What permissions are required to run aggregate

I am using MongoDB Atlas. I created a user that has the readWrite@dbname permission on a single DB (dbname).
I get the following error when I start an aggregation.
It works if I change the policy to readWriteAnyDatabase@admin.

UnhandledPromiseRejectionWarning: 
MongoError: not authorized on mydb?retryWrites=true&w=majority 
to execute command  { aggregate: "applicationMetadata", pipeline: [ { $match: {} }, {
 $group: { _id: 1, n: { $sum: 1 } } } ], cursor: {}, lsid: { id: UUID("dcb2caef-dccf-4de7-acd9-1713101be14b") },
 $clusterTime: { clusterTime: Timestamp(1620655876, 2)

I would like to create a custom policy with the least permissions on the cluster. I don’t want to let this user access other DBs.
Which permission should I assign to this user to be able to run aggregate?

1 Like

Hi @ismail_yenigul,

Welcome to the community!

Would you be able to provide the following information to help troubleshoot the error?

  • Which driver you are using to perform the command
  • The driver version
  • A snippet of the connection portion of your code (Please remove any credentials before posting it here)
  • A snippet of the code where the aggregate command exists

UnhandledPromiseRejectionWarning:
MongoError: not authorized on mydb?retryWrites=true&w=majority

You have stated originally that the user had the readWrite@dbname permission on the dbname database. However, the error above indicates you are running the aggregate command against a different database name. Have you tried the same command with the user who has readWrite@dbname permissions against database dbname? Since the same command works using readWriteAnyDatabase@admin as opposed to readWrite@dbname, I suspect that the issue may exist with what database the command is being run against.

I would like to create a custom policy with the least permissions on the cluster. I don’t want to let this user access other DBs.

You can configure a Custom Role in Atlas so that database users associated with the custom role can only perform selected actions and roles against certain database(s).

Which permission should I assign to this user to be able to run aggregate?

You can assign the find action so that database users associated with a custom role with this action are allowed to perform the aggregation command you have provided.

Please see the example below of a custom role with the find action allowed for the testdb database:

Note: You will be able to find the find action under the category Collection Actions → Query and Write Actions.

Hope this helps.

Kind Regards,
Jason

5 Likes

Hi Jason,

I realized it was the wrong database after the message. How did I miss that part 🙂
We are using Node.js with TypeORM.
It seems we hit this bug: "mongodb url with query params is incorrectly parsed · Issue #6389 · typeorm/typeorm · GitHub". typeorm can’t parse the MongoDB URI correctly, so it treats “mydb?retryWrites=true&w=majority” as the DB name. This is the reason why we were getting the error on aggregate.
We updated the typeorm release and it is fixed. It works fine with readWrite@mydb.
Thanks

3 Likes
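As an added example (not code from this thread, from typeorm, or from MongoDB), the snippet below shows why reading the database name out of a connection string without separating the query string reproduces the error above, and how the correctly parsed name scopes a role to just the find action on the one collection the aggregation reads. The connection string, host and role name are constructed, the password is a placeholder, and the createRole-style document is assumed to be equivalent to what the Atlas custom-role UI produces.

```javascript
// Constructed sample connection string; PLACEHOLDER stands in for a real password.
const SAMPLE_URI =
  "mongodb+srv://appuser:PLACEHOLDER@cluster0.example.net/mydb?retryWrites=true&w=majority";

// Naive extraction: take everything after the last "/" as the database name.
// This reproduces the failure mode in the thread: the query string is kept, so the
// driver authorizes against a database literally named "mydb?retryWrites=true&w=majority",
// which readWrite@mydb does not cover.
function naiveDbName(uri) {
  return uri.slice(uri.lastIndexOf("/") + 1);
}

// Correct extraction: separate scheme, authority (credentials + host list), path and query.
function parseMongoUri(uri) {
  const schemeEnd = uri.indexOf("://");
  if (schemeEnd === -1) throw new Error("not a MongoDB connection string");
  const scheme = uri.slice(0, schemeEnd);
  const rest = uri.slice(schemeEnd + 3);
  // The authority ends at the first "/" or "?"; hosts may be a comma-separated list.
  const authEnd = rest.search(/[/?]/);
  const authority = authEnd === -1 ? rest : rest.slice(0, authEnd);
  let pathAndQuery = authEnd === -1 ? "" : rest.slice(authEnd);
  let query = "";
  const qIdx = pathAndQuery.indexOf("?");
  if (qIdx !== -1) {
    query = pathAndQuery.slice(qIdx + 1);
    pathAndQuery = pathAndQuery.slice(0, qIdx);
  }
  // The database name is the path without its leading "/"; absent path means no default db.
  const dbName = decodeURIComponent(pathAndQuery.replace(/^\//, "")) || null;
  const options = Object.fromEntries(new URLSearchParams(query));
  const hosts = authority.slice(authority.lastIndexOf("@") + 1).split(",");
  return { scheme, hosts, dbName, options };
}

// Role document scoped to the parsed database and the single collection the pipeline
// reads; "find" is the only action a $match/$group aggregation needs. The shape follows
// the server's createRole() document (assumed equivalent to the Atlas custom-role UI).
function leastPrivilegeRole(dbName, collection) {
  return {
    role: `aggregate_${collection}`, // constructed role name
    privileges: [{ resource: { db: dbName, collection }, actions: ["find"] }],
    roles: [],
  };
}
```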
