[SERVER-10750] Minimum roles required to run mongorestore with authentication Created: 11/Sep/13 Updated: 11/Jul/16 Resolved: 16/Oct/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Tools |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Question | Priority: | Major - P3 |
| Reporter: | Siva Balasubramaniam | Assignee: | Spencer Brody (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Comments |
| Comment by Siva Balasubramaniam [ 16/Oct/13 ] |
|
Thank you. You may close this case. -Siva |
| Comment by Spencer Brody (Inactive) [ 16/Oct/13 ] |
|
As the reporter of Cheers, |
| Comment by Siva Balasubramaniam [ 16/Oct/13 ] |
|
Yes, this is a request for the future. How would I know if the new feature requested is considered? Will I be receiving an email? You may close the case. Thanks |
| Comment by Spencer Brody (Inactive) [ 16/Oct/13 ] |
|
Great, glad the workaround is working for you! Cheers, |
| Comment by Siva Balasubramaniam [ 16/Oct/13 ] |
|
Hi Spencer, Thanks |
| Comment by Spencer Brody (Inactive) [ 16/Oct/13 ] |
|
Hi Siva, Cheers, |
| Comment by Siva Balasubramaniam [ 20/Sep/13 ] |
|
Thanks Spencer. Let me try it out. -Siva |
| Comment by Spencer Brody (Inactive) [ 20/Sep/13 ] |
|
Hi Siva, |
| Comment by Siva Balasubramaniam [ 18/Sep/13 ] |
|
Hi Spencer,

> As an alternative, you could just give them readWrite, without userAdmin. This would allow them to dump/restore all the normal collections in the databases, but the information about the users defined in the database would not be dumped or restored. So then your application users could dump/restore their own data, but DBAs would still need to set up the user accounts on both the prod and dev systems.

Followed the steps below : )

{ "user" : "dumptest1", "pwd" : "7a0ac2d62edc9d561033193e49dfde7d", "roles" : [ "readWrite" ], "_id" : ObjectId("5239ebe6b873e336be327629") }
db.system.users.find()
{ "_id" : ObjectId("5239ebe6b873e336be327629"), "user" : "dumptest1", "pwd" : "7a0ac2d62edc9d561033193e49dfde7d", "roles" : [ "readWrite" ] }

Thanks |
| Comment by Siva Balasubramaniam [ 17/Sep/13 ] |
|
Thanks Spencer, let me give it a try. I will let you know the outcome. -Siva |
| Comment by Spencer Brody (Inactive) [ 16/Sep/13 ] |
|
As an alternative, you could just give them readWrite, without userAdmin. This would allow them to dump/restore all the normal collections in the databases, but the information about the users defined in the database would not be dumped or restored. So then your application users could dump/restore their own data, but DBAs would still need to set up the user accounts on both the prod and dev systems. |
| Comment by Siva Balasubramaniam [ 16/Sep/13 ] |
|
Thank you Spencer. Essentially, DBAs should do the mongodump and mongorestore, to avoid giving admin privileges to regular users. -Siva |
| Comment by Spencer Brody (Inactive) [ 16/Sep/13 ] |
|
Yes, that is correct, although if listingprod and listingdev are the only databases in use in each system, you could probably get by with just readWrite and userAdmin on each. |
| Comment by Siva Balasubramaniam [ 16/Sep/13 ] |
|
Say there is a PRODUCTION database listingprod and a DEVELOPMENT database listingdev. The databases are running on different systems. The user would like production data from listingprod into DEVELOPMENT database listingdev. Instead of DBAs doing the task of mongodump and mongorestore, we would like the user to do their task themselves. Thanks |
| Comment by Spencer Brody (Inactive) [ 16/Sep/13 ] |
|
Just to be clear, when you say you have PROD and DEV databases, are those the names of two databases in the same running mongod system, or are those two completely independent systems? If the former, then readWrite and userAdmin on the databases will be sufficient. If you mean that they are different clusters, however, then you will probably need readWriteAnyDatabase and userAdminAnyDatabase so that all databases in the cluster can be dumped/restored. Please be aware that any user with userAdmin on a database can grant themselves any other role on that database, effectively giving them full admin access to that database. See here for more information about this: http://docs.mongodb.org/manual/reference/user-privileges/#userAdmin |
| Comment by Siva Balasubramaniam [ 16/Sep/13 ] |
|
Thanks Spencer. We have authentication enabled on both PROD and DEV databases. We would like to give our database (from production database) users privileges to export (mongodump) their database themselves and mongorestore to DEV database themselves. In this scenario, based on what you said, we would give our users "userAdmin" and "readWrite" privileges. Is this a correct assumption? -Siva |
| Comment by Spencer Brody (Inactive) [ 16/Sep/13 ] |
|
The roles you need will depend on what data you are restoring. If you are restoring just a single collection, you will need the readWrite role on the database being restored into. If you are restoring a whole database, and that database has users defined in it, you will need userAdmin on that database to restore the user definitions (as well as readWrite for the main data). If you are restoring a full system with multiple databases, you will need readWriteAnyDatabase and userAdminAnyDatabase. That answer is all predicated on the assumption that you're talking about a version 2.4.x server and mongorestore. |
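
The role requirements and the userAdmin caveat from this thread, expressed as an audit over 2.4-style user documents. This is an added example, not part of the original ticket or MongoDB's own tooling; the function names and the sample users other than dumptest1 are hypothetical, and the documents are constructed in the shape shown in the thread.

```javascript
// Constructed sample input. In the mongo shell the equivalent would be
// db.system.users.find().toArray() on a 2.4.x server.
const sampleUsers = [
  { user: "dumptest1", roles: ["readWrite"] },
  { user: "appowner", roles: ["readWrite", "userAdmin"] },
  { user: "dba", roles: ["readWriteAnyDatabase", "userAdminAnyDatabase"] },
  { user: "helpdesk", roles: ["userAdmin"] },
];

// Classify what a user can restore and whether the role set lets the
// holder grant themselves further roles.
function auditUser(doc) {
  const roles = new Set(doc.roles || []);
  const rwAny = roles.has("readWriteAnyDatabase");
  const uaAny = roles.has("userAdminAnyDatabase");
  // Assumption: the *AnyDatabase roles imply the per-database role.
  const rw = rwAny || roles.has("readWrite");
  const ua = uaAny || roles.has("userAdmin");

  let restoreScope = "none";
  if (rw) restoreScope = "collections only, user definitions skipped";
  if (rw && ua) restoreScope = "whole database including users";
  if (rwAny && uaAny) restoreScope = "full system, all databases";

  return {
    user: doc.user,
    restoreScope,
    // userAdmin holders can grant themselves any other role on the
    // database, so treat them as effective admins of it.
    canSelfEscalate: ua,
  };
}

// Names of users whose roles amount to full admin through self-grant.
function findEscalationRisks(docs) {
  return docs.map(auditUser).filter((r) => r.canSelfEscalate).map((r) => r.user);
}

console.log(sampleUsers.map(auditUser));
console.log("review these accounts:", findEscalationRisks(sampleUsers));
```
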