Core Server / SERVER-13647

root role does not contain sufficient privileges for a mongorestore of a system with security enabled

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 3.0.7, 3.1.8
    • Affects Version/s: 2.6.0, 3.0.4
    • Component/s: Security, Tools
    • Labels:
      None
    • Fully Compatible
    • ALL
    • Security 7 08/10/15, Security 8 08/28/15

      The "root" role is lacking several privileges present in the "restore" role, such as the ability to insert directly into the system.users, system.roles, and system.version collections. These privileges are necessary to be able to use mongorestore to restore a system with authorization enabled; however, granting them to the "root" role is also potentially problematic, as it would allow users with the "root" role to manipulate admin.system.users, bypassing the safety checks present in the user management commands.

      If you try to use the "root" role to do a mongorestore when the dump contains system.users, system.roles or system.version entries, you will get an error like the following:

      mongorestore -u admin -p <pass> --drop -h 127.0.0.1:27017 "/mongodb_data_bak/backup"
      connected to: 127.0.0.1:27017
      2014-04-17T20:44:54.647+0000 going into namespace [admin.system.version]
      Restoring to admin.system.version without dropping. Restored data will be inserted without raising errors; check your server log
      1 objects found
      2014-04-17T20:44:54.648+0000 Creating index: { key: { _id: 1 }, name: "id", ns: "admin.system.version" }
      Error creating index admin.system.version: 13 err: "not authorized to create index on admin.system.version"
      Aborted (core dumped)

        1. core.13738
          57.68 MB

            Assignee: Merry Mou (merry.mou)
            Reporter: Dharshan Rangegowda (dharshanr@scalegrid.net)
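The privilege gap described in this ticket can be checked offline against a role document in the shape returned by `rolesInfo` with `showPrivileges: true`. The following is an added example, not code from the ticket or from MongoDB; the required-privilege list, the sample role documents and the function names are assumptions made for illustration, and the resource matching is a simplified model of the server's rules.

```javascript
// Added example: audit a role document for the privileges mongorestore
// needs on the system collections named in the ticket.

// Assumption: required actions are derived from the ticket text (direct insert
// into the three collections) and its error message (createIndex).
const REQUIRED = ["system.users", "system.roles", "system.version"].flatMap(
  (collection) => ["insert", "createIndex"].map(
    (action) => ({ db: "admin", collection, action })));

// Simplified resource matching: an empty db matches any database, but an empty
// collection matches only non-system collections, so system.* collections
// must be named explicitly (or granted through anyResource).
function resourceCovers(resource, db, collection) {
  if (resource.anyResource === true) return true;
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false; // e.g. { cluster: true } never covers a collection
  }
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === ""
    ? !collection.startsWith("system.")
    : resource.collection === collection;
  return dbOk && collOk;
}

// Returns the required privileges the role does not hold, as readable strings.
function missingPrivileges(roleDoc, required = REQUIRED) {
  const granted = [...(roleDoc.privileges || []), ...(roleDoc.inheritedPrivileges || [])];
  return required
    .filter((need) => !granted.some((p) =>
      resourceCovers(p.resource, need.db, need.collection) && p.actions.includes(need.action)))
    .map((need) => `${need.action} on ${need.db}.${need.collection}`);
}

// Constructed sample role documents (not the real built-in role definitions).
const wildcardRole = { role: "sampleWildcard", db: "admin", privileges: [
  { resource: { db: "", collection: "" }, actions: ["find", "insert", "update", "remove", "createIndex"] },
  { resource: { cluster: true }, actions: ["listDatabases"] } ] };
const explicitRole = { role: "sampleExplicit", db: "admin", privileges: [
  { resource: { db: "", collection: "" }, actions: ["insert", "createIndex"] },
  { resource: { db: "admin", collection: "system.version" }, actions: ["insert", "createIndex"] } ],
  inheritedPrivileges: [
  { resource: { db: "", collection: "system.users" }, actions: ["insert", "createIndex"] },
  { resource: { db: "admin", collection: "system.roles" }, actions: ["insert", "createIndex"] } ] };

console.log(missingPrivileges(wildcardRole)); // all six required privileges are missing
console.log(missingPrivileges(explicitRole)); // nothing missing
```

A role for which nothing is reported missing on admin.system.users can also write user documents directly, which is the bypass of the user management commands that the description warns about, so the same check doubles as an audit of which custom roles carry that capability.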