Ticket: Principle of Least Privilege: Test passed, but program broken

Continuing the discussion from Ticket: Principle of Least Privilege problem:

I’m experiencing the same issue as this user from 1.5 years ago.

Here’s what I did to create the user:

  1. Go to cloud.mongodb.com
  2. Under “Security” on the left, select “Database Access”
  3. Click the green button labeled “+ Add New Database User” on the right
  4. Enter the given username and password and grant specific privileges: readWrite@mflix.sample_mflix

However, while I can pass the test, the server program is no longer able to load images. I see the following error:

GET / 304 12.037 ms - -
GET /static/css/main.d2c98b4b.chunk.css 304 8.789 ms - -
GET /static/js/1.908cc23a.chunk.js 304 8.728 ms - -
GET /static/js/main.02d67aeb.chunk.js 304 8.909 ms - -
GET /static/media/mongoleaf.0ebc1843.png 200 8.774 ms - 52399
Unable to convert cursor to array or problem counting documents, MongoError: user is not allowed to do action [find] on [sample_mflix.movies]

As detailed above, I specifically granted read and write privileges to this user on this collection, so why is this happening? This was never answered. I think it would be helpful to know in case this happens in a real-world application.

Hi @J_A, welcome to the community.
Can you please make sure that you have performed the following after all the 4 steps you mentioned?

Modify the SRV connection string in your configuration file so the application connects with the new username and password.

In case you have any doubts, please feel free to reach out to us.

Thanks and Regards.
Sourabh Bagrecha,
Curriculum Services Engineer

Yes, I did make sure to change the SRV connection string. I modified the .env file as follows:

MFLIX_DB_URI=mongodb+srv://mflixAppUser:mflixAppPwd@mflix...

(The rest of the string has been omitted for security reasons)

Please let me know if there’s anything else I’m missing. Thank you.

Hi @J_A, thanks for confirming that.
Did you whitelist your IP address as well?
Also, can you please ensure one more thing: that you are able to connect to your cluster using MongoDB Shell?

In case you have any doubts, please feel free to reach out to us.

Thanks and Regards.
Sourabh Bagrecha,
Curriculum Services Engineer

The only IP address that I’ve whitelisted is 0.0.0.0/0, but that means that no IP addresses should be blocked, correct?

I also was able to connect to my cluster in mongosh, but I can’t do anything:

Atlas atlas-ouman5-shard-0 [primary] sample_mflix> show collections
MongoServerError: user is not allowed to do action [listCollections] on [sample_mflix.]

Hi @J_A, can you please ensure that the database user you created has enough permissions assigned to it?

If you have any doubts, please feel free to reach out to us.

Thanks and Regards.
Sourabh Bagrecha,
MongoDB

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.
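
Added example, not from any post in the thread: a JavaScript check that compares the privilege string from the first post with the namespaces named in the two authorization errors. It assumes the Atlas string reads role@database[.collection]; the function names and the reduced role table are hypothetical.

```javascript
// Reduced table of built-in role actions (a subset, enough for this thread).
const ROLE_ACTIONS = {
  read: ['find', 'listCollections', 'listIndexes'],
  readWrite: ['find', 'insert', 'update', 'remove', 'listCollections', 'listIndexes'],
};

// Split at the first dot: database names cannot contain dots, collection names can.
// "sample_mflix." gives coll === '' (the database itself); no dot gives coll === null.
function splitNamespace(ns) {
  const i = ns.indexOf('.');
  return i === -1 ? { db: ns, coll: null } : { db: ns.slice(0, i), coll: ns.slice(i + 1) };
}

// Assumption: the Atlas privilege string reads role@database[.collection].
function parseGrant(grant) {
  const at = grant.indexOf('@');
  if (at < 1) throw new Error(`not a role@namespace string: ${grant}`);
  return { role: grant.slice(0, at), ...splitNamespace(grant.slice(at + 1)) };
}

// Extract the action and namespace from the server's authorization error text.
function parseDenial(message) {
  const m = /not allowed to do action \[(\w+)\] on \[([^\]]*)\]/.exec(message);
  return m ? { action: m[1], ...splitNamespace(m[2]) } : null;
}

// Simplified model: a grant covers a denial when the role includes the action,
// the database matches, and the grant is database-wide or names the same collection.
function explainDenial(grants, message) {
  const denial = parseDenial(message);
  if (!denial) return { covered: null, denial: null, grantedOn: [] };
  const parsed = grants.map(parseGrant);
  const covered = parsed.some(g =>
    (ROLE_ACTIONS[g.role] || []).includes(denial.action) &&
    g.db === denial.db && (g.coll === null || g.coll === denial.coll));
  const grantedOn = parsed.map(g => (g.coll === null ? g.db : `${g.db}.${g.coll}`));
  return { covered, denial, grantedOn };
}

// The privilege string and the two error messages quoted in the thread.
const grant = 'readWrite@mflix.sample_mflix';
const appError = 'MongoError: user is not allowed to do action [find] on [sample_mflix.movies]';
const shellError = 'MongoServerError: user is not allowed to do action [listCollections] on [sample_mflix.]';

console.log(explainDenial([grant], appError));
console.log(explainDenial([grant], shellError));
// Hypothetical database-wide grant, for comparison.
console.log(explainDenial(['readWrite@sample_mflix'], appError));
```

Under the stated assumption, the grant from the first post resolves to database mflix and collection sample_mflix, while both errors name database sample_mflix.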