Master MongoDB Permission Management: Roles, Users, and Best Practices
This guide thoroughly explains MongoDB's permission system, covering key concepts, role creation, inheritance, privilege assignment, user management, and essential precautions to avoid common security pitfalls and simplify administration.
Background
Earlier MongoDB versions gave developers root privileges, leading to mistakes like missing background:true on index creation, accidental deletions, and storage bloat. Starting with MongoDB 2.6 and fully in 3.0, a finer‑grained permission system was introduced.
Permission Concepts
Key terms: user – authentication account; role – collection of privileges; resource – database, collection, or global cluster; actions – operations such as find, insert, remove, update; privilege – a pair of resource and actions; authenticationDatabase – the database where the role or user is defined.
Roles
MongoDB provides built‑in roles and allows custom roles. Custom roles are often needed for precise control.
Creating a Role
<code>use admin;
db.createRole({
role: "testrole",
privileges: [
{
resource: { db: "lidan", collection: "" },
actions: [ "find", "insert", "remove", "update" ]
}
],
roles: []
});
</code>
The role is stored in the system.roles collection of the admin database. View it with:
<code>db.system.roles.find();
</code>
Viewing a Role
<code>use admin;
db.getRole("testrole", { showPrivileges: true });
</code>
Role Inheritance
<code>db.grantRolesToRole("testrole", ["otherrole1","otherrole2"]);
db.revokeRolesFromRole("testrole", ["otherrole2"]);
</code>
Granting Privileges
<code>db.grantPrivilegesToRole("testrole", [
{
resource: { db:"lidan_1", collection:"" },
actions: [ "createCollection", "dropCollection", "convertToCapped" ]
}
]);
</code>
Revoking Privileges
<code>db.revokePrivilegesFromRole("testrole", [
{
resource: { db:"lidan_1", collection:"" },
actions: [ "createCollection", "dropCollection", "convertToCapped" ]
}
]);
</code>
Deleting a Role
<code>db.dropRole("testrole");
</code>
Users
Users can be created with built‑in or custom roles. Example:
<code>use admin;
// A superuser: the built-in root role on the admin database.
db.createUser({
user: "mongo",
pwd: "123",
roles: [{ role: "root", db: "admin" }]
});
// Alternatively, an account limited to the custom role. User names are unique
// within a database, so run only one of these two, or drop "mongo" first.
db.createUser({
user: "mongo",
pwd: "123",
roles: ["testrole"]
});
</code>
Login example:
<code>mongo -u mongo -p 123 --host 127.0.0.1 --port 9999 --authenticationDatabase=admin
</code>
Viewing a User
<code>use admin;
db.getUser("mongo");
</code>
Granting/Revoking Roles to Users
<code>db.grantRolesToUser("mongo", [{ role:"testrole", db:"admin" }]);
db.revokeRolesFromUser("mongo", [{ role:"testrole", db:"admin" }]);
</code>
Deleting a User
<code>db.dropUser("mongo");
</code>
Precautions
Dropping databases or collections does not automatically remove associated roles and users; clean them manually.
For fine‑grained control without a sprawl of accounts, create a single development account defined in the admin database (authenticationDatabase admin) and control what it may do through the roles granted to it.
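As an added example (not code from the article), a script that audits a dump of admin.system.roles offline: it follows role inheritance to compute a role's effective privileges, flags destructive actions, and lists roles still pointing at databases that no longer exist (the precaution above). The sample role documents and the DESTRUCTIVE action list are constructed for the example; they mirror the article's "testrole".

```javascript
// Added example (not the article's code): offline audit of an admin.system.roles dump.
// It resolves inherited privileges and flags destructive actions and stale roles.
const DESTRUCTIVE = new Set(["dropDatabase", "dropCollection", "remove", "convertToCapped"]);
// Constructed sample of `db.system.roles.find()` output, mirroring the article's "testrole".
const systemRoles = [
  { _id: "admin.testrole", role: "testrole", db: "admin",
    privileges: [{ resource: { db: "lidan", collection: "" },
                   actions: ["find", "insert", "remove", "update"] }],
    roles: [{ role: "otherrole1", db: "admin" }] },
  { _id: "admin.otherrole1", role: "otherrole1", db: "admin",
    privileges: [{ resource: { db: "lidan_1", collection: "" },
                   actions: ["createCollection", "dropCollection"] }],
    roles: [] },
];

// A role's own privileges plus everything inherited through `roles`, transitively.
// `seen` guards against cycles; built-in roles are not stored in system.roles and yield [].
function effectivePrivileges(roleName, dbName, roles, seen = new Set()) {
  const key = `${dbName}.${roleName}`;
  if (seen.has(key)) return [];
  seen.add(key);
  const doc = roles.find((r) => r.role === roleName && r.db === dbName);
  if (!doc) return [];
  return doc.roles.reduce(
    (acc, p) => acc.concat(effectivePrivileges(p.role, p.db, roles, seen)),
    [...doc.privileges]);
}

// Destructive actions a role can run, keyed by "db.collection"
// (an empty collection name means every collection in that db).
function destructiveActions(roleName, dbName, roles) {
  const out = {};
  for (const p of effectivePrivileges(roleName, dbName, roles)) {
    const target = `${p.resource.db}.${p.resource.collection}`;
    const bad = p.actions.filter((a) => DESTRUCTIVE.has(a));
    if (bad.length) out[target] = [...new Set([...(out[target] || []), ...bad])].sort();
  }
  return out;
}
// Roles whose privileges target a database that no longer exists (the article's
// precaution): `existingDbs` is what `show dbs` lists; cluster-wide resources are skipped.
function staleRoles(roles, existingDbs) {
  const live = new Set(existingDbs);
  return roles
    .filter((r) => r.privileges.some((p) => p.resource.db && !live.has(p.resource.db)))
    .map((r) => r._id);
}
console.log(destructiveActions("testrole", "admin", systemRoles)); // { "lidan.": ["remove"], "lidan_1.": ["dropCollection"] }
console.log(staleRoles(systemRoles, ["admin", "lidan"]));          // [ "admin.otherrole1" ]
```

Against a live deployment, replace the constructed array with the result of `db.getSiblingDB("admin").system.roles.find().toArray()` in mongosh and `existingDbs` with the names from `show dbs`.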
Reference links: MongoDB built‑in roles, privilege actions list, role management methods, user management methods.
360 Zhihui Cloud Developer