createRole succeeds for any user when the role being created is empty (a user-defined role with no privileges and no inherited roles), and it also succeeds on a connection that is not logged in at all.
> db.runCommand(
{ createRole: "sam", privileges: [], roles: [] })
{ "ok" : 1 }

When the role we are trying to create contains any linked roles or privileges, the command fails with an authorization error (code 13):
> db.runCommand(
{ createRole: "dave", privileges: [], roles: [ "sam" ] })
{
"ok" : 0,
"errmsg" : "not authorized on test to execute command
",
"code" : 13
}
> db.runCommand(
{ createRole: "amalia", privileges: [], roles: [ "read" ] })
{
"ok" : 0,
"errmsg" : "not authorized on test to execute command
",
"code" : 13
}
> var priv = { resource:
{ db: "test", collection: "" }, actions: [ "find" ] }
> db.runCommand(
{ createRole: "jeremy", privileges: [ priv ], roles: [] })
{
"ok" : 0,
"errmsg" : "not authorized on test to execute command { createRole: \"jeremy\", privileges: [ { resource:
, actions: [ \"find\" ] } ], roles: [] }",
"code" : 13
}