My read-only user is able to write

Question

I'm using MongoDB 3.0.7. I have a database called bravegoat and a read-only user called bravegoat-r.

I connect via shell:

mongo localhost:27017/bravegoat -u bravegoat-r -p mypassword

I switch to my database:

use bravegoat;

And I run:

db.runCommand({connectionStatus : 1})

Which outputs:

{
        "authInfo" : {
                "authenticatedUsers" : [
                        {
                                "user" : "bravegoat-r",
                                "db" : "bravegoat"
                        }
                ],
                "authenticatedUserRoles" : [
                        {
                                "role" : "read",
                                "db" : "bravegoat"
                        }
                ]
        },
        "ok" : 1
}

Only read role, so it looks fine, but when I invoke .save(), my user can insert data. I've read few pages about creating read-only users and I'm not able to see my problem. I'm starting to think it might be a bug in my version.

Answer 1

You have to enable client access control by doing the following:

1. Edit the /etc/mongod.conf file
2. Add the following lines

security: authorization: enabled

3. Restart MongoDB:

sudo service mongodb restart