MongoDB Atlas. 无法创建具有内置角色 “atlasAdmin” 的角色。

huangapple go评论72阅读模式
英文:

MongoDB Atlas. Cant create roles with built-in-role "atlasAdmin"

问题

我正在使用内置角色 "Atlas admin"。

运行命令时:

db.runCommand({
  "createRole": "555-read",
  "roles": [],
  "privileges": [
    {
      "actions": ["find"],
      "resource": {
        "db": "qqq",
        "collection": "555"
      }
    }
  ]
})

我收到以下错误:

MongoServerError: not authorized on qqq to execute command { createRole: "555-read"

我认为 "Atlas admin" 应该具有对所有内容的访问权限?

还是我需要在Atlas中配置一些特定的权限?

英文:

I'm using the built-in-role "Atlas admin".

When running the command:

db.runCommand({
  "createRole": "555-read",
  "roles": [],
  "privileges": [
    {
      "actions": [
        "find"
      ],
      "resource": {
        "db": "qqq",
        "collection": "555"
      }
    }
  ]
})

I get:

MongoServerError: not authorized on qqq to execute command { createRole: "555-read"

I think the "Atlas admin" should have access to everything?

Or do I need to some specific privliages in atlas?

答案1

得分: 1

正如我的评论中所提到的,你无法在mongo shell中创建角色。你可以使用以下命令检查权限:

db.runCommand({ connectionStatus: 1 })
{
  authInfo: {
    authenticatedUsers: [ { user: 'atlas-admin', db: 'admin' } ],
    authenticatedUserRoles: [
      { role: 'atlasAdmin', db: 'admin' },
      { role: 'backup', db: 'admin' },
      { role: 'clusterMonitor', db: 'admin' },
      { role: 'dbAdminAnyDatabase', db: 'admin' },
      { role: 'enableSharding', db: 'admin' },
      { role: 'readWriteAnyDatabase', db: 'admin' }
    ]
  },
  ok: 1,
  operationTime: Timestamp({ t: 1679383010, i: 1 })
}

db.runCommand({ connectionStatus: 1, showPrivileges: 1 }).authInfo.authenticatedUserPrivileges.filter(x => x.resource.collection == 'system.roles')
[
  {
    resource: { db: 'admin', collection: 'system.roles' },
    actions: [ 'find' ]
  }
]

正如你所见,你只能选择角色。权限 userAdminuserAdminAnyDatabase 未被授予。

英文:

As mentioned in my comment, you cannot create create roles in mongo shell. You can check privileges with this:

db.runCommand({ connectionStatus: 1 })
{
  authInfo: {
    authenticatedUsers: [ { user: 'atlas-admin', db: 'admin' } ],
    authenticatedUserRoles: [
      { role: 'atlasAdmin', db: 'admin' },
      { role: 'backup', db: 'admin' },
      { role: 'clusterMonitor', db: 'admin' },
      { role: 'dbAdminAnyDatabase', db: 'admin' },
      { role: 'enableSharding', db: 'admin' },
      { role: 'readWriteAnyDatabase', db: 'admin' }
    ]
  },
  ok: 1,
  operationTime: Timestamp({ t: 1679383010, i: 1 })
}

db.runCommand({ connectionStatus: 1, showPrivileges: 1 }).authInfo.authenticatedUserPrivileges.filter(x => x.resource.collection == 'system.roles')
[
  {
    resource: { db: 'admin', collection: 'system.roles' },
    actions: [ 'find' ]
  }
]

As you see, you can only select roles. Privilege userAdmin or userAdminAnyDatabase is not granted.

huangapple
  • 本文由 发表于 2023年3月21日 03:27:52
  • 转载请务必保留本文链接:https://go.coder-hub.com/75794517.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定