Ticket: Principle of Least Privilege - Cannot create new user

Hi everyone!
I have an issue with creating a new user.
Steps I followed to create the user:

  1. Connect through the terminal with the following command:
    1.1 mongo mongodb+srv://m220student:m220password@<my_personal_data>/test
  2. Run the following commands:
    2.1 use mflix
    2.2 db.createUser({user: "mflixAppUser", pwd: "mflixAppPwd", roles: ["readWrite"]})

And after that I got an exception:

MongoDB Enterprise mflix-shard-0:PRIMARY> db.createUser({user: "mflixAppUser", pwd: "mflixAppPwd", roles: ["readWrite"]})
2019-03-01T01:51:50.752+0200 E QUERY [js] Error: couldn't add user: CMD_NOT_ALLOWED: createUser :

What did I do wrong?

You can create the user through the Atlas interface. The ticket instructions actually say:

This user should have the readWrite role on the mflix database. Use Add Default Privileges to assign the user this specific role.

Where Add Default Privileges is actually a named “button” within the Atlas interface.

If for personal curiosity you wanted to add a new user through mongo shell commands, you actually do ALL user maintenance in the admin database namespace, i.e.:

use admin
db.createUser({
  user: "<name>",
  pwd: "<cleartext password>",
  roles: [
    { role: "<role>", db: "<database>" }
  ]
})

Where the db on the entry within the roles array would be of course "mflix" and the role is the one the ticket itself actually tells you to assign.

Note that if "modifying" an existing user through the shell, see db.updateUser() and the related notes (or possibly other methods) documented there.
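
As an added example (not part of the reply above, and not MongoDB's own code), the following shell script builds the createUser document in the admin namespace as described, checks that the app user's roles stay scoped to the mflix database before running it, and reports the CMD_NOT_ALLOWED rejection Atlas returns instead of crashing. The helper names and the BROAD_ROLES list are my own; the credentials are the course placeholders from the ticket.

```javascript
// Added example: least-privilege user creation from the mongo shell.
// The builder/checker functions also load in plain Node (no `db` object),
// so they can be exercised without a server.

// Roles that grant cluster-wide or user-administration power; an application
// user scoped to one database should never carry them (list is my own).
const BROAD_ROLES = new Set([
  "root", "readWriteAnyDatabase", "readAnyDatabase", "userAdminAnyDatabase",
  "dbAdminAnyDatabase", "clusterAdmin", "userAdmin", "dbOwner",
]);

// Build the document db.createUser() expects when run in the admin database:
// every role entry names both the role and the database it applies to.
function buildAppUserSpec(user, pwd, roles) {
  return { user, pwd, roles: roles.map(({ role, db }) => ({ role, db })) };
}

// Return a list of problems; an empty list means the spec is least-privilege
// for an application user of the single database `appDb`.
function checkLeastPrivilege(spec, appDb) {
  const problems = [];
  if (!Array.isArray(spec.roles) || spec.roles.length === 0) {
    problems.push("no roles assigned");
  }
  for (const r of spec.roles || []) {
    if (typeof r !== "object" || !r.db) {
      // A bare string such as "readWrite" binds to the *current* db (admin here).
      problems.push(`role ${JSON.stringify(r)} is not scoped to a database`);
    } else if (r.db !== appDb) {
      problems.push(`role ${r.role} is scoped to ${r.db}, expected ${appDb}`);
    }
    if (BROAD_ROLES.has(r.role)) problems.push(`role ${r.role} is too broad`);
  }
  return problems;
}

// The ticket's user: readWrite on mflix only (course placeholder credentials).
const mflixSpec = buildAppUserSpec("mflixAppUser", "mflixAppPwd",
  [{ role: "readWrite", db: "mflix" }]);

// Only runs inside the mongo shell, and only if the spec passed the check.
if (typeof db !== "undefined" && checkLeastPrivilege(mflixSpec, "mflix").length === 0) {
  try {
    db.getSiblingDB("admin").createUser(mflixSpec); // works on self-managed MongoDB
  } catch (e) {
    // Atlas (e.g. a free-tier M0) rejects this with CMD_NOT_ALLOWED;
    // create the user through the Atlas interface instead.
    print("createUser failed: " + e.message);
  }
}
```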

@neillunn:

"CMD_NOT_ALLOWED" means that the operation db.createUser(…) is unsupported in the Atlas shell.
The full list of unsupported operations can be seen here https://docs.atlas.mongodb.com/reference/unsupported-commands/
and here

You can create the user through the Atlas interface. Yeap, I understand it, it's not a problem.) I am only interested in why I cannot add it through the shell, because with my local MongoDB it was possible. I did this experiment for fun; anyway, thanks for the advice.

Hi @mrgr3n,

There are a few reasons for this:

a) You are using a free-tier M0 instance, which is a shared instance; therefore some user administration options are blocked.
b) When you deal with a Database as a Service like Atlas, there are some limitations to what you should/need to do from a deployment and user management perspective. So these safeguards and restrictions are in your and other users' best interest.

Does this make sense?


Yeap, thanks for the information.