Details
-
Bug
-
Resolution: Done
-
Major - P3
-
None
-
None
-
None
-
None
Description
I want to create a user with particular "find" access only on a collection & tried below process.
Process 1:
Use admin ..............................Success
db.createRole(
{
role: "DeveloperRole",
privileges: [
{ resource:
, actions: [ "find"] }
],
roles: []
}
)
.........................success
db.createUser(
{
user: "perfDeveloper",
pwd: "mongo123",
roles: [
]
}
)
......error No role named DeveloperRole@mydb
Process 2:
Use admin ..............................Success
Use mydb ..............................Success
db.createRole(
{
role: "DeveloperRole",
privileges: [
{ resource:
, actions: [ "find"] }
],
roles: []
}
)
.........................success
db.createUser(
{
user: "perfDeveloper",
pwd: "mongo123",
roles: [
]
}
)
......success
But now user perfDeveloper is able to insert or remove data also, which I didn't provide access for.