Can we restrict reads only from secondary for a specific user or group?

Hi Team,

We have read access on our PROD DB to all the team members. But due to this, if someone runs a bad query it’s killing the MongoDB cluster, sometimes from both memory & CPU usage front, if they ran those from Robo3T.

So we would like to know, is there a way we can redirect all reads from any specific user/group to a secondary or to a hidden member in the cluster? This way the actual application will not wait for any writes and no change in the overall performance.

Thanks,
Santosh D.

Welcome to the MongoDB Community Forums @Santosh_Dhaukonda!

You are already on the right track: if you want to isolate read-only queries with different usage patterns so they don’t affect your application performance, I recommend adding a Hidden Secondary to your replica set and setting appropriate firewall rules to limit your end users so they can only connect to this secondary. The connection string format to use in clients like Robo3T will be the standalone / direct connection rather than a replica set connection string.

Clients will not distribute reads to the hidden secondaries, so the only traffic they receive will be for replication and via direct connection.

I would also recommend using a more actively maintained admin client that uses a supported MongoDB driver. Robo3T embeds a specific version of the mongo shell (currently 4.2 as of Robo3T 1.4) and this may lead to unexpected outcomes. MongoDB Compass is the officially supported (and free) GUI, but there are commercial alternatives like Studio 3T which may have other features of interest depending on your use case.

Regards,
Stennie
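
An added example, not part of the reply above or of any MongoDB tooling: a small JavaScript check that an ad-hoc client's connection string follows this advice, i.e. a direct connection to a hidden, priority-0 member rather than a replica set URI. The host names and the `rs.conf()`-style document are constructed, and requiring an explicit `directConnection=true` is a policy assumption of this sketch.

```javascript
// Constructed sample in the shape rs.conf() returns; hosts are made up.
const sampleConf = {
  _id: "rs0",
  members: [
    { _id: 0, host: "db0.example.net:27017", priority: 1 },
    { _id: 1, host: "db1.example.net:27017", priority: 1 },
    { _id: 2, host: "db2.example.net:27017", priority: 1 },
    // Reporting node: hidden, never primary; votes: 0 keeps the voter count odd.
    { _id: 3, host: "reports.example.net:27017", priority: 0, hidden: true, votes: 0 },
  ],
};

// Hidden members must have priority 0; drivers using a replica set
// connection string do not route reads to them.
function hiddenHosts(conf) {
  return conf.members
    .filter((m) => m.hidden === true && m.priority === 0)
    .map((m) => m.host);
}

// Returns a list of policy problems for an analyst URI (empty list = OK).
function checkAnalystUri(uri, conf) {
  const re = /^(mongodb(?:\+srv)?):\/\/(?:[^@\/]*@)?([^\/?]+)(?:\/[^?]*)?(?:\?(.*))?$/;
  const m = re.exec(uri);
  if (!m) return ["not a MongoDB connection string"];
  const [, scheme, hostList, query = ""] = m;
  // URI option names are case-insensitive, so normalise the keys.
  const opts = new Map(
    [...new URLSearchParams(query)].map(([k, v]) => [k.toLowerCase(), v])
  );
  const hosts = hostList.split(",");
  const problems = [];
  if (scheme === "mongodb+srv") problems.push("SRV URI implies replica set discovery");
  if (hosts.length > 1) problems.push("seed list with several hosts");
  if (opts.has("replicaset")) problems.push("replicaSet option set");
  // Assumed policy: insist on the explicit option instead of client defaults.
  if (opts.get("directconnection") !== "true") problems.push("directConnection=true missing");
  const allowed = hiddenHosts(conf);
  for (const h of hosts) {
    const hostPort = h.includes(":") ? h : `${h}:27017`; // default port
    if (!allowed.includes(hostPort)) problems.push(`${h} is not a hidden member`);
  }
  return problems;
}
```

The URI check only documents the intended client setup; the firewall rules mentioned in the reply are what actually keep ad-hoc clients off the other members.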

Thanks, @Stennie, for the quick response; I agree with the solution that you provided.

We are using Mongo Atlas for monitoring and user configuration. And we can set some specific rules for individual users, like allowing reads only on a set of DBs, so in the same way we would like to check if we can set any such user-level config on Atlas for this use case before actually implementing this solution?