Scenario
Imagine you're a DevOps engineer and you are responsible to grant access to the database, which could be known as Database Administrator as well.
However, it's a new year and your company management decided to promote some of the potential team members to become the team leaders. ๐๐๐
As you all known:
With great responsibility comes great power. โ Mark Manson
The management informs you to update their database privileges as they previously offered read-only access to the database. If you're interested in how to create a read-only role for MongoDB, please read the post here. The management has asked you to grant them to write access too to all the databases since they're the team leader now.
Let's call them, โdevAโ and โdevBโ. In the next section, we would show the step-by-step guide on how to grant the read & write access to both users.
Step-by-Step Guide
Before we go into the detailed step on how to grant extra roles to the existing users. Here is the short and concise version of the steps.
-
List all users in the admin database (If all your user is created inside admin database).
-
Select the โuser' field with a matching values of โdevAโ and โdevBโ.
-
Use
grantRolesToUser()
function to give devA and devB users with the built-in role - readWriteAnyDatabase.
Step 1. List all users in the admin database
Step 2. Find the โuser' field value
Look at the field name called user and found the value as we would need this in the next step. Refer to the example below:
[
{
"_id" : "admin.devA",
"userId" : UUID("3195e205-704f-47ad-8869-d4c6add1d8ad"),
"user": "devA", # This is the value that we need in the next step
"db" : "admin",
"roles" : [
{
"role" : "read",
"db" : "client"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]
Step 3. Use grantRolesToUser function to grant read & write roles
With the simple command below, you will be able to allow both users have read & write access to all the databases except local & config.
use admin;
db.grantRolesToUser('devA', ['readWriteAnyDatabase']);
db.grantRolesToUser('devB', ['readWriteAnyDatabase']);
However, if you would like to only give read & write access to a specific database. For e.g, you would like to give read & write access to the client database only. You can do it via the below code.
use admin;
db.grantRolesToUser('devB', [{ role: 'readWrite', db: 'client' }]);
Conclusion
In short, this post discussed:
-
How to add more roles to the existing users without creating a new one in MongoDB
-
How to add read & write access to all the databases to an existing user.
-
How to add read & write access to a single database only to an existing user.
Thank you for reading and see you in the next article.