26

We can't seem to find any conclusive document on what permissions (user roles) are required to run mongodump on a specific db.

Say I have a db named x and a user y on it whose roles are roles: [ "readWrite", "dbAdmin" ], as well as 2 users a and b on the admin collection with roles: [ "userAdminAnyDatabase" ] and roles: [ "dbAdminAnyDatabase" ] respectively; it seems none of them has the right permission to run mongodump:

mongodump --db x --username y --password --authenticationDatabase x

Tue Dec 10 17:04:23.901     x.system.users to dump/x/system.users.bson
assertion: 11010 count fails:{ ok: 0.0, errmsg: "unauthorized" }

mongodump --db x --username a --password --authenticationDatabase admin

Tue Dec 10 17:06:19.674 DATABASE: x  to     dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.indexes", code: 16550 }

mongodump --db x --username b --password --authenticationDatabase admin

Tue Dec 10 17:08:20.678 DATABASE: x  to     dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.namespaces", code: 16550 }

We must be missing something obvious, but what does mongodump look for when dumping a database and what permission does it need?

PS: as a bonus, we would like to figure out what user roles are needed to dump a specific collection, as well as all db(s).

bitinn

4 Answers

45

Fortunately, mongodump 3.0 accepts options to skip certain collections.

This solved my problem of not having admin access to the database to tweak permissions. Please keep in mind that you will no longer be creating full backups.

mongodump --excludeCollection=system.indexes

or

mongodump --excludeCollectionsWithPrefix=system

Ali Abbas Jaffri
iltempo

14

TL;DR: For mongodb 2.4, you need at least a user with the read role as well as userAdmin on the db; otherwise you will run into the error we faced in the question when dumping system.users.bson on such a db.


So we overlooked an important reference: man mongodump

However, you need to have mongodump 2.4.x to see the relevant section, so here is a reference via mongodb github docs:

Required User Privileges
------------------------

.. note:: User privileges changed in MongoDB 2.4.

The user must have appropriate privileges to read data from database
holding collections in order to use :program:`mongodump`. Consider the
following :doc:`required privileges </reference/system-defined-roles>` for
the following :program:`mongodump` operations:

.. list-table::
   :header-rows: 1

   * - Task
     - Required Privileges

   * - All collections in a database except ``system.users``.
     - :authrole:`read`. [#read-or-read-write]_

   * - All collections in a database, including ``system.users``.
     - :authrole:`read` [#read-or-read-write]_ and :authrole:`userAdmin`.

   * - All databases. [#profiling-exception]_
     - :authrole:`readAnyDatabase`, :authrole:`userAdminAnyDatabase`,
       and :authrole:`clusterAdmin`. [#cluster-admin]_

See :doc:`/reference/system-defined-roles` and
:doc:`/reference/privilege-documents` for more information on user
roles.

.. [#read-or-read-write] You may provision :authrole:`readWrite`
   instead of :authrole:`read`.

.. [#cluster-admin] :authrole:`clusterAdmin` provides the ability to
   run the :dbcommand:`listDatabases` command, to list all existing
   databases.

.. [#profiling-exception] If any database runs with profiling enabled,
   :program:`mongodump` may need the
   :authrole:`dbAdminAnyDatabase` privilege to dump the
   ``system.profile`` collection.

PS: there is currently no way to skip certain collections, so if you only have the read or readWrite role on a db, you need to dump each collection individually.

bitinn
  • I met a similar problem. I tried to add a "userAdmin" role, but failed: > db.system.users.update({'user': 'keywords.kunzhipeng'}, {'$addToSet': {'roles': {'role': 'userAdmin', 'db': 'keywords'}}}, false, false) WriteResult({ "writeError" : { "code" : 13, "errmsg" : "not authorized on admin to execute command { update: \"system.users\", updates: [ { q: { user: \"keywords.kunzhipeng\" }, u: { $addToSet: { roles: { role: \"userAdmin\", db: \"keywords\" } } }, multi: false, upsert: false } ], ordered: true }" } }) – redice Jun 14 '14 at 11:30
11

Bad memory for me too. But I finally figured it out... Actually it's so simple. You just need to add a user with the backup role for mongodump and the restore role for mongorestore.

backup role: Provides minimal privileges needed for backing up data. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use mongodump to back up an entire mongod instance.

restore role: Provides privileges needed to restore data from backups that do not include system.profile collection data. This role is sufficient when restoring data with mongorestore without the --oplogReplay option.

For example, you can create a backup user like this:

> use admin
> db.createUser({
    user: "backupuser",
    pwd: "12345",
    roles: ["backup"]
})
ki9
Pickmeup101

1

This minimal set of privileges seems to work fine for me (note that the built-in 'backup' role exists only in the 'admin' database). The first privilege is needed to get rid of the [myDb.system.indexes: not authorized on myDb to execute command { count: "system.indexes", query: {} }] error:

db.createRole({
    role: "myDumpRole",
    privileges: [
        { resource: { db: "myDb", collection: "system.indexes" }, actions: [ "find" ] },
        { resource: { db: "myDb", collection: "" }, actions: [ "find", "listCollections", "listIndexes", "indexStats" ] }
    ]
});
Maksym
  • Is it possible to revoke permissions to disallow a user from backing up or exporting data out of the db? – Luis Parada Nov 19 '20 at 13:43
  • You mean revoking a role that you granted already, e.g., https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/ ? – Maksym Nov 19 '20 at 16:48
  • I mean, what permissions do I avoid to disallow a user from using mongodump or mongoexport to take data out of the DB? – Luis Parada Nov 20 '20 at 18:08
  • Another way to ask the same is, what permissions do I have to revoke to prevent users from taking data out of the DB using mongoexport or mongodump? – Luis Parada Nov 20 '20 at 18:48
  • Sorry Luis, I have not played with this much. You would be better off posting a new question. My wild guess is taking away 'find' will stop them from taking any data out of the DB, but this will also cut their ability to do anything useful with the database. If you leave find but take away 'list' operations, they can potentially still go and dump each collection individually if they know the names of these collections. – Maksym Nov 21 '20 at 23:31
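As an added example (not code from any of the answers), the following Node.js functions check a candidate role document, in the shape passed to db.createRole, against the action set the answer above lists for mongodump, so a least-privilege dump role can be verified before it is granted; it also illustrates the point raised in the comments that a role holding find but no list actions can still dump a single named collection. The system.indexes resource and the action names are taken from the answer; that newer server versions require exactly this set is an assumption.

```javascript
// Added example (not code from the answers above): check a role document, as
// passed to db.createRole, against the actions the answer lists for mongodump:
// "find" on each collection, plus "listCollections"/"listIndexes" on the database
// for a whole-db dump. Resource matching follows MongoDB's documented rule that
// an empty db or collection string is a wildcard that never covers system.*.
function coversDb(resource, db) {            // privilege applies at database level?
  return !resource.cluster && resource.collection === "" &&
    (resource.db === "" || resource.db === db);
}

function coversNamespace(resource, db, coll) { // privilege covers db.coll?
  if (resource.cluster || (resource.db !== "" && resource.db !== db)) return false;
  if (resource.collection === "") return !coll.startsWith("system.");
  return resource.collection === coll;
}

// Union of the actions granted by every privilege whose resource satisfies `predicate`.
function actionsWhere(role, predicate) {
  const granted = new Set();
  for (const p of role.privileges) {
    if (predicate(p.resource)) p.actions.forEach((a) => granted.add(a));
  }
  return granted;
}

// Actions the role still lacks to dump db.coll, or the whole db when coll is null.
// An empty array means the role is sufficient for that dump.
function missingForDump(role, db, coll = null) {
  const missing = [];
  if (coll === null) {
    const dbActions = actionsWhere(role, (r) => coversDb(r, db));
    for (const a of ["listCollections", "listIndexes", "find"]) {
      if (!dbActions.has(a)) missing.push(`${a} on ${db}${a === "find" ? ".*" : ""}`);
    }
  } else if (!actionsWhere(role, (r) => coversNamespace(r, db, coll)).has("find")) {
    missing.push(`find on ${db}.${coll}`);
  }
  return missing;
}

// Constructed sample roles: the answer's myDumpRole, and a narrower role that can
// only read one collection and cannot enumerate the database.
const myDumpRole = { role: "myDumpRole", privileges: [
  { resource: { db: "myDb", collection: "system.indexes" }, actions: ["find"] },
  { resource: { db: "myDb", collection: "" },
    actions: ["find", "listCollections", "listIndexes", "indexStats"] },
] };
const ordersReader = { role: "ordersReader", privileges: [
  { resource: { db: "myDb", collection: "orders" }, actions: ["find"] },
] };
```

Running missingForDump(ordersReader, "myDb") reports the three missing database-level actions, while missingForDump(ordersReader, "myDb", "orders") returns an empty list, which is exactly the gap described in the last comment.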