Getting mongo authorization errors with userAdminAnyDatabase role

I am trying to get authorization working on a mongo database on a new Ubuntu machine. I have created an admin user with the role userAdminAnyDatabase:

admin> show users
[
  {
    _id: 'admin.mongoAdmin',
    userId: UUID("590a4465-625a-4fa0-af2e-0f2c75777ac5"),
    user: 'mongoAdmin',
    db: 'admin',
    roles: [ { role: 'userAdminAnyDatabase', db: 'admin' } ],
    mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
  }
]

but I get authorization errors when I try to do anything:

admin> use test
switched to db test
test> db.users.find({})
MongoServerError: not authorized on test to execute command { find: "users", filter: {}, lsid: { id: UUID("f3cf2fbc-bbea-4ceb-83a1-b842b5047e74") }, $db: "test" }

I know I am using the correct id/password, as when I try to run the mongo shell with a different password it fails to start with a password error.

Ubuntu version is 20.04.4 (Focal); Mongo version is 5.0.8:

% mongod --version
db version v5.0.8
Build Info: {
    "version": "5.0.8",
    "gitVersion": "c87e1c23421bf79614baf500fda6622bd90f674e",
    "openSSLVersion": "OpenSSL 1.1.1f  31 Mar 2020",
    "modules": [],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "ubuntu2004",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}

1 answer

  • answered 2022-05-07 09:17 Wernfried Domscheit

    RoleuserAdminAnyDatabase or userAdmin grant privileges to user administration, i.e. you can run commands like db.createUser(), db.grantRolesToUser() or db.updateUser()

    They do not grant to read or write non-system collections of your database.

    I guess you need to grant dbAdminAnyDatabase, readWriteAnyDatabase or simply root

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum