How to Add Roles to Existing User in MongoDB

โ€ข

image

Scenario

Imagine you're a DevOps engineer and you are responsible to grant access to the database, which could be known as Database Administrator as well.

However, it's a new year and your company management decided to promote some of the potential team members to become the team leaders. ๐ŸŽ‰๐ŸŽ‰๐ŸŽ‰

As you all known:

With great responsibility comes great power. โ€” Mark Manson

The management informs you to update their database privileges as they previously offered read-only access to the database. If you're interested in how to create a read-only role for MongoDB, please read the post here. The management has asked you to grant them to write access too to all the databases since they're the team leader now.

Let's call them, โ€œdevAโ€ and โ€œdevBโ€. In the next section, we would show the step-by-step guide on how to grant the read & write access to both users.

Step-by-Step Guide

Before we go into the detailed step on how to grant extra roles to the existing users. Here is the short and concise version of the steps.

  1. List all users in the admin database (If all your user is created inside admin database).

  2. Select the โ€˜user' field with a matching values of โ€œdevAโ€ and โ€œdevBโ€.

  3. Use grantRolesToUser() function to give devA and devB users with the built-in role - readWriteAnyDatabase.

Step 1. List all users in the admin database

image

Step 2. Find the โ€˜user' field value

Look at the field name called user and found the value as we would need this in the next step. Refer to the example below:

[
  {
	  "_id" : "admin.devA",
	  "userId" : UUID("3195e205-704f-47ad-8869-d4c6add1d8ad"),
	  "user": "devA", # This is the value that we need in the next step
	  "db" : "admin",
	  "roles" : [
		  {
			  "role" : "read",
			  "db" : "client"
		  }
	  ],
	  "mechanisms" : [
		  "SCRAM-SHA-1",
		  "SCRAM-SHA-256"
	  ]
  }
]

Step 3. Use grantRolesToUser function to grant read & write roles

With the simple command below, you will be able to allow both users have read & write access to all the databases except local & config.

use admin;
db.grantRolesToUser('devA', ['readWriteAnyDatabase']);
db.grantRolesToUser('devB', ['readWriteAnyDatabase']);

However, if you would like to only give read & write access to a specific database. For e.g, you would like to give read & write access to the client database only. You can do it via the below code.

use admin;
db.grantRolesToUser('devB', [{ role: 'readWrite', db: 'client' }]);

Conclusion

In short, this post discussed:

  • How to add more roles to the existing users without creating a new one in MongoDB

  • How to add read & write access to all the databases to an existing user.

  • How to add read & write access to a single database only to an existing user.

Thank you for reading and see you in the next article.

References

  • MongoDB grantRolesToUser Manual

  • MongoDB Built-In Roles Manual

Enjoyed this article?

Share it with your network to help others discover it

Continue Learning

Discover more articles on similar topics