Granting only logRotate access

Good day!

Running MongoDB 4.4 on Windows, I want to write a log rotation batch file. I'm going to need to create a dummy "logsAdm" user whose job will ONLY be to perform log rotation.

I’ve created a custom role and user as such:

db = db.getSiblingDB('admin');

db.createRole(
    {
      role: "logsAdmin",
      privileges: [
        { resource: { db: "admin", collection: "" }, actions: [ "logRotate" ] }  
      ],
      roles: []
    }
);

db.createUser(
  {
    user: "logsadm",
    pwd: passwordPrompt(),
    roles: [ 
      { role: "logsAdmin", db: "admin" }
    ]
  }
)

Now, if I try to logRotate with this user, I’m still running into bad privileges:

C:> mongosh.exe -u logsadm -p <password> --eval "db.adminCommand({ logRotate: 1 })"

MongoServerError: not authorized on admin to execute command { logRotate: 1, lsid: { id: UUID("60daeae9-193a-4604-b9b0-Z723aksj2872398kajs") }, $clusterTime: { clusterTime: Timestamp(1649751187, 1), signature: { hash: BinData(0, DDB2AA34AFBF140AA03937879336BC6547BB4316), keyId: 706235745087016435464 } }, $db: "admin" }

Did I miss something in my custom role? Did I at least do it properly? I know the documentation states for the action that:

User can perform the logRotate command. Apply this action to the cluster resource.

So I am not sure I've properly set up the role. Apologies, I'm pretty new to MongoDB…

Thanks for your help and time.

Regards,
Pat

Hi @Patrick_Roy

Try creating a custom role first then grant the role to the user:

db.createRole({ role:"logsOnly",privileges:[{ resource: { cluster : true }, actions: [ "logRotate"]}],roles:[]})
db.createUser({user:'rot',pwd:'useAbetterPASSWORD', roles:['logsOnly']})
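The point of the reply above is that logRotate is a cluster-level action: a privilege scoped to a database resource, even the admin database, is silently useless for it. The mongosh script below, added here and not part of the thread or of MongoDB's own code, creates the role on the cluster resource and then reads the role document back with getRole to confirm the grant before the account is handed to a scheduled task. The role and user names (logsOnly, logsadm) are assumptions, and the two sample role documents are constructed to mirror the two definitions posted in this thread:

```javascript
// Added example, not from the thread. Run under mongosh against the admin db
// (e.g. mongosh "mongodb://localhost:27017/admin" --file logrotate-role.js);
// the pure helpers also run under plain node for inspection.

// Does a role document, as returned by
// db.getRole(name, { showPrivileges: true }), grant `action` on the
// cluster resource? logRotate is only honoured there, never on a db/collection.
function grantsClusterAction(roleDoc, action) {
  const privs = (roleDoc && roleDoc.privileges) || [];
  return privs.some(
    (p) =>
      p.resource &&
      p.resource.cluster === true &&
      (p.actions || []).includes(action)
  );
}

// One line per privilege entry so an operator can see *where* an action was
// granted, e.g. "db=\"admin\" collection=\"\": has logRotate" (wrong scope).
function explainPrivileges(roleDoc, action) {
  const privs = (roleDoc && roleDoc.privileges) || [];
  return privs.map((p) => {
    const r = p.resource || {};
    const scope =
      r.cluster === true
        ? "cluster"
        : `db="${r.db}" collection="${r.collection}"`;
    const has = (p.actions || []).includes(action);
    return `${scope}: ${has ? "has" : "lacks"} ${action}`;
  });
}

// Constructed sample role documents mirroring the two definitions in the thread.
const WRONG_ROLE = {
  role: "logsAdmin",
  db: "admin",
  privileges: [
    { resource: { db: "admin", collection: "" }, actions: ["logRotate"] },
  ],
  roles: [],
};
const RIGHT_ROLE = {
  role: "logsOnly",
  db: "admin",
  privileges: [{ resource: { cluster: true }, actions: ["logRotate"] }],
  roles: [],
};

// mongosh-only part: create the least-privilege role and user, then verify
// the stored role document rather than trusting the createRole call.
function setupLogRotateRole(adminDb, roleName, userName) {
  adminDb.createRole({
    role: roleName,
    privileges: [{ resource: { cluster: true }, actions: ["logRotate"] }],
    roles: [],
  });
  adminDb.createUser({
    user: userName,
    pwd: passwordPrompt(), // prompted, so the password never lands in shell history
    roles: [{ role: roleName, db: "admin" }],
  });
  const roleDoc = adminDb.getRole(roleName, { showPrivileges: true });
  if (!grantsClusterAction(roleDoc, "logRotate")) {
    throw new Error(
      "role does not grant logRotate on the cluster resource: " +
        explainPrivileges(roleDoc, "logRotate").join("; ")
    );
  }
  return roleDoc;
}

if (typeof db !== "undefined") {
  // Inside mongosh: `db` is the global connection handle.
  setupLogRotateRole(db.getSiblingDB("admin"), "logsOnly", "logsadm");
} else {
  // Under node: just show how the two thread definitions differ.
  for (const r of [WRONG_ROLE, RIGHT_ROLE]) {
    console.log(r.role, grantsClusterAction(r, "logRotate"), explainPrivileges(r, "logRotate"));
  }
}
```

Once the role verifies, the rotation job itself needs nothing more than `mongosh -u logsadm -p <password> --authenticationDatabase admin --quiet --eval "db.adminCommand({ logRotate: 1 })"`; the account can do nothing else, so a leaked scheduled-task credential exposes only log rotation.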

Hi Chris! Awesome! That fixed my issue! All I was doing wrong was that I was creating the role with:

resource: { db: "admin", collection: "" }

instead of:

resource: { cluster : true }

Thanks a bunch for the help!
Pat

