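A specific test case by hand. First start a mongod like this:

#!/bin/bash
# Prints the addUser command for reference; the echo does not run it.
echo 'db.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})'
# Start from an empty data directory (-f: no error if it does not exist yet).
rm -rf /tmp/mongoda
mkdir /tmp/mongoda
# Start mongod with authentication and a text-file audit log.
mongod --port 27017 --logpath /tmp/mongoda/mongo.log --logappend --auditLog textfile --auth --auditPath /tmp/mongoda/audit.log --dbpath /tmp/mongoda --smallfiles --nopreallocj
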
And then revoke user privileges like this:

// Create the administrative user and authenticate as it.
admindb = db.getMongo().getDB('admin')
admindb.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})
admindb.auth("uu","pp")
// Create user oo on the oink database with three roles.
oinkdb = db.getMongo().getDB('oink')
oinkdb.addUser({user:"oo", pwd:"pp", roles:["userAdmin", "readWrite", "dbAdmin"]})
// Revoke all three roles again; this is the step missing from the audit log.
oinkdb.runCommand({revokeRolesFromUser: "oo", roles: ["userAdmin", "readWrite", "dbAdmin"]})
// Dump the stored user documents to show the resulting roles.
admindb = db.getMongo().getDB('admin')
print("Here comes output")
admindb.system.users.find().forEach(printjson)

And look at the tail of the audit log file, where you can see the user oo getting created, but not the authority getting revoked:

2013-10-30T11:42:39.951-0400 127.0.0.1:60861/127.0.0.1:27017 Created index user_1_db_1 on admin.system.users as { v: 1, unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }.
2013-10-30T11:42:39.953-0400 127.0.0.1:60861/127.0.0.1:27017 Created database admin.
2013-10-30T11:42:39.954-0400 127.0.0.1:60861/127.0.0.1:27017 Created index _id_ on admin.system.users as { v: 1, key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Authentication succeeded for uu@admin using mechanism MONGODB-CR.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Created user oo@oink with password, without customData, with the following roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.

And to confirm that it happened, the last part of the shell output shows no roles for 'oo':

{
    "_id" : "oink.oo",
    "user" : "oo",
    "db" : "oink",
    "credentials" : {
        "MONGODB-CR" : "6363103a8f514a6452b1394ec1ee613d"
    },
    "roles" : [ ]
}
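
A reconciliation check for the gap shown above, as an added example that is not part of the original report or of MongoDB's own code: it rebuilds each user's roles from the "Created user" audit lines and compares them with the stored system.users documents, flagging role changes the audit trail does not explain. It understands only the creation line format quoted in this report; the function names and the {role, db} shape for populated role entries are assumptions, and the sample data is copied from the report.

```javascript
// Added example: reconcile "Created user" audit lines with system.users documents.
// Sample data is copied from the report; function names are hypothetical.
const auditLines = [
  '2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Authentication succeeded for uu@admin using mechanism MONGODB-CR.',
  '2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Created user oo@oink with password, without customData, with the following roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.',
];
const storedUsers = [{ _id: 'oink.oo', user: 'oo', db: 'oink', roles: [] }];

// Groups: timestamp, acting user, created user, its database, role list.
const CREATED = /^(\S+) (\S+) \S+ Created user (\S+?)@(\S+) with .*with the following roles: (.*)\.$/;

// Last audited role set per user, keyed as "user@db".
function auditedRoles(lines) {
  const byUser = new Map();
  for (const line of lines) {
    const m = CREATED.exec(line);
    if (!m) continue;
    const roles = m[5].split(',').map((r) => r.trim()).filter(Boolean);
    byUser.set(`${m[3]}@${m[4]}`, { at: m[1], by: m[2], roles: new Set(roles) });
  }
  return byUser;
}

// Assumption: stored roles are either plain names or {role, db} documents.
function storedRoles(doc) {
  return new Set(doc.roles.map((r) =>
    (typeof r === 'string' ? `${r}@${doc.db}` : `${r.role}@${r.db}`)));
}

// Report users whose stored roles are not explained by the audit trail.
function findUnauditedChanges(lines, docs) {
  const audited = auditedRoles(lines);
  const findings = [];
  for (const doc of docs) {
    const user = `${doc.user}@${doc.db}`;
    const rec = audited.get(user);
    if (!rec) { findings.push({ user, issue: 'no creation event' }); continue; }
    const have = storedRoles(doc);
    const missing = [...rec.roles].filter((r) => !have.has(r));
    const extra = [...have].filter((r) => !rec.roles.has(r));
    if (missing.length || extra.length) {
      findings.push({ user, issue: 'roles differ from audit trail', missing, extra, since: rec.at });
    }
  }
  return findings;
}

console.log(JSON.stringify(findUnauditedChanges(auditLines, storedUsers), null, 2));
```

A finding means either an audit event is missing, as in this report, or the log contains an event type this parser does not read.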