
How to Add Roles to Existing User in MongoDB




Scenario

Imagine you're a DevOps engineer responsible for granting access to the database, a role that may also be known as Database Administrator.

However, it's a new year and your company's management has decided to promote some of the team members with potential to team leaders. 🎉🎉🎉

As you all know:

With great responsibility comes great power. — Mark Manson

Management asks you to update their database privileges, as they were previously given read-only access to the database. If you're interested in how to create a read-only role for MongoDB, please read the post here. Management has asked you to grant them write access to all the databases as well, since they're team leaders now.

Let's call them "devA" and "devB". In the next section, we show a step-by-step guide on how to grant read & write access to both users.

Step-by-Step Guide

Before we go into the detailed steps for granting extra roles to existing users, here is a short and concise version of the steps.

  1. List all users in the admin database (if all your users were created in the admin database).

  2. Select the 'user' field with matching values of "devA" and "devB".

  3. Use the grantRolesToUser() function to give the devA and devB users the built-in role readWriteAnyDatabase.

Step 1. List all users in the admin database

Step 2. Find the 'user' field value

Look at the field named user and note its value, as we will need it in the next step. Refer to the example below:

[
  {
	  "_id" : "admin.devA",
	  "userId" : UUID("3195e205-704f-47ad-8869-d4c6add1d8ad"),
	  "user": "devA", // This is the value that we need in the next step
	  "db" : "admin",
	  "roles" : [
		  {
			  "role" : "read",
			  "db" : "client"
		  }
	  ],
	  "mechanisms" : [
		  "SCRAM-SHA-1",
		  "SCRAM-SHA-256"
	  ]
  }
]

Step 3. Use grantRolesToUser function to grant read & write roles

With the simple commands below, you allow both users to have read & write access to all the databases except local & config.

use admin;
db.grantRolesToUser('devA', ['readWriteAnyDatabase']);
db.grantRolesToUser('devB', ['readWriteAnyDatabase']);

However, you may want to give read & write access to a specific database only, e.g. the client database. You can do that with the code below.

use admin;
db.grantRolesToUser('devB', [{ role: 'readWrite', db: 'client' }]);
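
The three steps above combined into one idempotent helper with a read-back check, as an added example that is not part of the original post. It assumes the shell's handle for the admin database is passed in; grantAndVerify, normalizeRole, WIDE_ROLES and fakeAdminDb are hypothetical names, and fakeAdminDb is a constructed stand-in so the code also runs under plain Node.

```javascript
// Added example, not from the original post; helper names are hypothetical.
// Built-in roles that reach every database rather than a single one.
const WIDE_ROLES = new Set(['readAnyDatabase', 'readWriteAnyDatabase',
  'userAdminAnyDatabase', 'dbAdminAnyDatabase', 'root']);

// grantRolesToUser() accepts 'roleName' (a role on the current database)
// or { role, db }. Normalise both forms to { role, db }.
function normalizeRole(spec, currentDb) {
  return typeof spec === 'string'
    ? { role: spec, db: currentDb }
    : { role: spec.role, db: spec.db };
}

const roleKey = (r) => `${r.role}@${r.db}`;

// Grant only the roles the user lacks, then re-read the user document and
// confirm every requested role is present. adminDb is the shell's handle
// for the admin database, as after `use admin`.
function grantAndVerify(adminDb, username, requested) {
  const before = adminDb.getUser(username);
  if (!before) throw new Error(`user ${username} not found`);
  const held = new Set(before.roles.map(roleKey));
  const wanted = requested.map((s) => normalizeRole(s, 'admin'));
  const missing = wanted.filter((r) => !held.has(roleKey(r)));
  if (missing.length > 0) adminDb.grantRolesToUser(username, missing);
  const after = adminDb.getUser(username).roles;
  const afterKeys = new Set(after.map(roleKey));
  return {
    user: username,
    granted: missing.map(roleKey),
    verified: wanted.every((r) => afterKeys.has(roleKey(r))),
    // Roles to call out in an access review.
    wide: after.filter((r) => WIDE_ROLES.has(r.role)).map(roleKey),
  };
}

// Constructed in-memory stand-in for the shell handle so the example runs
// under plain Node without a server. It is not a MongoDB API.
function fakeAdminDb(users) {
  return {
    getUser: (name) => users.find((u) => u.user === name) || null,
    grantRolesToUser: (name, roles) => {
      users.find((u) => u.user === name).roles.push(...roles);
    },
  };
}
```

In the shell, call grantAndVerify(db.getSiblingDB('admin'), 'devA', ['readWriteAnyDatabase']) and review the wide list before signing off the change.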

Conclusion

In short, this post discussed:

  • How to add more roles to the existing users without creating a new one in MongoDB

  • How to add read & write access to all the databases to an existing user.

  • How to add read & write access to a single database only to an existing user.

Thank you for reading and see you in the next article.

References

  • MongoDB grantRolesToUser Manual

  • MongoDB Built-In Roles Manual



