Custom Roles for admin

Hi! I have a question on custom roles. I’ve set up my admin role as:
db.createRole({role: "mydbAdmin", privileges: [], roles: [{role: "userAdmin", db: "admin"}, {role: "dbAdmin", db: "admin"}, {role: "readWrite", db: "admin"}, {role: "dbAdmin", db: "mydb"}, {role: "readWrite", db: "mydb"}]});

and generic user role as:
db.createRole({role: "mydbUser", privileges: [{resource: {db: "admin", collection: ""}, actions: ["changeOwnPassword", "changeOwnCustomData"]} ], roles: [{role: "readWrite", db: "mydb"}]});

Although my custom admin role works on user creation, deletion, granting and revoking roles, I can’t seem to use the updateUser feature to replace user roles. Any attempt to do so results in: uncaught exception: Error: Updating user failed: not authorized on admin to execute command

Strangely, when I switch to an account with the *AnyDatabase roles, I have no problems executing the “updateUser” above. All users are created in the admin database. Any pointers on getting the right credentials to execute “updateUser” would be greatly appreciated!

Thanks in advance!


Hi @Suresh_Kumar3
Welcome to the community!!

Could you help by confirming the steps to reproduce the issue observed above?

  1. Create user on admin and test database with userAdmin and userAdminAnyDatabase and readWrite roles respectively.
  2. Perform getUsers(), dropUser(), createUser() and updateUser() using a user with userAdminAnyDatabase role and everything works fine.
  3. Perform getUsers(), dropUser(), createUser() and updateUser() using the userAdmin role but the updateUser() generates the error as mentioned?

If these are not the exact steps to reproduce the issue, could you please provide a step-by-step reproduction of what you are observing?
Could you also confirm the version of MongoDB you are using?


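The reproduction steps requested above, as a mongosh script (an added example, not part of the thread): load it once while connected as the account holding the custom `mydbAdmin` role and once as an account with `userAdminAnyDatabase`, then compare the two outputs. The target user name `reproTarget`, its password and the `read` role used in the update are constructed for illustration.

```javascript
// Added example for mongosh; run only against a disposable test deployment.
// "reproTarget" and its password are constructed placeholders, not from the thread.
const TARGET = "reproTarget";

// Runs each user-management helper once and records whether it succeeded,
// keeping the server's error message when it did not.
function runUserAdminChecks(adminDb) {
  const results = {};
  const attempt = (name, fn) => {
    try {
      fn();
      results[name] = "ok";
    } catch (e) {
      results[name] = "failed: " + e.message;
    }
  };

  attempt("getUsers", () => adminDb.getUsers());
  attempt("createUser", () => adminDb.createUser({
    user: TARGET,
    pwd: "constructed-placeholder-pw",
    roles: [{ role: "readWrite", db: "mydb" }],
  }));
  // The call from the question: replace the user's roles array.
  attempt("updateUser", () => adminDb.updateUser(TARGET, {
    roles: [{ role: "read", db: "mydb" }],
  }));
  // Drop last so the script leaves no test user behind.
  attempt("dropUser", () => adminDb.dropUser(TARGET));

  // The server version is included because the reply asks for it.
  return { version: adminDb.version(), results };
}

// In mongosh `db` is a global; under plain Node.js this guard skips the run.
if (typeof db !== "undefined") {
  printjson(runUserAdminChecks(db.getSiblingDB("admin")));
}
```

Each entry in `results` is either `ok` or the server's authorization error, which, together with the reported version, is the information the reply asks for.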