Hi,
I am trying to grant a role to a user to perform the dbStats and collStats actions on a database and its backup database.
When granting the role “clusterMonitor” to the user, everything works fine. However, this would give access to all other databases on the cluster. I wanted it to be more restrictive. So I tried:
use admin
db.createRole({
  role: "dbStats",
  privileges: [
    {
      resource: { db: "db", collection: "" },
      actions: ["dbStats", "collStats"]
    },
    {
      resource: { db: "db-backup", collection: "" },
      actions: ["dbStats", "collStats"]
    }
  ],
  roles: [
    {
      role: "read",
      db: "admin"
    }
  ]
})
db.getRole("dbStats")
{
  _id: 'admin.dbStats',
  role: 'dbStats',
  db: 'admin',
  roles: [ { role: 'read', db: 'admin' } ],
  inheritedRoles: [ { role: 'read', db: 'admin' } ],
  isBuiltin: false
}
db.getUser("db_writer")
{
  _id: 'admin.db_writer',
  userId: UUID('4b3a9128-d75d-4e45-9989-8f83b5ecd581'),
  user: 'db_writer',
  db: 'admin',
  roles: [
    { role: 'dbStats', db: 'admin' },
    { role: 'readWrite', db: 'db' },
    { role: 'readWrite', db: 'db-backup' }
  ],
  mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
}
Yet, when I try to run my service performing the dbStats with the user I get the following error:
"errmsg" : "not authorized on test to execute command { dbstats: 1.0, scale
NOTE: this error is not present when I assign “clusterMonitor” as role to the “db_writer” user.
What am I missing here?
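
An added example, not part of the original post: it reads the database and command out of the error text above and compares them with the privileges from the createRole call. The resource matching is a simplified model of MongoDB's rules (an assumption, not the server's authorization code), and the function names are hypothetical.

```javascript
// Privileges of the custom role, copied from the createRole call in the post.
const rolePrivileges = [
  { resource: { db: "db", collection: "" }, actions: ["dbStats", "collStats"] },
  { resource: { db: "db-backup", collection: "" }, actions: ["dbStats", "collStats"] },
];

// Error text as quoted in the post (it is truncated there as well).
const errmsg = "not authorized on test to execute command { dbstats: 1.0, scale";

// Command names as they appear in the error, mapped to privilege action names.
const COMMAND_ACTION = { dbstats: "dbStats", collstats: "collStats" };

// Extract the database the command ran against and the command name.
function parseAuthError(msg) {
  const m = /not authorized on (\S+) to execute command \{ (\w+):/.exec(msg);
  return m ? { db: m[1], command: m[2] } : null;
}

// Simplified model (assumption): a database-level action is granted when a
// privilege lists the action with collection "" and db equal to the target
// database, or db "" meaning any database.
function grantsOnDb(privileges, action, db) {
  return privileges.some(({ resource, actions }) =>
    actions.includes(action) &&
    resource.collection === "" &&
    (resource.db === db || resource.db === ""));
}

// Compare the database named in the error with the databases the role covers.
function diagnose(msg, privileges) {
  const parsed = parseAuthError(msg);
  if (!parsed) return null;
  const action = COMMAND_ACTION[parsed.command.toLowerCase()];
  if (!action) return null;
  const coveredDbs = privileges
    .filter(p => p.actions.includes(action) && p.resource.collection === "")
    .map(p => p.resource.db);
  return { db: parsed.db, action, granted: grantsOnDb(privileges, action, parsed.db), coveredDbs };
}

console.log(diagnose(errmsg, rolePrivileges));
```
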