[DOCS-3370] Clarify that even though in 2.6 all users are *stored* in the admin db, they are still scoped to individual dbs same as ever Created: 08/May/14 Updated: 31/May/14 Resolved: 31/May/14 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | manual |
| Affects Version/s: | None |
| Fix Version/s: | v1.3.6 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Kay Kim (Inactive) |
| Resolution: | Done | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |
|
This page says: "MongoDB stores all user information, including credentials and authorization information, for a MongoDB instance in the system.users collection in the admin database." There are several other places on that page that reference user information being stored in the admin db, but it doesn't make clear that that is just about storage. It's more or less an implementation detail. Users still have home databases like they always did, and you still have to send authentication commands to the right database. |
| Comments |
| Comment by Githook User [ 31/May/14 ] |
|
Author: {u'username': u'kay-kim', u'name': u'kay', u'email': u'kay.kim@10gen.com'}
Message: |
| Comment by Kay Kim (Inactive) [ 29/May/14 ] |
|
Hi Hendy –
The following is a query on the admin database's system.users collection. As you can see for my user reportsUser, the database db associated with the user is reporting.
So in summary, create the user in the database you want to associate the user; in my example reporting database for the reportsUser. Then, to authenticate, you authenticate the user against that same database; in my example, authenticate reportsUser against the reporting database. Hope this helps. Let me know if you have any further questions. |
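The storage-versus-scope distinction described in the comment above, as an added example that is not part of the original ticket or MongoDB's own code: it reads documents shaped like those in admin.system.users on 2.6 and reports, per user, the database that must receive the authentication command and the databases the roles reach. The sample documents are constructed; every name except reportsUser and reporting is an assumption.

```javascript
// Constructed sample shaped like admin.system.users documents on MongoDB 2.6.
// Only reportsUser/reporting come from the ticket; other names are made up.
const sampleSystemUsers = [
  { _id: "reporting.reportsUser", user: "reportsUser", db: "reporting",
    roles: [{ role: "read", db: "reporting" },
            { role: "read", db: "sales" },
            { role: "read", db: "accounts" }] },
  // Same user name defined in two databases: two distinct principals.
  { _id: "admin.appUser", user: "appUser", db: "admin",
    roles: [{ role: "readWrite", db: "orders" }] },
  { _id: "orders.appUser", user: "appUser", db: "orders",
    roles: [{ role: "read", db: "orders" }] },
];

// Per user: where it must authenticate (doc.db) versus what its roles reach.
function summarizeUsers(docs) {
  return docs.map((doc) => {
    const roleDbs = [...new Set(doc.roles.map((r) => r.db))].sort();
    return {
      id: doc._id,
      authDb: doc.db, // the database the authentication command must target
      roleDbs,
      crossDb: roleDbs.filter((name) => name !== doc.db),
      idConsistent: doc._id === `${doc.db}.${doc.user}`,
    };
  });
}

// A login is resolved by the (user, db) pair, not by where the document is
// stored, so the right name sent to the wrong database matches nothing.
function resolveLogin(docs, user, authDb) {
  return docs.find((d) => d.user === user && d.db === authDb) || null;
}

for (const s of summarizeUsers(sampleSystemUsers)) {
  console.log(`${s.id}: authenticate against "${s.authDb}", ` +
              `roles on [${s.roleDbs.join(", ")}]`);
}
```

An entry with a non-empty crossDb list is a user whose access extends beyond its authentication database, which is worth reviewing when auditing role grants.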
| Comment by Hendy Irawan [ 29/May/14 ] |
|
kay.kim@10gen.com Wait... your example stores users in the reporting database (see the title of this JIRA ticket), not the admin database. Or you're actually saying that MongoDB internally stores users from the reporting database inside the admin database? |
| Comment by Kay Kim (Inactive) [ 28/May/14 ] |
|
Hi Hendy – For example, I created a reportsUser in the reporting database.
Then to log in, I authenticate to the reporting database
This logs me in as the reportsUser who can only perform the read operations on the 3 databases:
Hope this helps. Regards, Kay |
| Comment by Hendy Irawan [ 28/May/14 ] |
|
> how authentication works from the perspective of a driver author or an end user should be the same in 2.6 as in 2.4, although the way you create and update user definitions is different.

I don't think this is completely true, or I misunderstood it.

2.4 create user: create user in target DB -> OK
2.6 create user: create user in admin DB, using roles to target DB -> OK

Conclusion is: |
| Comment by Spencer Brody (Inactive) [ 27/May/14 ] |
|
I can't speak to the deprecation of the Java driver method, perhaps jeff.yemin knows more? |
| Comment by Hendy Irawan [ 20/May/14 ] |
|
"you still have to send authentication commands to the right database."

This seems conflicting with MongoDB Java API's deprecation notice, which authenticates the client, not per database:

@deprecated Please use {@link MongoClient#MongoClient(java.util.List, java.util.List)} to create a client, which will authenticate all connections to server

From DB.java :

/**
 * Authenticates to db with the given credentials. If this method (or {@code authenticate}) has already been
 * called with the same credentials and the authentication test succeeded, this method will return true. If this method
 * has already been called with different credentials and the authentication test succeeded,
 * this method will throw an {@code IllegalStateException}. If this method has already been called with any credentials
 * and the authentication test failed, this method will re-try the authentication test with the
 * given credentials.
 *
 * @param username name of user for this database
 * @param password password of user for this database
 * @return the CommandResult from authenticate command
 * @throws MongoException if authentication failed due to invalid user/pass, or other exceptions like I/O
 * @throws IllegalStateException if authentication test has already succeeded with different credentials
 * @dochub authenticate
 * @see #authenticate(String, char[])
 * @deprecated Please use {@link MongoClient#MongoClient(java.util.List, java.util.List)} to create a client, which will authenticate all connections to server |