4

I've created two users, who I thought were userAdmins. Unfortunately, when I log in with them, I get permission denied for everything. If I log in locally without providing a username or password, I get permission denied for everything. What can I do?

The users were created using the following commands

use admin

db.createUser(
    {
      user: "Nikhil",
      pwd: "wouldntyouliketoknow",
      roles: ["userAdminAnyDatabase" ]
    }
)

Does userAdminAnyDatabase not mean what I think it means?

Neil Lunn
Nikhil

2 Answers

3

I'm assuming that you've got authorization security enabled for this to be happening. Why don't you just set security.authorization to disabled and restart mongod?

http://docs.mongodb.org/manual/reference/configuration-options/

As far as the command you issued, it looks to be incorrect; it should be something like this:

use admin

db.createUser(
  {
    user: "Nikhil",
    pwd: "wouldntyouliketoknow",
    roles: 
      [
        {
          role: "userAdminAnyDatabase",
          db: "admin"
        }
      ]
  }
)

Note that you have to pass in a document with both the role and the db into the call.

Best starting point is here: http://docs.mongodb.org/manual/tutorial/enable-authentication/

This user is limited to the userAdmin role on all databases. If you want to perform additional actions you'll need to either grant yourself additional roles or create a new user who has them:

userAdminAnyDatabase

Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster. The role also provides the following actions on the cluster as a whole:

authSchemaUpgrade
invalidateUserCache
listDatabases

The role also provides the following actions on the admin.system.users and admin.system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:

collStats
dbHash
dbStats
find
killCursors
planCacheRead

The userAdminAnyDatabase role does not restrict the permissions that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.

http://docs.mongodb.org/manual/reference/built-in-roles/#built-in-roles

Neil Lunn
John Petrone
  • I'm using replication, so authorization is on. I can disable that, but I'm probably doing authorization wrong. What's a good resource beside the official documentation? – Nikhil May 01 '14 at 18:22
  • Added edits to answer - believe your setup of roles was incorrect, added link to documentation. – John Petrone May 01 '14 at 18:58
  • Ok. I can now log in with my username/password, as long as I specify that I want to go into the admin database on the command line. I get the error "Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }" Is this expected? – Nikhil May 01 '14 at 19:24
  • So this user only has UserAdmin rights - nothing else. I'll add more detail to the answer but you'll need to either grant yourself more rights or create another user with the correct rights. – John Petrone May 01 '14 at 21:20
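
As an added example (not part of either answer or of the MongoDB documentation): one way to act on the "create another user with the correct rights" advice from the shell while logged in as the userAdminAnyDatabase user, creating a separate account and granting only the roles it is missing. The account name opsMonitor, the database appdata and the helper function names are assumptions; passwordPrompt() needs mongosh or mongo shell 4.2+.

```javascript
// Added example. Intended for mongosh / the mongo shell, where `db` is the
// shell's global database handle.

// Roles are compared as explicit { role, db } documents, the form db.getUser() returns.
const sameRole = (a, b) => a.role === b.role && a.db === b.db;

// Return the wanted roles that the user document does not already hold.
function missingRoles(userDoc, wanted) {
  const held = (userDoc && userDoc.roles) || [];
  return wanted.filter((w) => !held.some((h) => sameRole(h, w)));
}

// Create the user with exactly `wanted` if absent; otherwise grant only what is missing.
// `adminDb` is a handle on the admin database; `password` is used only on creation.
function ensureRoles(adminDb, user, password, wanted) {
  const existing = adminDb.getUser(user);
  if (!existing) {
    adminDb.createUser({ user: user, pwd: password, roles: wanted });
    return { created: true, granted: wanted };
  }
  const missing = missingRoles(existing, wanted);
  if (missing.length > 0) {
    adminDb.grantRolesToUser(user, missing);
  }
  return { created: false, granted: missing };
}

// Hypothetical account and role choices, for illustration only.
const OPS_USER = "opsMonitor"; // assumed account name
const OPS_ROLES = [
  { role: "clusterMonitor", db: "admin" }, // includes the getLog action
  { role: "readWrite", db: "appdata" },    // "appdata" is an assumed database name
];

// Executes only inside the shell, after authenticating as the userAdminAnyDatabase user.
if (typeof db !== "undefined") {
  const adminDb = db.getSiblingDB("admin");
  printjson(ensureRoles(adminDb, OPS_USER, passwordPrompt(), OPS_ROLES));
  printjson(adminDb.getUser(OPS_USER).roles);
}
```

Keeping day-to-day roles on a separate account leaves the userAdminAnyDatabase login reserved for user administration.
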
2

You can simply restart your MongoD without the auth options and it should happily allow you to login and do any operations.

Alternatively you can also enable the bypass for localhost authentication and connect from the same host where the MongoD is running. You can find more information about it at http://docs.mongodb.org/manual/core/authentication/#localhost-exception

The above mentioned steps may have different behaviour based on the version of MongoDB you are using and I would suggest looking up version specific documentation at the mentioned website.

aks