The user must have appropriate privileges to read data from database holding collections in order to use :program:`mongodump`. Consider the following :doc:`required privileges </reference/system-defined-roles>` for the following :program:`mongodump` operations:

.. list-table::
   :header-rows: 1

   * - Task
     - Required Privileges
   * - All collections in a database except ``system.users``.
     - :authrole:`read`. [#read-or-read-write]_
   * - All collections in a database, including ``system.users``.
     - :authrole:`read` [#read-or-read-write]_ and :authrole:`userAdmin`.
   * - All databases. [#profiling-exception]_
     - :authrole:`readAnyDatabase`, :authrole:`userAdminAnyDatabase`,
       and :authrole:`clusterAdmin`. [#cluster-admin]_

See :doc:`/reference/system-defined-roles` and :doc:`/reference/privilege-documents` for more information on user roles.

.. [#read-or-read-write] You may provision :authrole:`readWrite`
   instead of :authrole:`read`.

.. [#cluster-admin] :authrole:`clusterAdmin` provides the ability to
   run the :dbcommand:`listDatabases` command, to list all existing
   databases.

.. [#profiling-exception] If any database runs with profiling enabled,
   :program:`mongodump` may need the
   :authrole:`dbAdminAnyDatabase` privilege to dump the
   ``system.profile`` collection.

PS: there is currently no way to skip certain collection(s), so if you only have the read or readWrite role on a db, you need to dump each collection individually.

answered by bitinn on Sep 28 '22
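The following pre-flight check is an added example, not part of mongodump, the MongoDB docs or either answer. It encodes the 2.4 "Required User Privileges" table quoted above and applies it to the three users from the question, so a backup operator can see which role is missing before a dump aborts with an "unauthorized" assertion. The role-document layout ({"db": ..., "roles": [...]}) and the expansion of the admin-db *AnyDatabase roles into per-database roles are simplifications assumed here for illustration; "read"/"readWrite" and the profiling footnote are handled as the quoted table describes.

```python
"""Pre-flight role check for mongodump on MongoDB 2.4 (added example).

Encodes the "Required User Privileges" table from the MongoDB 2.4 docs
quoted in the answer above. Not part of mongodump; the role-document
shape and *AnyDatabase expansion below are simplified assumptions.
"""

# Each task maps to requirement groups; every group must be satisfied by at
# least one role the user effectively holds in the checked scope.
# readWrite may stand in for read (footnote [#read-or-read-write]).
REQUIRED = {
    "db_without_system_users": [{"read", "readWrite"}],
    "db_with_system_users": [{"read", "readWrite"}, {"userAdmin"}],
    "all_databases": [{"readAnyDatabase"}, {"userAdminAnyDatabase"}, {"clusterAdmin"}],
}

# Assumption: *AnyDatabase roles are granted on the admin db and confer the
# matching per-database role on every database.
ANY_DB_EXPANSION = {
    "readAnyDatabase": "read",
    "readWriteAnyDatabase": "readWrite",
    "userAdminAnyDatabase": "userAdmin",
    "dbAdminAnyDatabase": "dbAdmin",
}


def effective_roles(user, target_db):
    """Roles `user` holds on `target_db`.

    `user` looks like {"name": "y", "db": "x", "roles": ["readWrite", "dbAdmin"]}
    where "db" is the database the user was created on (the value you pass
    as --authenticationDatabase).
    """
    roles = set()
    if user["db"] == target_db:
        roles.update(user["roles"])  # roles granted directly on the target
    if user["db"] == "admin":
        for r in user["roles"]:  # admin-db roles reach other dbs via expansion
            if r in ANY_DB_EXPANSION:
                roles.add(ANY_DB_EXPANSION[r])
    return roles


def missing_roles(user, task, target_db=None, profiling_enabled=False):
    """Return the unsatisfied requirement groups for `task`; [] means OK.

    For "all_databases" the check runs against the admin db; with
    profiling_enabled the dbAdminAnyDatabase footnote requirement is added.
    """
    groups = list(REQUIRED[task])
    if task == "all_databases":
        scope = "admin"
        if profiling_enabled:
            groups.append({"dbAdminAnyDatabase"})
    else:
        if target_db is None:
            raise ValueError("target_db is required for per-database tasks")
        scope = target_db
    held = effective_roles(user, scope)
    return [sorted(g) for g in groups if not (g & held)]


def explain(user, task, target_db=None, profiling_enabled=False):
    """Human-readable verdict for one user and task."""
    missing = missing_roles(user, task, target_db, profiling_enabled)
    if not missing:
        return f"{user['name']}: OK for {task}"
    need = " and ".join("/".join(g) for g in missing)
    return f"{user['name']}: cannot run {task}, missing {need}"


# Constructed role documents mirroring the three users in the question.
QUESTION_USERS = [
    {"name": "y", "db": "x", "roles": ["readWrite", "dbAdmin"]},
    {"name": "a", "db": "admin", "roles": ["userAdminAnyDatabase"]},
    {"name": "b", "db": "admin", "roles": ["dbAdminAnyDatabase"]},
]

if __name__ == "__main__":
    for u in QUESTION_USERS:
        for task in ("db_without_system_users", "db_with_system_users"):
            print(explain(u, task, "x"))
        print(explain(u, "all_databases"))
    # The minimal user from the TL;DR: read plus userAdmin on db x.
    backup = {"name": "backup", "db": "x", "roles": ["read", "userAdmin"]}
    print(explain(backup, "db_with_system_users", "x"))
```

Running it reproduces the question's failures: y lacks userAdmin, so only the dump that includes x.system.users is refused; a and b hold no read role on x at all, which matches their "not authorized for query" errors before any collection data was read.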